Two Obsolete Phishing Indicators

From Lance Spitzner, SANS Security Awareness.

These are typical indicators that have been recommended in the past, but we no longer recommend them.


Avoid using misspellings or poor grammar as an indicator. In today’s world, you are more likely to receive a legitimate email with bad spelling than a crafted phishing attack. Misspellings will most likely become even less common as cyber attackers use AI solutions to craft and review their phishing emails and correct any spelling or grammar issues.


One method commonly taught is to hover over the link to determine if it’s legitimate. We no longer recommend this method except for highly technical audiences. Problems with this method include having to teach people how to decode a URL, a confusing, time-consuming and technical skill.

In addition, many of today’s links are hard to decode as they are re-written by phishing security solutions such as Proofpoint. Also, it can be difficult to hover over links with mobile devices, one of the most common ways people read email.

Finally, if you train every employee in your organization to hover over and analyze every link in every email, that is an extremely high-cost behavior to your organization.

Conditions on the ground change quickly, and we’re all just trying to keep up!

To read an updated list of the SIX current phishing indicators, check out this article.

Link to the article:

— Anthony Collette
