How to Spot Email Impersonators, Spoofers, and Phishers

One of cybercriminals’ most effective email tactics is impersonation (AKA “spoofing”). Here are some tips to protect your business from the fakers and phishers. 

Email is an essential part of doing business today. It’s a convenient, ubiquitous channel for connecting with customers, vendors, and colleagues, but it can also be an entryway for phishers and other cybercriminals into your business.

No one willingly invites fraudsters, extortionists, and hackers into their network, so cybercriminals have learned to conceal their true identities—often behind the guise of trusted contacts. Email impersonation (AKA “email spoofing”) is one of the digital underbelly’s most effective tactics. 

By impersonating known contacts or corporate entities, criminals can fool unsuspecting recipients into handing over proprietary information and credentials, fraudulently redirecting legitimate payments, or downloading malicious software.

In this blog post, we’ll explore some ways to identify if the person emailing you is truly who they claim to be.

Verify the address info

Look for w0rd impersonations: Fraudsters often use email addresses similar to legitimate ones—but with a few tiny tweaks. Check for subtle changes such as switched letters or additional characters in the address and domain (e.g., "" instead of "[email protected]").

Domain diligence: Business emails should always be sent from business web domains. Be suspicious of emails purportedly from an established company sent from consumer email domains, e.g., "" or "”
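Both address checks above can be automated as a first-pass triage. The following is an added example, not code from the original post: it classifies the domain in a From header against a list of known contacts, flags consumer mailbox providers, and catches near-misses such as swapped letters, extra characters, or digit-for-letter substitutions. The domain lists, the `check_sender` and `edit_distance` names, and the distance threshold are all assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed sample data (assumptions): domains you really do business with,
# and a few consumer mailbox providers.
KNOWN_DOMAINS = {"example.com", "acme-supplies.example"}
CONSUMER_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Digit-for-letter swaps commonly seen in lookalike addresses.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MAX_DISTANCE = 2  # assumed threshold; tune against your own mail


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, and
    swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def check_sender(from_header):
    """Classify the domain in a From header value."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    if domain in KNOWN_DOMAINS:
        return "known"
    if domain in CONSUMER_DOMAINS:
        return "consumer-domain"
    folded = domain.translate(CONFUSABLES)
    for known in sorted(KNOWN_DOMAINS):
        if edit_distance(folded, known.translate(CONFUSABLES)) <= MAX_DISTANCE:
            return "lookalike-of:" + known
    return "unknown"


if __name__ == "__main__":
    for sample in ("Billing <billing@examp1e.com>", "CEO <ceo.acme@gmail.com>"):
        print(sample, "->", check_sender(sample))
```

A "known" result only means the visible address matches a trusted domain; it says nothing about whether that account has been taken over.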

Analyze the language and content

Verifying domains and email addresses is an important way to identify spoofed accounts; however, that defense falls flat if a phisher commandeers a legitimate email account. Discerning whether a legitimate account has been taken over requires additional layers of scrutiny.

Poor sppeling and grammar: Email-based attacks can be launched remotely—and cheaply—from anywhere in the world. They’re often (but certainly not always) enacted by non-native English speakers in other countries. Unusual grammar, misspellings, and awkward phrasing can be red flags, especially if they're not characteristic of previous communications.  

Spot the robots: Generative AI platforms such as ChatGPT make it easy for anyone to create polished, error-free emails in just about any language. These are getting harder and harder to spot, but some signs may be:

  • overly generic language
  • a lack of depth or personality
  • repetitive phrases

Overall, be on the lookout for language that doesn’t quite fit in with how real live humans communicate.

Tone and style: Something seem off with an email? Ask yourself the following questions:

  • Is the tone of the email consistent with past interactions?
  • Is there a misplaced level of formality, i.e., is it too formal (or too casual) for the nature of the ask?
  • Does the request seem at odds with the sender’s role, e.g., would a CEO of a vendor company reach out personally to ask for a change to a payment account? 

Looking for tone discrepancies is less a science than an art; it’s more about being attuned to when something doesn’t feel right.

Calls for secrecy and/or confidentiality: Scammers will often ask to keep information confidential so recipients won’t be tempted to verify details through other channels (see section below). 

While there may be reasons to maintain confidentiality or secrecy, it’s doubtful that, for example, a change to banking information couldn’t be shared with members of your or the sender’s organization.

Unnecessary urgency: Criminals often insist on the need for quick action to create a sense of urgency. This heightened anxiety can cause unprepared recipients to act without applying due diligence that might otherwise interrupt the scam. Requests to bypass standard procedures should always raise suspicions.

Have doubts? Verify

Consequential actions like changing banking information should always be paired with additional steps as a matter of protocol (e.g., always verify over the phone or have multiple internal stakeholders sign off on changes). However, if there is doubt about the legitimacy of any emailed request, there are steps you can take:

Take it out of the inbox: If you’re suspicious that an email is spoofed, reach out to the sender directly to confirm through alternative communication channels (e.g., in-person, on the phone, or through a messaging app). Be sure to use contact information, such as phone numbers, that you have previously used to engage with the sender, NOT information in the suspicious email, as that may be fraudulent as well.

Internal verification: Ask colleagues if they're aware of the request, especially if it involves financial transactions or sensitive information. 

Implement additional security layers

Employee education: Train employees on how to recognize phishing attempts and the proper procedures for dealing with suspicious emails.

Multi-factor Authentication (MFA): Implement MFA (sometimes referred to as two-factor authentication or "2FA") for all critical systems and services. This adds an extra layer of security even if login credentials are compromised.

Lean on security experts

As a business owner, you’re already stretched thin without having to keep up with evolving cyber threats. But you don’t have to do it alone. Upfort Shield delivers enterprise-grade defenses to organizations of all sizes, including state-of-the-art inbox defenses that identify social engineering attempts and block malicious downloads.

Sign up for a free Cyber Risk Assessment and see what vulnerabilities Upfort’s military-inspired AI can surface in your network. Subscribe to our monthly Level Up Security Newsletter and keep up with the latest cybercriminal trends impacting small businesses.