Anatomy of a Phishing Email – What to Reel In and What to Let Go

Anatomy of a Phishing Email – What to Reel In and What to Let Go

Everyone has a favorite pastime, right? For some it’s fishing. For hackers, it’s phishing. There may only be two letters of difference between the two, but their meanings couldn’t be further apart. We all know what fishing is, but phishing is a different animal entirely. It’s the act of a cyberattacker looking to gain confidential information and/or access to private networks via an avenue we all use every day – email.

And make no bones about it – phishing is a professional sport for hackers. It involves strategy, practice and certainly an end game. If the opponent (or the victim in this case) engages with a phishing email, they could compromise their sensitive information (including passwords, personal identification information, etc.), the device they are working on or even an entire network of systems. And in that case, the hacker wins.

But that’s not the outcome we want for credit unions or their members. You see, there is a defense to phishing emails, and that’s being aware. If you understand the anatomy of a phishing email and what red flags to look for, you’re much more capable of defeating the cyberattacker and sending him or her home without the benefit of credit union data or access to systems.

So what does a phishing email actually look like? How do you know which emails are safe to “reel in” and which ones to let go because of the harm they could cause? In other words, how can you tell the difference between a legitimate email and a malicious one? Here are seven areas to look for and questions to ask yourself to determine whether an email is good or bad:

From field. The From field shows who the email is from. It might display a name or an email address, but it’s not always giving accurate information at first glance. Remember, hackers are devious, so they never show their hand. Try hovering over the From field to see the actual email address of the sender to see if it is legitimate, and then ask yourself these questions:

  • Do I recognize the sender’s name or email address?
  • Is this someone I normally communicate with?
  • Is it coming from someone inside the credit union or a vendor or partner I recognize? And if so, does it seem out of character?
  • Was the email expected from this person or not?

To field. This field will show your email address, but check to see if any others are listed as well. It may be that you received an email as a CC recipient. Questions to consider…

  • If sent to a group of people, do I recognize any other names or email addresses? If so, does it seem like a reasonable group of people to send to or does the group feel like it was chosen at random?
  • If not sent to a large group, does it make sense that the email came only to you from the sender?

Date. It’s always wise to check the date of an email. Timing may have more of an impact to an email’s legitimacy than you may think. Just ask yourself this:

  • Is this an email I would normally get at this time or does the timing seem off?
  • Is this in my time zone or another?

Subject. The subject of an email can be very telling. Many times, a phishing email may have a direct call to action in the subject line and display a sense of urgency. For example, if the subject line is “Money needed now,” it might be worth a once over to check it as a phishing scam. In addition, look for spelling and grammar errors here, as they can tip off a phishing attempt as well. Here are some questions to ask yourself regarding the subject line…

  • Does the subject line match the message of the email, or does it seem irrelevant?
  • Does the subject imply that the email is in response to something you never sent?
  • All in all, does the subject make sense or does it seem suspicious in any way?

Attachments. Beware of attachments in emails. These are oftentimes where hackers hide viruses and trojans. And once you click on an attachment, you can’t take it back. By that point, the malicious entity has already been released. So before opening an attachment in any email, be sure to ask the following:

  • Does the attachment fit with the message of the email? Does it make sense that there would be an attachment based on the content?
  • Is the file type safe? (Quick tip: Attachments designated as .txt are the only file types that are always safe to open)
  • Looking back to the sender, would they send me this type of attachment?

Hyperlinks. Another area where hackers hide malicious content is in hyperlinks. If your email contains a hyperlink, double check it. Not only that, but also be sure to hover over it to see if it actually goes to the website advertised. Finally, spelling counts here as well. You definitely don’t want to click on a hyperlink for ABC Credit Union if the spelling in something like, for example. Things to ask yourself about hyperlinks include:

  • Does the link match the text or does it try to go to a totally different URL?
  • Is a hyperlink the ONLY text in the email or is it accompanied by a message?
  • Is the hyperlink really long and complicated?
  • Does the link contain any misspellings?

Content. Last, but not least, the content of the email is very important. This is where the hacker can try to reel you in with a persuasive message, so be hypervigilant and take the text with a grain of salt. Just like the subject line, the content can try to override our defenses with a display of urgency and negative consequences. For example, if the text eludes to a past due invoice for your credit union that needs paid within 48 hours or the account will be closed, be wary. When looking at the content, think about these:

  • Does the text ask me to click on a link or attachment to avoid some sort of negative consequence or to gain something of value? Does the act of clicking on either of these things match the intent of the message or does it seem out of place to do so?
  • Are there any obvious spelling or grammar mistakes?
  • Is the content in regard to something I was aware was coming or does it seem out of left field?
  • Is there anything uncomfortable about what the content is asking me to do?

The important thing to remember about phishing emails is that they are quite common these days and they are becoming more and more sophisticated all the time. But if you know the components (aka, the anatomy) of a phishing email, you can identify whether anything seems suspicious. And that means you’ll be well on your way to beating the cyberattackers at their own game and protecting your institution.

Now that’s a pastime all credit unions can get behind!

For more information, please contact the risk management team at

Robert Gentry works as an information security analyst for Vizo Financial Corporate Credit Union, providing information security risk assessments, security awareness training and incident response planning services to credit unions. Mr. Gentry also delivers tailored training and consulting services for credit unions, assisting them with their specific information security needs.