Phishing is one of the most prevalent types of cybercrime that businesses around the world are currently facing, and a successful attack can have devastating consequences, no matter the size of your organization or which industry you’re operating in.
As the holidays approach, many of us have a tendency to become less aware of the threats that we might be facing in the workplace; we’re too busy winding down, thinking about spending time with family and friends, and whether to have a second mince pie. But hackers don’t break up for the holidays.
To help you keep yourself and your organization safe this holiday season, we’ve put together a—suitably festive—list of indicators that an email might not really be from who the sender claims to be, using real-life examples that our technical team has seen this year.
If you want to sing along, we’re skipping straight to the last verse. So, without further ado: “On the 12th day of Phishmas, a scammer gave to me…”
Twelve Urgent Requests

Creating a sense of urgency is a common tactic that attackers use to get results quickly, because it encourages recipients to react to a message rather than stop, think and respond to it. In Q3 this year, two of the five most commonly clicked phishing simulations in the U.S. had subject lines that created a sense of urgency. The defence is simple but takes discipline: a genuinely urgent request will survive a two-minute delay while you confirm it with the sender by phone or in person.
Eleven Strange Attachments

If you receive an email from a colleague with an unexpected file attached, you should always check with them via another method of communication whether it was genuinely them that sent it. And if you’re sent an email with an attachment from an unfamiliar sender, it’s better to not open it at all.
That’s because you could be unknowingly downloading malware onto your device. As many people have continued to work from home either full-time or part-time this year, it’s become the “new norm” to send administrative documents via email. Cybercriminals know this, so they impersonate trusted senders and send out malware disguised as a harmless file, hoping you’ll open it and give them a foothold for a follow-on attack such as ransomware.
And these files really are well disguised! Windows executables, PDFs and Office documents, all of which most of us use on a daily basis, were all within the top five malicious email attachment types seen in T2 2021. An Office document that asks you to “enable content” before it will display properly is itself a warning sign: that prompt is how a macro gets permission to run.
Ten Grammar Errors

If a phishing email was written by someone whose first language isn’t the same as your own, or was produced by a machine-translation or AI text tool, it may contain grammatical or spelling errors. Most professional institutions try to avoid these mistakes in their communications, so inconsistent grammar can be an indication that something is wrong. The reverse doesn’t hold, though: well-written phishing emails are common, so polished language is not evidence that a message is genuine.
Nine Impersonations

Malicious actors may pretend to be a reputable entity, such as a business you regularly engage with or whose services you use, in order to gain your trust. In this example, someone claiming to be from Microsoft is baiting you into clicking a malicious link; Microsoft is the most impersonated brand globally when it comes to phishing attempts that involve spoofing.
Eight Generic Greetings

Some spam messages might address you with impersonal language instead of using your name. Attackers often use this approach when sending emails out to as many recipients as possible in a traditional phishing campaign (as opposed to a more targeted spear-phishing campaign), because it enables them to reach more targets at once, with as little effort as possible.
You might have noticed that, in this example, the attacker is also trying to create a sense of urgency. Combining tactics is a common way for cybercriminals to induce panic and make a less wary victim more likely to take the bait.
Seven Mismatched Domains

This message claims to come from Dell, but the sending domain is completely unrelated—this is another clear indicator that the sender isn’t who they say they are.
72% of attackers use free webmail providers to send phishing emails when impersonating other entities, and over half of these use Gmail as their delivery method, because these accounts cost nothing and take minutes to set up. Businesses send from their own registered domain, so a message that claims to come from a company but arrives from a free webmail address such as Gmail should be treated as hostile until you have verified the sender by another route: don’t click its links or open its attachments first. Bear in mind that the reverse isn’t a guarantee. A plausible-looking domain can be a look-alike registered for the campaign, and an attacker who has compromised a genuine mailbox sends from the real domain, so the display name, the address, the Reply-To and the message content all need to agree before you trust it.
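To make the domain check concrete, here is a small Python script, added as an example and not part of the original post, that pulls the sender headers apart and reports the kinds of mismatch described above. The sample message, the list of free webmail providers and the brand-to-domain mapping are all made up for the demonstration; swap in your own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for the demo; not a real email.
SAMPLE_MESSAGE = """\
From: Dell Support Team <dellsupport.team2021@gmail.com>
Reply-To: dell-orders@outlook.com
Return-Path: <bounce@mailer.example>
To: finance@victim.example
Subject: URGENT: your order is on hold

(body omitted)
"""

# Free webmail providers a business would not normally send from.
# Assumed list for illustration; extend it for your environment.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com", "icloud.com"}

# Brand words worth matching against display names, and the domains those
# brands really mail from. Assumed mapping for illustration only.
BRAND_DOMAINS = {
    "dell": {"dell.com"},
    "microsoft": {"microsoft.com"},
    "netflix": {"netflix.com"},
}


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if there is none."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def on_domain(domain, allowed):
    """True if `domain` is one of `allowed` or a subdomain of one of them."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(raw_message):
    """Return a list of human-readable red flags found in the sender headers."""
    msg = message_from_string(raw_message)
    flags = []

    display, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))

    # 1. Business mail arriving from a free webmail address.
    if from_domain in FREE_WEBMAIL:
        flags.append(f"From domain {from_domain} is a free webmail provider")

    # 2. Display name claims a brand, but the address is not on that brand's domain.
    words = set(re.findall(r"[a-z]+", display.lower()))
    for brand, domains in BRAND_DOMAINS.items():
        if brand in words and not on_domain(from_domain, domains):
            flags.append(f"display name claims {brand!r} but address domain is {from_domain}")

    # 3. Replies or bounces would go somewhere other than the claimed sender.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            flags.append(f"{header} domain {other} differs from From domain {from_domain}")

    return flags


if __name__ == "__main__":
    for flag in check_sender(SAMPLE_MESSAGE):
        print("FLAG:", flag)
```

Run against the sample it reports four flags: the Gmail sender, the “Dell” display name on a non-Dell domain, and a Reply-To and Return-Path that both point somewhere else. This is a triage aid, not a substitute for SPF, DKIM and DMARC: a forged From on a legitimate-looking domain is caught by those checks at the mail gateway, not by anything in the headers a user can see.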
Six Shady Offers

If a deal in your inbox sounds too good to be true, it most likely is. Sometimes, scammers will promise a reward if you follow their request, but this is almost always a trick to steal your information.
If the message claims to be from someone you know, verify the offer with them via another form of communication, preferably by giving them a call or asking them in person. If it’s from a brand, like in this example, go to their website directly—don’t click on the link.
Five Unknown Links!

As well as using phishing emails to trick users into installing malware, attackers often use them to steal sensitive data from their victims, such as financial information or login credentials. One of the most common ways that they do this is by encouraging their victim to click on a link that takes them to a phishing website disguised as a login page. If the user enters their credentials, the page sends them straight to the attacker.
But how can you tell whether a link is genuine?
Well, even if a link shows the expected text, hovering over it (or pressing and holding it on a phone) may reveal a different destination entirely; the visible text of a link and the address it actually opens are two separate things. Look at the domain of the destination, not just whether the brand name appears somewhere in the address, and be wary of shortened or tracking links that hide the real destination behind a redirect. If the link seems to point to a legitimate website but you weren’t expecting the email in the first place, you should still verify that the sender is who they say they are by asking them via a phone call or in person.
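The gap between what a link says and where it goes is easy to check mechanically. The Python below is an added example, not code from the original post: it walks an HTML body and, for every link whose visible text names a domain, compares that domain with the one the href really points at. The HTML snippet is constructed for the demo, and the two-label “registrable domain” shortcut is an assumed simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML standing in for a phishing email body; not a real message.
SAMPLE_HTML = """\
<p>Your Netflix account is on hold. Please visit
<a href="https://netflix-billing.verify-account.example/login">https://www.netflix.com/account</a>
within 24 hours.</p>
<p><a href="https://www.netflix.com/help">Help Centre</a></p>
<p>Or sign in at <a href="https://netflix.com.account-check.example/">netflix.com</a>.</p>
"""


def registrable(host):
    """Crude registrable-domain guess (last two labels). Assumed simplification:
    production code should use the Public Suffix List so that e.g. co.uk is handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def host_in_text(text):
    """If the visible link text looks like a URL or bare domain, return the host it names."""
    text = text.strip()
    if "://" in text:
        return urlsplit(text).hostname or ""
    if re.fullmatch(r"[\w-]+(\.[\w-]+)+(/\S*)?", text):
        return text.split("/")[0]
    return ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def mismatched_links(html):
    """Return (href, text) pairs whose visible text names one domain while the
    href really lands on a different registrable domain."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        shown = host_in_text(text)
        if not shown:
            continue  # plain words like "Help Centre" make no claim about the destination
        actual = urlsplit(href).hostname or ""
        if registrable(shown) != registrable(actual):
            suspicious.append((href, text))
    return suspicious


if __name__ == "__main__":
    for href, text in mismatched_links(SAMPLE_HTML):
        print(f"shows {text!r} but goes to {href}")
```

The first and third links in the sample are flagged; the “Help Centre” link is not, because ordinary words make no claim about where they lead. Note that the third one is the pattern to train people on: the real brand domain sits at the front of the hostname, but the part that decides who you are talking to is the end.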
Four Scare Tactics

Attackers may threaten negative consequences if you don’t comply with their request. For example, phishing emails might “warn” you that your account will be deactivated, that you’ll receive a fine, or that you’ll miss a meeting unless you click.
Three Scanned Docs

It isn’t unheard of for printers and scanners to send documents via email. But if these messages come from strange external domains or contain attachments or links you weren’t expecting, they could be malicious; your own devices normally send from an internal address that IT can confirm for you. It’s always a good idea to check that the source is legitimate by directly contacting the supposed sender, not by replying to the email or following its link to the “scanned documents”.
Two Fake Login Screens

While this email promises to take you to Netflix, the login page that appears here may be an impostor trying to steal your credentials.
Of the 20% of employees that are likely to click on a phishing link, an alarming 67.5% go on to enter their credentials on a phishing website, unknowingly giving their attacker the keys they need to tap into their company’s data.
If you receive an email with a link to a login page, the safest thing to do is to go directly to your account through the sender’s website, rather than by clicking on the link in the email. But if you do find yourself faced with a potentially dodgy login screen, there are a few indicators that you can look out for to check whether it might be malicious:
- Check for spelling and grammatical errors on the page and in the website URL. Attackers often disguise malicious websites by naming them after a legitimate site but changing a character or two in the URL, e.g. “expert1nsights.com” instead of “expertinsights.com”.
- Don’t treat HTTPS or the padlock as proof of legitimacy. They only mean that your connection to that domain is encrypted, and certificates are free, so most phishing pages have them too. A login page without HTTPS is a red flag, but one with HTTPS can still be an impostor. Cybercriminals have also found ways of hosting malicious pages within legitimate domains so, if you’re uncertain at all, don’t enter your credentials.
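Spotting a look-alike by eye is hard, which is exactly why the “expert1nsights” trick works. As an added example, not from the original post, this Python classifies a login URL against a small watch list of legitimate domains: it folds digits that mimic letters back to the letters they resemble, measures the edit distance of the brand label, and catches the real brand domain buried as a subdomain of something else. The watch list, the homoglyph table and the edit threshold are assumptions for the demo, and the scheme (http versus https) deliberately plays no part in the verdict.

```python
from urllib.parse import urlsplit

# Domains your users legitimately sign in to. Assumed watch list for illustration.
WATCHLIST = ["expertinsights.com", "microsoft.com", "netflix.com", "dell.com"]

# Digits attackers substitute for the letters they resemble. Assumed, deliberately small table.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable(host):
    """Crude registrable-domain guess (last two labels). Assumed simplification;
    use the Public Suffix List in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url, max_edits=2):
    """Return ('trusted', domain), ('lookalike', imitated_domain) or ('unknown', domain).

    The scheme is ignored on purpose: an https:// URL with a padlock is no
    evidence of legitimacy, only that the connection to *that* host is encrypted.
    """
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable(host)
    if domain in WATCHLIST:
        return ("trusted", domain)

    # Fold look-alike characters back to letters before comparing the brand label.
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    for good in WATCHLIST:
        good_label = good.split(".")[0]
        # Near-miss spelling (expert1nsights, expertinsight, netfilx) ...
        near_miss = levenshtein(label, good_label) <= max_edits
        # ... or the real brand domain used as a subdomain of something else.
        nested = host.startswith(good + ".") or ("." + good + ".") in host
        if near_miss or nested:
            return ("lookalike", good)
    return ("unknown", domain)


if __name__ == "__main__":
    for u in ("https://expert1nsights.com/login", "https://www.netflix.com/login",
              "https://netflix.com.account-check.example/", "https://accounts.google.com/"):
        print(u, "->", classify_login_url(u))
```

Two tuning notes from running this for real: short brand labels such as “dell” need a smaller threshold than long ones or everyday words start matching, and a production version should use the Public Suffix List for the registrable domain and a full confusables table (Unicode TR39) rather than the handful of digits above, since internationalised domain names give attackers far more look-alike characters than the ASCII digits.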
And A Reason To Improve Security!

A successful phishing attack can have devastating consequences for your organization, including operational downtime, reputational damage, data loss, direct financial loss and resulting financial loss through the cost of remediation, legal fees and compliance fines.
But luckily, there are a lot of ways that you can improve your organization’s security posture to help prevent phishing attacks. These include implementing technical security solutions that stop phishing emails before they reach their intended recipients, implementing multi-factor authentication to stop attackers accessing accounts even if they steal an employee’s credentials, and training your employees to spot an attack before it’s too late. Where you can, choose phishing-resistant MFA such as FIDO2 security keys or passkeys: one-time codes and push approvals can be relayed to the real site by a proxy page in real time, whereas a FIDO2 credential is bound to the genuine domain and simply won’t work on a look-alike.
We’ve put together a series of buyers’ guides to the top products designed to protect your organization’s inboxes against phishing attempts, which you can find below: