Skip to content Skip to navigation Skip to footer

5 Simple Tips for Phishing Email Analysis

Threats From Phishing: An Overview

Phishing attacks have been on the rise, and understanding how to recognize them is the first step in protecting your organization. 

During a phishing attack, scammers and hackers pretend to be someone representing an organization or company that you trust. This may include a well-known entity like the Internal Revenue Service (IRS), a social media company, or a bank. The hacker then sends out emails, and within them are links to fake sites or attachments with malware. The objective of the attack is to fool the recipient into providing personal information that will allow them to take control of the device.

Phishing email analysis tools can help combat these kinds of attacks. You can use them to take a proactive stance against phishing. Read on to learn how not to fall victim to a phishing cyberattack through the phishing investigation process, how to boost email security, and tips to spot suspicious emails, including those used in spear phishing, a more targeted form of phishing.

Which Type of Data/Information Is at Risk From Phishing Attacks?

The goal of a phishing attack is to steal personal or financial information. To understand which data in your organization is at risk, it is important to comprehend why hackers want it. Attackers attempt to obtain information that will somehow earn them a profit. There are three ways they can make money from your data:

  1. Steal data for personal gain: Hackers can use your personal or financial information to steal your money themselves. When they do this, however, they put themselves personally at risk. Therefore, they will either go for high-value data or financial information that can be exploited with as little risk to themselves as possible.
  2. Sell data: An attacker can take your data and sell it to somebody else. This is often done on the dark web, where there are markets for stolen information. Your data may be included in a package that includes the sensitive information of other people. For example, a hacker may sell a collection of 50 credit card numbers to someone else.
  3. Obtain data for another entity: A hacker can be paid by an organization to steal your information, cause an embarrassing breach, or provide cyber espionage services. At times, a third party may be involved, such as a government or even another company. In this situation, the hacker is given a job with specific objectives, and they get paid accordingly.

Given the above motivations, data and information at a high risk of being stolen through a phishing attack include credit card information, social security numbers, login information, information that can be used to answer two-factor authentication (2FA) questions (e.g., codes sent to a mobile device), full names, birth dates, addresses, company financial information, company secrets, future plans of a business, proprietary data and information (e.g., schematics, designs, and content), phone numbers and email addresses, passwords and numeric codes for a company’s physical and digital resources, and health records.

Impact of Phishing Emails in Remote Working Environments

The growth in remote working arrangements has exposed many companies to unique challenges. The cyber environment for your mobile and remote workforce has to be a primary concern when adopting phishing email analysis best practices.

In a traditional working environment, it is easy for an employee to get up from their desk and go ask someone if an email they received actually came from them. In the case of a phishing attack, this convenience can be enough to thwart it. In a remote working environment, however, if an email looks legitimate, even if the request inside it raises a red flag, the recipient is much less likely to reach out to verify the authenticity of the email.

Also, remote workers using their own personal devices are far less likely to maintain stringent cybersecurity measures. For instance, they may not have multi-factor authentication (MFA) systems in place for accounts that can contain personal information. This makes it easy for a hacker to impersonate a remote worker. They can access their social media accounts, collect facts about their personal or professional life, and weave these into an email that may make it seem like the sender is legitimate.

If an email that cannot be easily verified has a malicious attachment, an employee may think clicking on it will not bring any significant harm. But unless you have a sandboxing system in place, the malware can easily spread through your network.

Therefore, phishing email analysis steps should include:

  1. Checking the content of the email for anything that is uncharacteristic of the supposed sender
  2. Conducting email header analysis for phishing, such as checking for headers that are formatted differently than typical company emails
  3. Specifying to recipients that extra time can be taken between receiving an email and responding to it, specifically to allow time for a thoughtful phishing analysis process

Analysis of a Phishing Email: 5 Clues To Spot Scams

Phishing email analysis should be performed systematically. Here are five things to look for to spot scams: 

Suspicious Email Addresses, Links, and Domain Names

Email addresses, links, and domain names that come from a hacker are often easy to identify. Here are what to check for:

  1. Email addresses that are close to correct but a little off. For example, if someone’s real email address is, and you get an email from or, it may be a phishing attack. The attacker may even try to explain that they were given a new email address by the IT department. Regardless of what is in the email, double-check the identity of the sender.
  2. Links that reveal an unfamiliar address when you hover over them. Because so many emails contain links, it can be easy to accidentally trust the wrong one, especially if it appears to come from someone or an organization you trust. Always double-check the contents of a link before clicking on it, and keep in mind that links can download malware or bring you to a fake site that looks legitimate but is designed to install malicious software on your computer.
  3. Domain names that are close to those of a company or person but are not quite right. For instance, if someone sent an email from “,” with two zeros,” they could be phishing. Also, if an email address has a component that is designed to make it look trustworthy, it may be a phishing attempt. For example, if you got an email from, it may be a malicious email, particularly because there is no active domain run by IBM with that name.

Threats or a Sense of Urgency

Many phishing attacks try to convince someone to reveal personal information using scare tactics. An attacker may also try to make the target feel embarrassed, giving them no other choice but to take an action to prevent others from learning some supposed secret. For instance, they may claim that the victim has downloaded malware on their computer and needs to provide their login information so it can be removed by “the IT department.” To remedy the situation without having to reveal they made a mistake, an employee might accept the invitation to share this information.

Often, a threat will come from an organization that purportedly has the power to fix a situation. For example, a phishing email may come from a hacker pretending to be your financial institution. Within the message, they may say that your account has been compromised and you need to change your login information. You may then be instructed to click on a link that will bring you to a site that will facilitate the change you need to make. But when you go to the site and enter your login information, your data gets sent to a hacker.

Grammar and Spelling Errors

Some hackers have not mastered the language in which they are composing the email or its basic grammatical conventions. When an email comes from someone that you are supposed to trust or a professional organization, more than likely, the grammatical and spelling mistakes are either predictable or nonexistent. For example, someone you know at your job may occasionally write “i” in lowercase when referring to themselves or use colloquial words like “gonna” or “wanna.” Often, these are predictable elements of your communication.

With a phishing attack, the errors are often far more egregious, featuring mistakes such as:

  1. Misspelling the company name
  2. Misspelling your name—or even that of the supposed sender
  3. Reordering key elements of a sentence, such as putting an adjective after a noun instead of before it

Suspicious Attachments

Attachments in a legitimate email are usually alluded to within the body. The sender may say, for instance, “I am attaching the report.” This makes it easy to check the attachment because its name should correlate with what was mentioned in the message. With a phishing email, the attachment may have nothing to do with the contents of the body of the email. It may also be unnecessary. For example, an email that talks about a report but with an attachment containing instructions on how to reset your password.

Emails Requesting Login Credentials, Payment Information, or Sensitive Data

Any email asking for personal information should be viewed as suspicious. With many phishing emails, the information they are asking for is something they should already have access to, such as the contact information you have provided in the past.

Companies have also chosen to never ask for login information for payment data via email, specifically because this helps prevent phishing attacks. If you ever get an email that seems to be legitimate but is asking for personal or sensitive data, it is best to reach out to the company directly by composing a new email with the appropriate address, not responding to the one you were sent.


Take an Email Risk Assessment Today

Strengthen Your Email Security. Take an Email Risk Assessment Today.

Start Assessment!

How To Increase Employee Awareness About Phishing Emails

You can increase employee awareness about phishing emails by taking the following steps:

  1. Periodically run brief but informative training sessions about the most recent types of phishing attacks.
  2. Check in with employees from time to time to see if they have noticed any attacks. This will keep them on the lookout.
  3. Use a phishing simulation service, which launches phishing attacks at your employees and then analyze the results with everyone on the team.

How Fortinet Can Help

With FortiPhish, your company can take advantage of controlled and safe phishing simulations that use all the latest attack strategies. FortiPhish allows you to:

  1. Choose the kind of emails you would like to simulate
  2. Target specific users
  3. Set up the attack for a specific time
  4. Analyze the nature of the campaign and its results

You can then use this information to figure out ways to better educate the members of your team.


What is phishing email analysis?

Phishing email analysis involves studying the content of phishing emails to ascertain the techniques the attacker used.

What is a common indicator of a phishing email?

Common indicators of a phishing email include suspicious addresses, links, or domain names, threatening language or a sense of urgency, errors in the email, the inclusion of suspicious attachments, and emails requesting sensitive information.

How can you tell if it's a phishing email?

You can spot a phishing email by looking for uncharacteristic addresses, names, links, domain names, as well as verbiage intended to scare you, mistakes, requests for sensitive information, and suspicious attachments.