Phishing emails

How Can You Identify a Phishing Email?

Phishing scams are designed by opportunist criminals with the aim of catching you off guard and making you relinquish your personal data. Unless you have a plan b like ransomware protection, your only defence is you and your team’s ability to easily spot these attacks. AKA “a human firewall”. A weak human firewall is what phishing scammers are praying for. Read our previous blog for more information on your human firewall and types of phishing attacks. And read on to learn about the seven ways of spotting a scam and answering the question: how can you identify a phishing email?

The domain isn’t from a legitimate looking business

An email might say that that it’s from PayPal or your bank in the sender field, but a scammer can call themselves whatever they like. To really see who’s sending the email, look at the address and check that it’s not from a public email provider; no legitimate business will send communications from Official Google emails will be from,, etc. Also, be wary of scammers trying to get as close to the real thing as possible. E.g. might appear legit, but It’s not Netflix and not to be trusted.

Questionable links and attachments

Just as you should check the validity of the sender’s URL, you should check the validity of any link you’re told to click on or attachment you’re told to download. Hover your mouse over both and if it looks like anything besides what you’d expect, don’t engage with it. Also remember, legit senders won’t typically send you unsolicited emails with attachments. 

Poor graphic design

This should almost go without saying but worth quickly mentioning to be on the safe side. Any legitimate business has the resources to ensure its logo and emails look neat and professional. If the design looks in any way scruffy, it’s almost definitely a scam. 

Poor spelling, grammar, or clunky language

Similarly, poor writing is a dead giveaway. Legit businesses hire professional copywriters and proofreaders. Criminals don’t, or at least they’re much less likely to. Poor writing can be harder to spot than poor design so make sure you pay closer attention to the fine details.


No personalisation 

Legitimate companies will often start their emails with your first name. Phishing emails on the other hand will often start with something generic like “Dear, Sir or Madam,” or “To whom it may concern.” That’s because phishing emails are sprayed out to anyone who’ll open them. However, with spear phishing or whaling, there will be more personalisation so ensure you’re aware of the other phishing signs too. 

A blatant request for your personal information

Another sign that almost goes without saying is when you’re outright asked for something you would never normally give out. No bank will ever ask for personal information by email, nor will most businesses. 

A sense of urgency

Probably the biggest sign to watch out for. A clever scammer may find ways to avoid the previous six signs, but most scammers will often try and rush their victims into making a decision. Calls to “act now” and the message that “time is running out” are designed to make a reader act quickly and not question the legitimacy of the email for fear of missing an opportunity. 

Cyber security training for your team will keep them alert and help them spot a phishing scam a mile off. This should be top of your cyber security list since your employees are your first and your weakest line of defence; cyber criminals find it way easier to trick people than trick firewalls. This means your human firewall needs to be your priority as that’s the primary target every cyber-criminal is aiming for and you can’t rely on technology to protect your business.

Also, asking “how can you identify a phishing email?” should be the first of many security questions as you could have many other gaps that need attention. Whether you’re just getting started or you want to plug some problem areas, Novem’s team of experts is here to help.

Book a meeting with one of the team, at a time that works for you.