Reading Time: 4 minutes

4 MINUTE READ

The Biggest Hidden Red Flags in a Phishing Email

blog-800x400-spear-phishing_1 (1)
Joe Howland
Joe Howland, Chief Information Security Officer

During Cybersecurity Awareness Month, you’ll likely hear a lot about the dangers of phishing emails. Many common red flags include: 

  • An incorrect sender’s email address 
  • Suspicious URLs that you can see by hovering over the link 
  • Suspicious attachments (such as a malicious Word document or PDF) 
  • Suspicious email subject lines 
  • Horrible spelling and grammar 

However, as spammers and scammers get better at their jobs, their techniques grow more sophisticated. Many phishing emails now easily mimic a sender’s supposed email address, make links and attachments seem safe, and look more professional. 

That’s why you need ways to detect phishing emails by identifying “hidden” red flags—deeper flaws in a scammer’s approach where they try to use psychological tactics that trick you just long enough so that you take a desired action. 

Here are five hidden red flags that could fool you if you’re not skeptical enough. 

1. Timing

Recently, we sent a simulated phishing email to VC3 employees to test their skepticism about the timing of an announcement. The email read: 

 

Subject: Important Dress Code Changes 

Dear all, 

The COVID-19 coronavirus continues to affect lives on a daily basis. As many of you know, VC3 is encouraging those of you who can work from home effectively to please do so. Staff considered critical to operations will still be required to work onsite in the upcoming weeks. 

Due to the new safety standards introduced by the World Health Organization, VC3 employees are now required to follow a strict new policy which can be reviewed at [WE PROVIDED A REALISTIC LOOKING LINK]. 

Please contact your managers with any questions you may have on this new policy. 

Thanks,
VC3 

 

This email came from a legitimate looking email address. It would be easy to click on it. What prevented employees from getting fooled? 

Timing. It arrived at 9 a.m. on a Thursday morning, out of nowhere. Dress code is rarely discussed at VC3. Such a major change to company policy would be discussed at our monthly company meeting. The timing was off. 

Consider the timing of an email when you receive it. Does it arrive out of nowhere? Does it strike you as odd that it arrives on a particular day and time? Does it not match previous instances?

2. Professionalism

Professionalism as a red flag is different than spelling and grammar mistakes. Many phishing emails are now written more professionally—or at least copied and pasted from other sources. Professionalism is a subtle yardstick that requires your experience to judge. 

A recent email I received from a scammer included the following unprofessional red flags: 

  • Uncapitalized first name 
  • Sending multiple emails every week 
  • Overly pushy 
  • Saying that we had already scheduled a meeting to talk, and that I missed the meeting, although no such meeting existed
  • Unprofessional humor and inappropriate jokes for a business email 

Digging deeper into the “company” that sent the email, it was easy to discover after a bit of Googling that the company based in New Jersey did not exist. 

3. Urgency

Your organization should have trusted processes and procedures that allow for doubt and offer ways to confirm that a request is legitimate. Obviously, a trusted co-worker or your boss may ask for a timely, urgent request, but you will often know when those requests make sense. 

However, “urgent” requests such as the following should raise a red flag. I recently received the following email. 

 

Subject: Your identify verification is pending 

Sorry for the suspension notice, but we’re having trouble authorizing your Crypto App account associate with you. And for protection Crypto.com App account associated with you [MY EMAIL ADDRESS WAS INSERTED HERE], access to Crypto.com App account has been locked as there we detected a possible case of attempted abuse. 

Tap the link below on your phone to login to the Crypto.com App. 

[A fake login button with a malicious link was inserted here.] 

For further support, please email us at [THEY INCLUDED A SUPPORT EMAIL THAT LOOKS LEGITIMATE]. 

Best regards, 

Crypto.com App Team 

 

For those using this app, this looks urgent. This is how spammers try to get you to click. Even more dangerous are requests related to work-related applications that may request you to log in about an “urgent” security or financial concern, seeking to collect your username and password. If you have doubt about an “urgent” request, contact the person who oversees the alleged urgent request or your IT support resource.

4. Anomaly

Look out for situations that have never happened before—something that violates a long-established process, with no additional context or information. 

Here’s another simulated phishing email we sent to test our employees. 

 

Dear User, 

We are migrating the J drive to a new enterprise storage network today, August 04, 2021. The work will be performed at 10:30AM and completed before the end of today. We expect services to be down for 30-45 minutes during this window of time. Access to the J: drive will remain the same after the migration. 

The only effort required on your part is to click the J DRIVE LINK [included a fake link] and follow the instruction to migrate your data to the new enterprise storage network today. 

Sincerely,
IT Help Desk 

 

If you asked people within the company, they would say, “What’s the J Drive?” This is an anomaly and should be treated with high suspicion. You know the day-to-day work and feeling of being with your organization. An anomaly like this should stick out.

5. Tone

This is the most vague of the five red flags we’re sharing because it’s often a feeling, rather than something specific. You know how people sound. Everyone establishes a unique email tone over time. They type a certain way, phrase sentences a certain way, and use certain words like a habit. 

If the tone seems wrong, odd, or unusual, look at other factors. Look at what they’re asking you to do. Is it an unusual request? Are they prepping you to do something out of the norm? If in any doubt, go to the person and ask if they’ve sent it. Even if they did, it never hurts to check it out. 

 

If you’re already spotting the obvious signs of phishing attacks, add these five red flags to your arsenal when training employees or giving them materials about phishing signs. 

And when in doubt, verify. Pick up the phone. Call the person or organization. Ask if they sent the email. 

Are your employees prepared for phishing attacks? If you have any doubt, contact us through the form below and we’ll be happy to talk about some options that may work for you.