Contact us: +45 32 67 26 26
English
Back to blog
5 min read

8 Tells, that Show You Caught a Phishing Email

Anders Bryde Thornild
By: Anders Bryde Thornild Cyber Security | 12 December

It gets harder and harder to spot a phishing email. You can't just look at the sender domain and the URL to conclude if it's yay or nay. 

Therefore, we collected 8 tells that you and your colleagues can look for in every email. If you learn how to spot these tells, it will be easier to spot the dangerous emails.

Table of content

  1. What are the 8 tells of a phishing email?
    1. Social engineering tricks
  2. Rewards
  3. Do the right thing
  4. Curiosity
  5. Media
  6. Fear
  7. Context
  8. Trust
  9. Time sensitivity
  10. We build our phishing mails on these tells
  11. Summary

What are the 8 tells of a phishing email?

Before jumping into the 8 tells, it's important to note that it's not a definitive list. There's more than 8 tells out there, but the tells we've included are the ones we see the most. We had to draw the line somewhere. 

It's also important to note that these tells are in the content of the email. We are not diving into the technical tells, which could be the URL in the email, the sender domain, or the IP address. These are all important to look for, but not a part of this article.

Social engineering tricks

Instead, the 8 tells are social engineering methods. They're tricks and tactics that influence our behavior, emotions, and psychology. It's how the emails try to manipulate us to click. As mentioned, we've collected the 8 ones we see used the most. If you can spot them, you've gotten a long way.

It's also important to note, that one phishing email can have many of these tells in them. Often, they have more than one.

Let's dive into it. 

 1. Rewards

Rewards are the first tell. If you receive an email where you are offered a reward in some way. This should be a warning sign.

Who doesn't like to get a reward?

We've all gotten the message: "You've won a new iPhone."

Hopefully, you won't believe the message, unless you've actually signed up for a competition. 

But the trick is still useful for hackers because the reward can be scaled up and down. For example:

  • You are the employee of the month
  • You've been chosen for our closed-circle group
  • Here's a gift card because you are beautiful

If the award is right, it will trigger happiness, making you more likely to lower your guard and click the link. 

2. Do the right thing

You want to help people. You want to do good things. You want to do the right thing. If somebody tries to get you to do a good thing. It might be a warning sign.

We all want to do what's considered good in our society. We are all ethical people (at least most of us).

But hackers know and use this.

They try to trigger us to do something by making us think we are doing something good. 

They could make you think you are donating money to refugees. Or they could try to make you think you are helping a colleague. 

If you get an email where somebody is trying to get you to do something "good," then it should raise a flag, and you should probably investigate if it's true or not.

And if it is true, then please do the right thing, of course ;) 

 

Risk

3. Curiosity

If an email sparks your curiosity. It could be a phishing tell.

We can't deny that we are curious people. We all love gossip. You only have to glance at the list of most searched keywords every year to know it's true. Or just take a look at most newspaper articles or YouTube videos.

Almost all the titles are filled with clickbait. 

Why?

Because it makes us click.

Journalists and content creators know it. Hackers know it as well. They use the same tricks.

If you get an email where the content sounds clickbaity, it should be a potential red flag.

Maybe it's fine, because as mentioned many medias use curiosity in their titles. We use it ourselves to some degree - heck, this blog post's title tries to trigger your curiosity.

But you need to be aware when you see this. Why are they doing it? Who is it from? It could be a sign of phishing.

4. Media

Does it make sense, I'm getting this message in this way? If no, be careful.

This tell is closer to a technical tell than the language or emotions the previous ones tried to use.

In phishing emails, we get a message, maybe even an attached file.

The email is the media you get it with (even though, vishing and smishing could be other medias).

This tell is about the media. You need to ask yourself, does it make sense?

The message I'm getting - am I supposed to get this message through an email?

Maybe you receive an email about a new password system in your company - but you know that normally you wouldn't get this kind of information in an email. Then this should raise a red flag as well.

Or if your "bank" writes you an email, or the "police" calls you on your phone. Would they do that? Maybe they would, but that's the question you and your colleagues always need to ask yourselves.

5. Fear

The next tell is fear. 

In many ways, you can think of it in the same way as rewards. Fear is a strong emotion, and we want to be "become safe" again. This means we often want to react if we feel fear. 

Maybe  you are scared of missing out on something, or making a mistake that will make your boss or colleague angry. 

The hackers will try to write something that triggers these kind of fears in you and your colleagues. 

This means, that if you feel fear after reading an email, you should question if the email is legit. 

Often, this goes hand in hand with curiosity and us wanting to do the right thing. 

6. Context

Context - this is about everything else than the phishing email itself. 

An email doesn't exist in it's own little world. It's a part of our everyday life - and hackers know that as well.

Maybe they write an email about something super relevant happening in the world or something closely related to your company. 

Think of scammers using Black Friday to scam people. They use the context of Black Friday, because peoples' guards are down. They expect good offers, so they are more likely to click good offers. But it could also be a that a hacker researched you company, knew you were going to some event, and then sent you an email about that. 

You and your colleagues need to learn to spot and think about the context. Does it fit, or is there something suspicious going on? 

Yes, your company might use a "vendor" who is "writing" to you, but you might not be the normal recipient, so something may be off here.

If something could be off, remember to confirm it somewhere else before jumping on it. 

7. Trust

This one normally doesn't come as a surprise either.

The tell, trust, is when hackers use somebody we trust or somebody with authority to make us click. E.g., by impersonating them. 

A classic example is when you get an email from "GLS", but you haven't ordered anything. Or your bank writes to tell you that your bank account has been compromised.

CEO fraud is also an example of this.

The reason they do this is that we tend to lay down our defenses and listen to authorities - because we trust them.

This means, that you should actually be MORE on your guard if somebody you trust writes to you.

Is it actually them?

Confirm it through other channels if you're in doubt. 

8. Time sensitivity

The last tell is time sensitivity - we can also call it urgency. 

Basically, it's when message writes something like:

  • Hurry up and do this, and something AWESOME will happen
  • Hurry up and do this, or something BAD will happen

The hackers try to rush us into doing something. This is also a tactic we see used in marketing, so we know that it can be for real - e.g., "the first 50 to sign up get a free t-shirt."

But...

Every time you see a message where somebody says you need to something fast.

It should get you thinking: Is this a scam?

Because it's a method hackers use all the time.

We build our phishing emails on these tells

These tells aren't just in the phishing emails circulating from scammers.

It's also the tells we are using in our own phishing emails. In our phishing training, we test your employees and we teach them to spot exactly these tells. 

You can spot most phishing mails through the sender domain or url's, but sometimes you can't, and then you are left with your common sense and ability to spot that something is off in the message itself. This is where the tells come in and why they are so important to know.

If you're curious about our training, you can check out our phishing training page or even check out a few of our phishing emails

Summary

Those are the 8 tells.

As you might have figured out, all of these 8 tells are used in phishing emails. But they are also used in completely harmless communications.

It's not a clear checklist where you and your colleagues can say: 

"If this, then this."

But it's an analytical framework. 

If you start to spot these kinds of tells, you can start analyzing them.

You will start to spot more phishing emails.

And you will also start to see when Temu is trying to get you to buy something crappy. It's a win-win.
Back to blog
Recent articles
Cyber Security How To Do Good Phishing Simulations

Phishing simulations and phishing training is a way to make sure your team learns how to spot dangerous e-mails in their inbox. But how do you make good phishing simulations?

Sarah Hofmann 7 min read - By Sarah Hofmann
Cyber Security Spear Phishing: What Is It And How Do You Prevent It?

Phishing is a dangerous threat but spear phishing is an even bigger threat. Spear phishing is targeted phishing. Read what it is and how to prevent it.

Gillian Loones 4 min read - By Gillian Loones
Cyber Security Should You Phish Your Colleagues? We Think So!

Phishing is the biggest security threat that companies are facing today. That's why you should train your employees in recogninsing phishing attempts.

Sarah Hofmann 7 min read - By Sarah Hofmann