Typical indicators of phishing e-mails

• E-mails written in bad language: Another way to identify phishing e-mails is often the poor language quality (bad grammar, spelling mistakes). Those who use mail clients in offices often apply spelling correction.

• E-mails demanding immediate action: Be careful with e-mails threatening the loss of an opportunity or other negative consequences that can only be averted if immediate action is taken. These are often phishing e-mails. Attackers frequently use this method to put recipients under pressure in order to carry out harmful action before the e-mail recipient has the opportunity to examine the e-mail more closely for possible inconsistencies.

• E-mails with an uncommon salutation or greeting: E-mails exchanged between office employees usually have a well-known greeting. E-mails beginning with "Dear XY", or other salutations that look unusual for office communication, originate from senders who don't know about the informal rules of your specific office communication style and thus should be treated with caution.

• Suspicious e-mail addresses: Finding discrepancies in e-mail addresses, links and domain names is another way to identify phishing e-mails. Does the e-mail really come from the sender or company with which frequent e-mail traffic takes place? If so, check whether the sender address matches the sender addresses of previous e-mails from the same company. Or you can click on the reply button in your e-mail client and check the plausibility of the address inserted by the e-mail program in the To: field without sending the e-mail. Does this correspond to the sender's expected e-mail address? Check whether a link contained in the e-mail is correct by moving the mouse cursor over it to see where the link points. If an e-mail supposedly comes from Google, for example, but the domain name (link) is different, report the e-mail as a phishing e-mail. In general, you should not click on links in e-mails unless absolutely necessary. For signed e-mails, you should check the signature, i.e. the e-mail program will show you whether the sender address is real or not.

• Suspicious attachments: Work-related file sharing usually takes place using tools like Dropbox or OneDrive. Therefore, internal e-mails with file attachments should always be classified as suspicious, especially if the attachments have unusual file extensions such as .zip, or .exe, which are quite often used for malware attacks. Regarding documents (e.g. from Word, Excel, Powerpoint) you should deny the execution of macros ("content") when asked. Contact IT Service Group immediately if you accidentally opened a bad file.

• E-mails requesting sensitive data: You will never be asked by your IT department or bank for your (login-) password in an e-mail. Of course, this also applies if you are asked about it on other channels (e.g. videocall, telephone). Exceptional caution should be taken with e-mails that ask the recipient to carry out any type of order. We recommend to contact the sender (using another channel like video call or phone) to verify whether the order is genuine. E-mails that come from an unfamiliar or unexpected senders. Sensitive data should be treated with caution. Fraudsters, for instance, imitate a fake login page or a page for changing a password. Whenever an e-mail recipient is guided to a page requesting a password, you should refuse from entering any relevant information unless you are 100% sure that the email is genuine.

• E-mails promising a reward: Such e-mails give the recipient a strong incentive to click on a link or open an attachment, promising kind of a reward. If the sender of the e-mail looks unusual, there is a high probability that it is a phishing e-mail.

See also

https://ethz.ch/staffnet/en/news-and-events/internal-news/archive/2022/12/how-to-recognise-phishing-emails.html