Digital Security Awareness - Email Phishing: the Classic Social Engineering Technique
Estimated read time: 3 min
Email Phishing - The Most Common Cyber Attack
Email phishing is the most common technique attackers use to steal personal information or inject malware into workstations.
What is email phishing?
Phishing is a scam in which attackers impersonate trusted entities to trick you into sharing sensitive information via email. The same technique is often used to trick users into opening malware-laden attachments.
How it works
You receive an email that appears to come from a trusted source, like a bank, online retailer, or popular social media platform. The message claims there’s an issue with your account and asks you to take some action to resolve it. The action might be clicking a link that redirects you to a copycat website where you’re asked to enter login details or other sensitive information.
Example: You get an email from “PayPal Support” stating your account has been compromised and asking you to verify your login information. You’re redirected to a site that looks just like PayPal, but it's a look-alike site designed to capture your login credentials.
Example: You receive an email from “HR Department” with a subject line saying, “Urgent: Employee Benefits Update.” This email includes an attachment labeled “Benefits_Overview.pdf.” The PDF silently installs malware on your computer when opened.
How to protect yourself
Double-check email addresses: phishing emails often come from addresses that look similar to legitimate ones but have subtle differences. Always verify the sender’s email.
Be skeptical of urgent requests: phishing emails often create a sense of urgency, like threatening to close your account unless you act fast. If you're unsure, contact the company directly using a phone number or website you trust.
Don’t click on links in suspicious emails: hover over links before clicking them to see where they actually lead. If anything seems off, don’t click.
Multi-factor authentication: enforce multi-factor authentication on all accounts. Although many providers offer SMS-based MFA, prefer an authenticator app, because SMS codes can be intercepted through a SIM swap and lead to account takeover.
Keep your software up to date: security patches protect your systems from software vulnerabilities exploited by malware.
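As an added illustration that is not part of the original post, the first and third tips above (verify the sender's address; check where a link really leads) can also be automated at the mail gateway or in a help-desk triage script. The code below is example code written for this page, not a tool from the blog; it parses a constructed sample message, flags a sender domain that sits within a couple of character edits of a trusted domain, and flags links whose visible text names a different site than the real target in the href. The trusted-domain list, the sample message, the edit-distance threshold and the crude "last two labels" domain comparison are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "PayPal Support" message with a look-alike sender
# domain and a link whose visible text does not match its real target.
SAMPLE_EMAIL = """\
From: PayPal Support <support@paypa1.com>
To: employee@example.org
Subject: Urgent: your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual activity. Please verify your account within 24 hours.</p>
<p><a href="http://paypal-verify.example.net/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Domains this organisation treats as trusted senders (constructed list, an assumption).
TRUSTED_DOMAINS = {"paypal.com", "example.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; spots domains that differ from a trusted one by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation (assumption: no public-suffix list offline)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> list:
    """Flag sender domains that are not trusted but sit within a short edit distance of one."""
    findings = []
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain and domain not in trusted:
        for t in sorted(trusted):
            if levenshtein(domain, t) <= max_distance:
                findings.append(f"sender domain {domain!r} looks like trusted domain {t!r}")
    return findings


def check_links(html: str) -> list:
    """Flag anchors whose visible text names a different domain than the real href target."""
    findings = []
    parser = _LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append(f"link text shows {shown.group(1)!r} but goes to {href_host!r}")
    return findings


def analyse(raw_email: str) -> list:
    """Run both checks over a raw RFC 5322 message and return all findings."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg.get("From", ""))
    body = msg.get_payload(decode=True)  # bytes for a single-part message
    findings += check_links(body.decode("utf-8", "replace") if body else "")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the constructed sample, the script reports two warnings: the sender domain `paypa1.com` is one edit away from the trusted `paypal.com`, and the link that displays `www.paypal.com` actually points at `paypal-verify.example.net`. A real deployment would replace the two-label domain comparison with a public-suffix list and would treat a match as a reason to quarantine or flag the message for a human, not as proof of phishing.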
Email phishing is easily exploited to obtain personal details and account credentials, and even to inject malware. Avoid falling victim by arming your organization with the knowledge and tools required to recognize phishing. Employee training and awareness significantly reduce the risk of successful attacks, transforming employees from potential vulnerabilities into a robust line of defense.
This follow-up post is part of a blog series I'm writing called Digital Security Awareness for Non-Technical Professionals.