Phishing is probably the best-known method used by cybercriminals, and one of the simplest. It works because it exploits urgency, trust and the human tendency to act first and think later, rather than relying on any clever technology. Knowing how phishing emails are constructed makes them easier to recognize and avoid.
Below, I break down the most common elements of a phishing email, walk through simulated (safe, educational) examples, explain the warning signs, and give practical steps for prevention and response.
Why study the anatomy?
Because phishing is not just “spam.” It is usually a carefully crafted social engineering message designed to get you to:
- click a link,
- open a malicious attachment, or
- disclose credentials or confidential information.
If you can recognize the basic building blocks, you can stop many attacks before they begin.
The most common components of a phishing email
- Fake sender or display name: the display name may look genuine (e.g., “Bank Support”) while the actual sender address is suspicious or subtly altered.
- A compelling subject line: crafted to grab attention or trigger an emotion such as fear, urgency or curiosity.
- Personalization (real or fabricated): your name, job title or other details, often gathered from the internet or earlier data breaches, to make the message look authentic.
- Urgency or threats: “Immediate action required,” “Account suspended,” “Final notice” push you to act immediately without thinking.
- Misleading or malicious links: the link text may show a well-known company URL, but the actual hyperlink points to an unrelated domain (or a URL shortener).
- Attachments (dangerous file types): .zip, .exe, .js, or Office documents with macros are frequently used to deliver malware. PDFs are weaponized too.
- Social proof or signals of legitimacy: fake signatures, logos and employee names, or references to public events or partners, to build confidence.
- Requests to verify sensitive information: “Confirm your password,” “Verify your bank details,” or requests to transfer funds are red flags for account takeover or fraud.
- Poor writing and odd formatting: grammar mistakes, unusual punctuation, awkward phrasing or unorthodox styling are warning signs, although some advanced phish are highly polished.
- Pressure to keep it secret: “Don’t tell anyone” or “This must stay confidential” isolates the victim and prevents second opinions.
Simulated examples (educational only)
Note: the examples in this article are recreated for training and to illustrate common signals. They are not real phishing campaigns and are not intended for malicious use.
Example A: Credential harvest (email style)
Subject: Urgent: Verify Your AcmeCorp Email Access — 24h Remaining
From (display): AcmeCorp IT Support
From (actual address): notifications@acme-helpdesk[.]secure-login[.]online
Body (excerpt):
Hello Sarah,
We have detected suspicious activity on your AcmeCorp account. To avoid suspension, verify your account immediately:
[Verify Your Account]
Failure to verify within 24 hours may result in temporary suspension.
Thank you,
AcmeCorp IT
What makes this suspicious (red flags):
- The real from-address is not the company domain.
- Manufactured urgency (“24h remaining”) to prompt a quick reaction.
- The button text looks legitimate, but the hyperlink behind it (hover to see it) points to an unknown domain.
- Personalization is limited to a first name (easy to guess or scrape).
Example B: Invoice / Business Email Compromise (BEC) lure
Subject: Invoice #4572 — Payment Overdue
From (display): Payment Services / vendor@payco[.]com
Attachment: Invoice_4572.zip
Body (excerpt):
Dear Finance Team,
Please see the attached invoice for immediate processing. The invoice total is $9,450 and is due today. Confirm payment using the bank details in the attachment.
Regards,
John Matthews, Accounts
Why this is alarming:
- An unexpected invoice from a vendor the company does not recognize.
- The attachment is a .zip (commonly used to hide executables and scripts).
- Urgency (“due today”) encourages people to skip verification.
- No purchase order number or contract reference, which is a poor match for a genuine vendor invoice.
Example C: Confidence-builder based on social proof
Subject: Re: Interview confirmation — Documents enclosed
From (display): careers@reputablejobs[.]com
Body (excerpt):
Hi Priya,
It was a pleasure speaking with you. Attached are your onboarding documents. Please complete and return them. If you have questions, call Maria (HR) at +555-999-0123.
Best, Maria Lopez
Why this could be suspicious:
- The phone number or email address may be part of the scheme to appear genuine.
- Attachments that ask to be signed may carry malware or lead to credential harvesting on fake websites.
- Confirm that you actually applied to or interacted with this company; unsolicited approaches are common.
How to inspect an email safely (quick checklist)
- Hover over links (don’t click) to see the real URL. Look for subtle typos, unexpected subdomains or raw IP addresses.
- Look at the sender’s full email address, not just the display name.
- Inspect attachments: avoid .exe, .js and .zip files, and be wary of Office documents that ask you to enable macros.
- Check for branding mismatches: low-resolution logos, wrong fonts, inconsistent footers.
- Ask yourself: was I expecting this? Do I have a relationship with this sender?
- Verify through another channel: call the company using a number from its website (not one in the email), or check an internal directory to confirm a colleague’s request.
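As an added example (not code from the original article), here is a small Python triage script that applies the checklist above to a constructed message modelled on Example A: it compares the display name with the real sender address, looks for urgency wording in the subject, flags risky attachment types, and compares each link's visible text with the host its href actually points to. The company domain, the risky-extension list and the made-up sender domain are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (not from the article): the real company domain and risky attachment types.
TRUSTED_DOMAINS = ("acmecorp.com",)
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".docm", ".xlsm")
URGENCY = re.compile(r"urgent|immediately|\b24 ?h|suspend|final notice|due today", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_trusted(host):
    host = host.lower()  # company domain or one of its subdomains
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw):
    """Apply the checklist to one raw RFC 822 message; return the red flags found."""
    msg = message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    if not is_trusted(addr.rsplit("@", 1)[-1]):
        # Check the full sender address, not the display name the mail client shows
        flags.append(f"sender: display name {display!r} but real address is {addr}")
    if URGENCY.search(msg.get("Subject", "")):
        flags.append("subject: urgency language")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"attachment: risky file type {name}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in ANCHOR.findall(html):
                # Compare the visible link text with where the href really goes
                host = urlparse(href).hostname or ""
                if not is_trusted(host):
                    flags.append(f"link: {text.strip()!r} really goes to {host}")
    return flags

# Constructed message modelled on Example A (the domains are made up)
SAMPLE_A = """\
From: AcmeCorp IT Support <notifications@acme-helpdesk.secure-login.example>
Subject: Urgent: Verify Your AcmeCorp Email Access - 24h Remaining
Content-Type: text/html; charset=utf-8

<p><a href="https://acme-helpdesk.secure-login.example/login">Verify Your Account</a></p>
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE_A):
        print("RED FLAG -", flag)
```

Running it on SAMPLE_A yields three flags: the off-domain sender behind the “AcmeCorp IT Support” display name, the urgent subject, and the link whose text reads “Verify Your Account” but resolves to the fake domain.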
Defensive controls organizations should deploy
- Email filtering and threat intelligence: block known bad senders and attachments, score suspicious messages, and quarantine them.
- Link rewriting and URL scanning: security gateways rewrite links and scan them at click time to block malicious sites.
- Attachment sandboxing: detonate suspicious attachments in an isolated sandbox to spot malicious behaviour.
- SPF, DKIM and DMARC: implement email authentication so your domain cannot easily be spoofed.
- Multi-factor authentication (MFA): even if credentials are phished, MFA can block account access.
- Least privilege and session controls: limit the damage a compromised account can do and enforce short sessions.
- User training and phishing simulations: regular, realistic exercises dramatically reduce click-through rates.
- Endpoint protection and EDR: detect and block malicious payloads when a phishing email leads to an infection.
What users should learn (plain language)
- Be wary of urgent requests and unexpected attachments.
- Don’t reuse passwords; use a password manager.
- Turn on MFA for every account that supports it.
- If an email asks you to “verify” or “confirm” credentials, go to the website directly via a bookmark or by typing the address yourself. Don’t click the link in the email.
- If in doubt, contact IT or reach the company through its official contact details.
If you (or your team) clicked or entered credentials, act immediately
- Disconnect the device from the network or internet (or isolate it) to limit access.
- Change the passwords for the affected accounts from a different, trusted device, and rotate any shared credentials.
- Enable MFA if it is not already on.
- Notify IT and your security team immediately. Time matters.
- Scan the device with up-to-date endpoint detection software and check for persistence (new user accounts, scheduled tasks).
- Monitor accounts for suspicious activity (bank, email, administrator consoles).
- Consider the risk of credential stuffing: a reused password may be tried elsewhere.
- Preserve the email (headers and full message) for forensic analysis if needed.
Training and a phishing-aware culture
- Run short, agile phishing exercises every month and follow up with micro-training for users who click.
- Use realistic scenarios such as invoices, IT notices, HR messages and delivery notifications, not obvious “free gift” scams.
- Recognize teams that improve and build a no-blame reporting culture so people report suspicious emails without fear.
- Provide a one-click report button in mail clients that forwards suspicious emails to security while preserving the headers.
Final checklist: spot phishing like an expert
- Verify the sender’s email address.
- Hover over links; don’t click.
- Watch for unusual attachments and preview files with trusted tools.
- Treat urgent requests to move money or change credentials as red flags.
- Use password managers and MFA.
- Report suspicious emails to your company’s IT/security team.
Phishing relies on speed and confidence. The most effective defense combines a simple set of habits (pause, look, verify) with strong technical controls. Train your eyes to spot the clues above and you will see through the deception the next time a fraudulent “urgent” email lands in your inbox.