Detecting Phishing Emails

Research paper: Rick Wash, “How Experts Detect Phishing Scam Emails“:

Abstract: Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails received, they are not perfect and phishing remains one of the largest sources of security risk in technology and communication systems. To better understand the cognitive process that end users can use to identify phishing messages, I interviewed 21 IT experts about instances where they successfully identified emails as phishing in their own inboxes. IT experts naturally follow a three-stage process for identifying phishing emails. In the first stage, the email recipient tries to make sense of the email, and understand how it relates to other things in their life. As they do this, they notice discrepancies: little things that are “off” about the email. As the recipient notices more discrepancies, they feel a need for an alternative explanation for the email. At some point, some feature of the email — usually, the presence of a link requesting an action — triggers them to recognize that phishing is a possible alternative explanation. At this point, they become suspicious (stage two) and investigate the email by looking for technical details that can conclusively identify the email as phishing. Once they find such information, then they move to stage three and deal with the email by deleting it or reporting it. I discuss ways this process can fail, and implications for improving training of end users about phishing.

Posted on November 6, 2020 at 6:28 AM17 Comments


Anders November 6, 2020 8:34 AM

I’m lucky that i’m Estonian. I recognize the phishing mails
because they are mostly in very bad Estonian and non of my
friends write that awful “Google translation grade” text.

Second giveaway is the mail header i have habit to check.
Wrong time zone, wrong servers, wrong mail client – this
all hints that something is fishy, or more precisely – phishy.

Third giveaway is writing style. This is very hard to fake.
in time you learn the style of your friends, the words and
expressions and sentences they prefer, how they use slang
or abbrev. This is very hard to fake for a opportunistic

Clive Robinson November 6, 2020 12:44 PM

@ Anders,

I’m lucky that i’m Estonian. I recognize the phishing mails
because they are mostly in very bad Estonian…

I’m English which makes things harder, that is you have to look for oddities, some are easy like “what, what” but others harder “that, that” and the wrong use of pronouns with tense. Then there are “above the average”-v-“the average above” and then “right”-v-“wright”-v-“write”-v-“rite”, but the best by far is the lack of colloquialisms.

However there is a simpler solution to “Phishing Emails” that I adopted even before they got the name which is “7bit ASCII no attachments” but apparently enforcing that on people makes them unhappy even though it’s RFC Complient (or was a little over a quater century ago).

So I figured some years ago the solution to email problems of all kinds was to dump the whole kit and kaboodle down the crapper. Which is what I have done.

Effextively more than a decade ago I ditched personal EMail and refused to sign up to social media. The result is a more peaceful life…

Now the problem I have is telling people I’m not sufficiently stupid to sign up to “secure messaging apps”… You can not believe the nonsense I get from people… So I simply say “Your choice your funeral, don’t try dragging me on your pyre, I see no reason to be burned by your vanity”.

Which is why the EncroShat debacle made me so delightfully happy 😉

Maybe people will start thinking, but in all honesty I think they will just keep deluding themselves that they are somehow better than the scammers and other attackers.

Thus the Phishing and similar problems are not going to go away, in fact I suspect they will get better, thus worse (as crime is not going down, the brighter criminals are going on line). So it probably won’t be that long before “Phishing by Estonians for Estonians” comes along.

Jedi Knight November 6, 2020 2:09 PM

Detecting Phishing Emails – really?
I’m very disappointed with this poor choice of topic.
Even though the topics here are always at least a few days old, at least most of them have a specific point.
Today’s does not – it’s just forum click bait.
You’re a better man than this Bruce – not happy!

Phaete November 6, 2020 5:18 PM

So legitemate posts are getting deleted but off topic irrelevant 3 line circle jerk does not.
I’m gone, this is nothing more then facebook for people who don’t want facebook.

Terry November 6, 2020 8:25 PM

Detecting Phishing Emails is a legitimate and important study as the large majority of people have very poor security skills.

Regardless if it is an automated or targeted phishing expedition, family members or colleagues are likely to hand out email addresses to unverified websites or contacts. They are also more likely to fall victim to a phishing scam, as statistically security skills are lacking, and the vast majority have little training or experience.

Any kind of study that can improve information that might lead to development of techniques to inhibit phishing campaigns helps combat the threat. The email address of someone inside an organization is often the staging point of attacks before they move laterally. Targeting someone’s family members, friends, and colleagues is often a first step for discovering an internal email address.

Curious November 7, 2020 4:21 AM

I don’t understand why so many of the the seemingly legit emails sent to me, solicit for me to click some button in the email, even from businesses that I think should know better.

And I thought url shorteners was bad for security because you couldn’t readily know where you would end up if you cliked the url, so why are url link shorteners still used?

Curious November 7, 2020 4:25 AM

To add to what I wrote:

I often delete seemingly legit emails that has some url structure I find looking odd or implausible. This especially for questionaires that apparently uses some url that is not associated with the familar brand name and its common internet url address, because the questionaire is made by some third party.

Clive Robinson November 7, 2020 5:12 AM

@ Curious,

I don’t understand why so many of the the seemingly legit emails sent to me, solicit for me to click some button in the email, even from businesses that I think should know better.

It’s shockingly simple when you realise.

It’s at the direction of the largest business sector –apart from maybe religion– who have an unreasonable level of influance mainly by using FUD…

This sector is full of those who’s advice is at best very self interested, if not wrong more than nine times out of ten…

You call them “sales and marketing”, and they demand renumeration and budjets which is a polite way of saying “a tax to far”…

Their argument for ludicrous levels of funding and influance is similar to the one used for defence spending, and can neither be tested or proved…

Clive Robinson November 7, 2020 9:08 AM

@ Anders,

If it would be up to me, i’d ban the HTML email everywhere

That would be just one of the things, getting rid of any kind of attachments would help as well…

I will now go and hide under the stairs and wait for the marketing peoples ire to pass over head (they can not hit their targets any way 😉

But the real issue, is Email was designed as a working solution a long time ago, back when 8bit computing was still what PC’s ran on, and no real thought about where ot was going to go, or how it was going to get their safely…

So it was designed “to constraints” thay is use minimal resources, which ment it was never designed to be “overloaded” with all the junk it carries today, nor was it ever designed to be secure in any way.

And it need not have been that way…

I remember people “poo pooing” the work of OSI X committees (of which X.500 gave us LDAP and X.200 the seven layer model) back then. I still have my copy of the UK National Computing Centre publication ‘Why Distributed Computing’ and the NPL network “design guidence” docs that much X committee work was based off, sitting moldering in the bottom of a file cabinet. So yes back in the 1960’s and 80’s we knew how to build large systems that would have provision to expand safely and importantly securely.

Because the OSI bods actually thought about what “world wide connectivity” actually ment from the infrustructure side and mostly they got it right. Whilst the IETF RFC’s are still very much playing catch up, especially as they still “Put the cart before the horse”, and we pay the price over and over not just as technical debt, but as lost opportunity debt.

Oh and that’s before all the fraud and criminality rapes pillages and plunders it’s way more or less untouchably across jurisdictional borders.

And people wonder why I don’t play those silly games. Which was the advice from the 1983 movie “Wargames”, and I was, shall we say an experienced “computer security investigator” with a few years “investigating” under my belt before they even started making the movie (and yes I’m older than both Ally Sheedy and Matthew Broderick).

SpaceLifeForm November 7, 2020 2:58 PM

@ Anders

Since your English is quite fine, do you get phishes written in bad English?

Or, are the phishers targeting based upon location only?

Ismar November 7, 2020 4:19 PM

Things here are turned upside down.
It should not be the responsibility of the end user to have to deal with these threats.
The OS manufacturers, email providers and browser developers should have the responsibility of building a system that doesn’t allow this kind of explanation – period.
Any other type of discussion leads us to the path similar to a driver of a car being blamed for having it stolen by a third person because they tuned to a particular radio station on their car radio.
Why is it that the software development industry can get away with these things that would be considered laughable in any other industry?

Anders November 7, 2020 6:24 PM


Mostly i get the phishing emails either in very, very bad
Estonian (clearly misspelled words or horribly misconstructed
sentences) or in perfect Russian. I don’t get them in
bad English, i think because they target people by
location (my email address ends with .ee so clearly
there’s no point for them to address me in English).
Occasionally there’s also some Chinese/Korean/Japanese
emails containing hieroglyphs.

So i have a little advantage here. I can safely skip
any Russian email because although i have Russian friends
and i read Russian perfectly, i write with mistakes so i
communicate with them either in English or in Estonian.
I can also safely skip any email that contains hieroglyphs.
I recognize bad Estonian and i also recognize bad English
if there will be any such a phishing email. Moreover, there
are only handful of people who send me emails in English so
again, any email outside of that group will raise suspicion.

BP November 8, 2020 9:43 AM

Worse are the phishing phone calls I get from hospitals and doctors or even their calls wanting my birth date and or ssn. before they will talk over the phone. There’s no way to verify the phone number but they want incredibly detailed info when they call me. Maddening. Staying alive might become impossible in the US.

Jesse Thompson November 9, 2020 5:11 PM

X-step process to determine whether or not an email is phishing.

Here is my process.

Don’t click a link in the email.

Treat any attachments in any email identically to how I might treat downloads from a warez site (I have a straightforward process for vetting files from less-than-trusted sources).

If email claims to be X trying to reach me to discuss Y (and email is not laughably obviously fake), find X’s main website or telephone number through out of band means and contact them that way.

Ultimately this is primarily an authentication problem, the broader scope of which is nothing more than “how to tell party X is who they say they are”.

In that approach, investigating the content and headers of the email is like poring over the legitimacy of a person’s proffered ID document. Why pit your forgery-detection skills against their forgery production skills when you could instead test the primary method of legitimately reaching who they claim to be and put the issue to rest in one stroke?

Malcolm November 9, 2020 8:45 PM

@Jesse Thompson – this is effectively the same process I use for door-to-door salesmen offering to lower my utility bills or whatever … they’ll have had time to master their pitch and see how J Random Public will respond in a variety of ways which I’ve not been party to, so I just … don’t engage.

If they did get some of their spiel across and I were genuinely interested in their purported product then would I do as you have done and request that they leave a pamphlet or some other marketing material for me to research at my leisure … usually this doesn’t help them as they don’t get their name on the sale, however, so most are reluctant … funny, that …

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.