What does a phishing email look like? We've compiled phishing email examples to help show what a spoofed email looks like to prevent against phishing attacks.
Brand deception phishing is the most common example of phishing people will come across. Brand deception phishing occurs when an attacker mimics a trusted company in an email and asks someone for their personal information like credit card numbers or login credentials.
What exactly is phishing?
Phishing is the act of using social engineering to steal information from victims through email or text message by impersonating another person or company. Emails will usually be disguised as a customer invoice, password reset, or login request.
Links and attachments often contain malware that is used to steal sensitive information and gain a foothold inside a company network. For scam emails that request password resets, a fake copy of a real website is used to trick the user into logging in, thus stealing their credentials.
These scams are responsible for millions of dollars of lost revenue every year, and is one of the most popular forms of cybercrime to date.
Examples of phishing emails
There are multiple types of scams that use different techniques to try and steal data from recipients. These can range in complexity, payload type, and how hard they are for an average person to detect. Let’s review a few of the most popular types of phishing emails.
Domain spoofing can be done directly to the email header, when the attacker tries to actually use and send from our example banktrust.com. Email authentication, specifically DMARC records, can be used by receiving mail servers to check to ensure that the server that sent the email is allowed to send emails on behalf of that domain.
DMARC records have a line of text that contains all of the servers that are allowed to send on behalf of that domain. When an email is received the receiving mail server can run an DMARCcheck on that domain to ensure that the server is listed as authorized to send. If the server is not authorized to send on behalf of that domain the DMARC check will fail.
Without DMARC email authentication, attacks would run rampant across the internet. Luckily DMARC is a widely adopted standard and in use almost everywhere.
Lookalike domains are when an attacker uses a domain that appears to be legitimate but is actually different and uses slightly altered letters and numbers that make it hard to tell the difference. For example, a scammer trying to impersonate the domain of banktrust.com may register the domain banktust.com (note the slight difference in spelling) and begin to send password reset emails from that address.
Lookalike domains can also be applied to websites as well. Using the banktust.com example, an attacker can send an email from that fake address that points to a fake website that is a clone of the real banktrust.com. The page is monitored by the attacker and once the victim enters their credentials, that information is stolen.
Some domain spoofing attacks are quite sophisticated and utilize techniques such as cross site scripting (XSS) attacks that make identifying fake URLs and web pages even more difficult.
While most email scams use thousands of messages to find a few victims, spear phishing takes the complete opposite approach. By extensively researching a target company, attackers customize a spear phishing campaign around how that company operates in an attempt to seem as legitimate as possible.
This could include registering a similar looking domain, using stolen email signatures, company logos, and even names of individuals that are known within the company. Stolen information is often leveraged to craft messages that appear real and urgent. Sometimes these messages go as far as learning the company structure and exploiting the hierarchy to create false urgency in the phishing email.
Spear phishing can impersonate both internal staff members, or known and trusted vendors that the organization has a relationship with. Since spear phishing doesn’t rely on a single tactic to succeed it can be tough for an untrained eye to spot a problem. Implementing a phishing defense system can help automatically detect and stop these types of attacks.
You can think of whaling as an even more targeted version of spear phishing, where the attackers now begin to impersonate senior representatives within a company. They use this knowledge of company hierarchy to pressure other staff into sending funds, resetting passwords, or clicking on links without hesitation.
With whaling there is usually a sense or urgency or pressure that appears to come from a senior staff member within the company. The victim, which is usually just an employee at the company, will feel pressured into completing the task quickly.
This is sometimes also referred to as CEO fraud, as the whaling usually aims to impersonate c-level executives within an organization in order to gain access to the most valuable information a company has access to.
Whaling techniques have evolved over the years and could request the victim to do a number of tasks such as reset their login passwords, buy gift cards, or forward sensitive information such as tax forms or other company documents.
Attackers can impersonate staff relatively easily by searching on the target company website for information, and guessing the formatting of the email account they wish to impersonate. Stolen company logos, signatures, and phone numbers are also used to make these emails appear more legitimate.
Consumer phishing impersonates well-known brands and then targets consumers prompting them to update their account information, or fix an issue with their account. This can lead the victim to either click on a malicious link that steals their credentials, or call a fake hotline where scammers will ask the victim for their personal information, and sometimes even their credit card numbers.
Like all forms of this scam, the attack relies on impersonation, but chooses to masquerade as already known and trusted companies in hopes that recipients of the phish will be less on guard when the message comes from a brand they like and trust.
How to identify phishing emails
No matter what type of email you may encounter, there are few ways you can identify if that email is legitimate or not.
Carefully check the sending domain. This is often the most important step in identifying a scam email. Many times recipients will glance at the From field and skim through the rest of the email. Attackers can format emails to look identical to internal emails using signatures, logos, and fonts that all look like a real email.
When DMARC email authentication is in place to block domain spoofing, attackers will leverage lookalike domains to confuse victims. If an email doesn’t seem right, spend an extra minute or so verifying that the email address in the From field is actually who you think it is. If you’re still not sure, consider contacting your IT department or contacting the sender by phone using a number that you already have on file not listed in the email.
Preview links before clicking. Even if an email appears to be legitimate, it’s best practice to preview a link before clicking on it. This can be done in almost all email browsers by hovering your mouse over a link for a few seconds without clicking. If the link appears to be directed to a strange domain, or something that looks gibberish, it’s best to take caution and not click the link.
Even with the link preview technique, attackers can perform redirects from that page. For example, the email link could go to Dropbox, which is a real service. But within that dropbox link is a document that contains another link that redirects you to somewhere else that attempts to install malware or steal your information.
Does the email suddenly feel urgent? Urgency and scare tactics are used in most phishing attempts in order to scare victims into acting quickly without thinking their actions through. Before taking action, review the sender's addresses to verify if it is real. Official services such as Chase will come from chase.com or jpmorgan.com. If you think the email is real but still aren’t 100% sure, consider calling the service or person from a number you already know, or find outside of the email in question.
Be on the lookout for misspellings. In the case of mass phishing campaigns, emails are usually poorly spelled or contain other punctuation errors. Many of these massive scam operations are stationed in non-english speaking countries, which forces them to use translators which don’t always work as intended.
Keep a lookout for low resolution branding images. When images are stolen for signatures in emails, they are usually low resolution screenshots that are simply re-pasted into the email. While this doesn’t always mean an email is a phish, it should raise a red flag for you to investigate the email further.
How to report phishing emails
If you’ve received a scam email or may have had your information stolen from a phishing attack, you can report this incident to the Federal Trade Commission.
If a scam email was sent to your inbox, you can forward it directly to the FTC Anti-Phishing Working Group at [email protected]. If the message was a text message you can forward it to SPAM (7726).
You can also file a report of the attack by visiting http://ftc.gov/complaint.
How to protect against phishing emails
Unfortunately you can’t simply download a program and be safe from email-based attacks. You need a complete phishing response and defense system in place. Since these attacks are constantly evolving you’ll not only need to ensure that your email servers are configured correctly, but that your staff is kept up to date with the latest email threats and company policies.
Two factor authentication can be paired with threat detection to help stop compromised information from being accessed outside of the organization. Two factor authentication relies on combining what a user knows, with something that user has, such as their cell phone. Even if credentials are stolen, the attacker will need the user’s cell phone in order to login.
The Agari Advantage
Agari offers a turnkey solution to combat phishing email attacks through automatic response, remediation, and containment. The system utilizes both signature-based security as well as behavioral analysis to stop malicious files and bad actors at the same time.
If you’re looking to learn how to keep your business safe from email-based attacks, see how Agari Phishing Defense works in action and sign up for our newsletter for the latest in email security.