What is a Common Indicator of a Phishing Attempt?

November 05, 2021
an address box on a web brouser overlaid by two fish hooks.

Phishing is the most common cybercrime and the most dangerous for your business. Some of today’s most devastating cyberattacks, including incidents like the Colonial Pipeline ransomware disaster, started with a phishing email. Employees may encounter phishing attempts daily if action isn’t taken to keep phishing messages out of your IT environment. An estimated 6 billion phishing emails were sent to businesses daily in 2020. 

Learn the secret to ransomware defense in Cracking the RANSOMWARE Code. GET BOOK>>

Why Is It Important to Be Aware of Phishing?

Phishing is the type of cyberattack employees see the most. Cybercriminals favor phishing because it has a low barrier to entry, it’s cheap and it’s effective. Phishing is an easy way for bad actors to obtain passwords, user data and other credentials, enabling them to undertake other cybercrime operations like business email compromise or deploy ransomware. An estimated 75% of organizations in the United States were hit by a phishing attack that resulted in a data breach in 2020.

What Are Some Red Flags of Phishing?

Phishing can be tricky to spot, but these red flags should always give you pause as they’re common indicators that an email is actually a phishing attempt.  

Subject Line 

Is the subject line accurate? Subject lines that feature oddities like “Warning”, “Your funds has” or “Message is for a trusted” should set off alarm bells. If the subject or pre-header of the email contains spelling mistakes, usage errors, unexpected elements like emojis or other things that make it stand out from emails you regularly receive from the sender, it’s probably phishing.  


If the greeting seems strange, be suspicious. Are the grammar, punctuation and spelling correct? Is the greeting in a different style than you usually see from this sender? Is it generic when it is usually personalized, or vice versa? Anomalies in the greeting are red flags that a message may not be legitimate


Check the sender’s domain by looking at the email address of the sender. A message from a major corporation is going to come from that company’s usual, official domain. For example, If the message says it is from [email protected] instead of [email protected], you should be wary.  

Word Choices, Spelling & Grammar 

This is a hallmark test for a phishing message and the easiest way to uncover an attack. If the message contains a bunch of spelling and usage errors, it’s definitely suspicious. Check for grammatical errors, data that doesn’t make sense, strange word choices and problems with capitalization or punctuation. We all make the occasional spelling error, but a message riddled with them is probably phishing.  


Does this look like other messages you’ve received from this sender? Fraudulent messages may have small variations in style from the purported sender’s usual email style. Beware of unusual fonts, colors that are just a little off, logos that are odd or formats that aren’t quite right.  


Using malicious links to capture credentials or send victims to a web page that can be used to steal their personally identifiable information (PII) or financial information is a classic phishing scam. Hovering your mouse or finger over a link will usually enable you to see the path. If the link doesn’t look like it is going to a legitimate page, don’t click on it. If you have interacted with it, definitely don’t provide any information on the page that you’re directed to because it’s almost certainly phishing.  


Never open or download an unexpected attachment, even if it looks like a normal Microsoft 365 (formerly Office) file. Almost 50% of malicious email attachments that were sent out in 2020 were Microsoft Office files. The most popular formats are the ones that employees regularly exchange every day — Word, PowerPoint and Excel — accounted for 38% of phishing attacks. Archived files, such as .zip and .jar, account for about 37% of malicious transmissions.  


Is this someone or a company that you’ve dealt with before? Does the message claim to be from an important executive, politician or celebrity? A bank manager or tax agent you’ve never heard of? Be cautious about interacting with messages that seem too good to be true. Messages from government agencies should also be handled with care. Phishing practitioners love using fake government messages. In the United States, the federal government will never ask you for PII, payment card numbers or financial data through an email message out of the blue – that’s phishing. 

See how ransomware rocks businesses in The Ransomware Road to Ruin. DOWNLOAD IT NOW>>

How Can I Protect My Business from Phishing Attacks Affordably? 

Protecting your business effectively, efficiently and affordably is a snap when you choose automated, AI-powered email security with Graphus.  

Automated Phishing Protection with Graphus 

Graphus offers an array of benefits for businesses of every size that keeps phishing out of your business and away from your employees while empowering your employees to quickly stop a phishing attempt if they spot one. Graphus features three layers of protection between a phishing email and your business.   

TrustGraph uses more than 50 points of comparison to ferret out malicious incoming messages before they ever reach employees’ inboxes.  

EmployeeShield adds a bright, noticeable box that warns employees to use caution when handling unexpected messages.  

Phish911 makes it easy for employees to report any suspicious message that they receive to an administrator for help.  

Stop phishing with Graphus – the most simple, automated & affordable phishing defense available.

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.
Get a Demo of Graphus