Phishing Emails: What They Are, How to Spot a Phishing Email and How to Protect Yourself

Phishing emails have come a long way since the infamous Nigerian prince scam. Do you know how to protect yourself from a targeted phishing attack?

While advancements in technology have made security programs stronger than ever, they’ve also given cybercriminals the tools they need to send malicious emails to hundreds of thousands of people – at the click of a button. In this guide, we’re going to walk you through everything you need to know about email phishing attacks and the steps you should take if you become a target.

Quick Overview

What is Email Phishing?

Email phishing is a common type of scam that involves sending out unsolicited emails to harvest login credentials, spread malware, or steal personal information. Named after the hobby fishing, this scam involves dropping a lure and waiting for someone to take the bait. The cybercriminal doesn’t expect everyone to fall for it, but because sending out emails in the tens of thousands is so easy, the numbers are on their side. There’s bound to be someone who takes the bait. 

There are three major categories of email phishing that cybersecurity experts recognize: spray-and-pray phishing, spear-phishing, and whaling. We’ll take a closer look at them next.

Spray-and-Pray Phishing Emails

Just about everyone has experienced this type of phishing. The spray-and-pray technique involves sending thousands of phishing emails out, hoping that someone will fall for it. These bulk emails tend to be easy to spot, often containing typos and unrealistic propositions. Modern email services, like Gmail, are also pretty good at automatically filtering these into “spam” folders, so most people won’t even see them. However, because cybersecurity competency varies, sending the messages out in bulk is bound to “catch” someone. 

In other words, spray-and-pray is like running a big net through the ocean. The numbers back up this analysis: according to Verizon’s latest Data Breach Investigation Report, these types of phishing emails are ignored almost 97% of the time. However, if a criminal sends ten thousand emails and averages a 3.4% click rate, that’s still 340 potential victims.


While spray-and-pray phishing is just a numbers game, spear-phishing is much more targeted. The cybercriminals who use this technique don’t send out broad messages to anyone and everyone – they do their research and target individuals or small groups of people using specialized emails.

How do they know what type of email will be most effective? Most criminals simply leverage websites that contain large amounts of public personal information, such as people-search sites. Using these websites, they can find addresses, employment histories, family ties, and plenty more.

They will then write an email tailored to the target. This may be a sophisticated email attack. For instance, the criminal may pose as a potential client of the target, use a believable email address, and slowly build up to sending the target a file under the pretense that it contains information about a job.

So, while the phishing attempts that we see most commonly are pretty easy to spot, even the most security-conscious users can be fooled by spear-phishing.


Whaling is a unique phishing strategy in which a cybercriminal pretends to be a high-level person at an organization to target other important players. The goal of this type of method is often stealing money or highly confidential information about people or businesses for monetary purposes.

Whaling is very similar to spear-phishing since it targets a specific group. However, whaling takes this even further by conducting fraudulent communications with targets by impersonating someone from their group.  This element of social engineering makes the cyberattack especially dangerous because the criminal appears to be trustworthy and can very quickly gain access to important business services and information.

Spoofed emails are one of the most common forms of whaling. They often involve a “senior manager” as a trustworthy figure and usually refer to an event that can be easily “verified” online. For example, if the criminal sees the target in a work-related social media post, this type of message may be sent: “Hi Lucy, it’s Martha from the MN office again – the conference was a real blast! Here’s a list of upcoming events. Let me know if you can join.”

Other highly sophisticated forms of whaling include the creation of convincing imitation websites and socially engineered phone calls. All whaling scams have one thing in common — a criminal slowly earning trust with prolonged communications, and then attacking once the opportunity presents itself.

How Email Phishing Works

The key to a successful phishing attack is feigned authenticity and an emotional trigger. Creating an email that looks professional and trustworthy makes it easy to deliver a malicious payload to the user, often without them realizing it until it’s too late. Here are a few of the most important steps that cybercriminals go through to create a convincing phishing attack.

1. Creating a Phishing Email
As we saw earlier, the sophistication behind phishing emails can vary from general to highly targeted. Here’s a quick look at how these phishing emails take shape.

  • Background research: Spear-phishing relies on more targeted attacks. To create sophisticated emails, cybercriminals often leverage public information found on people-search sites.

  • Believable email address: Most consumers are aware of common email red flags such as randomized email addresses. Receiving an unsolicited email from “” is far more suspicious than “”. Cybercriminals know this, and most try to use emails that seem authentic. This includes deceptive business emails like “”.

  • Alarming subject line: If the email seems authentic, then the next place you’ll probably look is the subject line. Using a subject line that elicits an emotional response is key to hooking you. Cybercriminals find a creating sense of urgency or fear particularly effective, using subject lines such as “Loan Notice: Final Warning.” Especially sophisticated subject lines are more subtle and believable, such as “Password Change Required Immediately.”

  • Convincing message: If the email address and subject line were effective, you’d likely scan the email text to figure out if this urgent matter is credible or not. Some cybercriminals may supply you with your own personal information (mined from the internet) to convince you that the request is authentic. Using professional formatting also helps create a convincing email.

  • Malicious payload: Here’s what it’s all about – all of the other pieces we’ve talked about are simply a trojan horse to deliver a malicious payload to your computer. This may be a link to an imitation website that will ask you to log in and then steal your credentials, or it could be malware disguised as an innocuous attachment. This is the most dangerous part of the email.

2. Delivering the Phishing Email
Cybercriminals use programs that automate the delivery of very large batches of emails. They can also send specialized emails to a small group of people or just an individual. These programs give them access to a proverbial ocean of fish. It may take time, but once they get someone on the hook, it’s all worth it.

3. Reeling in Targets
If the phishing email is effective in getting your attention and convincing you that it’s authentic or at least warrants further investigation, you’ll probably interact with it. This may involve clicking links, downloading attachments that claim to hold important information, or replying. In any case, the criminal will take notice and funnel energy toward reeling you in. Once they’ve earned your trust, it will be easy for them to accomplish the main goal of their cyberattack, whatever that may be.

How to Identify a Phishing Attack

With most phishing emails, there are a few common giveaways that you should look out for. Once you learn these, it becomes much easier to spot a dangerous phishing attack before you get on the hook:

  • Unrealistic offers: This is by far the easiest sign to spot. If a cybercriminal contacts you about an unrealistic offer, such as a large sum of money or a vague investment opportunity, completely ignore it and then report it.

  • Suspicious email address: If someone is pretending to be a major business or institution, such as Google, the email address will not be linked to the official domain. Check that the “From” address contains”[name]” and that the “Return-Path” also contains “[name]”.

  • Urgent content: Another red flag is urgency. Cybercriminals know that fear is a great way to trick targets into clicking links or downloading attachments. If the tone of the email is highly urgent, threatening jail time, overdue payments, alarming security concerns, proceed with caution.

  • Suspicious links: You don’t need to click a link to know if it’s safe. You can hover your cursor over a link to see the full URL that it directs to. Make sure the link starts with “https://” and not “http://”. Regardless, do not click on any links in a suspicious email.

  • Grammatical errors: If the email contains spelling, punctuation, and syntax errors, that’s a very clear giveaway that it isn’t authentic. Proceed with caution and immediately report the email.

To illustrate just how convincing phishing emails can be, here’s a real-life example of a high profile phishing scam.

Microsoft Spoofing Attack

In 2019, employees at Microsoft fell for a particularly sophisticated phishing email. The cybercriminals used “spoofing” to make the email look as authentic as possible, coping design elements that the company’s HR department used. 

The email also contained a powerful emotional trigger: money. Promising to present information about wage increases, employees had to click a link, which brought them to a false login screen that looked identical to Office 365. Once the targets entered their credentials, they were sent to the cybercriminal.

What to Do If You’ve Been “Phished”

Falling for a phishing attempt can be devastating, so it’s important to act quickly. Whether you’ve received a suspicious email and aren’t sure if you should interact with or if you have already downloaded attached files or entered your credentials in an imitated website, you can follow these tips to minimize damages.

  • Don’t interact with the email: If you notice that an email is a phishing attempt, don’t let your curiosity get the better of you. Do not click any links in the email, do not download any attachments, and do not reply. This will keep you safe and allow you to begin the process of reporting the email.
  • If you already interacted with the email: Take action immediately to secure your accounts. If you downloaded an attachment, do not execute it. Instead, use your security program to locate and uninstall it. If you’ve clicked on a link and entered your login credentials, immediately change your password for that account to ensure better password security and turn on two-factor authentication. Run security scans on your computer, enable firewalls, and lock down all of your most important accounts. Finally, report the sender to the email service used in the attack. If the scammer used a Gmail address, make sure you report abuse to Google.
  • Report phishing: Once you’ve secured your accounts to the best of your abilities, report the phishing attack. This will stop the cybercriminal from harming others with the same email and may provide relief if you’ve faced monetary loss.

– Report phishing email with FTC: You can file a report about phishing with the Federal Trade Commission (FTC).

– Report IRS phishing email: Go to the IRS report page, and then forward the phishing email to (Warning: do not interact with any links on the phishing email.)

– Report financial loss: Phishing that results in monetary loss can be reported to the Treasury Inspector General Administration (TIGTA).

– Report phishing emails to your email provider.
Here’s how to do it if you use Gmail.

How to Prevent Phishing Emails

As always, it’s better to prevent a problem than deal with the consequences. Thankfully, most phishing attacks are either automatically hidden from you in spam folders or are very easy to spot. However, there are also exceedingly cunning phishing attacks that will fool even the most vigilant users. Here’s what you can do to minimize the number of phishing attacks you receive:

  • Minimize your online presence: If you’re getting phishing emails, that means you’re already on a cybercriminals mailing list. They likely located your email from people-search sites, which aggregate your highly personal information into a profile that can be purchased. You can opt-out of these websites to keep your information private and cut down on phishing attempts. This can be done manually, but if opting out of hundreds of websites isn’t something you have time for, you can use OneRep’s privacy protection tool to opt-out automatically.

  • Use a strong email provider: Email providers that take security seriously often have strong preventative measures against phishing. For instance, Gmail and other major email providers automatically identify phishing attempts and sort them into your spam folder.

  • Tune into phishing news: It’s important to stay in the know about the latest phishing scams. Do some reading about recent phishing scams, and continue observing cybersecurity best practices.

  • Update your operating system: Most phishing attacks try to exploit known vulnerabilities within operating systems. By keeping your computer up to date, you can make sure you’re always using the safest version of your operating system possible.

FAQ about Phishing Emails

Is phishing email a data security breach?

Phishing attacks are the number one cause of data breaches, so they should be treated very seriously. Simply receiving unsolicited emails isn’t considered a data breach, but if an employee falls for the attack and is compromised, then a data breach likely occurred.

Can you get a virus just by opening an email?

Not quite. Simply opening an email cannot transfer malware to your computer. However, clever phishing attempts may trick you into clicking links or downloading attachments within the email. This can then infect your computer or steal your login credentials.

Can you get hacked by opening an email?

Hacking can start by opening an email. However, the simple act of opening a suspicious email cannot transfer and execute files on your computer. By using cunning phishing strategies, cybercriminals can trick you into interacting with links and attachments within emails, which then result in you getting hacked.

Can opening an email infect your phone?

Contents within an email can absolutely give your phone a virus, result in stolen log in credentials, and potentially lead to identity theft or monetary loss. However, simply opening an email will not infect your device. It’s only if you interact with dangerous links or attachments that this can occur.

Is it safe to forward a phishing email?

Only forward phishing emails if you’re reporting them to the proper channels of consumer protective entities, such as the FTC. Do not forward phishing emails to friends or families. The links or attachments contained within are still dangerous.

Wrapping Up

Even if you’re vigilant and computer-savvy, a carefully crafted phishing attempt can be really hard to spot. The best thing you can do is learn about warning signs to look out for and scrub your information from the internet using OneRep. We hope this guide has helped you keep your inbox (and your personal information) a bit safer.

Wish to explore this topic further? Take a few minutes to learn how to stop robocalls, avoid phone scams  and what to do if you are on the do not call list and still get calls

Remove your sensitive info from the web

OneRep’s algorithm scans 196 data brokers and removes your records from all people-search sites that publish them


Maria Shishkova

Digital Marketer & Privacy Expert at OneRep | LinkedIn