The Times Australia
The Times World News

.

You know how to identify phishing emails – a cybersecurity researcher explains how to trust your instincts to foil the attacks

  • Written by Rick Wash, Associate Professor of Information Science and Cybersecurity, Michigan State University
You know how to identify phishing emails – a cybersecurity researcher explains how to trust your instincts to foil the attacks

An employee at MacEwan University got an email[1] in 2017 from someone claiming to be a construction contractor asking to change the account number where almost $12 million in payments were sent. A week later the actual contractor called asking when the payment would arrive. The email about the account number change was fake. Instead of going to the contractor, the payments were sent to accounts controlled by criminals.

Fake emails that try to get people to do things they wouldn’t normally do, such as send money, run dangerous programs[2] or give out passwords[3], are known as phishing[4] emails. Cybersecurity experts often blame the people[5] who receive such messages for not noticing that the emails are fake.

As a cybersecurity researcher[6], I’ve found that most people are good at almost all of the skills[7] that computer security experts use to notice fake emails in their inboxes. Making up the difference comes down to listening to your instincts.

How the pros do it

In earlier research, I found that when cybersecurity experts received a phishing email message[8], they, like most people, assumed the email was real. They initially took everything in the email at face value. They tried to figure out what the email was asking them to do, and how it related to things in their life.

As they read, they noticed small things that seemed off, or different from what would typically be in similar email messages. They noticed things like typos in a professional email, or the lack of typos from a busy executive. They noticed things like a bank providing account information in an email message instead of the standard notification that the recipient had a message waiting for them in the bank’s secure messaging system. They also noticed things like someone uncharacteristically emailing them without mentioning it in person first.

But noticing these signs isn’t enough to figure out the email is a fraud. Instead, the experts just became uncomfortable with the email message. It wasn’t until they saw something in the message that reminded them of phishing that they became suspicious. They would see an anomaly like a link that the email was trying to get them to click. In their minds, these are commonly associated with phishing emails.

Combined with the uncomfortable feeling about the email message, this reminder prompted the experts to recognize that phishing might explain the weird things they noticed. They became suspicious of the message and investigated to figure out if it was a fraud.

Good instincts

If that’s how experts do it, then what do regular people do? When I interviewed people without computer security experience, I found a similar process[9]. Most people noticed things that seemed off, became uncomfortable with the email, remembered about phishing and investigated.

My research found that people are good at the first two steps: noticing things in the email that seem weird, and becoming uncomfortable. Almost everyone I talked to noticed multiple problems when they saw a fake email, and told me about feeling uncomfortable with the message.

screenshot of an email message with overlaid annotations
Aspects of an email message that seem off should prompt you to consider the possibility of phishing. The trick is remembering that phishing exists. Rick Wash, CC BY-ND[10]

And if people thought about phishing, they were also good at investigating. Instead of looking at technical details, though, most people either contacted the sender or asked others for help. But they were still able to correctly figure out whether an email message was a phishing attack.

Phishing stories

Most phishing training teaches people to look for problems in email. But for most people, the hard part about phishing isn’t noticing the weird things in an email message. People often deal with weird but real emails. Many messages feel a little bit off. Sometimes your boss is having a bad day, or the bank changes its polices. No email message is perfect, and people are often attuned to that.

[You’re smart and curious about the world. So are The Conversation’s authors and editors. You can read us daily by subscribing to our newsletter[11].]

The challenge for most people was remembering that phishing exists, and recognizing that phishing might explain those weird things. Without that awareness of phishing, the weirdness in phishing messages can be lost in everyday email weirdness.

Most people I interviewed know about phishing in general. But the people who were good at noticing phishing messages reported stories about specific phishing incidents they had heard about. They told me about a time when someone at their organization fell for a phishing email, or about a news story of an incident like the one at MacEwan University.

Familiarity with specific phishing incidents helps people remember phishing generally and recognize that it might explain the weird things they notice in an email. These stories are key to people going from “something’s fishy” to “is this phishing?”

References

  1. ^ MacEwan University got an email (www.cbc.ca)
  2. ^ run dangerous programs (www.wsj.com)
  3. ^ give out passwords (www.nytimes.com)
  4. ^ phishing (www.consumer.ftc.gov)
  5. ^ blame the people (doi.org)
  6. ^ cybersecurity researcher (scholar.google.com)
  7. ^ people are good at almost all of the skills (www.usenix.org)
  8. ^ received a phishing email message (doi.org)
  9. ^ a similar process (www.ieee-security.org)
  10. ^ CC BY-ND (creativecommons.org)
  11. ^ You can read us daily by subscribing to our newsletter (theconversation.com)

Read more https://theconversation.com/you-know-how-to-identify-phishing-emails-a-cybersecurity-researcher-explains-how-to-trust-your-instincts-to-foil-the-attacks-169804

Times Magazine

Building an AI-First Culture in Your Company

AI isn't just something to think about anymore - it's becoming part of how we live and work, whether we like it or not. At the office, it definitely helps us move faster. But here's the thing: just using tools like ChatGPT or plugging AI into your wo...

Data Management Isn't Just About Tech—Here’s Why It’s a Human Problem Too

Photo by Kevin Kuby Manuel O. Diaz Jr.We live in a world drowning in data. Every click, swipe, medical scan, and financial transaction generates information, so much that managing it all has become one of the biggest challenges of our digital age. Bu...

Headless CMS in Digital Twins and 3D Product Experiences

Image by freepik As the metaverse becomes more advanced and accessible, it's clear that multiple sectors will use digital twins and 3D product experiences to visualize, connect, and streamline efforts better. A digital twin is a virtual replica of ...

The Decline of Hyper-Casual: How Mid-Core Mobile Games Took Over in 2025

In recent years, the mobile gaming landscape has undergone a significant transformation, with mid-core mobile games emerging as the dominant force in app stores by 2025. This shift is underpinned by changing user habits and evolving monetization tr...

Understanding ITIL 4 and PRINCE2 Project Management Synergy

Key Highlights ITIL 4 focuses on IT service management, emphasising continual improvement and value creation through modern digital transformation approaches. PRINCE2 project management supports systematic planning and execution of projects wit...

What AI Adoption Means for the Future of Workplace Risk Management

Image by freepik As industrial operations become more complex and fast-paced, the risks faced by workers and employers alike continue to grow. Traditional safety models—reliant on manual oversight, reactive investigations, and standardised checklist...

The Times Features

Is our mental health determined by where we live – or is it the other way round? New research sheds more light

Ever felt like where you live is having an impact on your mental health? Turns out, you’re not imagining things. Our new analysis[1] of eight years of data from the New Zeal...

Going Off the Beaten Path? Here's How to Power Up Without the Grid

There’s something incredibly freeing about heading off the beaten path. No traffic, no crowded campsites, no glowing screens in every direction — just you, the landscape, and the...

West HQ is bringing in a season of culinary celebration this July

Western Sydney’s leading entertainment and lifestyle precinct is bringing the fire this July and not just in the kitchen. From $29 lobster feasts and award-winning Asian banque...

What Endo Took and What It Gave Me

From pain to purpose: how one woman turned endometriosis into a movement After years of misdiagnosis, hormone chaos, and major surgery, Jo Barry was done being dismissed. What beg...

Why Parents Must Break the Silence on Money and Start Teaching Financial Skills at Home

Australia’s financial literacy rates are in decline, and our kids are paying the price. Certified Money Coach and Financial Educator Sandra McGuire, who has over 20 years’ exp...

Australia’s Grill’d Transforms Operations with Qlik

Boosting Burgers and Business Clean, connected data powers real-time insights, smarter staffing, and standout customer experiences Sydney, Australia, 14 July 2025 – Qlik®, a g...