I often take time to warn about phishing attacks, and for a very good reason: THEY’RE EVERYWHERE!
Email scams have significantly surged during the pandemic, exploiting our fear, confusion, and remote working situations. Two million new phishing websites were registered in early 2020, and the hoaxes have further expanded this year.
Instead of stressing consequences or tech countermeasures, today’s tip focuses on the language of lies these “phishermen” spin. A recent analysis covering thousands of bogus emails has identified their most prominent go-to words and phrases, letting us study the vocab for better detection.


Phishing attacks work by tricking us into actions that undermine our security: clicking on links, downloading code, or changing settings to make us more vulnerable. As the deceptive messages must seem legitimate to avoid suspicion, they aim to mimic recognized senders.
That’s why the best ones are tough to spot – they’re crafted like everything else in your mailbox. Yet even sophisticated phishing attacks are still scams at their core and rely upon recognizable tactics.


Hackers use a variety of methods to win our TRUST. They’ll often start by impersonating a known contact (even spoofing web addresses and logos), then use subject lines that sound somewhat familiar. These subject lines will also include URGENT language, prompting us to open the message and complete some ACTION quickly.
The specific words and phrases used will vary by context, but studies show they’re most likely to fall into one of these categories:
Professional Messages
Security Messages
These emails offer to help with protection (or alert you to hacking) while aiming to corrupt your system.
| Buzzwords | Verify | Reset | Compromised | Validate | Suspicious |
|---|---|---|---|---|---|
| | Update | Login | Unauthorized | Password | Activity |
Headline Messages
| Buzzwords | COVID | Vaccine | Lockdown | Virus | Ransomware |
|---|---|---|---|---|---|
| | Stimulus | Corona | Checks | Quarantine | Mandate |
Personal Messages
These buzzwords alone don’t make an email phishy but should raise suspicion. More so when they’re coupled with phrases that prompt quick action or accompanied by poor grammar and misspellings (many scams originate overseas with non-native speakers).
Ironically, language can be either the camouflage that masks a convincing scam or the flaw that gives it away! Whenever in doubt, don’t click on anything — close the email and independently navigate to verified domains.
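One way to turn the "buzzword plus urgency" rule above into a mail-triage check, as an added example that is not part of the original post. The buzzword lists come from the tables above; the urgency phrases, the look-alike character table, and the sample subject lines are assumptions constructed for illustration.

```python
import re

# Buzzword lists copied from the Security and Headline tables on this page.
BUZZWORDS = {
    "security": {"verify", "reset", "compromised", "validate", "suspicious",
                 "update", "login", "unauthorized", "password", "activity"},
    "headline": {"covid", "vaccine", "lockdown", "virus", "ransomware",
                 "stimulus", "corona", "checks", "quarantine", "mandate"},
}
# Assumption: the page names no urgency phrases; this short list is illustrative.
URGENCY = ("urgent", "immediately", "action required", "within 24 hours",
           "final notice")
# Assumption: a few common look-alike substitutions, undone before matching.
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "$": "s", "@": "a"})


def triage(subject):
    """Classify one subject line as 'ok', 'watch' or 'review'."""
    text = subject.lower()
    words = set(re.findall(r"[a-z]+", text.translate(LOOKALIKES)))
    hits = {cat: sorted(words & vocab)
            for cat, vocab in BUZZWORDS.items() if words & vocab}
    urgent = [p for p in URGENCY
              if re.search(r"\b" + re.escape(p) + r"\b", text)]
    # Buzzwords alone only raise suspicion; urgency on top escalates.
    # Urgency with no buzzword is left alone, following the page's rule.
    if not hits:
        verdict = "ok"
    elif urgent:
        verdict = "review"
    else:
        verdict = "watch"
    return {"verdict": verdict, "buzzwords": hits, "urgency": urgent}


# Constructed sample subject lines, not taken from real mail.
SAMPLES = [
    "Team lunch moved to Thursday",
    "Password policy update for Q3",
    "URGENT: verify your login within 24 hours",
    "Action required: V3rify your Pa$$word",
    "Stimulus checks: final notice",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print(f"{r['verdict']:<6} {s!r} {r['buzzwords']} {r['urgency']}")
```

A "review" verdict is a cue to check the sender and links by hand, since legitimate mail uses these words too.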
To learn all the ways of spotting phishing attempts, make sure your team has security awareness training. Meanwhile, enabling two-factor authentication and monitoring the Dark Web can provide notice and protection if your credentials do fall into hackers’ hands.
Be careful, be alert, and stay safe…and get all the help you can!