What is Email Phishing?


Email phishing is a form of deceptive cyber attack. The attacker uses email to impersonate a legitimate entity, such as a bank, to deceive the victim into clicking on a harmful link, downloading malware, or providing sensitive information.


The concept is simple. An unsuspecting email user receives an email that appears to be from their bank, credit card company, or some other service or brand. The email is meticulously designed to look wholly legitimate, with the correct logo, branding, and even an apparently correct sender domain.


Typically, the email will ask users to confirm their details, update their banking information, or some other seemingly routine request. However, the provided data is instead sent to cybercriminals who then use it for nefarious purposes.


Another common form of email phishing occurs when the user is asked to click on a link. Assuming that the email is from a legitimate brand, the user expects to be directed to the company website. Instead, the user is sent to a malevolent site that installs malware on their device.



A Brief History of Phishing

Phishing attacks were among the earliest forms of internet scams. Early AOL email users in the 1990s were bombarded with fraudulent emails seeking sensitive information. As the number of email users grew, so did phishing scams.


Today, consumers use the Internet for banking, purchasing, subscriptions, etc. This has given cybercriminals a virtually infinite pool of potential victims. Modern email technology allows them to send mass phishing emails, and it only takes one victim out of thousands of recipients to turn a profit.


Email phishing takes advantage of online user behavior. Internet users tend to trust brands and may assume that the email is genuine. Also, since people are so used to entering their credit card and banking details into online forms, the request doesn’t appear unusual.


6 Common Types of Email Phishing


  1. Spear Phishing:

    This occurs when cybercriminals target a specific individual or brand. For example, a phisher will seek employees with access to sensitive data, such as company account information or website access. They will then target them with personalized emails, citing their name, job title, etc. The content of the email will appear as though the sender knows the intended victim personally.

  2. Whaling:

    Similar to spear phishing, this type targets senior individuals within an organization, i.e. the CFO, CMO, or VP. This is potentially highly lucrative for the attacker given the access levels of the victim.

  3. Email Spoofing:

    This is the most common type of phishing attack. Senders will ‘spoof’ a domain, i.e. use a domain that appears genuine (e.g. paypa1.com instead of paypal.com). In most fonts, the “1” and “l” are almost identical, and only discerning users will notice the difference.

  4. Content Engineering:

    This is when the email content includes a sense of urgency and fear. For example, it warns users their account will be closed if they don’t update their details.


    Or, it threatens the recipient with impending legal action in case of non-compliance. Another common tactic is to offer a reward, e.g. “renew your subscription today for a 50% discount”, etc.

  5. Fake Attachments:

    This is potentially the most harmful form of phishing attack. The email prompts the receiver to download an attachment – something innocuous like a PDF supposedly listing new T&Cs. However, opening it installs malware on their device.

  6. Pretext Phishing:

    This type of attack creates a false scenario to trick the recipient into taking action. For example, the email might impersonate IT support requesting remote access to fix a nonexistent issue.


How to Protect Yourself from Phishing

Other forms of cyberattack can be mitigated with antivirus software or MFA. Phishing, however, works by deceiving a person rather than exploiting software, so defending against it requires human vigilance.


Here are some tips:

  • Be Wary of Unsolicited Emails:

    Don’t click on links or download attachments from emails you don’t recognize.

  • Verify the Sender's Address:

    Always check that the sender is legitimate. A known brand will send from a custom domain that is linked to its website.

  • Don't Be Pressured by Urgency:

    Legitimate companies won’t pressure you into immediate action via email.

  • Hover Over Links (Without Clicking):

    Most email clients display the actual target URL when you hover over a link. Make sure the target URL matches what you’d expect.

  • Go Directly to the Source:

    Log in to your account directly (not via the email's link) to confirm that the requested action genuinely comes from the source.

  • Familiarize Yourself with Common Phishing Email Subjects:

    Brands use professional communication etiquette. If the email subject looks like one of these, it’s probably a scam:


    • “Urgent Action Required: Verify Your Bank Account”
    • “Your Social Security Number Has Been Compromised!”
    • “Congratulations! You’ve Won a Free Gift Card!”
    • “Important Notice: Your Netflix Account Will Be Suspended”
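The sender-address and link-hover checks in the tips above can be automated. The following Python script is an added example written for this page; it is not part of the article or of any Spike product. It parses a constructed sample email and flags a lookalike sender domain (the paypa1.com versus paypal.com case from the spoofing section), links whose visible text names a trusted domain while the href points elsewhere, and subject lines that use the pressure phrasing listed above. The brand allow-list, the small confusable-character map, the crude domain-extraction rule, and the sample message are all assumptions made for the example.

```python
"""Added example: flag the phishing indicators described on this page.

Assumptions: single-part HTML email, a constructed allow-list of brand
domains, and a deliberately small, non-exhaustive map of look-alike
characters (a real checker would use a full confusables table).
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DOMAINS = {"paypal.com", "netflix.com"}          # constructed allow-list
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}  # hypothetical map
URGENCY_PHRASES = ("urgent action required", "has been compromised",
                   "you've won", "will be suspended", "verify your")


def normalize(domain: str) -> str:
    """Fold confusable characters so 'paypa1.com' compares equal to 'paypal.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix handling)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(domain: str, known=KNOWN_DOMAINS):
    """Return the brand domain this one imitates, or None if exact or unrelated."""
    reg = registrable(domain)
    if reg in known:
        return None
    for k in known:
        if normalize(reg) == normalize(k):
            return k
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []

    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    brand = lookalike_of(sender_domain)
    if brand:
        findings.append(f"sender domain {sender_domain} imitates {brand}")

    subject = msg.get("Subject", "").lower()
    for phrase in URGENCY_PHRASES:
        if phrase in subject:
            findings.append(f"subject uses pressure phrase: '{phrase}'")
            break

    body = msg.get_payload(decode=True)  # None for multipart (not handled here)
    body = body.decode(msg.get_content_charset() or "utf-8", "replace") if body else ""
    parser = _LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname or "")
        brand = lookalike_of(target)
        if brand:
            findings.append(f"link target {target} imitates {brand}")
        # Visible text that names a trusted domain must match where the link goes
        shown_url = text if "://" in text else "http://" + text
        shown = registrable(urlparse(shown_url).hostname or "")
        if shown in KNOWN_DOMAINS and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings


# Constructed sample message for the example (not a real phishing email)
SAMPLE = """\
From: PayPal Security <service@paypa1.com>
To: victim@example.com
Subject: Urgent Action Required: Verify Your Bank Account
Content-Type: text/html; charset=utf-8

<p>Please confirm your details within 24 hours.</p>
<a href="http://secure-login.paypa1.com/verify">https://www.paypal.com/account</a>
"""

if __name__ == "__main__":
    for finding in check_email(SAMPLE):
        print("FLAG:", finding)
```

Run against the constructed sample, the script reports four findings: the lookalike sender domain, the pressure phrase in the subject, the lookalike link target, and the mismatch between the link's visible text and its href. A message from the genuine domain with a neutral subject and honest links produces no findings.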
