Guide to Email Phishing: How Your Email Could be Attacked and How to Prevent It


With every passing day, there are more internet users around the world. By April 2020, nearly 4.57 billion people across the globe were actively using the internet, close to 60 percent of the world's population. By 2030, that share is forecast to rise to 90 percent.

There is no escaping the internet as it is the fabric of our daily lives. Companies use the internet to sell products and connect with customers. Governments use it to provide services and communicate with citizens. Private individuals use the internet to be entertained, socialize with friends and family, pay bills, and even run their own businesses.

Unfortunately, increased use of the internet corresponds to a rise in cybercrime too. By 2021, damages caused by cyberattacks were forecast to reach as much as $6 trillion a year.

Businesses and governments in every country and industry spend enormous budgets each year trying to prevent and halt cyberattacks, adopting sophisticated technologies and hiring entire cybersecurity teams to help combat the threat. For many, cybercrime is simply a problem of technology. However, that is only half the story.

Most successful attacks begin with a human decision: a link clicked, an attachment opened, a password typed into the wrong page. The single most effective way to protect against such attacks is education and changing behaviors around the use of technology. Especially during National Cybersecurity Awareness Month, that is the key to #BeCyberSmart.

There are many ways that cybercriminals break into important networks and systems. One of the most common and effective is to manipulate people into working around technology-based defenses and granting access to systems the attacker is not authorized to use. This is called "social engineering," and phishing is its most widespread form.

Understanding Phishing Attacks 

In a phishing attack, the cybercriminal poses as a legitimate user or organization in an attempt to obtain sensitive personal information from the target. The types of information sought include credit card details, login passwords, and personally identifying data.

The purpose of the attack is to gain unauthorized access to sensitive accounts, such as an online bank account, or to gather intelligence for future attacks against the victim.

How Phishing Attacks Work

A phishing attack can occur over the phone, by text message, or over the internet. Attackers tend to prefer the internet, as their activity is harder to trace. Online phishing attacks are conducted using messages on social media or malicious ads; however, the most common method by far is email.

This is what an email phishing attack looks like: the attacker sends an email that seems to be from a legitimate company or organization, such as a social media network, bank, ISP, or another familiar brand. The email carries a malicious attachment, and the message persuades the victim to open it. Opening the file runs malware that gives the attacker a foothold on the victim's computer or network.

The other common technique is to get the victim to click a link in the email. The link leads to a page that imitates the real organization's site and asks the victim to take some action, such as "updating" or "confirming" their account details. Whatever the victim types into that page goes straight to the attacker, who then uses it to access the victim's real account and data.

Phishing Emails: The Basics

Phishing emails might look like legitimate emails; however, they have distinguishing features if you know what to look out for. Here are five warning signs that help pinpoint a potential phishing email:

1. Intimidating language: Phishing emails are often written to threaten or intimidate the victim into taking an action. One common example is a message stating that the user's account will be deactivated unless they click on the link and do what the email tells them to do. The aim is to create enough pressure that the victim follows the attacker's instructions right away, without stopping to think.

2. The name and email address of the sender: Phishing emails often display a sender name or address that is at odds with what you would expect to see. The sender information may look unprofessional or have missing details. This is a suspicious sign and should be taken seriously.

Look at both parts of the sender line: the display name and the actual address in angle brackets. A name such as "Your Bank Security Team" paired with an address at a free webmail service, or an address whose domain is a slight misspelling of the real company, is a classic sign. Also check the Reply-To address if your mail client shows it; attackers often make replies go to an address different from the one shown in From. Keep in mind that the From header itself can be forged, so a correct-looking address is not proof that the message is genuine, only a mismatched one is proof that something is wrong.

3. Email recipient names are not displayed: The To field is worth paying close attention to. Mass phishing emails are often addressed to "Undisclosed Recipients," to a generic address, or to no visible recipient at all because everyone was put in BCC. This is a sign that the sender was trying their luck and reaching out to many users in the hope of catching a few victims.

4. Suspicious hyperlinks inside the email: It is very important to check the links included in the email to make sure they are legitimate. You can do this by hovering your mouse over the hyperlink so that the real destination URL appears in the status bar at the bottom of the window (on a phone, press and hold the link instead of tapping it). Read the domain carefully: the part that matters is the host name just before the first single slash, and a link can begin with the genuine company's name and still end in a domain the attacker controls. Do not click if the hyperlink seems suspicious.

5. Suspicious attachments in the email: Emails are often sent with various attachments, such as Word or Excel files or PDF documents. It is prudent to take care when opening any attached file if you are unsure of the sender or email. Be particularly careful of executable files: programs and scripts (for example .exe, .scr, .js, .vbs, or .hta files) that run code as soon as they are opened. Attackers also disguise them with double extensions such as "Statement.pdf.exe," and macro-enabled Office documents (.docm, .xlsm) can run code too. You do not want to allow any such file to run on your machine.
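The five warning signs above can be checked mechanically. The following script is an added example written for this article, not code from the original page or from any mail product; it scores a raw email message against all five signs using only the Python standard library. The two sample messages, their domain names, and the phrase and extension lists are constructed placeholders, and the "registrable domain" helper deliberately uses a simplification (last two labels) that a real checker would replace with the Public Suffix List.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sign 1: pressure phrases (constructed starter list; extend for your environment).
URGENT_PHRASES = ("will be deactivated", "immediately", "within 24 hours",
                  "verify your account", "suspended", "unauthorized login")
# Sign 5: executables, scripts and macro-enabled Office files (constructed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                    ".docm", ".xlsm", ".lnk", ".iso")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def registrable_domain(host):
    """Organization domain approximated as the last two labels (assumption:
    a production checker would use the Public Suffix List instead)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so link text can be compared to target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw):
    """Return [(indicator, detail), ...] for a raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    is_html = body_part is not None and body_part.get_content_type() == "text/html"

    # 1. Intimidating language in subject or body (HTML tags stripped first).
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENT_PHRASES if p in text]
    if hits:
        findings.append(("urgent_language", ", ".join(hits)))

    # 2. Display name naming a domain other than the real address, or a
    #    Reply-To that sends answers to a different domain.
    name, addr = parseaddr(str(msg["From"] or ""))
    from_dom = registrable_domain(addr.rpartition("@")[2])
    for dom in DOMAIN_RE.findall(name.lower()):
        if registrable_domain(dom) != from_dom:
            findings.append(("sender_mismatch", f"name shows {dom}, address is {addr}"))
    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if reply and registrable_domain(reply.rpartition("@")[2]) != from_dom:
        findings.append(("reply_to_mismatch", reply))

    # 3. Recipients hidden: no To header, or an "Undisclosed Recipients" group.
    to = str(msg["To"] or "").lower()
    if "@" not in to:
        findings.append(("hidden_recipients", to or "<no To header>"))

    # 4. Link text that names one domain while the href goes to another,
    #    or a link that points at a bare IP address.
    if is_html:
        collector = LinkCollector()
        collector.feed(body)
        for href, shown in collector.links:
            host = (urlparse(href).hostname or "").lower()
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                findings.append(("ip_link", href))
                continue
            m = DOMAIN_RE.search(shown.lower())
            if host and m and registrable_domain(m.group()) != registrable_domain(host):
                findings.append(("link_mismatch", f"text says {m.group()}, goes to {host}"))

    # 5. Attachments with executable, script or macro-enabled extensions
    #    (catches double extensions such as Statement.pdf.exe as well).
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            findings.append(("risky_attachment", fname))
    return findings

# Constructed sample that exhibits all five signs (placeholder domains).
PHISH_EML = """\
From: "support@paybank.example" <alerts@mail-notify.example>
Reply-To: collect@another-host.example
To: Undisclosed Recipients:;
Subject: Your account will be deactivated within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html; charset="utf-8"

<p>We detected an unauthorized login. Verify your account immediately:</p>
<p><a href="http://paybank.example.login-check.example/verify">https://paybank.example/security</a></p>
--sep
Content-Type: application/octet-stream; name="Statement.pdf.exe"
Content-Disposition: attachment; filename="Statement.pdf.exe"

placeholder
--sep--
"""

# Constructed benign sample for contrast (placeholder domains).
CLEAN_EML = """\
From: Acme Support <support@acme.example>
To: alice@example.org
Subject: Your March statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="https://acme.example/statements">acme.example/statements</a> to view it.</p>
"""

if __name__ == "__main__":
    for kind, detail in check_message(PHISH_EML):
        print(f"{kind:18} {detail}")
    print("clean message findings:", check_message(CLEAN_EML))
```

Run it and the constructed phishing sample produces one finding per sign, while the benign message produces none. The checks are heuristics: a message that passes all five can still be malicious, and a genuine newsletter sent to BCC recipients will trip sign 3, which is why the script reports evidence rather than a verdict.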

Typically, phishing emails are sent to large groups of people in the hope that even a small number will take the bait and click on a link or open an attachment. However, there is another type of phishing attack that targets specific individuals, and it is called spear phishing.

Spear Phishing: An Overview

In a spear phishing attack, the attackers collect information about a specific person and use it to craft a personalized email aimed at them alone. The aim of a spear phishing email is to convince the victim that the message is real and trustworthy so they will open an attachment or hand over some sort of sensitive data. This opens the gates so that the attacker can get past the security measures on a network and enter the IT system.

For a spear phishing attack to succeed, the cybercriminals gather intelligence about the target from personal information that is publicly available, such as social media profiles, people-search websites, and corporate bios. Collecting intelligence from public sources in this way is called open-source intelligence (OSINT).

6 Ways to Protect Yourself From Phishing and Spear Phishing Email Attacks

Stopping phishing attacks completely is not realistic; however, there are ways to minimize the chances of falling victim. Here are some simple steps you can take to protect your sensitive data and the security of your networks and systems.

1. Keep the amount of personal information you display publicly online to a minimum. The stronger your personal presence on the internet, the more material an attacker has for a convincing spear phishing email.

2. Never click on links in emails that you feel uncertain about. Hover your mouse over the link (or press and hold it on a phone) so you can see the real destination first, and when in doubt, type the organization's address into your browser yourself instead of using the link.

3. Never open or download attachments from people you don't know, and never run executable files that arrive by email. If an email has Microsoft Office files attached, open them in Protected View and do not enable macros or editing when the document asks you to. This helps prevent the installation of malware on your device if the file is infected.

4. Don't visit websites that are not legitimate or authentic, and don't click on popup ads on sites you don't trust.

5. If you receive an email that seems suspicious, contact the sender another way, such as a phone call or a chat app, and ask whether they really sent it. Use contact details you already have, not a phone number or address given in the suspicious email itself.

6. Install antivirus software that includes phishing defense, and keep your operating system and installed programs and apps up to date at all times. Turn on multi-factor authentication wherever it is offered, so that a password stolen through phishing is not enough on its own. If you do fall victim to a phishing attack, antivirus software provides a last line of defense.

When it comes to cybersecurity, adopting security software on all devices is vital; however, the mistakes people make are still a huge cause for concern. People must be made aware of the defining features of phishing emails and understand the risks of phishing attacks for any cybersecurity plan to succeed.

Organizations all over the world need cybersecurity professionals who can help prevent phishing attacks and all other kinds of cybercriminal activity. There are currently millions of open cybersecurity positions at high-quality companies, which means there is abundant opportunity to launch a cybersecurity career with the Nexus at University of Michigan Engineering Cybersecurity Professional Bootcamp.

Each course is led by industry experts, and a team devoted to career services will guide you toward your ideal job upon completion. In under a year, you can qualify as a cybersecurity professional and help prevent phishing attacks and all other kinds of cyberattacks that put the world's data at risk. Contact an Admissions Advisor today to schedule a consultation and get started on the road to a new career.
