How to identify a phishing email

A phishing email impersonates a legitimate sender in order to trick users into disclosing sensitive information.

학습 목표

이 글을 읽은 후에 다음을 할 수 있습니다:

  • Explain how email is used in phishing attacks
  • Identify common elements of a phishing email
  • Learn strategies for avoiding phishing emails

글 링크 복사

What is email phishing?

Phishing is a cyber attack in which an attacker conceals their true identity in order to deceive the victim into completing a desired action. Like fishing, phishing uses "bait" (a legitimate-seeming email address, promise of monetary payment, a time-based threat, etc.) to trick the victim into giving up sensitive information or granting access to protected resources, like a corporate network.

Often, a phishing attack uses email to convince targets that a message is coming from a trusted source, like a reputable financial institution or an employer. Because the message appears legitimate, the user may be more likely to share valuable account data or engage with malware — typically presented as an attachment or link — camouflaged within the email.

What is the purpose of a phishing attack?

Phishing attacks generally aim to trick a user into revealing confidential information, engaging with malware, or granting access to an account or application. When successful, a phishing attempt allows attackers to steal user credentials, infiltrate a network, commit data theft, or take more extreme action against a victim (e.g. carrying out a ransomware attack).

To learn more about phishing techniques, see What is a phishing attack?

How is email used to carry out a phishing attack?

In email phishing — an umbrella term for any email-based phishing attack — the attacker sends an email message impersonating a reputable sender, such as a government organization or a well-known corporation.

Some phishing tactics attempt to collect information directly from the recipient by claiming that an account has been breached in some way (e.g. fraudulent password reset requests) or by offering a monetary reward (e.g. fake gift cards).

Other phishing emails contain malware within the attachments or links that appear in the body of the email. By interacting with the malware — for example, opening or downloading an attachment that contains a malicious payload — the user may unknowingly infect their device or network, enabling attackers to gain access to protected applications and data.

How to identify a phishing email

Because phishing emails are designed to imitate legitimate individuals and organizations, they may be difficult to identify at first glance. Here are some common warning signs to watch out for:

  • The email does not pass SPF, DKIM, or DMARC checks. Three DNS records — Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) — are used to authenticate the origin of an email. When an email message does not pass one or more of these checks, it is often marked as spam or not delivered to its intended recipient. For this reason, it is uncommon to find legitimate emails in spam folders.
  • The sender’s email address is not associated with a legitimate domain name. The domain should match the name of the organization the email claims to come from. For example, if all email addresses from Legitimate Internet Company are formatted as “employee@legitinternetcompany.com,” a counterfeit email might be sent from a similar-sounding address like “employee@legitinternetco.com.”
  • A generic greeting is used in place of a name. Words like “customer,” “account holder,” or “dear” may be a sign that the email is part of a mass phishing attempt, rather than a personal message from a legitimate sender.
  • There is a time limit or uncharacteristic sense of urgency. Phishing emails often generate a false sense of urgency to convince users to take action. For instance, they may promise a gift card if the user responds within 24 hours, or allege a data breach to get the user to update their password. It is rare for these tactics to be tied to real deadlines or consequences, as they are intended to overwhelm a user into taking action before they become suspicious.
  • The body message is full of errors. Poor grammar, spelling, and sentence structure may hint that an email is not from a reputable source.
  • Links in the body message do not match the sender’s domain. Most legitimate requests will not direct users to a website that is different from the sender’s domain. By contrast, phishing attempts often redirect users to a malicious site or mask malicious links in the email body.
  • The CTA includes a link to the sender’s website. Even when links appear to point to legitimate websites, they may redirect victims to a malicious site or trigger a malware download. Most reputable organizations will not ask users to disclose sensitive information (e.g. credit card numbers) by clicking on a link.*

In general, the more sophisticated a phishing attempt is, the less likely it is that these elements will appear in an email. For instance, some phishing emails use the logos and graphics of well-known companies to make their message look legitimate, while other attackers may code the entire body field as a malicious hyperlink.

*Exceptions to this rule may include password reset requests and account verification. Phishing attempts may also fake these types of requests, however, so it’s wise to double-check the sender’s email address before clicking on anything.*

How to prevent phishing attacks

As with any kind of unsolicited email (often referred to as ‘spam’), phishing emails cannot be completely eliminated by a security tool or filtering service. However, there are several actions users can take to diminish the chances of a successful attack:

  • Evaluate emails for suspicious elements. Email headers may reveal deceptively-worded sender names or email addresses, while the body may include attachments and links that camouflage malicious code. Users should err on the side of caution when opening a message from an unfamiliar sender.
  • Do not share personal information. Even when communicating with a trusted individual, personal information — e.g. Social Security numbers, bank information, passwords, etc. — should never be exchanged in the body of an email.
  • Block spam. Most email clients come with built-in spam filters, but third-party filtering services can give users more granular control over their email. Other recommendations for avoiding email spam include unsubscribing from mailing lists, refusing to open spam emails, and keeping email addresses private (i.e. not listing them on an organization’s external-facing website).
  • Use email security protocols. Email authentication methods like SPF, DKIM, and DMARC records help verify the source of an email. Domain owners can configure these records to make it difficult for attackers to impersonate their domains in a domain spoofing attack.
  • Run a browser isolation service. Browser isolation services isolate and execute browser code in the cloud, protecting users from triggering malware attachments and links that may be delivered through a web-based email client.
  • Filter harmful traffic with a secure web gateway. A secure web gateway (SWG) inspects data and network traffic for known malware, then blocks incoming requests according to predetermined security policies. It can also be configured to prevent users from downloading files (like those that may be attached to a phishing email) or sharing sensitive data.
  • Verify the message with the sender. If an email message still seems suspicious, it may be necessary to independently confirm the message was sent by a legitimate individual or organization. There are several verification methods that can be used to do this, like a phone call or text message. When in doubt, ask the sender if there is a more secure way to transmit any sensitive information they may have requested.

How does Cloudflare protect against email phishing?

Cloudflare Area 1 Email Security detects and blocks phishing attempts in real time. It proactively scans the Internet for attack infrastructure and campaigns, uncovers email fraud attempts, and provides visibility into compromised accounts and domains.

Learn how to stop phishing attacks with Cloudflare Area 1.