A case study on how to spot a phishing email
It’s easy to feel skittish about swimming in murky water — especially if you are in the actual Amazon river and know that creatures like this Piranha are lurking just below the surface.

It’s no surprise then, that I occasionally receive emails from anxious friends telling me things like, “Amazon just got hacked!” In our modern-day world we as consumers are coming to expect a regular stream of news about massive data breaches, which leaves us a little skittish as well. After all, you as a consumer don’t actually know when you’re being surrounded by a “school of hackers” until one of them bites, and it is hard to tell the difference between a phishing scheme and a legitimate email.
How to spot a Phishing email
To my friends and fellow netizens, here is a case study on an email from Amazon.com, with three tips for determining when you have received a phishing email.

Tip #1 — Make sure you recognize the sender’s domain address
A typical phishing email would come from a free email service that is quick to set up, like Gmail or Yahoo. Compared against the real thing, the difference is obvious:
- amazon-security@gmail.com (fake)
- security-update@amazon.com (real)
A more sophisticated hacker might go so far as to purchase a near match to the actual domain, making it harder to spot in a quick visual scan, but still obvious on a deeper look. This could be something like:
- amzn.com (fake)
- amaazon.com (fake)
- amazonsecurity.com (fake)
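The checks in this tip can be automated. The following is an added example (not code from the original post, and not part of Whistic’s product) that classifies the domain of a From: header as trusted, free webmail, a lookalike of a trusted brand, or unknown. The allowlist, the free-mail list, the edit-distance threshold and the sample addresses are all constructed for the demonstration; the fake domains above are used as inputs. It reads the real address rather than the display name, because a display name of “Amazon.com” costs an attacker nothing.

```python
"""Classify the sender domain of an email against the domains you trust.

Added example: illustrative code only, not from the original post or Whistic.
The trusted-domain list, free-mail list and sample addresses are constructed.
"""
from email.utils import parseaddr

# Domains the recipient genuinely expects mail from (constructed allowlist).
TRUSTED_DOMAINS = {"amazon.com"}

# Free webmail providers a company would not send security notices from
# (constructed list).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# A domain label within this many single-character edits of a trusted brand
# is treated as a lookalike (constructed threshold).
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Minimum insertions, deletions or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the real address in a From: header.

    The display name is ignored, so 'Amazon <amazon-security@gmail.com>'
    yields 'gmail.com'. Returns '' when no address is present.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_trusted(domain: str) -> bool:
    """True for a trusted domain or any subdomain of one (mail.amazon.com)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'freemail', 'lookalike' or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if is_trusted(domain):
        return "trusted"
    if domain in FREEMAIL_DOMAINS:
        return "freemail"
    labels = [lbl for lbl in domain.split(".") if len(lbl) >= 3]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]          # 'amazon' from 'amazon.com'
        for label in labels:
            # Brand embedded in an unrelated name (amazonsecurity.com) or a
            # near-miss spelling (amaazon.com, amzn.com).
            if brand in label or levenshtein(label, brand) <= MAX_EDIT_DISTANCE:
                return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, including the addresses from the post.
    for header in ("security-update@amazon.com",
                   "amazon-security@gmail.com",
                   "Amazon Security <alert@amzn.com>",
                   "alert@amaazon.com",
                   "alert@amazonsecurity.com"):
        print(f"{header:40} -> {classify_sender(header)}")
```

The lookalike rule is deliberately coarse: it errs toward flagging, because the cost of a false positive here is a second look at the header, while the cost of a miss is a stolen password. A mail gateway would pair this with authentication results (SPF, DKIM, DMARC) rather than rely on spelling alone.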
Tip #2 — Does they email have it good grammar? :)
Bad grammar is usually a dead giveaway for spotting a phishing email. No self-respecting major corporation would let an email go out with the kind of terrible grammar displayed in this tip’s title, but for whatever reason this is something that consumer-level hackers haven’t figured out.
Spear phishing attacks, however, which are a more targeted and sophisticated form of phishing, can be far more difficult to spot. These attacks are far less likely to be perpetrated on a massive scale, as they require a good deal of research on the individual and a coordinated approach. More on spear phishing here.
Tip #3 — Mind the invitation in the email
In the screenshot from the REAL Amazon (above) there is never an invitation to provide the email sender with your sensitive information or to click on a suspicious link. Hackers want you to click on links because that is how they deliver their malware to your computer, or take you to a spoofed website where they’ll try to get you to enter sensitive information.
This VALID email, however, invites you to follow the typical path you would take when logging into Amazon, meaning that they are clearly not trying to get you to click on a link.
If you’d like to speak with a Whistic representative, please click here to schedule a conversation.
About Whistic
Whistic is an award-winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self-assess against compliance and security standards (e.g. PCI DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence™ scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.
For more information about Whistic, visit: https://www.whistic.com.
