Breaking Down a Sophisticated Phishing Email: 4 Advanced Warning Signs

August 31, 2020

LaNise Essick, Network Infrastructure Consultant, Sophicity

This article is posted with permission from Sophicity’s CitySmart blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. Sophicity is solely responsible for the article’s content.

We’ve often talked about the warning signs of phishing and how to dissect phishing emails. However, phishing emails grow more sophisticated as hackers get better. During the COVID-19 pandemic, scammers are using fear and taking advantage of people working from home to attempt more aggressive and tricky phishing attacks.

KnowBe4 recently wrote about such an attack where the scammer poses as the “Johns Hopkins Center” and offers information about US COVID-19 deaths—specifically, a spreadsheet with a list of people who have died in the US from the coronavirus.

Does this sound strange and too good to be true? Good. It should. In fact, if you sensed something wrong with this information, you’re ahead of the game.

Unfortunately, many people get tricked by such phishing emails because they look legitimate and seem to provide interesting, useful, and timely information. Let’s look at the advanced warning signs in such a phishing email scam.

1. An unsolicited email comes from a “credible source.”

Whether it’s the “Johns Hopkins Center” or the White House or your bank, ask yourself why a credible source singled you out with such an email. Instead of posting something to their website or telling media outlets, why would the Johns Hopkins Center send you an email with such information?

Obviously, credible sources will send you legitimate emails. How do you tell the difference? A few ways to vet such emails include:

  • Checking the sender’s email address: Often, the sender’s name might say Johns Hopkins Center but the email address is something like hostps458@yahoo.com. That should be a clear sign that you have received a scam email. If the email address doesn’t match the name of the organization, it’s likely a scam.
  • Asking yourself if you are expecting this information: If the sender’s email address is spoofed (i.e., made to look like a legitimate address), checking the address won’t help, so also ask yourself if you are expecting this information. The United States has laws about opting in to receive information by email from legitimate organizations. If you signed up for Johns Hopkins Coronavirus Resource Center emails, then it’s likelier that an email from them is legitimate. If you never signed up for a newsletter or email updates, then it’s more likely a scam.
  • Asking yourself if this is like emails you receive: Even if you do receive regular emails from an organization, ask yourself if this looks and feels like a normal email. If not, it may be a scam.

If in doubt: Contact the source directly to see if the email is legitimate.

2. The information seems unusually enticing or urgent.

You might say, “Wow! A list of people in the United States who have died of COVID-19! But wait…wouldn’t that break healthcare privacy laws? Wouldn’t the media have reported it? And why would Johns Hopkins, a very respected university, be sharing such information? With me?”

Exactly the right questions to ask for this, or any, scam. Scammers try to entice you with “special” information or create a sense of unusual urgency with their message. Some questions to ask include:

  • Is this promised content too good to be true? If it’s too good to be true, then be very, very skeptical. This usually involves you getting money, special information, or a gift from out of nowhere.
  • Why are you getting this information? What makes you special? If there is no personalized reason why you are receiving something exclusive, then be very suspicious.
  • Is this information you can look up on the internet? Use a search engine to look up what content the email is promising you. You might find it’s a scam. You might find the information is already public. You might find the information doesn’t exist. Whatever you find, it’s likely you will debunk the entire premise of the email.

If in doubt: Look up the information mentioned in the email or contact the source directly.

3. There is an attachment you need to open.

Whether it’s a PDF, a Word document, an Excel spreadsheet, or another file, an unsolicited email requiring you to open an attachment should be a major red flag. Only open attachments from senders you 100% trust. Attachments are how scammers deliver malware and viruses: you open what you think is a legitimate document when it’s actually an executable file that runs malicious programs on your computer.

If in doubt: Contact the person or organization who sent you the file to confirm they sent it. If still in doubt, contact your IT helpdesk.

4. You must download or enable something.

Maybe it’s through an attachment, or maybe it’s through a website link. You get tricked or tempted and want the information the sender is providing you. Suddenly, you’re faced with a decision…

  • To view the content, you must download Software X Reader.
  • To view the spreadsheet, you must enable a macro.
  • To view the Word document, you must click on this link to activate the embedded video player.

To read content from a trusted sender, you should not need to download software or enable some weird function in commonly used files that you’ve never enabled before. When was the last time you had to “enable macros” in a work document?

If in doubt: Ask your IT helpdesk about any requests for downloading software or enabling some technical function within a file. Only IT professionals, centrally managing your technology, should download and install software—not you.
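For IT staff who triage reported emails, the sender check from sign 1 and the attachment checks from signs 3 and 4 can be automated. The following is an added example, not part of the original article: the KNOWN_SENDERS allowlist, the extension lists, and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed allowlist: name an organization uses -> domains it really sends from.
KNOWN_SENDERS = {"johns hopkins": {"jhu.edu"}}
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}          # Office files that carry macros
EXEC_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".hta"}

def warning_signs(raw_message):
    """Return warning-sign strings for one raw email message."""
    msg = message_from_string(raw_message)
    findings = []
    # Sign 1: display name claims an organization, address domain disagrees.
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    for org, domains in KNOWN_SENDERS.items():
        trusted = any(domain == d or domain.endswith("." + d) for d in domains)
        if org in display.lower() and not trusted:
            findings.append(f"sender-mismatch: '{display}' sent from {domain}")
    # Signs 3 and 4: executables posing as documents, macro-enabled files.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        stem, ext = os.path.splitext(name.lower())
        if ext in EXEC_EXTS:
            disguised = os.path.splitext(stem)[1] != ""
            findings.append(("disguised-executable: " if disguised else "executable: ") + name)
        elif ext in MACRO_EXTS:
            findings.append("macro-enabled: " + name)
    return findings

def build_sample(sender, attachment=None):
    """Construct a sample message (test data, not a captured email)."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = "COVID-19 update"
    m.set_content("Please see the attached list.")
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    scam = build_sample('"Johns Hopkins Center" <hostps458@yahoo.com>', "covid-list.xlsm")
    for finding in warning_signs(scam):
        print(finding)
```

A clean result does not prove an email is safe: a spoofed sender address passes the domain check, which is why the "are you expecting this?" question still matters.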


Scammers are working harder than ever to trick you, and their scams grow more sophisticated. Don’t let them trick you. Make sure city employees receive regular training on the latest tactics that scammers use and share this post to help them spot key warning signs when they receive suspicious emails.
