Welcome to PhishGuard

A Game-Based Approach to Phishing Awareness

Research Project

Closing the Knowledge-Behaviour Gap

A Game-Based Learning Approach to Phishing Awareness Among University Students

Researcher: Norah · Lancaster University · School of Computing and Communications
01

About the Study

A research study exploring whether game-based learning can improve your ability to detect phishing emails and build safer online habits.

02

Time Commitment

Each session takes approximately 20-30 minutes. You will complete 4 phases over several weeks, including a follow-up after 4-6 weeks.

03

What You Gain

Practical skills in identifying phishing attempts that protect you online. All data is fully anonymised and confidential.

04

How It Works

Pre-test, intervention (game or reading), post-test, and a delayed follow-up. Both groups complete the same assessments.

Participant Registration

Please provide the following information. All data is anonymised.

This is assigned by the researcher

Welcome Back

Enter your Participant ID to continue.

Study Dashboard

Welcome back, Participant

Overall Progress: 0 of 4 phases completed

1. Pre-Test

Phase 1
Available

Complete a phishing detection test and security behaviour questionnaire to establish your baseline.

Classify 10 emails as phishing or legitimate
Complete the Security Behaviour questionnaire

2. Intervention

Phase 2
Locked

Play the PhishGuard game to learn phishing detection skills through interactive scenarios.

3 levels of increasing difficulty
Realistic email scenarios
Instant feedback on every decision

3. Immediate Post-Test

Phase 3
Locked

Complete the same assessments again so we can measure any changes in your detection abilities.

Classify 10 emails as phishing or legitimate
Complete the Security Behaviour questionnaire
Share your experience (short feedback)

4. Delayed Post-Test

Phase 4
Locked

Return after 4–6 weeks for a final assessment to measure long-term retention.

Classify 10 emails as phishing or legitimate
Complete the Security Behaviour questionnaire

Phishing Detection Test

You will now be shown 10 emails. For each email, you need to decide whether it is a phishing attempt or a legitimate email.

Instructions

  1. Carefully read each email, including the sender address, subject line, and body.
  2. Look for signs that the email might be a phishing attempt.
  3. Click "Phishing" if you believe it is a phishing email, or "Legitimate" if you believe it is genuine.
  4. There is no time limit for this test. Take your time.

Email 1 of 10

Test Complete!

0/10

Emails Correctly Classified

0%

Security Behaviour Questionnaire

Welcome to NexGen Technologies!

Congratulations! Today is your first day as a new employee at NexGen Technologies, a growing tech company. You've just been set up with your company email account: you@nexgen-tech.com.

Your manager has warned you that the company has been receiving an increasing number of phishing emails lately. It's your job to carefully review each incoming email and decide whether it's legitimate or a phishing attempt.

How It Works

  • 3 Levels of increasing difficulty
  • Score points for correct classifications
  • Instant feedback after each decision
  • Later levels introduce time pressure
  • Earn bonus points for speed and perfect levels

Ready to prove you can spot the fakes?

5 Emails
Easy Difficulty
750 Max Points
Level 1/3
Email 1/5
Score 0
Accuracy --%

Level 1 Complete!

0 Points
0/5 Correct
0% Accuracy

Game Complete!

Great job completing all three levels!

0

Total Score

Level | Score | Correct | Accuracy
Total | 0 | 0/15 | 0%

Phishing Awareness Information

What is Phishing?

Phishing is a type of cyber attack where criminals attempt to trick you into revealing sensitive information such as passwords, credit card numbers, or personal data by disguising themselves as a trustworthy entity. Phishing remains the most common cyber threat, with over 3.4 billion phishing emails sent every day worldwide. University students are a particularly targeted group due to frequent use of email, online services, and shared networks.

Phishing attacks range from crude mass-mailed scams to highly targeted attacks that impersonate colleagues and reference real projects. Understanding the full spectrum is essential for protecting yourself in both personal and professional contexts.

Section 1: Recognising Obvious Phishing Emails

Many phishing emails contain obvious red flags that you can learn to spot immediately. These are the most common indicators:

1. Suspicious Sender Domains

Always check the sender's full email address, not just the display name. A legitimate company email will come from its official domain (e.g., @nexgen-tech.com). Phishing emails often use misspelled or completely unrelated domains (e.g., @nexgentech.com, @mail-lottery.com, @security-warning-alert.com).

2. Generic Greetings

Phishing emails typically use impersonal greetings such as "Dear User", "Dear Valued Customer", or "Dear Employee" rather than your actual name. Legitimate organisations that have your account will usually address you by name.

3. Too-Good-to-Be-True Offers

Emails claiming you have won a prize, inherited money, or been selected for an exclusive reward are almost always scams. If you did not enter a competition or expect a payment, treat it as suspicious. Classic examples include lottery winnings, gift card prizes, and advance-fee scams.

4. Poor Grammar and Spelling

Professional organisations proofread their communications. Multiple spelling errors ("inovice", "costumer", "departmant"), grammatical mistakes, and excessive punctuation (!!!) are strong indicators of phishing.

5. ALL CAPS and Excessive Urgency

Subject lines or body text written entirely in capital letters, combined with multiple exclamation marks, are designed to trigger panic. Legitimate organisations communicate calmly and professionally.

6. Fake Virus and Security Warnings (Scareware)

Some phishing emails claim your computer is infected and urge you to download a "security tool" or "antivirus scanner" immediately. These emails often include alarming language like "CRITICAL ALERT" or "Your system has been compromised." The attached file or download link is typically malware (e.g., .exe files). Legitimate security teams never send executable files via email or ask you to download tools from external links.

7. Fake Invoice and Billing Scams

Attackers send fake invoices for products or services you never purchased. The email may claim you owe money and threaten legal action or account suspension. The invoice is usually an attachment containing malware, or a link to a phishing page. If you did not order a product or service, do not open any attachments or click any links. Verify directly with the company through their official website.

Example: Obvious Phishing

From: PRINCE ABUBAKAR <prince.abu88@mail-lottery.com>
Subject: URGENT!!! YOU HAVE BEEN SELECTED FOR $4,500,000.00 USD!!!
Red flags: ALL CAPS, unknown sender, unrelated domain, too good to be true, requests bank details and upfront fee.

Example: Scareware

From: Security Center <alerts@security-warning-alert.com>
Subject: CRITICAL: Virus Detected on Your Computer - Immediate Action Required
Red flags: Fake security domain, asks you to download an .exe file, uses scare tactics, generic greeting. Legitimate IT teams do not send executable files by email.
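The Section 1 indicators can be checked mechanically, which is how a mail filter would apply them. The script below is an added example written for this page (it is not part of the PhishGuard game or study materials): it parses a raw email with Python's standard library and reports the obvious red flags described above. The keyword lists, the executable-extension list, the money threshold and the three sample messages are constructed for the demo; the two phishing samples reuse the sender and subject lines from the examples above.

```python
"""Report the 'obvious' phishing indicators from Section 1 for a raw email.

Added example for this page (not part of the PhishGuard game). The keyword
lists, the money threshold and the three sample messages are constructed.
"""
import email
import re
from email import policy

GENERIC_GREETINGS = ("dear user", "dear valued customer", "dear customer", "dear employee")
URGENT_WORDS = ("urgent", "immediate action", "critical", "act now", "suspended")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat")   # constructed list; the page names .exe
MONEY_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d+)?)")
BIG_SUM = 100_000  # constructed threshold for "too good to be true"


def red_flags(raw: str) -> list:
    """Return a list of human-readable red flags found in the raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # 5. ALL CAPS and excessive punctuation in the subject line
    subject = str(msg["subject"] or "")
    letters = [c for c in subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.7:
        flags.append("subject is mostly ALL CAPS")
    if "!!" in subject:
        flags.append("repeated exclamation marks in subject")

    # Use the plain-text body for the remaining checks
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (subject + "\n" + body).lower()

    # 5. Urgency language anywhere in subject or body
    hits = [w for w in URGENT_WORDS if w in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    # 2. Generic greeting on the first non-empty body line
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if first_line.rstrip(",:") in GENERIC_GREETINGS:
        flags.append("generic greeting: " + first_line.rstrip(",:"))

    # 3. Too-good-to-be-true: a large dollar amount
    m = MONEY_RE.search(subject + "\n" + body)
    if m and float(m.group(1).replace(",", "")) >= BIG_SUM:
        flags.append("large sum of money mentioned: " + m.group(0))

    # 6. Executable attachment (scareware)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            flags.append("executable attachment: " + part.get_filename())
    return flags


# Constructed sample messages
LOTTERY = """\
From: PRINCE ABUBAKAR <prince.abu88@mail-lottery.com>
To: you@nexgen-tech.com
Subject: URGENT!!! YOU HAVE BEEN SELECTED FOR $4,500,000.00 USD!!!
Content-Type: text/plain

Dear Valued Customer,

You have been selected to receive $4,500,000.00 USD. Reply with your bank details.
"""

SCAREWARE = """\
From: Security Center <alerts@security-warning-alert.com>
To: you@nexgen-tech.com
Subject: CRITICAL: Virus Detected on Your Computer - Immediate Action Required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Dear User,

Your system has been compromised. Download and run the attached scanner immediately.
--sep
Content-Type: application/octet-stream; name="SecurityScanner.exe"
Content-Disposition: attachment; filename="SecurityScanner.exe"

(binary content omitted in this constructed sample)
--sep--
"""

LEGIT = """\
From: Priya Shah <priya.shah@nexgen-tech.com>
To: you@nexgen-tech.com
Subject: Room 3.12 booked for Thursday's sprint review
Content-Type: text/plain

Hi,

Following up on yesterday's standup: I've booked room 3.12 for Thursday at 2pm.
The agenda is on the intranet wiki.
"""

if __name__ == "__main__":
    for label, raw in (("lottery", LOTTERY), ("scareware", SCAREWARE), ("legit", LEGIT)):
        print(label, "->", red_flags(raw) or "no obvious red flags")
```

None of these checks is decisive on its own (a genuine system outage notice can be urgent and a real colleague can write in capitals), which is why the function returns the list of reasons rather than a verdict; the reader, like the game's player, still has to weigh them against the sender domain and the request itself.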

Section 2: Analysing Subtle Phishing Techniques

More sophisticated phishing emails look professional and may closely mimic real communications. Detecting these requires careful analysis of details.

1. Domain Impersonation

Attackers register domains that look nearly identical to legitimate ones. Watch for subtle differences:

  • fedex-notifications.com instead of fedex.com
  • linkedln-mail.com (lowercase L instead of "i") instead of linkedin.com
  • microsoft365-security.net instead of microsoft.com

Always check the actual domain after the @ symbol character by character.

2. Legitimate-Looking but Fake Links (Footer vs. Link Mismatch)

A link may display one URL but actually point to another. Before clicking any link, hover your mouse over it to see the actual destination. The displayed text might say "www.fedex.com" but the actual link goes to a completely different domain. Watch especially for emails where the footer and branding show a legitimate company website, but every clickable link in the email body redirects to a fake domain. This mismatch between the visible branding and actual link destinations is a strong phishing indicator.
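The footer-versus-link mismatch is something a mail gateway or browser extension can check automatically rather than relying on the reader to hover over every link. The Python below is an added example written for this page, not code from PhishGuard: it walks the HTML of an email body with the standard-library parser, compares the domain shown in each link's visible text with the domain its href actually points to, and lists brand domains mentioned in plain text (such as a footer) that no link in the message really resolves to. The two sample bodies are constructed, and the `registrable()` helper's last-two-labels rule is a simplification that ignores suffixes such as .co.uk.

```python
"""Spot links whose visible text names one domain but whose href goes elsewhere,
and brand domains named in the text (e.g. a footer) that no link really reaches.

Added example for this page, not PhishGuard code. Sample bodies are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a host name inside free text, e.g. www.fedex.com
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def registrable(host: str) -> str:
    """Naive owner domain: last two labels (no Public Suffix List handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a>, plus the text outside links."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.plain_text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        if self._href is None:
            self.plain_text.append(data)
        else:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def analyse_links(html: str) -> dict:
    """Return mismatched anchors and branded domains that no link actually reaches."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()

    mismatched = []
    link_domains = set()
    for href, text in parser.links:
        actual = registrable(urlparse(href).hostname or "")
        link_domains.add(actual)
        shown = DOMAIN_RE.search(text)
        # Only anchors whose text claims a domain can be compared; "Track my package" cannot
        if shown and registrable(shown.group(1)) != actual:
            mismatched.append({"shown": registrable(shown.group(1)), "actual": actual, "href": href})

    # Brand domains written in plain text (footer, signature) that no link resolves to
    branded = {registrable(d) for d in DOMAIN_RE.findall(" ".join(parser.plain_text))}
    return {
        "mismatched_links": mismatched,
        "branding_without_links": sorted(branded - link_domains),
    }


# Constructed sample: fake shipping notification with FedEx branding in the footer
SAMPLE_PHISH = """
<p>Your package is awaiting delivery.</p>
<p>Shipper: Online Order</p>
<a href="http://fedex-notifications.com/track?id=784512">www.fedex.com/track</a>
<p>Or <a href="http://fedex-notifications.com/prefs">update delivery preferences</a>.</p>
<p class="footer">FedEx Corporation - www.fedex.com</p>
"""

# Constructed sample: the same layout, but every link really goes to the brand's domain
SAMPLE_LEGIT = """
<p>Your parcel 123 has shipped.</p>
<a href="https://www.fedex.com/track?id=123">www.fedex.com/track</a>
<p class="footer">FedEx Corporation - www.fedex.com</p>
"""

if __name__ == "__main__":
    print(analyse_links(SAMPLE_PHISH))
    print(analyse_links(SAMPLE_LEGIT))
```

The second report ("branding_without_links") is the automated form of the footer check above: a message that prints www.fedex.com in its footer but whose links all resolve to fedex-notifications.com gets flagged even if no single anchor shows a URL in its text.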

3. Fake Shipping and Delivery Notifications

One of the most common phishing techniques uses fake package delivery alerts. These emails claim to be from FedEx, DHL, UPS, or similar services. They typically include a fake tracking number and urge you to "track your package" or "update delivery preferences." Red flags include: vague sender descriptions ("Shipper: Online Order" instead of a real company name), domains that add extra words to a legitimate brand (fedex-notifications.com), and tracking links that go to external phishing sites instead of the real carrier website.

4. Urgency with Plausible Context

Unlike obvious scams, subtle phishing creates urgency using believable scenarios: "unusual sign-in activity detected", "your package is awaiting delivery", or "mandatory security training deadline". These use realistic timeframes (3 business days, 12 hours) rather than obviously fake deadlines.

5. Brand Impersonation

Attackers mimic the branding, layout, and tone of companies like Microsoft, Google, FedEx, or LinkedIn. The email may look pixel-perfect, but the sender domain and link URLs reveal the deception. Real security alerts from Microsoft come from @accountprotection.microsoft.com, not from @microsoft365-security.net.

6. Flattery and Curiosity as Lures

Some phishing emails use flattering or intriguing content to make you click. Examples include: "A recruiter from a top company viewed your profile", "You appeared in 47 searches this week", or "Congratulations on your promotion." These emails exploit your natural curiosity and desire for recognition. The goal is to get you emotionally engaged so you click without checking the sender domain carefully. LinkedIn impersonation emails are especially common and often use flattering statistics about profile views or recruiter interest.

7. Emails Sent to Your Work Address for Personal Services

Be suspicious if banks, delivery services, or social media platforms send alerts to your work email. These services typically contact you through the email address you registered with them.

How to Tell Real Urgency from Fake

Legitimate urgent emails (such as mandatory training deadlines or security patches) typically: come from your organisation's actual domain, direct you to internal systems (intranet, not external links), reference specific policy numbers or details, and provide verifiable internal contacts.

Example: Fake Shipping Notification

From: FedEx Delivery <tracking@fedex-notifications.com>
Subject: Your Package is Awaiting Delivery - Action Required
Red flags: Domain is fedex-notifications.com (not fedex.com), vague shipper info ("Online Order"), tracking link goes to external site. Footer shows "www.fedex.com" but actual links do not match.

Example: LinkedIn Impersonation

From: LinkedIn <notifications@linkedln-mail.com>
Subject: You have 3 new connection requests and 12 profile views
Red flags: Misspelled domain (lowercase L instead of "i" in linkedin), link goes to fake domain, sent to work email, flattering content designed to entice clicking.

Section 3: Evaluating Sophisticated Attacks

The most dangerous phishing emails are nearly indistinguishable from legitimate communications. They exploit trust, use real colleague names, and create scenarios where acting quickly feels necessary.

1. Compromised or Spoofed Colleague Accounts

Attackers may send emails that appear to come from a real colleague's email address. The message references real projects, tools, and internal processes. The giveaway is usually in the link: for example, nexgen-tech.sharepoint-docs.com is NOT Microsoft SharePoint (real format: nexgen-tech.sharepoint.com).

2. Pre-textual Authentication Prompts

A particularly deceptive tactic is when the phishing email pre-explains why you will see a login screen. For example: "SharePoint has been experiencing authentication issues lately, so you may need to sign in again." This makes the credential-theft step feel normal and expected. Attackers want you to think the login prompt is a routine inconvenience rather than the actual attack. If an email warns you that you will need to re-authenticate, treat this as a major red flag and verify the email through a separate channel (e.g., call or message the sender directly on Teams or Slack).

3. Near-Identical Domain Spoofing

Some attacks use domains that differ by a single character or TLD:

  • nexgen-tech.co instead of nexgen-tech.com (different TLD)
  • nexgen-tech.net instead of nexgen-tech.com

Under time pressure, these differences are extremely easy to miss. Always slow down and check the full domain carefully.

4. Subdomain Spoofing

This advanced technique uses the legitimate domain name as a subdomain prefix of a fake domain. For example: linda.nguyen@nexgen-tech.com.secure-hr-portal.com. At first glance this looks like it comes from nexgen-tech.com, but the actual domain is secure-hr-portal.com. In an email address the domain is everything after the last @ sign, and its owner is identified by the rightmost part of that domain (here secure-hr-portal.com), not by whatever appears at the left. Read it from right to left to identify the true domain.
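Reading a sender domain from right to left, spotting a TLD swap and catching a one-character look-alike can all be expressed as one short check. The Python below is an added example written for this page rather than part of the PhishGuard materials; it covers the subdomain trick described here, the near-identical domains of item 3, and the domain impersonation cases of Section 2 (padded brand names such as fedex-notifications.com and look-alikes such as linkedln-mail.com). The trusted-domain list and the sample addresses are constructed, and the `registrable()` helper uses a naive last-two-labels rule that does not handle suffixes such as .co.uk.

```python
"""Work out which domain an email address really belongs to and compare it with
the domains you trust. Added example, not part of the PhishGuard materials; the
trusted list and the sample addresses are constructed for the demo.
"""

# Domains the fictional NexGen employee is entitled to trust (constructed list)
TRUSTED = ("nexgen-tech.com", "linkedin.com", "fedex.com", "microsoft.com")


def true_domain(address: str) -> str:
    """Everything after the LAST '@', lower-cased.

    rpartition is used deliberately: reading from the right is what exposes
    the real owner of an address like user@nexgen-tech.com.secure-hr-portal.com.
    """
    return address.rpartition("@")[2].strip().lower()


def registrable(domain: str) -> str:
    """Last two labels of a host name, e.g. 'a.b.example.com' -> 'example.com'.

    Naive on purpose: a real tool would consult the Public Suffix List.
    """
    labels = domain.strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch single-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(address: str) -> dict:
    """Classify the sender's real domain against TRUSTED and explain why."""
    full = true_domain(address)
    owner = registrable(full)
    if "." not in owner:
        return {"domain": owner, "verdict": "malformed", "reasons": []}
    if owner in TRUSTED:
        # Legitimate subdomains (accountprotection.microsoft.com) land here too
        return {"domain": owner, "verdict": "trusted", "reasons": []}

    sld, tld = owner.split(".", 1)
    tokens = sld.split("-")
    reasons = []
    for trusted in TRUSTED:
        t_sld, t_tld = trusted.split(".", 1)
        if f".{trusted}." in f".{full}.":
            # Trusted name present, but only as a label in front of someone else's domain
            reasons.append(f"subdomain spoofing: '{trusted}' is only a prefix of {owner}")
        elif sld == t_sld:
            reasons.append(f"TLD swap: .{tld} instead of .{t_tld} ({trusted})")
        elif t_sld in sld:
            reasons.append(f"brand name '{t_sld}' padded with extra words: {owner} is not {trusted}")
        elif any(len(tok) >= 4 and edit_distance(tok, t_sld) <= 1 for tok in tokens):
            reasons.append(f"look-alike of {trusted}: '{sld}' vs '{t_sld}'")
    verdict = "suspicious" if reasons else "unknown external domain"
    return {"domain": owner, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample addresses, modelled on the examples in this reading
    for addr in (
        "ahmad.khalil@nexgen-tech.com",
        "alerts@accountprotection.microsoft.com",
        "linda.nguyen@nexgen-tech.com.secure-hr-portal.com",
        "j.richardson@nexgen-tech.net",
        "notifications@linkedln-mail.com",
        "tracking@fedex-notifications.com",
        "alerts@security-warning-alert.com",
    ):
        print(addr, "->", assess_sender(addr))
```

An "unknown external domain" verdict is not a clean bill of health: mail-lottery.com and security-warning-alert.com resemble nothing on the trusted list, so this check has nothing to say about them and the Section 1 indicators have to carry the decision instead.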

5. Business Email Compromise (BEC) and Authority Exploitation

In a BEC attack, the attacker impersonates a senior executive (CEO, CFO, director) and sends an urgent, confidential request. Common BEC scenarios include:

  • A CEO asking you to purchase gift cards urgently for a "client appreciation event" and send the codes by email
  • A CFO requesting an emergency wire transfer to a new vendor
  • An executive asking you to handle something "quietly" and not tell anyone else

Key rule: Executives never bypass standard procurement or financial processes for urgent personal requests via email. Any request involving gift cards, wire transfers, or financial actions that asks you to circumvent normal procedures is almost certainly a scam. Always verify these requests by calling the executive directly using a known phone number.

6. Emotional Manipulation and Social Engineering

Sophisticated attacks use multi-layered psychological tactics:

  • Curiosity: "Confidential restructuring plan" - appeals to your desire to know insider information
  • Fear: "Role eliminations" - triggers anxiety about your job security
  • Trust: Uses names of real colleagues or executives you actually work with
  • Secrecy: "Keep this between us" or "Do not share" - prevents you from verifying with others
  • Authority: Impersonating a CEO or senior executive to discourage questioning
  • Flattery: "You have been specially selected" - makes you feel important and less critical

When you feel a strong emotional reaction to an email (excitement, fear, curiosity, urgency), pause and evaluate before acting. Attackers deliberately trigger these emotions to override your critical thinking.

7. Password-Protected Attachments

Attackers may send password-protected files with the password included in the email. This technique bypasses automated email security scanners that cannot open encrypted attachments. If you receive an unexpected password-protected file, verify with the sender through a separate channel before opening.

8. Distinguishing Legitimate Ambiguous Emails

Not every email from an unfamiliar sender or external domain is phishing. Legitimate signs include:

  • References to prior conversations or known colleagues by name
  • Specific details (project names, version numbers, room numbers) that would be difficult to fabricate
  • Requests routed through normal processes (e.g., "send to Legal for review")
  • Technical instructions using standard tools (e.g., "run npm audit in your terminal") rather than external links
  • Verifiable internal contacts (extension numbers, room locations)

Example: Spoofed Colleague with Pre-textual Login

From: Ahmad Khalil <ahmad.khalil@nexgen-tech.co>
Subject: Updated Q4 Budget Spreadsheet - Please Review
Red flags: Domain ends in .co instead of .com, pre-explains a login screen ("SharePoint has been buggy lately, you may need to sign in"), link goes to nexgen-tech.sharepoint-docs.com (fake SharePoint). Always verify by messaging the sender directly.

Example: CEO Gift Card Scam (BEC)

From: James Richardson, CEO <j.richardson@nexgen-tech.net>
Subject: Urgent Favour - Confidential
Red flags: Domain is .net instead of .com, asks for gift card purchases, requests secrecy ("between us"), bypasses normal procurement. Executives never request gift cards by email.

Example: Subdomain Spoofing

From: Linda Nguyen - HR <linda.nguyen@nexgen-tech.com.secure-hr-portal.com>
Subject: Action Needed: Verify Direct Deposit Before December Payroll
Red flags: Subdomain trick (real domain is secure-hr-portal.com, not nexgen-tech.com), requests full banking details via external link, creates urgency around payroll. Uses a known HR contact's real name and title.

What To Do If You Suspect a Phishing Email

  1. Do not click any links or download attachments.
  2. Do not reply to the email or provide any information.
  3. Verify through a separate channel - call the sender directly, message them on Teams or Slack, or visit their office. Do not use any contact information from the suspicious email itself.
  4. Check the sender domain carefully - read the full email address character by character, right to left from the @ symbol.
  5. Report it to your IT department or security team.
  6. Delete the email from your inbox.

Protect Yourself

  • Always check the full sender email address, not just the display name. Read the domain character by character.
  • Hover over links before clicking to verify the actual URL matches the claimed destination.
  • Compare footer branding to actual links - if the footer says "www.fedex.com" but the links go elsewhere, it is a phishing email.
  • Use strong, unique passwords for each account.
  • Enable two-factor authentication (2FA) wherever possible.
  • Keep your software and devices updated and install security patches promptly.
  • Be cautious with unexpected emails, even from known contacts, as their account may be compromised.
  • Never download executable files (.exe) from email links or attachments. Legitimate IT teams do not distribute software this way.
  • Be sceptical of gift card or wire transfer requests, especially if they invoke urgency and secrecy.
  • Pause when you feel strong emotions - excitement, fear, or curiosity triggered by an email is often a deliberate manipulation tactic.
  • Navigate directly - when in doubt, type the URL yourself rather than clicking a link in an email.
  • Trust your instincts - if something feels off, take a moment to verify before acting.

Quick Reference: Red Flags by Difficulty

Level | What to Look For | Common Attack Types
Obvious | ALL CAPS, wrong domain, generic greetings, grammar errors, too-good-to-be-true offers | Lottery scams, fake invoices, scareware, advance-fee fraud
Subtle | Similar-looking domains, footer vs. link mismatch, plausible urgency, brand impersonation, flattery | Fake shipping alerts, LinkedIn impersonation, Microsoft security alerts, fake account notifications
Sophisticated | Subdomain tricks, TLD differences, pre-textual logins, emotional manipulation, authority exploitation | BEC/CEO fraud, colleague impersonation, payroll scams, password-protected malware, insider info lures

Please read through all the information above carefully. When you're done, click the button below to continue.

Minimum reading time: 10 minutes

Your Feedback

Please share your thoughts about your experience. Your feedback is valuable for this research.

Phase Complete!

Your Participant ID:

Please keep this ID for future sessions.

How to Play PhishGuard

A step-by-step guide to get you started

What is PhishGuard?

PhishGuard is a research-based serious game designed to help you learn how to identify phishing emails - one of the most common cybersecurity threats targeting university students.

You'll practise classifying realistic email scenarios as either phishing or legitimate, and receive instant feedback to build your detection skills.

Goal: By the end of this study, you should be able to recognise phishing red flags in real-world emails and protect yourself online.

The Four Phases

The study is divided into four phases. You'll complete them over multiple sessions:

Phase 1 - Pre-Test

Classify 10 emails + complete a security behaviour questionnaire. This measures your baseline skills.

Phase 2 - Intervention

Play the PhishGuard game (3 levels) or read informational material, depending on your assigned group.

Phase 3 - Post-Test

Repeat the email test and questionnaire immediately after the intervention to measure improvement.

Phase 4 - Delayed Post-Test

Return after 4–6 weeks for a final test to measure long-term retention of your skills.

Important: Save your Participant ID! You'll need it to return for later phases.

How to Classify Emails

For each email, you'll see the full message including sender, recipient, date, subject, and body. Your job is to decide whether it is a phishing attempt or a genuine email.

After reading the email carefully, click one of two buttons:

  • ⚠ Phishing - if you believe the email is a phishing attempt
  • ✓ Legitimate - if you believe the email is genuine

Tip: Pay close attention to the sender's email address, urgency of the request, links, grammar, and whether the request seems unusual.

Game Mechanics (Phase 2)

In the game, you play as a new employee at NexGen Technologies. The game has 3 levels of increasing difficulty:

Level | Focus | Timer | Emails
Level 1: Recognition | Spot obvious fakes | No time limit | 5 emails
Level 2: Analysis | Examine subtle clues | 60 seconds per email | 5 emails
Level 3: Evaluation | Judge sophisticated attacks | 35 seconds per email | 5 emails

Level Progression:
Level 1: Recognition (spot obvious fakes) → Level 2: Analysis (examine subtle clues) → Level 3: Evaluation (judge sophisticated attacks under pressure)

Scoring System

Your performance is scored to keep you engaged and motivated:

Action | Points
Correct classification | +100 points
Speed bonus (timed levels only) | up to +50 points
Perfect level bonus (all correct) | +200 points
Wrong classification | 0 points

Maximum possible score: 2,350 points across all 3 levels. Can you achieve a perfect score?

Phishing Detection Tips

Here are the key things to look for when evaluating an email:

  1. Sender's email address - Does the domain match the organisation? Look for misspellings like micros0ft.com or suspicious domains like company.evil.com.
  2. Urgency and threats - "Your account will be suspended in 24 hours!" is a classic pressure tactic.
  3. Generic greetings - "Dear User" or "Dear Customer" instead of your actual name.
  4. Suspicious links - Hover over links. Does the URL match where it claims to go?
  5. Grammar and spelling - Professional organisations proofread their emails.
  6. Unusual requests - Asking for passwords, financial info, or to download unexpected attachments.
  7. Too good to be true - Prize notifications, free offers, or inheritance claims.

You're ready! Click "Finish Tutorial" below to return to the main screen. Remember: practice makes perfect, and every email is a learning opportunity.