How to spot phishing emails

Email with a fake sender

Some phishing emails seem to have a legitimate sender. A distinction is made between the name of the sender and the email address. If the name and address do not match, this is very clear evidence of a phishing email.

Note: This information can also be falsified.

Eye-catching subject lines

Criminals try to get your data and therefore choose their subject lines in such a way that many readers click on th email.

Examples of frequently clicked subjects

  • Your order is on the way
  • Your account has been blocked
  • LinkedIn: your account is at risk!
  • Please change your password immediately
  • PayPal: complete your user information
  • You have a new encrypted message
  • FedEx/DHL: we missed you
  • Bill scan
  • New billing address
  • Your bill [...]

Salutation is impersonal

Most phishing emails use an impersonal form of address (e.g. "Dear customer"). The actual service providers know your name.

An acute need for action is simulated

You will be asked to act as aquickly as possible, e.g. "if you do not carry out a verification within the next two days, you account will be blocked". Or "if you do not do this, we will block your account...".

The actual service providers will explain any need for action in more detail and also offer you a contact option in order to be able to inquire about this.

Bad wording in the email

  • Strange content
    • Impersonal address 
    • Bad spelling / grammar
    • Threats or urgent need for action
    • Confidential data is requested

(e.g. "you have to fill in a form...", "... write in the TAN")

Text contains incorrectly resolved or missing umlauts

(e.g. only "a" instead of "ä" or "ae").

Links and attachements in the email

Phishing emails usually contain attachments with malicious code or links to fake websites, which can also contain malicious code or simply require the imput of sensitive data. The damage occurs when you click on the attachment or on the link.

Suspicious URLs

The address looks very similar to the real one, but contains unusual characters. Pages on which personal data is entered usually use HTTPS. A URL with HTTPS is not necessarily trustworthy!

It is best to always use a search engine to access the original website. You can now compare the URL or, better yet, log in there. You will then see whether you have a new message and whether there is actually a need for action.

Examples of suspicious URLs:

    This address does not belong to the Sparkasse Bank, banks use https.
    An "L" is used instead of an "i", even kundenservice.ent may not belong to AB-Bank.
    The actual website / domain is around the last point (before a slash), here and not

How to spot phishing websites

If you followed a link in the email, you either gor malware or you landed on a fake webiste where the data is supposed to be fished. You can also use some criteria to check whether it is a phishing website.

URL of the webseite

The link looks very similar to the real, but contains unsual characters. Example: or

More examples under  "Suspicious URLs".

If in doubt, access the original website using a different method (search engine).

HTTPS Connection

Many phishing sites do not use an encrypted HTTPS connection. If this is missing, proceed with caution.

An HTTPS connection alone is not trustworthy! The certificate must also be issued to the known website owner.

Screenshot certificate information

Registration always works

If you are unsure, try registering with fancy entries first. After all, phising websites want your information . If you get ahead despite obviously incorrect data, it is realtively certain that you are dealing with a fake website.

Unusual data retrieval

You will be asked to enter all possible personal and sesitive information such as:

  • Name
  • Address
  • Bank details
  • Credit card number

In addition, you are often forced to enter the data under time pressure.

Further information