The Times Australia
The Times World News

.

You know how to identify phishing emails – a cybersecurity researcher explains how to trust your instincts to foil the attacks

  • Written by Rick Wash, Associate Professor of Information Science and Cybersecurity, Michigan State University
You know how to identify phishing emails – a cybersecurity researcher explains how to trust your instincts to foil the attacks

An employee at MacEwan University got an email[1] in 2017 from someone claiming to be a construction contractor asking to change the account number where almost $12 million in payments were sent. A week later the actual contractor called asking when the payment would arrive. The email about the account number change was fake. Instead of going to the contractor, the payments were sent to accounts controlled by criminals.

Fake emails that try to get people to do things they wouldn’t normally do, such as send money, run dangerous programs[2] or give out passwords[3], are known as phishing[4] emails. Cybersecurity experts often blame the people[5] who receive such messages for not noticing that the emails are fake.

As a cybersecurity researcher[6], I’ve found that most people are good at almost all of the skills[7] that computer security experts use to notice fake emails in their inboxes. Making up the difference comes down to listening to your instincts.

How the pros do it

In earlier research, I found that when cybersecurity experts received a phishing email message[8], they, like most people, assumed the email was real. They initially took everything in the email at face value. They tried to figure out what the email was asking them to do, and how it related to things in their life.

As they read, they noticed small things that seemed off, or different from what would typically be in similar email messages. They noticed things like typos in a professional email, or the lack of typos from a busy executive. They noticed things like a bank providing account information in an email message instead of the standard notification that the recipient had a message waiting for them in the bank’s secure messaging system. They also noticed things like someone uncharacteristically emailing them without mentioning it in person first.

But noticing these signs isn’t enough to figure out the email is a fraud. Instead, the experts just became uncomfortable with the email message. It wasn’t until they saw something in the message that reminded them of phishing that they became suspicious. They would see an anomaly like a link that the email was trying to get them to click. In their minds, these are commonly associated with phishing emails.

Combined with the uncomfortable feeling about the email message, this reminder prompted the experts to recognize that phishing might explain the weird things they noticed. They became suspicious of the message and investigated to figure out if it was a fraud.

Good instincts

If that’s how experts do it, then what do regular people do? When I interviewed people without computer security experience, I found a similar process[9]. Most people noticed things that seemed off, became uncomfortable with the email, remembered about phishing and investigated.

My research found that people are good at the first two steps: noticing things in the email that seem weird, and becoming uncomfortable. Almost everyone I talked to noticed multiple problems when they saw a fake email, and told me about feeling uncomfortable with the message.

screenshot of an email message with overlaid annotations
Aspects of an email message that seem off should prompt you to consider the possibility of phishing. The trick is remembering that phishing exists. Rick Wash, CC BY-ND[10]

And if people thought about phishing, they were also good at investigating. Instead of looking at technical details, though, most people either contacted the sender or asked others for help. But they were still able to correctly figure out whether an email message was a phishing attack.

Phishing stories

Most phishing training teaches people to look for problems in email. But for most people, the hard part about phishing isn’t noticing the weird things in an email message. People often deal with weird but real emails. Many messages feel a little bit off. Sometimes your boss is having a bad day, or the bank changes its polices. No email message is perfect, and people are often attuned to that.

[You’re smart and curious about the world. So are The Conversation’s authors and editors. You can read us daily by subscribing to our newsletter[11].]

The challenge for most people was remembering that phishing exists, and recognizing that phishing might explain those weird things. Without that awareness of phishing, the weirdness in phishing messages can be lost in everyday email weirdness.

Most people I interviewed know about phishing in general. But the people who were good at noticing phishing messages reported stories about specific phishing incidents they had heard about. They told me about a time when someone at their organization fell for a phishing email, or about a news story of an incident like the one at MacEwan University.

Familiarity with specific phishing incidents helps people remember phishing generally and recognize that it might explain the weird things they notice in an email. These stories are key to people going from “something’s fishy” to “is this phishing?”

References

  1. ^ MacEwan University got an email (www.cbc.ca)
  2. ^ run dangerous programs (www.wsj.com)
  3. ^ give out passwords (www.nytimes.com)
  4. ^ phishing (www.consumer.ftc.gov)
  5. ^ blame the people (doi.org)
  6. ^ cybersecurity researcher (scholar.google.com)
  7. ^ people are good at almost all of the skills (www.usenix.org)
  8. ^ received a phishing email message (doi.org)
  9. ^ a similar process (www.ieee-security.org)
  10. ^ CC BY-ND (creativecommons.org)
  11. ^ You can read us daily by subscribing to our newsletter (theconversation.com)

Read more https://theconversation.com/you-know-how-to-identify-phishing-emails-a-cybersecurity-researcher-explains-how-to-trust-your-instincts-to-foil-the-attacks-169804

Times Magazine

Headless CMS in Digital Twins and 3D Product Experiences

Image by freepik As the metaverse becomes more advanced and accessible, it's clear that multiple sectors will use digital twins and 3D product experiences to visualize, connect, and streamline efforts better. A digital twin is a virtual replica of ...

The Decline of Hyper-Casual: How Mid-Core Mobile Games Took Over in 2025

In recent years, the mobile gaming landscape has undergone a significant transformation, with mid-core mobile games emerging as the dominant force in app stores by 2025. This shift is underpinned by changing user habits and evolving monetization tr...

Understanding ITIL 4 and PRINCE2 Project Management Synergy

Key Highlights ITIL 4 focuses on IT service management, emphasising continual improvement and value creation through modern digital transformation approaches. PRINCE2 project management supports systematic planning and execution of projects wit...

What AI Adoption Means for the Future of Workplace Risk Management

Image by freepik As industrial operations become more complex and fast-paced, the risks faced by workers and employers alike continue to grow. Traditional safety models—reliant on manual oversight, reactive investigations, and standardised checklist...

From Beach Bops to Alpine Anthems: Your Sonos Survival Guide for a Long Weekend Escape

Alright, fellow adventurers and relaxation enthusiasts! So, you've packed your bags, charged your devices, and mentally prepared for that glorious King's Birthday long weekend. But hold on, are you really ready? Because a true long weekend warrior kn...

Effective Commercial Pest Control Solutions for a Safer Workplace

Keeping a workplace clean, safe, and free from pests is essential for maintaining productivity, protecting employee health, and upholding a company's reputation. Pests pose health risks, can cause structural damage, and can lead to serious legal an...

The Times Features

Exploring the Curriculum at a Modern Junior School in Melbourne

Key Highlights The curriculum at junior schools emphasises whole-person development, catering to children’s physical, emotional, and intellectual needs. It ensures early year...

Distressed by all the bad news? Here’s how to stay informed but still look after yourself

If you’re feeling like the news is particularly bad at the moment, you’re not alone. But many of us can’t look away – and don’t want to. Engaging with news can help us make ...

The Role of Your GP in Creating a Chronic Disease Management Plan That Works

Living with a long-term condition, whether that is diabetes, asthma, arthritis or heart disease, means making hundreds of small decisions every day. You plan your diet against m...

Troubleshooting Flickering Lights: A Comprehensive Guide for Homeowners

Image by rawpixel.com on Freepik Effectively addressing flickering lights in your home is more than just a matter of convenience; it's a pivotal aspect of both home safety and en...

My shins hurt after running. Could it be shin splints?

If you’ve started running for the first time, started again after a break, or your workout is more intense, you might have felt it. A dull, nagging ache down your shins after...

Metal Roof Replacement Cost Per Square Metre in 2025: A Comprehensive Guide for Australian Homeowners

In recent years, the trend of installing metal roofs has surged across Australia. With their reputation for being both robust and visually appealing, it's easy to understand thei...