Social Engineering: How to Recognize Phishing Emails

Published on: 23 May 2020


Social Engineering

According to Wikipedia, social engineering, in the context of information security, is the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick for the purpose of information gathering, fraud, or system access; it differs from a traditional “con” in that it is often one of many steps in a more intricate fraud scheme. Our team earlier wrote an article giving an overview of social engineering, and we highly recommend reading that previous article on our VISTA InfoSec Blog.

Moving further, in a typical social engineering scenario, an attacker gathers information by interacting with people. Humans have a natural tendency to trust people, and that trust is exploited in order to take advantage of them. In our earlier article, we classified social engineering attacks into two classes: computer-based and human-based. Here we dive straight into the computer-based class, in particular phishing emails and how one can recognise them.

Traps vs Users

Thousands of phishing attacks are seen every day, and they often succeed in making their victims fall into the trap. Hackers use deceitful emails to trick users into giving up their personal information. They may try to steal passwords, account numbers, or Personally Identifiable Information (PII). If they acquire that information, they could gain access to your email account, bank account, or other accounts.

Hackers keep coming up with new ways to find their victims; however, there are signs that will help you identify a phishing email. These emails will sometimes look like they are from a company you recognize, and sometimes masquerade as coming from your own bank, a payment company, a social networking site, etc.

Phishing emails often trick one into clicking on links or opening an attachment. All such tricks are meant to create FUD (Fear, Uncertainty and Doubt). The emails may:

  • Claim that suspicious activity or log-in attempts were detected.
  • Claim that you need to update your account or your payment information.
  • Ask you to confirm personal information.
  • Ask you to click a link to make a payment.
  • Inform you that you’re eligible for a refund or a reward.
  • Offer free stuff to claim online.
  • Create a sense of urgency.

This is, in short, how hackers trick you into clicking on links and providing them with information; nevertheless, there are ways one can recognize these signs, which we’ll discuss in detail.

How to Recognize Phishing Emails

1. Request of Sensitive Information via Emails

One may receive an unsolicited email from an organization that provides a link or attachment and asks you to provide sensitive information, often with a sense of urgency. Most companies do not send emails asking for passwords, credit card information, or any PII details, nor will they send you a link from which you can log in. These emails look authentic. They go to the extent of matching the email style used by a company or by an external business such as a bank; the hackers ensure that the email imitates the real thing. However, when such a realistic-looking email makes requests that one wouldn’t usually anticipate, it is often a strong giveaway that it is not from a trusted source.

One should keep an eye out for emails requesting you to confirm personal information that you would never usually provide, such as banking details or login credentials. One must not reply or click any links, and if one considers it possible that the email is genuine, one should look the organization up online and contact it directly, without using any communication method provided within the email.

2. Unable to provide proper reference

Phishing emails typically use common greetings such as “Dear valued member”, “Dear account holder”, or “Dear customer”. If an established enterprise has your personal details in its records, it would address you by your proper name and not resort to a generic form of address, which suggests that a “carpet bombing” approach was used.

3. Have Domain Account Emails

Check the name of the person sending the email, then check the sender’s email address to ensure it was sent by the authentic party. Make sure no alterations (like additional numbers or letters) have been made in the sender’s email address. Sometimes companies do make use of unique or varied domains to send emails, and some smaller companies use third-party email providers, which should not be a cause for alarm.

At a glance these details can appear very real; nevertheless, the moment you take the time to truly inspect the email address, you may find that it is a bogus variation intended to appear authentic. One can also check by googling or reverse searching the email address online to find out whether it is genuine or fake.

4. Know How to Spell

Possibly the easiest way to recognize a phishing email is bad grammar and spelling mistakes. An email from a legitimate organization is well written: composed by professional writers and exhaustively checked for spelling, grammar and legality. An unexpected email from a company that is riddled with mistakes is a strong indicator of a phishing email.

Hackers prey on the uneducated, believing them to be less observant of such errors and thus easier targets to deceive. There is possibly a reason why these emails are deliberately poorly written and riddled with bad syntax: it ensures that they trick only the most gullible targets, or sometimes those too pressed for time to pay attention to detail.

5. Force Victims to Their Website

Sometimes the entire email is a hyperlink. Therefore, even an accidental click anywhere in the email will open a fake web page, or download spam or malware onto your computer.

6. Restrict Sending Unsolicited Attachments

Unsolicited emails that contain attachments are likely to have been sent by hackers. Normally, authentic organizations don’t randomly send you emails with attachments, but instead direct you to download documents or files from their own website.

However, sometimes companies that already have your email address will send you information, such as a white paper, that may require a download. In that case, look out for high-risk attachment file types, including .exe, .scr, .bat and .zip. These attachments could contain a malicious URL or trojan, leading to the installation of a virus or malware on your PC or network. Even if one believes an attachment is genuine, it is good practice to always scan it with antivirus software before opening it.
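The checks from signs 2, 3 and 6 can be automated for a first-pass triage. The following is an added example, not code from the original article; the function names, the sample message and its domains are constructed, and it assumes the reader knows the domain the claimed sender really mails from.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

RISKY_EXT = (".exe", ".scr", ".bat", ".zip")   # file types named in sign 6
GENERIC = ("dear valued member", "dear account holder", "dear customer")  # sign 2

def triage(raw_message, expected_domain):
    """Return warning strings for one raw email message.
    expected_domain: domain the claimed sender really uses (assumption: known
    to the reader, e.g. from earlier genuine correspondence)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    # Sign 3: look at the address itself, not the display name next to it.
    _name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        warnings.append(f"sender domain {domain!r} is not {expected_domain!r}")
    # Sign 2: generic greeting instead of the recipient's name.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    for greeting in GENERIC:
        if greeting in text:
            warnings.append(f"generic greeting: {greeting!r}")
    # Sign 6: attachments whose final extension is a high-risk type.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            warnings.append(f"high-risk attachment: {filename}")
    return warnings

def build_sample():
    """Constructed sample message; every name and domain here is made up."""
    m = EmailMessage()
    m["From"] = "Example Bank <support@examp1e-bank.example>"
    m["Subject"] = "Account notice"
    m.set_content("Dear customer,\nplease open the attached form.")
    m.add_attachment(b"sample", maintype="application",
                     subtype="octet-stream", filename="Form.pdf.exe")
    return m.as_string()

if __name__ == "__main__":
    for warning in triage(build_sample(), "example-bank.example"):
        print(warning)
```

An empty result only means none of these three signs fired; it does not replace scanning attachments or contacting the organization directly.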

7. Contains Legitimate URLs

Always double-check URLs. If the link in the text isn’t identical to the URL displayed as the cursor hovers over the link, that’s a sure indicator you will be taken to a site you don’t want to visit. If one finds a hyperlink which doesn’t seem correct, or does not match the context of the email, one should not trust it or click on it.

Also, hover your mouse over these embedded links to ensure the link begins with https://.

8. Messages Designed to Make One Panic

It is common for phishing emails to induce panic in the recipient, for example by claiming that your account has been compromised and that you must log into it to verify. This approach attempts to force you to enter your login details on a counterfeit website, which captures the information. Alternatively, emails may say that your account will be terminated if you do not act urgently. Take the time to think about whether the email is sensible. If uncertain, contact the business through other means.

Conclusion

When uncertain, even if you know the source, delete or ignore anything that looks suspicious. Like links in emails, social media posts and online advertising are often how hackers try to steal your information.

No matter how secure your security system is, it takes only one untrained employee to be fooled by a phishing attack and give away the data you’ve worked so hard to protect. Make sure both you and your employees understand these specific email phishing examples and all of the tell-tale signs of a phishing attempt.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.