How I Spotted a Phishing Email: A Hands-On Lab Walkthrough 🎣

September 2025

We've all received them. Those weird emails that seem like they're coming from someone or something important. Could be your bank, your internet service provider, or even a classic Nigerian prince. Jokes aside, while some phishing emails are easy to spot, others are not so easy. As part of my cybersecurity certificate, I performed a hands-on lab to analyze several phishing emails ranging from the obvious to the highly deceptive. This project allowed me to practice identifying key indicators of compromise and apply a systematic process to a common security threat.

1. The Problem: An Inbox of Deception 🕵️

The objective of this lab was to act as a security analyst and identify the red flags in four different suspicious emails. Each email was designed to test my ability to recognize common phishing tactics, and I was tasked with explaining what made each one a threat.

2. My Process: A Step-by-Step Breakdown

My analysis followed a tiered approach, starting with the most obvious indicators and then moving to more technical details.

Email 1: The Domain Swap

The first email looked legitimate on the surface. It claimed to be from a well-known company, but a closer look at the sender's email address revealed a subtle but critical flaw. The domain was a common typo-squatting attempt: instead of ending in .com, it ended in .co. This small change is easy to miss but is a clear sign of a malicious domain designed to impersonate a legitimate one. Threat actors have become more clever, using domains that closely resemble who they are impersonating.

Email 2: The Spelling and Grammar Fail

The second email had a number of spelling mistakes. The company that was supposedly sending this email would not have let an email with this many errors get out to its customers. A high number of spelling and grammatical errors is a classic and almost certain giveaway that the email is a phishing attempt.

Email 3: The Gift Card Scam

The third email was a form of "whaling," a highly targeted phishing attack. It was made to look as though a colleague had sent me an urgent request to buy gift cards for a customer. The email then requested that I send the card details via email instead of giving them the physical cards. This combination of an unusual request, a sense of urgency, and the request for non-standard delivery methods set off immediate alarm bells.

Email 4: The Deceptive Link

The fourth email was probably the hardest to detect. It claimed my social media account had been locked due to unusual login activity and seemed to have come from the correct sender. However, by hovering my mouse over the "Verify Your Account" button, I was able to reveal the true destination URL. Instead of directing me to the social media platform's official site, it pointed to an entirely different and malicious domain. This technique, called URL spoofing, is a common and dangerous tactic that relies on the recipient not taking the extra step to verify the link's destination.
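The two technical checks in Email 1 and Email 4 (does the sender's domain really belong to the company it claims to be, and does each link go where its text says) can be scripted. The following is an added example, not part of the original lab or this post: a small Python triage script using only the standard library. The two sample messages, the `examplecorp.com`/`examplecorp.co` pair and the `socialsite.example` domain, are constructed for this example; the expected domain per message is something the analyst supplies.

```python
"""Phishing triage helpers (added example): flag a From domain that is not the
expected site, and flag links in an HTML body whose real host is elsewhere."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first mirrors the
# ".co instead of .com" sender; the second has a "Verify" button whose
# href points at an unrelated host while the sender looks correct.
EMAIL_DOMAIN_SWAP = """\
From: "Example Corp Support" <support@examplecorp.co>
To: analyst@lab.example
Subject: Please confirm your account details
Content-Type: text/plain

Hello, we need you to confirm your billing information.
"""

EMAIL_DECEPTIVE_LINK = """\
From: "SocialSite Security" <no-reply@socialsite.example>
To: analyst@lab.example
Subject: Your account has been locked
Content-Type: text/html

<html><body>
<p>We detected unusual login activity. Verify now to restore access.</p>
<a href="http://socialsite.example.verify-login.example.net/restore">Verify Your Account</a>
<a href="https://socialsite.example/help">Help Center</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a href=...> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def same_site(host, expected):
    """True if host is expected or a subdomain of it (label-wise, not substring:
    'socialsite.example.evil.net' must NOT match 'socialsite.example')."""
    return host == expected or host.endswith("." + expected)


def check_sender(msg, expected):
    """Return a finding if the From domain is not the expected site, naming a
    TLD swap (examplecorp.co vs examplecorp.com) when that is the difference."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if same_site(domain, expected):
        return None
    exp_label, _, exp_tld = expected.rpartition(".")
    label, _, tld = domain.rpartition(".")
    if label == exp_label and tld != exp_tld:
        return f"sender domain {domain!r} swaps TLD of {expected!r} (.{tld} vs .{exp_tld})"
    return f"sender domain {domain!r} does not belong to {expected!r}"


def check_links(msg, expected):
    """Return a finding for every link whose real host is not the expected site
    (the scripted version of hovering over the button)."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = LinkCollector()
        parser.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8"))
        for text, href in parser.links:
            host = (urlparse(href).hostname or "").lower()
            if not same_site(host, expected):
                findings.append(f"link {text!r} points to {host!r}, not {expected!r}")
    return findings


def triage(raw, expected):
    """Run both checks on a raw RFC 822 message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    sender = check_sender(msg, expected)
    if sender:
        findings.append(sender)
    findings.extend(check_links(msg, expected))
    return findings


if __name__ == "__main__":
    for name, raw, expected in [("Email 1", EMAIL_DOMAIN_SWAP, "examplecorp.com"),
                                ("Email 4", EMAIL_DECEPTIVE_LINK, "socialsite.example")]:
        print(name, triage(raw, expected) or ["no findings"])
```

Two design points worth noting: `same_site` compares whole labels, so a host that merely starts with the expected name (`socialsite.example.verify-login.example.net`) is still flagged, and the link check reads the `href` rather than the anchor text, which is exactly the mismatch the hover trick exposes. A real mailbox would run this over every message part, but the logic is the same.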

3. The Outcome: What I Learned and How I Apply It

This lab was a valuable exercise in threat analysis. It taught me that a comprehensive approach is necessary to spot malicious emails. No single indicator is a guarantee, but a combination of suspicious signs—from typos and urgency to deceptive URLs and odd requests—can help an analyst confidently classify an email as a threat.

These are not just theoretical skills; they are directly applicable to roles like a Security Operations Center (SOC) Analyst or Incident Responder. My ability to identify, analyze, and report on these threats is a foundational skill in protecting an organization.

I hope you found this breakdown helpful. Stay vigilant, and always take a second look at your inbox. As always, keep learning!

—Matt