The problem

Traditional awareness training typically teaches staff to look for some mix of the following (supposedly exhaustive) list of indicators and red flags in order to spot an email-based phishing attack:

  1. Suspicious sender address (e.g. misspelled company name, unusual domain, spoofed address)
  2. Generic or impersonal greetings (e.g. "Dear customer", "Dear user", "Dear valued member")
  3. Poor grammar
  4. Spelling mistakes
  5. Odd phrasing
  6. Suspicious links
  7. Suspicious attachments, especially .exe or .html files
  8. Requests for sensitive personal information
  9. Requests for financial information
  10. Urgent calls to action
  11. Subject-line tags such as [external]
  12. Warnings of consequences for not acting quickly
  13. Offers that seem too good to be true (e.g. prizes, discounts, free giveaways)
  14. Emails sent at unusual times, such as late at night or very early in the morning
  15. Emails with inconsistent branding, logos, signatures, etc.
  16. Emails with an unusual mix of recipients you don't recognise
  17. Being copied on emails with unknown recipients
  18. External banners
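Several of the indicators above (sender domain, [external] subject tag, generic greeting, urgency wording, risky attachment types) are the same signals a mail filter can test mechanically. As an added example that is not part of the original article, the Python below runs those checks over a constructed sample message; the internal domain example.test, the keyword lists and the lookalike domain examp1e-corp.test are assumptions made for the example.

```python
import email
import re
from email import policy

# Constructed sample (not a real message): lookalike sender domain, generic greeting, urgency, [EXTERNAL] tag, .html attachment.
SAMPLE_RAW = b"""From: "Example Corp Payroll" <payroll@examp1e-corp.test>
Subject: [EXTERNAL] URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear valued member,
Your account will be suspended unless you act immediately.

--b1
Content-Type: application/octet-stream; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

--b1--
"""

INTERNAL_DOMAINS = {"example.test"}  # assumption: the organisation's own mail domains
GENERIC_GREETINGS = {"dear customer", "dear user", "dear valued member"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended)\b", re.I)
RISKY_EXT = (".exe", ".html", ".htm")


def flag_indicators(raw: bytes, internal_domains=INTERNAL_DOMAINS) -> list[str]:
    """Return the awareness-list red flags that a raw RFC 5322 message trips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    addrs = msg["From"].addresses if msg["From"] else ()
    if addrs and addrs[0].domain.lower() not in internal_domains:
        flags.append("external sender domain: " + addrs[0].domain)
    subject = str(msg["Subject"] or "")
    if "[external]" in subject.lower():
        flags.append("[external] subject tag")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lines = text.strip().splitlines()
    if lines and lines[0].lower().rstrip(",") in GENERIC_GREETINGS:
        flags.append("generic greeting")
    if URGENCY.search(subject + "\n" + text):
        flags.append("urgent call to action / warning of consequences")
    for part in msg.iter_attachments():  # the text body part is not yielded here
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append("risky attachment: " + name)
    return flags
```

A message that trips none of these checks returns an empty list, which is exactly the gap the rest of the article is concerned with: a well-crafted phishing email can satisfy every item on the list.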