Training employees to identify suspicious emails

Emails are a core part of what makes modern business practices possible. With projections in 2019 exceeding over 240 billion business-related emails a day, the ability to send messages rapidly around the world has reshaped multinational business proficiency.

The downside? It’s also an extremely lucrative tool for cybercrime.  Malicious cyber attackers commonly use email as a means of gaining access to an organization’s protected internal network.  Understanding the various email-based threats and how to identify a suspicious or potentially malicious email is a key part of protecting against these threats.

Common Malicious Email Objectives

Emails can be used for a variety of malicious purposes.  Two of the most common are to perform phishing attacks designed to steal sensitive information and as a mechanism for carrying malware into an organization.


Phishing emails are the most common type of cyberattack. Standard phishing attacks take a quantity over quality approach.  The phisher develops content that is likely to apply to a large number of people.  While this type of attack has a low likelihood of success for any given recipient, the sheer number of targets means that the attackers will have a reasonable number of successes and profit from the attack.

In general, phishing emails involve a hostile phisher sending a deceptive email that is designed to catch or trick the recipient.  Commonly, this involves clicking on a malicious link or downloading and opening an attachment. However, phishing is not a one size fits all attack.  Several different types of these attacks exist, all designed to give the attacker the data they want in different ways.

Spear Phishing

According to KnowB4, 91% of successful cyberattacks begin with a spear-phishing email.

With spear-phishing emails, rather than providing general content that can be aimed at many recipients, this method’s emails are precisely targeted to an individual or small group.  Building such an email requires more research by the phisher, but the increased credibility of the ploy increases the probability of success.


Whaling is a subset of spear phishing.  In this type of attack, the phisher masquerades as an executive from the target’s company.  Typically, these emails are sent to a single individual and are designed to request a specific action from the target, like transferring money to an account or providing a piece of sensitive information.  If the recipient believes that the email is legitimate, these types of phishing emails can be extremely lucrative for the attacker.

Malware Infection Vectors

Email is commonly used to give malware access and a foothold within an organization’s network.  An email with a malicious link or an attached file can be used to trick a user into installing the malware on the machine.  A cat and mouse game between attackers and cyber defenders has led to the development of some very sophisticated and subtle means of getting a file to run on a target machine.

One type of malware commonly spread by email is ransomware. More importantly, the number of ransomware attacks from email more than doubled between 2017 and 2018 and continues to increase and disrupt business operations in 2019.  A ransomware attack can be extremely damaging and expensive for an organization, so it’s important to identify a potential infection before it reaches its target.

Top 5 Warning Signs to Look for Before Opening Email

Phishing emails are designed to look as trustworthy as possible.  However, it is impossible to make a phishing email 100% accurate.  Employees should pause and take a few seconds to evaluate each email they receive. When gauging the authenticity of an email, there are several different warning signs to watch out for:

1. The Sender
• Is the email address of the sender correct? (i.e. spelling of the name)
• Does the email come from the correct domain (i.e. vs.
• Is the email address the right one for the context (i.e. using a professional vs. personal address)?

2. The Recipient
• Are you the only recipient?
• If not, does the group of recipients make sense?

3. The Subject
• Is the subject designed to provoke you to take some action?
• If the email claims to be a reply to a past email, did you send that email?

4. The Body
• Is the email addressed specifically to you or more generally?
• Does the spelling, grammar, and tone of the email match the sender?
• Does the email make sense? If so, do their targets make sense?

5. Attachments
• Does the file type of the attachment make sense in context (i.e. an “invoice” that is a ZIP file)?

These questions can help with identifying some of the warning signs of an email-based attack.  If an email passes these tests, it is much less likely to be malicious.  Nevertheless, it is important to continue to be cautious when dealing with unexpected and potentially suspicious emails. Additional reinforcement of quarterly training, frequent phish testing, and additional security training in lieu of annual training or reserved for the new on-boarding employees will further protect your organization.