How to Identify Phishing Emails

In phishing emails, criminals sometimes pretend to be financial institutions, sometimes online shops, sometimes lottery organisations, and sometimes even your boss. Add to this a faithfully recreated email and website design, and suddenly there is a great danger of a successful phishing attack. So how is it possible to identify a phishing attack? With our overview of the characteristics of phishing emails, you can now detect any attempt at fraud and learn how to detect dangerous emails.

Features of phishing emails

Wrong sender address

A common method is to use sender addresses that resemble those of well-known companies or institutions and differ only slightly from the originals. Sometimes, for example, a vowel is missing so that “” becomes “” – which may not be noticeable when you skim the email. In other cases, the address contains combinations of numbers and letters, making them much easier to identify as phishing emails. Unfortunately, this is not only a typical feature of phishing emails, but also of newsletters or other valid mass emails.

Unusual recipient address

If the email was sent to an address other than the account login address you know, you need to be particularly careful. You may want to consider again whether you really used this address when you created your account.


Even if both the sender and recipient addresses seem to be correct, it is worth taking a closer look. A so-called “homographic attack” takes advantage of the fact that some characters have strong similarities. In the above heading, the capital “O” was replaced by the digit “0”, which the inattentive recipient may not notice.

The situation is even more difficult since the advent of internationalised domain names. The problem arises because logically different characters look the same in some cases. An example: the glyphs “а” and “a” probably look the same to you – but they are not. The former is the graphic representation of a Cyrillic letter, the latter the representation of a small Latin letter. Likewise, the Cyrillic letters с, е, о, р, х and у look the same to users as the Latin letters c, e, o, p, x and y.

Internationalised domain names make it possible to use the Cyrillic, Greek, Armenian and other alphabets for domain names. If very similar letters of another alphabet are used for known domain names, the link in an email does not lead to the known search engine provider (see previous heading), but to a phishing website.

Only a thorough analysis of the email header using special tools can help in these cases.
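The lookalike checks described under “Wrong sender address” and in the homograph passage above can be automated on the sender domain taken from the header. The following Python sketch is an added example, not part of the original article; the allow-list `KNOWN_DOMAINS`, the small confusables table and the function names are constructed assumptions.

```python
import unicodedata

# Constructed allow-list standing in for "domains you really deal with".
KNOWN_DOMAINS = {"example-bank.com", "example-shop.org"}

# Hand-picked lookalikes (assumption, not the full Unicode confusables data):
# Cyrillic a, c, e, o, p, x, y as named in the text, plus digit swaps.
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0445": "x", "\u0443": "y", "0": "o", "1": "l"}

def scripts(label):
    """Scripts used by the letters of a label (first word of the Unicode name)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(domain):
    """Map every lookalike character to the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def one_edit_apart(a, b):
    """True if a becomes b by one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def check_sender(address):
    """Return the list of reasons the sender's domain looks forged."""
    domain = address.rsplit("@", 1)[-1].strip(">").lower()
    if "xn--" in domain:  # IDNs appear in headers in ASCII (punycode) form
        domain = domain.encode("ascii").decode("idna")
    if domain in KNOWN_DOMAINS:
        return []
    reasons = []
    if any(len(scripts(label)) > 1 for label in domain.split(".")):
        reasons.append("mixed scripts in one label")
    skel = skeleton(domain)
    for known in sorted(KNOWN_DOMAINS):
        if skel == known:
            reasons.append(f"homograph of {known}")
        elif one_edit_apart(skel, known):
            reasons.append(f"one character away from {known}")
    return reasons
```

An empty list means the domain is on the allow-list or resembles nothing on it; any entry in the list is a reason to quarantine the message or inspect it manually.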

Unusual Subject

Subject lines such as “Earn an extra 10,000 euros now”, “Request loan online” or “Your account has been blocked” indicate a phishing attack. Banks handle urgent and confidential transactions by letter post, and you can generally be sceptical about fantastic financial offers or products – not only on the Internet.

It becomes downright perfidious in cases where personal and seemingly plausible statements are used, for example “I tried to reach you”, “You have to look at this” or “Look where I tagged you”. In these cases, criminals hope that the recipient is curious enough to open the email and click the link contained in it. In one of the last major phishing waves, passwords that actually belonged to the recipients and had been stolen during a database hack were included in the email.

Impersonal salutation

Emails that avoid a personal salutation or begin with greetings such as “Dear Customer”, “Dear Ladies and Gentlemen” or similar, point to a phishing email. Financial institutions or companies always address you by your name.

Spelling and syntax

If emails are written in flawed language containing spelling and grammar mistakes, this is a clear indication of an attempted fraud. The same applies if the email was written in an unusual mixture of English and another language.

Formatting errors and inconsistent layout

Phishing emails often contain incorrectly resolved or missing umlauts. For example, “ä” is replaced by “a” and “ö” by “o”. Missing characters that have been replaced by a black rectangle are also cause for scepticism. Remnants of HTML commands, a non-uniform layout or changing fonts also point to phishing.

Links, Forms and Attachments

The aim of a phishing email is always to encourage the recipient to take further action. For this purpose, these emails very often contain links to phishing websites. These websites are increasingly indistinguishable from the originals. Graphical elements, structure and texts are adopted in such a way that users are not aware of the danger in which they find themselves.

The same applies to forms that you must use to enter sensitive data. For example, you may be asked to confirm data or enter a PIN or TAN. You should be extremely sceptical about this. Banks will never ask you to enter such information in forms.

Attachments such as images or PDF files are also a popular tool for criminals. Frequently, a virus or other malware is downloaded, or you are automatically redirected to a phishing website, after clicking on the attachment in question.

Appeals, prompts and threats: it’s oh so urgent!

Most fraudulent emails have one thing in common: it’s all very urgent. If you act late or fail to do so at all, you may face serious consequences. Your account will be blocked (see above), your data will be deleted, or your prize is cancelled. You don’t really want that, do you?

In some cases, phishing emails appeal to your conscience, especially emails in which you are supposed to donate money or help someone in some way. In such cases, the consequences threaten not you, but someone else.

How to block phishing emails

Special software offers truly secure protection against phishing emails. It will let you identify all types of phishing attempts before they end up in your inbox. The right anti-phishing software scans every single email and ensures that only safe emails end up in your mailbox.

When choosing the software, it’s important to make sure that it checks whether the email comes from the specified sender. This is achieved, for example, by checking the sender reputation and detecting homographic attacks. The software should also provide effective attachment management and be able to “know” your communication partners. In this way, you can avoid harmless emails from important partners being blocked by mistake.