The problem
Traditional awareness training typically teaches staff to look for some mix of the following indicators, red flags, or tells to spot an email-based phishing attack:
- Suspicious sender's email address (e.g. misspelled company name, unusual domain, spoofed address)
- Generic or impersonal greetings (e.g. "Dear customer", "Dear user", "Dear valued member")
- Poor grammar
- Spelling mistakes
- Odd phrasing
- Suspicious links
- Suspicious attachments, especially .exe or .html files
- Requests for sensitive personal information
- Requests for financial information
- Urgent calls to action
- Subject line tags of [external]
- Warnings of consequences for not acting quickly
- Offers that seem too good to be true (e.g. prizes, discounts, free giveaways)
- Emails sent at unusual times like late at night or very early morning
- Emails with inconsistent branding, logos, signatures, etc.
- Emails with an unusual mix of recipients you don't recognize
- Being copied on emails with unknown recipients
- External banners
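To make concrete what the checklist above asks a person to do by eye, here is an added example (not from the original article) that mechanically checks a handful of those indicators against a raw RFC 5322 message using only Python's standard library: sender domain outside the organisation, Reply-To diverging from From, the [external] subject tag, a generic greeting, urgency wording, links whose visible text names a different host than the href, .exe/.html attachments, and an odd sending hour. The organisation domain `example.com`, the phrase lists, the hour window and both sample messages are constructed for illustration; the `check_indicators` function, its name and its output format are assumptions of this example.

```python
"""Heuristic check for the classic email phishing indicators listed above.
Added example; the organisation domain, phrase lists and sample messages are
constructed for illustration, not taken from any real campaign."""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the reader's own mail domain
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued member")
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "act now")
RISKY_EXTENSIONS = (".exe", ".html")


def _domain(addr_header: str) -> str:
    """Bare domain of an address header, lower-cased; '' when absent."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def check_indicators(raw: bytes) -> list[str]:
    """Return a list of the indicators present in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Sender checks: external domain, and Reply-To diverging from From.
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    if from_domain and from_domain != ORG_DOMAIN:
        findings.append(f"external sender domain: {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_domain}")

    if re.search(r"\[external\]", msg.get("Subject", ""), re.I):
        findings.append("subject tagged [external]")

    # Greeting and urgency checks run on the tag-stripped body text.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", body).lower().strip()
    first_line = text.splitlines()[0].strip() if text else ""
    if first_line.startswith(GENERIC_GREETINGS):
        findings.append("generic greeting")
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency phrase: {phrase!r}")
            break

    # Suspicious links: anchor text shows one host, href goes to another.
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part else ""
    for href, label in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html, re.I):
        shown = urlparse(label.strip()).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(f"link text names {shown} but points at {actual}")

    # Attachments with the extensions the training material calls out.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_EXTENSIONS):
                findings.append(f"risky attachment: {name}")

    # Sending time, judged in the timezone the Date header itself carries.
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.hour < 6 or sent.hour >= 22:
            findings.append(f"sent at an unusual hour: {sent:%H:%M}")

    return findings


# Constructed sample: a message that trips most of the checklist at once.
SAMPLE_MESSAGE = b"""From: "IT Helpdesk" <helpdesk@examp1e-support.net>
Reply-To: recover@mailbox-fix.example.net
To: staff@example.com
Subject: [EXTERNAL] Password expires today
Date: Tue, 04 Mar 2025 02:17:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear user,</p>
<p>Your mailbox will be suspended within 24 hours. Sign in at
<a href="http://mailbox-fix.example.net/login">https://webmail.example.com</a>
to keep access.</p></body></html>
--b1
Content-Type: text/html; name="reset-form.html"
Content-Disposition: attachment; filename="reset-form.html"

<html><body>form</body></html>
--b1--
"""

# Constructed sample: an ordinary internal message that trips none of them.
CLEAN_MESSAGE = b"""From: Sam Lee <sam.lee@example.com>
To: staff@example.com
Subject: Team lunch Thursday
Date: Tue, 04 Mar 2025 10:05:00 +0000
Content-Type: text/plain; charset="utf-8"

Hi all,
Lunch is at noon on Thursday in the usual place.
"""

if __name__ == "__main__":
    for line in check_indicators(SAMPLE_MESSAGE):
        print("-", line)
```

Run as a script it prints eight findings for the constructed sample and nothing for the clean one. Every one of these checks is a heuristic a motivated sender can sidestep (a plausible lookalike domain, a greeting with the recipient's name, a link whose visible text is not a URL at all), which is exactly why the checklist is a weak thing to hang staff training on.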