Email phishing: the 3 most common techniques

by Aug 6, 2019Cybersecurity0 comments

Email phishing: the 3 most common techniques

by Aug 6, 2019Cybersecurity

I’m sure you’ll agree with me when I state that email phishing & receiving scams are almost a daily occurrence in 2019.

Cybercriminals are always finding better ways to bypass IT security systems no matter how good your IT system is.

As such, email phishing is the new norm.

In this article we’re going to outline the three most common email phishing techniques cybercriminals use so you know what to look out for and don’t get caught out.

Number 3 on the list is something you should make your colleagues and associates aware of as it’s becoming more common and becoming a victim of this attack is highly likely.

1 Spoofing

Email spoofing is when a cybercriminal sends out a mass email to an extensive list of email addresses pretending to be from another sender. An excellent example of this which we see regularly is emails that have been designed to appear to come from well-known technology companies.

These include:

  • Microsoft Office 365
  • Apple ID Login
  • Amazon
  • Google
  • Adobe

Here is a perfect example of a spoofed email from what appears to be Office 365.

The only way to know that this email is legitimate or not is to look closely at the sender’s email address. 

In the example above the sender is, which is not a domain owned by Microsoft. 

That’s the first error.

The second is the “resolve issue now” button.  Hovering over this link will reveal the URL that the link goes.  It is essential to check all links manually before you click.

2 Cloned Website

A cloned website is usually the 2nd part of a spoofed email.  When you click a malicious URL in an email, it will take you to a page that looks like a genuine login screen for an online service you may use. 

These cloned websites are easily created by cybercriminals and can be replicated to many website domains.

Again, check the URL in the address bar if it is an official website or not. This is the only real way to know.

If you are in doubt, then it’s worth raising a support ticket with your IT provider or department.

Many online services now attempt to block malicious websites once reported.

Both Google & Microsoft have services which monitor and will warn if you are visiting a malicious website.

This feature does not detect all malicious websites, so again check with your IT.

3 Manual Smart Attack

Smart attacks can come in many forms, and it can leave you second-guessing yourself.

An excellent example of a smart attack we recently encountered was an email sent to an HR manager just before payroll was about to be run.

The email in question appeared to be from a senior director in the company instructing the HR manager if he could update his bank details for payroll.

The email itself looked legitimate. The only thing that stopped the instruction going through was the HR manager who asked the senior director to confirm.

This attack was so smart that there’s no real way for software or systems to overcome it.  As such, it’s essential that staff must be aware of the threats that can come in many forms from email.

For a free dark web scan to see if you have any credentials for sale, please email or call 1300 766 455.