How can I Recognize a Phishing E-Mail?

How can I Recognize a Phishing E-Mail?

15 June 2021

Phishing is the type of cyber attack that can hit anyone anywhere at any time. But if that is true, is there a way we can protect us against such attacks? How can we recognize a mail as phishing?

As you might have guessed, there is no cookie-cutter recipe on how to recognize phishing. However, there are a few checkpoints by which we can categorize an e-mail as "likely phishing" and then carefully read and process it.

In this article we will take a closer look at suspicious signs in an e-mail itself, in links, and finally on phishing websites.

The Phishing E-Mail

Phishing e-mails can come in various shapes and sizes. The following picture shows a phishing attack hidden inside the attachment of an e-mail.

Phishing Mail

How can we determine that the e-mail above (or any other) is indeed phishing?

  • In the example "James Phish" is an unknown sender. We never received an e-mail from him before not to mention we never wrote one to him. We were neither expecting a message from him nor have we heard of him before. Although not every unknown sender means us harm, it can be a first hint to be suspicious about an e-mail and read it with care.

  • The same rules for unknown sender apply to an unknown e-mail address. If we don't know the e-mail address and weren't expecting any messages from it, we should be mindful and investigate the e-mail further. Moreover, if the e-mail address looks really odd (fd7r90@example.com) or pretends to owned by e.g. a popular brand but the domain doesn't belong to this brand (IBelongtoMicrosoft@example.com) it can be a sign of phishing.

  • A mismatch between sender name and e-mail address makes an e-mail appear suspicious. Or how would you react if you would receive an e-mail from the sender "PayPal <amazon_mail@example.com>"?

  • Often phishing e-mails are written for a large group of potential victims and therefore have a rather impersonal form of address. They generally start with "Dear recipient", "Dear customer", simply "Hello", or have no addressing at all. It is also common practice to use part of the recipient's e-mail address, e.g. if the victim has the e-mail address my_personal_mail@example.com the beginning of the phishing message could look like this: "Dear my_personal_mail".

  • Likewise, the e-mail content can warn us about potential phishing. Prizes and offers, which seem to be extremely lucky, are mostly exactly that: too good to be true. Phishers lure their victims into giving out their bank data or similar in return for non-exisiting prizes. So if you win the lottery one day, make sure it really is the lottery you won and not part of a phishing attack.

  • Invoices that require you to make manual money transfers or to give out personal data could be phishing, too. The easy way to verify whether an invoice is phishing or not, is checking whether you really bought what the invoice claims you did and whether you were expecting an invoice from this company or not.

  • Requests for a password renewal, account verification, or data confirmation require us to use personal data, most likely an user name or e-mail and a password. Make sure the e-mail comes from the company or website it states it comes from. Bigger brands often have information on their websites about how such mails could look like and what they would definitely not write in an e-mail (have a look at e.g. PayPal's phishing policies).

  • E-mail attachments can contain phishing as well. PDF files and documents can be used as an e-mail body and contain information that tricks you into giving out personal data. It is also possible to attach HTM or HTML files to an e-mail which could then, if clicked, open a phishing website in a browser.

The Phishing Link

If a phishing e-mail contains a link to a phishing website, we can sometimes already draw conclusions from the link address itself. Clicking unknown links should always be done carefully and after some fact checking since not only phishing can lurk behind it but also malware, viruses, or worse.

  • Link shorteners are not suspicious per se and are even used by big online companies like YouTube or LinkedIn. However, as the name suggests, they shorten links and therefore hide important information about where the links lead. Phishers like to use link shorteners to disguise their suspicious phishing link as a well known link address.

  • Links that seem like they belong to a popular brand but only contain the brand's domain as subdomains or in the url path. As an example we have the link apple.com.phishing_domain.net. At first glance, it looks like the link belongs to Apple. After more thorough inspection we can see that the apple domain is only a subdomain and the link actually leads us to a page on phishing_domain.net.

  • A link which redirects to another website can be an indication of phishing. Phishers like to use redirects in links to hide the final destination like with link shorteners. Phishers could e.g. use urls like https://www.no_phishing.com/?redirect=http://www.phishing.com to obscure phishing websites.

The Website

Do not click a link unless you have already identified the e-mail as non-dangerous. In case you ever end up on a phishing page despite being careful, there are a few things which can help you to idetify the page as phishing.

Phishing websites can often be a perfect copy of the website they want to imitate as you can see in the following example of a Netflix phishing site.

Netflix Phishing Netflix Original Website (left) vs. Netflix Phishing Website (right)

Nevertheless, there are a few things which differentiate a phishing website from a non-phishing one.

  • Phishing sites sometimes don't have a favicon or not the right one. If you see a website of a big company without a favicon it should alert you and lead to further investigation on your side.

  • Phishers, who are good at hacking websites, can host phishing pages on already existing, legitimate websites – called compromised websites. If an Amazon login page is hosted on a url of SOS Children's Village, it most likely is phishing or similar and should ideally be reported to the persons responsible of the compromised website.

  • To test if a website which asks for login data is phishing, we can try to enter a fake user name and fake password. Phishing websites usually don't have any type of verification for the inserted data. They will often take false user data and then redirect you to a different page which could e.g. either be the original legitimate website or a "Thank you! Your changes have been successfull."-page.

Websites That Identify Phishing

If you don't feel confortable deciding whether a link is phishing or not, here are some websites which analyse links for you:


Phishing is not always easy to identify since it is constantly evolving and can look completely different depending on the intentions and skills of the phisher. It is on us to pay attention to the links we click and to whom we give our personal data. As long as we are sure about the legitimacy of a message or inspect it further if we are not, phishing attacks can be avoided almost without any extra effort.