
Common email phishing tactics

Tactic #1: An urgent request for action from someone within your organization

Emails are easily manipulated to appear to come from a legitimate source, including the company CEO or a direct supervisor. Never rely on the displayed name; always check that the email you received is from an email address you recognize. Typically, there are additional red flags to alert you to a scam or fraud attempt:

Example of a common email phishing attempt:

Red Flags:
  • Employee name is shown, but the email address is not a company email address.
  • Sentences are poorly written or contain basic grammatical errors.
  • The email creates a sense of urgency, suggesting immediate action is required.
What You Should Do:
  • Do not reply to the email.
  • Forward the email to your IT or Fraud Department. They are the best equipped to identify if the email is legitimate or not.
  • When in doubt, use a different channel to reach out to the party in question. Calling the person who supposedly sent the email is a great way to confirm or deny the validity of the email.

Tactic #2: Fake 'Password has expired' or 'Credential reset required' emails

Never click on links in an email without first confirming they are from a legitimate source, even if they appear to be real or from a company you recognize. Fake password or credential reset emails have become more prevalent in recent years and are one of the most common ways for intruders to gain access to critical business accounts.

Example of a fake 'Credentials Expired' email:

How to Spot a Fake Reset Credentials Email
Red Flags:
  • Employee or business name is used, but the email address is not a company email address, or the name contains a spelling error.
  • The email creates a sense of urgency, suggesting immediate action is required.
  • Sentences are poorly written or contain basic grammatical errors.
  • You were not expecting a password or credential reset email.
What You Should Do:
  • Do not click on any links contained within the email and do not reply to the email.
  • Forward the email to your IT or Fraud Department. They are the best equipped to identify if the email is legitimate or not.
  • When in doubt, use a different channel to reach out to the party in question. Calling the person who supposedly sent the email is a great way to confirm or deny the validity of the email.
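As an added example (not code from the page or its publisher), the following Python checker applies the red flags listed under both tactics to a plain-text email: an employee's display name paired with a non-company address, a lookalike or external sender domain, urgent wording, and links to hosts outside the company. The company domain, the employee directory and the two sample messages are assumed and constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the company's mail domain and a small directory of employee names -> mailboxes.
COMPANY_DOMAIN = "example.com"
DIRECTORY = {"jane doe": "jane.doe@example.com"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|asap|expire[sd]?|within \d+ hours?)\b", re.I)

# Constructed sample messages (not from the page), one per tactic.
CEO_SCAM = """From: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Urgent request

I need you to take care of something for me right away. Reply as soon as you can.
"""
RESET_SCAM = """From: IT Helpdesk <helpdesk@examp1e.com>
Subject: Your password has expired

Your credentials expire within 24 hours. Reset now: https://examp1e.com/reset
"""

def edit_distance(a, b):
    # Levenshtein distance, used to catch near-miss lookalike domains (examp1e vs example).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw_email):
    # Return the page's red flags that apply to one plain-text email, as a list of strings.
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", "").lower())  # lower-cased for the directory lookup
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    flags = []
    if name in DIRECTORY and addr != DIRECTORY[name]:
        flags.append("employee name shown, but the address is not their company mailbox")
    if domain != COMPANY_DOMAIN:
        kind = "lookalike" if edit_distance(domain, COMPANY_DOMAIN) <= 2 else "external"
        flags.append(f"{kind} sender domain {domain!r} (company domain is {COMPANY_DOMAIN!r})")
    if URGENCY.search(text):
        flags.append("urgent language demanding immediate action")
    for host in re.findall(r"https?://([^/\s>]+)", text, re.I):
        if host.lower() != COMPANY_DOMAIN and not host.lower().endswith("." + COMPANY_DOMAIN):
            flags.append(f"link points to external host {host!r}")
    return flags
```

Running `red_flags(CEO_SCAM)` and `red_flags(RESET_SCAM)` returns three flags each, while a genuine internal message from a directory entry returns none.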


What to do if you suspect your email has been compromised:

  1. Stop using your email account and computer. Call your IT Department to explain the situation.
    • Your IT Department can help identify the extent of the compromise and the appropriate next steps to resume business functionality.
  2. Call your business partners to notify them of the compromise. Business partners may include your:
    • Bank or other financial institutions
    • Third-party payroll provider
    • Investment advisor
    • Benefits coordinator
  3. After your IT Team has verified that it is safe to login to your work computer, create a new and strong network/email password:
    • Use a passphrase instead of a password – long, complex passwords are hard to remember and easier to crack than a passphrase. Including punctuation, upper- and lower-case letters, and special characters makes your passphrase even harder for cracking tools to decode.
    • Create a unique password or passphrase that is not used for any other systems.
    • If you used your compromised password to log in to any other system, change the password to those systems. The compromised password should never be reused.
    • Set up Multi-Factor Authentication (MFA) if your system supports it – typical MFA solutions generate a one-time passcode via text message or an authenticator app to provide an additional layer of security during the login process.

If you have limited IT or Information Security Resources and suspect a breach or security incident:

  1. Call whatever IT resources you have available.
    • Consider contacting a third-party vendor that specializes in digital forensics.
  2. Gather any system logs you can find. System logs help identify the What, When, and How of a security incident. Below are some sample log sources that may contain pertinent information during a cybersecurity incident.

    Note: Not all system logs are enabled by default, and not all logs are kept indefinitely.

    • Windows Event log
    • Firewall logs
    • Anti-virus detection logs
    • IPS/IDS logs
  3. Restrict who can log in to your corporate network until the full extent of the breach can be properly identified.
  4. After you have determined the threat has been contained and remediated, reset any employee accounts that may have been impacted during the security incident.

Resources for your employees:

  1. Follow all department policies and procedures.
  2. When in doubt – call your customer directly with the contact information on file. Never reply to a suspected fraudulent email, text message, or phone number.
  3. Encourage good password habits:
    • Use passphrases instead of passwords. Password cracking tools are well adapted to decoding shorter yet complex passwords and are not well suited to long passphrases including punctuation, upper- and lower-case characters, and special characters.
    • Check for known compromised passwords. Websites such as haveibeenpwned.com maintain a list of known data breaches and compromised passwords.
    • Password managers suggest passwords that are hard to crack and encourage users to select a unique password or passphrase for each system.
  4. Be cautious about what you share with customers over email.
    • Assume an individual’s email account could be compromised at any time.
      • Limit the amount of sensitive information you share over email communication.
    • By default, email is sent unencrypted.
      • Share sensitive information over email only as a last resort, and then only via a secure (encrypted) email solution.


If you suspect your customer’s account was compromised:

  1. Stop contacting the customer over email.
  2. Notify your IT Department and direct supervisor ASAP.
    • Your IT Department or supervisor will be better equipped to help you identify what happened and the appropriate next steps.
    • The IT Department can help share pertinent email logs with the customer to better identify the extent of the security incident.

If you suspect fraud on your account, please give us a call right away.