9 January 2020

10 Signs of a Spear Phishing E-mail

Phishing e-mails are everywhere. We all get them, and most of us can sense when something is wrong, but very few of us can actually identify a phishing e-mail from its telltale signs.

Spear Phishing (very targeted attacks) has been part of an increasing trend used to target key personnel within organisations for several years now. Whilst spear phishing e-mails are much harder to identify, there are still common red flags which you can spot. Here are 10 signs it’s a Spear Phishing e-mail.

1. Sender Address

In a targeted attack, a criminal is likely to impersonate someone you know. They can obtain this information through many different methods, including research on social media, news articles, corporate websites and obtaining data on the dark web. Often these types of e-mails use the familiar person's name in the sender name and e-mail address, but the domain will be registered elsewhere.

In more targeted spear phishing e-mails, the domain might look like something you recognise. Criminals use subtle letter and character changes to make it look very similar to an existing domain. This also enables it to be registered as a unique domain for as cheap as £5 a year! If your organisation was called ‘Beech Automobiles’ and your corporate domain was ‘’, the criminal might look to register ‘’ or ‘’ to send e-mails appearing from someone you know.
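The sender check described in this section can be automated at a mail gateway or in a triage script. The following is an added example, not part of the original article: it classifies a From header as trusted, a lookalike of a trusted domain, or a known name on a foreign domain. The domains, the staff name, the confusable-character list and the distance threshold of 2 are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed data: .example is a reserved TLD; these are not the article's domains.
TRUSTED_DOMAINS = {"beechautomobiles.example"}
KNOWN_NAMES = {"jane smith"}
# Character swaps that look alike at a glance (assumed, non-exhaustive list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))
SAMPLE_FROM_HEADERS = [
    "Jane Smith <jane.smith@beechautomobiles.example>",   # genuine
    "Jane Smith <jane.smith@beechautornobiles.example>",  # "rn" in place of "m"
    "Jane Smith <jane.smith@beech-automobiles.example>",  # added hyphen
    "Jane Smith <jane.smith.beech@freemail.example>",     # right name, other domain
]

def skeleton(domain):
    """Collapse confusable characters so visually similar domains compare equal."""
    domain = domain.lower()
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return trusted, lookalike-domain, known-name-foreign-domain or unknown."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for good in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return "lookalike-domain"
    if name.strip().lower() in KNOWN_NAMES:
        return "known-name-foreign-domain"
    return "unknown"

if __name__ == "__main__":
    print([classify_sender(h) for h in SAMPLE_FROM_HEADERS])
```

The From header alone can be forged, so a "trusted" result here only means the visible domain is the real one; it does not replace SPF, DKIM and DMARC verification.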

2. Time/Date of Receipt

The timing of a targeted attack plays an important role in it being successful and believable. Work-based e-mails appearing from a colleague or acquaintance that are sent out of working hours are notoriously suspicious. This also applies to personal e-mails from friends or family sent at questionable times. Every e-mail comes with a timestamp of when it was received. You should definitely pay attention to this as a red flag if the timing does not match up to the content of the e-mail.

3. Subject Line

Subject lines are used in all e-mails to summarise what’s enclosed and to get you to open it.

In phishing e-mails, they are no different and can be a very important part to determine the success of the attack. Subject lines in phishing e-mails written to draw you in utilise techniques such as threatening language, a sense of urgency, offers and intriguing language. If the subject line feels like it’s desperately reeling you in, be cautious of the e-mail.

4. Wording Choices

Typical phishing e-mails are notoriously worded in odd ways. This is one of the most blatant red flags, especially if the criminal is impersonating a reputable service or person that you would not expect this from. In Spear Phishing attacks, where more time is taken to craft the e-mail, wording might be closer to what you’re expecting. Look closer and you’ll often find inconsistent words and phrases that aren’t quite right. If you engage in conversation with the sender of the phishing e-mail, this becomes even clearer, as the sender mailbox might be managed by several different people. Criminals are known to work in teams and this can sometimes be apparent in their e-mail attacks.

5. Spelling and Grammar

Similar to wording choices, phishing e-mails also tend to have poor spelling and grammar. If you notice spelling and grammatical errors and the e-mail is appearing from a reputable source, such as a well-established company or person you know, you can assume that it is not legitimate.

6. Demanding Language

Spear Phishing e-mails can be demanding. Every criminal behind every phishing e-mail has a purpose and it is their aim to get you there as quickly as possible. Demanding phrases such as “Send me”, “Click here” or “Open this” are all examples of a criminal trying to fulfil their purpose. Demands often come before the action they need you to take. Sometimes demands can appear as instructions. Any process that an e-mail demands you carry out should be seen as a red flag if you have already identified some others.

7. A Sense of Urgency

Similar to demands, phishing e-mails often have a sense of urgency around the action the criminal needs you to take. This comes back to the purpose of getting you to act quickly. By adding a time constraint, a false sense of pressure is created which puts the recipient in a difficult position, hence they may miss all of the other red flags in the e-mail. If there is a clear sense of urgency in a suspicious e-mail you receive, you should slow down and analyse the e-mail before taking any action. In doing so, you’ll likely spot some of the other red flags we’ve talked about and identify it as phishing.

8. Threatening Language

Threatening language is the last of the “language” red flags. Phishing e-mails that have a sense of urgency and demands also tend to have threatening language. When these three language techniques are combined, you may come across statements like “You must reset your password in the next 24 hours or your account will be locked” or “Pay your parking fine today or risk it being increased to £500”. Reputable companies and people are unlikely to issue threats via e-mail.

9. Malicious Links

Phishing e-mails are tailored towards making you click a malicious link. This is often all it comes down to. A single click on a malicious link can be all it takes for your PC/Mac to become infected with malware or ransomware. Criminals also use malicious links to send you to phishing websites. Here you could be tricked into entering sensitive information in “keylogged” fields, where everything you enter is visible to the criminal. Malicious links are the gateway to a successful attack. This is why they are the number one red flag to look for in a phishing e-mail. You can identify a malicious link by hovering over the URL, or by lightly pressing and holding it on a mobile device, to reveal its real destination. Once the real URL is visible, check for an HTTP/HTTPS connection, a suspicious domain (similar to the spoofed domains in the Sender Address section of this article) and an uncommon Top Level Domain (such as .biz or .xyz). If the URL presented here does not match your expectations, this is a red flag.
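The "hover to reveal the real destination" check can also be run over an e-mail's HTML body. The following is an added example, not part of the original article: it extracts each link's real `href` and flags a plain-HTTP scheme, one of the two uncommon TLDs named above, and visible link text that shows a different host from the real destination. The sample body and its hostnames are constructed, and treating plain HTTP as a flag is an assumption about what the article's HTTP/HTTPS check means.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
UNCOMMON_TLDS = {"biz", "xyz"}  # the two examples the article names
# Constructed HTML body; every hostname here is made up for illustration.
SAMPLE_BODY = (
    '<p>Your password expires today: '
    '<a href="http://login.constructed-sample.xyz/reset">https://portal.example/reset</a>'
    ' or <a href="https://portal.example/help">read the help page</a>.</p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname if the text looks like a URL or bare domain, else ''."""
    if " " in text or "." not in text:
        return ""
    return (urlsplit(text if "://" in text else "//" + text).hostname or "").lower()

def link_flags(html_body):
    """Return [(href, [flags])] using the checks listed in the article."""
    parser = LinkCollector()
    parser.feed(html_body)
    report = []
    for href, text in parser.links:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        flags = ["no-https"] if url.scheme == "http" else []
        if host.rpartition(".")[2] in UNCOMMON_TLDS:
            flags.append("uncommon-tld")
        if host_of(text) not in ("", host):
            flags.append("text-destination-mismatch")
        report.append((href, flags))
    return report

if __name__ == "__main__":
    print(link_flags(SAMPLE_BODY))
```

An empty flag list is not proof that a link is safe: an HTTPS link on a common TLD can still lead to a phishing site, so the domain itself still needs checking.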

10. Harmful Attachments

Harmful attachments are less common now that security is always evolving and improving, but criminals do still send harmful files directly to you in the form of attachments. Much like the link being what the entire e-mail is tailored towards, attachments are often the centrepiece of certain attacks. They’re typically used in phishing e-mails where an attachment might be expected, such as an invoice or a file sharing attack. Harmful attachments are disguised as something else, and when opened, execute destructive macros which can inflict all kinds of damage on your device. This is the ultimate way to open the door to your device, company network or sensitive files for the criminal. When other red flags are identified in a phishing e-mail and an attachment is used, do not open it.


To summarise, red flags in phishing e-mails have remained largely the same throughout their existence, but have become more sophisticated in recent years, thus creating the more targeted Spear Phishing.

Security systems are useful for filtering out phishing. However, when a criminal really wants to put an attack in front of you or your colleagues, they will find a way to get it through. This makes staff awareness of phishing and cyber-crime essential to keeping your organisation secure. To find out more about how we can help, visit our website and take a look at our market-leading Security Awareness Training and Testing service.
