Anatomy of a Phishing E-Mail

Last Updated Jun 10, 2010 2:29 PM EDT


Phishing attempts come in all shapes and sizes. They're not always easy to spot, but sometimes they're just embarrassingly bad. And yet people fall for them all the time, usually because of their scare tactics. ("Your account has been compromised!" "Timmy's fallen down the well!")

The image up top is from a phishing e-mail I received just today. How did I know it was bogus? I've highlighted five dead giveaways, all of which you can and should take to heart when dealing with your own suspicious mail.


1. Broida.com is indeed my personal domain. But why would I be getting a warning e-mail from admin@broida.com? I'm admin@broida.com! A legitimate message would have come from, say, my ISP or hosting service.

2. I'm supposed to "run" an attached file (which is obviously just a Web link) in order to resolve my issue? That's insane. Under no circumstances should you open an attachment that you weren't expecting or looks suspicious.

3. "Dear Customer"? Any organization that knows me knows my name.

4. I count at least three spelling errors in this e-mail. Real companies can afford editors (if not spell-checkers).

5. What kind of signature is that? At least have the courtesy to use some kind of forged or copied company logo.

This is actually one of the worst phishing attempts I've seen. Usually they look a lot more official and do a much better job trying to scare me.

In any case, always, always think twice before you click a link (or open an attachment) in any e-mail of this nature. It's really easy to get taken, and it happens more often than you'd think.

Have you had any bad encounters with "phishers"? Share your horror stories in the comments.

  • Rick Broida On Twitter»

    Rick Broida, a technology writer for more than 20 years, is the author of more than a dozen books. In addition to writing CNET's The Cheapskate blog, he contributes to CNET's iPhone Atlas.