The three most common email phishing techniques

I’m sure you’ll agree with me when I state that receiving scam and phishing emails is almost a daily occurrence. No matter how good your IT system is, cybercriminals are always finding better ways to bypass IT security systems. As such, email phishing is the new normal. In this article we’re going to outline the three most common email phishing techniques cybercriminals use, so you know what to look out for and are not caught out. Number 3 on the list is something you should make your colleagues and associates aware of, as it’s becoming more common and becoming a victim of this attack is highly likely.

1. Spoofing

Email spoofing is when a cybercriminal sends out a mass email to an extensive list of email addresses pretending to be from another sender. An excellent example of this, which we see regularly, is emails that have been designed to appear to come from well-known technology companies. These include:

  • Microsoft Office 365
  • Apple ID Login
  • Amazon
  • Google
  • Adobe

Here is a perfect example of a spoofed email from what appears to be Office 365:

Example Phishing Email

The only way to know whether this email is legitimate or not is to look closely at the sender’s email address. In the example above the sender is, which is not a domain owned by Microsoft. That’s the first error. The second is the “resolve issue now” button. Hovering over this link will reveal the URL to which the link goes. It is essential to check all links manually before you click.

2. Cloned Website

A cloned website is usually the second part of a spoofed email. When you click on a malicious URL in an email, it will take you to a page that looks like a genuine login screen for an online service you may use. These cloned websites are easily created by cybercriminals and can be replicated to many website domains.

Fake Website Login

Again, the only real way to know if it is an official website or not is by checking the URL in the address bar. If you are in doubt, then it’s worth raising a support ticket with your IT provider or department. Many online services now attempt to block malicious websites once reported. Both Google & Microsoft have services which monitor and will warn if you are visiting a malicious website. This feature does not detect all malicious websites, so again check with your IT department.
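The two manual checks described above (the sender’s domain in section 1 and the real destination of a link or login page) can also be scripted for a mailbox triage tool. The following is an added example, not part of the original article; the allow-list, the sample message and the names `EXPECTED`, `SAMPLE`, `in_expected` and `review` are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumption: an illustrative allow-list of domains this brand sends from.
EXPECTED = {"microsoft.com", "office.com"}
# Constructed sample message; every address and URL in it is made up.
SAMPLE = """\
From: "Microsoft Office 365" <support@account-alerts.example>
Content-Type: text/html; charset="utf-8"

<p>We detected a problem with your mailbox.</p>
<a href="http://login.secure-portal.example/o365">Resolve issue now</a>
"""

class LinkCollector(HTMLParser):  # collects (visible text, href) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def in_expected(host, expected=EXPECTED):  # exact domain or a subdomain of it
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected)

def review(raw, expected=EXPECTED):  # findings for sender and HTML links
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    findings = [] if in_expected(domain, expected) else [
        f"sender '{display}' uses unexpected domain {domain}"]
    parser = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for text, href in parser.links:
        host = urlsplit(href).hostname
        if not in_expected(host, expected):
            findings.append(f"link '{text}' goes to unexpected host {host}")
    return findings
```

The suffix match requires a leading dot, so a lookalike host that merely contains or ends with the brand name is still reported.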

3. Manual Smart Attack

Smart attacks can come in many forms, and they can leave you second-guessing yourself. An excellent example of a smart attack we recently encountered was an email sent to an HR manager just before payroll was about to be run.

HR Payroll Attack

The email in question appeared to be from a senior director in the company, asking the HR manager to update his personal bank details for payroll. The email itself looked legitimate, and the only thing that stopped the instruction going through was the HR manager, who asked the senior director to confirm. This attack was so smart that there’s no real way for software or systems to overcome it. As such, it’s essential that staff are aware of the threats that can come in many forms from email.
