Anatomy of a Phishing Scam

Spotting a phishing email isn’t as easy as it once was. From error-free text to accurate brand logos and images, these new attacks are highly successful at fooling even the savviest users and advanced email filters. So, what exactly are phishers doing differently? Everything! From the sender’s address to the footer. But don’t fret. You can still spot a scam, you just need to know where to look.

How to Detect a Phishing Email?

It’s time to put your Sherlock Holmes hat on and grab a magnifying glass as we dissect the anatomy of a phishing scam. 

Sender’s Address

Brand impersonation is a phisher’s favorite tool. Cybercriminals use email spoofing to create a fake email address that looks legitimate. With display spoofing, the recipient will only see the sender’s name because the actual email address is not visible. For example, the visible name might be “GTS Support Team,” but the hidden email address is “” The phisher hopes the recipient won’t expand the sender’s name to check the email address before responding to the email, giving them the information they need. Display name spoofing is especially effective on mobile because although the sender’s name is always visible on mobile, the email address often is not. 

Cousin domain is another more sophisticated form of spoofing where the sender’s address looks almost indistinguishable from a brand email address. This spoofing attack technique might involve using the .co domain extension instead of .com or by adding or subtracting a letter or word from the URL. For example, Grand Technology Solutions has the domain A hacker could register the domain or and fool a few email recipients. (See the extra “n” and the misspelled “connect” in those? These folks are tricky!!)

Subject Line & Tone

Phishing is used to spread malware or steal account credentials. So, phishers must convince their victims to log into the targeted account. One of the most important first steps in encouraging users to do this is with a well-written subject line. Cybercriminals like to impersonate financial institutions, government organizations, schools, social media companies, or streaming services for these scams. Therefore, they will frequently use alarming or intriguing subject lines like “Security Alert,” “Suspicious Behavior Discovered,” “New Login Detected,” “Account Suspended,” or “Invitation Waiting.” These subject lines are designed to cause alarm or excitement and encourage users to open them.


Most email filters look for known phishing URLs in the body of the email. So, to get around this, hackers will frequently hide the URL in an attachment. The victim is then informed in the email that they have received an invoice or a crucial document that has to be reviewed or approved. The document, often a Word doc or PDF, has the phishing URL in the text.

Some more sophisticated phishers are now using attachments to disguise phishing links. So, if a user clicks on the attachment to view or download it, malware or ransomware is automatically downloaded into the device, or the user is automatically sent to a phishing page.


A phishing link is a URL that takes users to a web page that appears to be a reputable company. With calls to action like “Sign in,” “View here,” “Click here,” and “Update account settings.” The URLs are usually hidden behind anchor text, which, if you hover over the links it, will reveal the phishing URL. Since many savvy email users have caught on to this trick, phishers will now try to disguise the URLs by using URL shorteners, URL redirects, and text-based images that look like the body of an email but it’s actually a clickable image.  

There is always a fresh social engineering fraud in the works, whether hackers are utilizing a health crisis, election news, Black Friday sales, fire inspections, or anything else. Learning how to spot these attacks is the first step in defending yourself. Here is a link to learn more about How to Avoid Social Engineering and Phishing Attacks.  

If you have questions or would like to schedule a security assessment, please give us a call at (904) 606-6011 or email


Paul May