Phishing emails: Seeing through the bait
24 April 2024
Phishing is a (more or less) sophisticated scam and continues to be the biggest gateway into company networks. We take a look at the stylistic quirks and “fails” – and, above all, how to spot these scams in time.
Phishing is a targeted manoeuvre to obtain personal information and/or cause financial damage or loss of reputation. The primary goal is often to trick unsuspecting recipients into revealing confidential data such as passwords, credit card information or personal identification data. Victims are usually directed to fake websites and asked to enter sensitive information. This information is then used by criminals for fraudulent activities, be it the theft of money or identity theft, blackmail or infiltration of corporate networks. Sometimes, when a link is clicked (e.g. to a fake Zoom call), malware is installed directly on the computer.
The tactics are varied. They range from fake emails (or text messages – although this article is limited to email, which is still the most widespread attack tool) pretending to come from banks, authorities, trustworthy service providers, customers, the boss or employees, to supposed prize notifications. Phishing aims to exploit the recipient’s emotional response – be it fear, curiosity or greed – in order to trick them into taking actions that they would not take under normal circumstances.
When phishing gets creative
Phishing emails sometimes surprise with their strange creativity. Whether bad translations (“For your protection, we have suspended your credit card” or “Açtion Required”), exaggerated claims (everyone knows the scam with the Nigerian prince by now) or adventurous stories (“Someone has just tried to log into your account with your password. We have blocked it, but for your security, please check your account transactions – link here”) – the attempts at manipulation can seem quite bizarre. But behind the facade of bizarreness lurks the danger of serious threats.
The biggest “fails” – lessons learnt from phishing mishaps
Even in the world of internet fraud, the masters of deception are not infallible. Unintentional spelling mistakes, strange orthography (such as “ç” or “ß” in supposedly Swiss-German texts), inconsistent sender and domain addresses and other slips (such as “Sent from my iPad” under a known signature or texts written in a language other than the company’s usual language) are telltale signs. These mishaps are not only amusing, but also instructive.
How can I recognise phishing emails?
Recognising a phishing attempt requires some experience and common sense. Look out for suspicious sender addresses, especially if they do not match the alleged organisation. Be suspicious of unexpected attachments or links (never click on them!) and check the URL carefully for typos or inconsistencies. You should also be suspicious of attempts to create a sense of urgency and threats of consequences, such as loss of money, criminal charges or blocking of your credit card. Sentences such as “Click now, otherwise…” should always make us sit up and take notice and trigger a healthy dose of scepticism.
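The “fails” listed above and the checks in this section can be turned into a simple triage script, which is what the following added example does; it is not code from the original article. It parses a raw email, compares the display name, sender domain and Reply-To against an assumed allow-list of trusted domains, looks for brand names smuggled into lookalike hostnames (including digit-for-letter swaps such as “1” for “l”), and flags urgency wording, stray “ç”/“ß” characters and an out-of-place mobile footer. The two messages, the `TRUSTED` list and the urgency phrases are constructed for the example; the registered-domain logic is deliberately naive (last two labels, no public-suffix list) and a real filter would use a proper suffix library.

```python
"""Heuristic phishing triage for a raw email (added example, not the article's code)."""
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr
from typing import Optional

# Constructed sample (not a real phish). It carries the quirks the article lists:
# a display name borrowing a bank's name, a sender domain that only looks like the
# bank's, a mismatched Reply-To, a lookalike link, urgency wording, a stray "ç"
# and a mobile footer that does not belong under a corporate signature.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
Reply-To: support@mail-verify.example.net
To: employee@example.org
Subject: Açtion Required: your card has been suspended
Content-Type: text/plain; charset="utf-8"

For your protection, we have suspended your credit card.
Click now, otherwise your account will be closed:
http://examp1e-bank.com.login-verify.example.net/restore

Sent from my iPad
"""

# Constructed benign message from the genuine domain, for contrast.
CLEAN_EMAIL = """\
From: "Example Bank" <notifications@example-bank.com>
To: employee@example.org
Subject: Your March statement is available
Content-Type: text/plain; charset="utf-8"

Your statement is ready in online banking: https://www.example-bank.com/statements
"""

# Assumed allow-list: registered domain -> brand name the reader expects mail from.
TRUSTED = {"example-bank.com": "Example Bank"}
# Assumed pressure phrases; a production filter would maintain a larger, tuned list.
URGENCY = ("click now", "otherwise", "suspended", "for your protection",
           "immediately", "blocked")
# Digits commonly substituted for letters in lookalike domains.
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (naive: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host: str) -> Optional[str]:
    """Return the trusted brand a host imitates: the brand's own domain label
    appears in the host after digit normalisation, yet the host is not that domain."""
    norm = host.lower().translate(CONFUSABLE)
    for domain, brand in TRUSTED.items():
        label = domain.split(".")[0]
        if registered_domain(host) != domain and label in norm:
            return brand
    return None


def analyse(raw: str) -> dict:
    """Score a raw RFC 822 message; each reason is a (tag, detail) pair."""
    msg = message_from_string(raw, policy=default_policy)
    name, addr = parseaddr(msg["From"] or "")
    from_host = addr.split("@")[-1]
    from_dom = registered_domain(from_host)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = f"{msg['Subject']}\n{body}"
    reasons = []

    # 1. Display name claims a trusted brand, but the address is not its domain.
    for domain, brand in TRUSTED.items():
        if brand.lower() in name.lower() and from_dom != domain:
            reasons.append(("sender_mismatch", f"'{name}' sent from {from_dom}"))
    if (brand := lookalike_of(from_host)):
        reasons.append(("sender_lookalike", f"{from_dom} imitates {brand}"))

    # 2. Reply-To steering answers to a third domain.
    _, reply = parseaddr(msg["Reply-To"] or "")
    if reply and registered_domain(reply.split("@")[-1]) != from_dom:
        reasons.append(("reply_to_mismatch", reply))

    # 3. Links: untrusted registered domain, or a brand name hidden in the host.
    for url in URL_RE.findall(body):
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0]
        if registered_domain(host) not in TRUSTED:
            tag = "link_lookalike" if lookalike_of(host) else "link_untrusted"
            reasons.append((tag, host))

    # 4. Pressure wording ("Click now, otherwise...").
    hits = [p for p in URGENCY if p in text.lower()]
    if hits:
        reasons.append(("urgency", ", ".join(hits)))

    # 5. Characters foreign to an English or Swiss-German text.
    odd = sorted(set(re.findall(r"[çß]", text)))
    if odd:
        reasons.append(("odd_characters", "".join(odd)))

    # 6. Mobile footer under what should be a corporate signature.
    if re.search(r"^sent from my \w+", body, re.I | re.M):
        reasons.append(("device_footer", "Sent from my ..."))

    score = len(reasons)
    verdict = "suspicious" if score >= 3 else ("review" if score else "clean")
    return {"score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        result = analyse(raw)
        print(f"{label}: {result['verdict']} ({result['score']})")
        for tag, detail in result["reasons"]:
            print(f"  - {tag}: {detail}")
```

Each reason maps back to one of the article’s telltale signs, so the output doubles as a teaching aid: the constructed sample trips every check, while the benign message from the genuine domain scores zero. The thresholds and phrase list are assumptions to tune, not fixed rules.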
AI-generated deception – a new dimension of threat
With the advancement of AI technology, the sophistication of phishing emails is reaching a new level. AI tools are now able to generate human-like text and make traditional phishing attacks more realistic by avoiding spelling and grammatical errors and using a convincingly professional writing style. This makes it even more difficult to distinguish real from fake messages. In addition, chatbots & co. can create and spread phishing campaigns much faster than humans ever could on their own, which increases the attack surface enormously. On the other hand, AI – in the sense of “fighting fire with fire” – can strengthen defences. When used correctly, AI tools are particularly suitable for recognising AI-supported phishing attempts. Generative AI models can also make awareness training much more individualised, efficient and effective.
Vigilance pays off
Phishing emails are becoming increasingly sophisticated, but many attacks can be recognised and fended off with a trained eye. Technical security measures such as spam filters or two-factor authentication offer additional protection, but are not enough on their own. Ultimately, it is people who make the difference: recognising the typical characteristics and establishing internal processes for detection and reporting can significantly reduce the risk. The combination of technical protection and continuous employee awareness is crucial.