Click or Treat? How not to fall for phishing emails this Halloween

Spooky season is upon us. But while we’re busy carving Jack-o-Lanterns, donning witches’ hats, and hanging glow-in-the-dark skeletons, something far more sinister lurks in the shadows. The dreaded phishing email.

Cybercriminals don’t take a break from spamming consumer inboxes with fake  emails at any time of the year, and they’ll likely be using the spooky holiday and hike in Halloween sales as just another opportunity to pump out phishing scams to unsuspecting victims.

So to help you avoid scary scammer scenarios this Halloween and keep your personal information, bank account, credit card, and hardware safe, here’s some advice on what not to fall for in phishing emails this All Hallows’ Eve.

Cybercriminals can wear convincing costumes

Everyone knows that poorly impersonated domains (i.e. are suspicious, but an email that comes from an address that matches a company’s exact domain is always safe, right? Wrong.

Exact domain impersonation – when a criminal spoofs a business’ domain and sends fake emails pretending to be them – accounts for a hauntingly huge percentage of successful phishing attacks. And businesses are wide open to this criminal costuming, unless they have a strong DMARC policy in place. When fully configured, DMARC (Domain-Based Message Authentication, Reporting, & Conformance) is the only email authentication protocol that stops exact domain impersonation.

But terrifyingly, as of May 2021, only 6% of the world’s top global retailers are fully DMARC compliant, meaning the remaining 94% could be impersonated at any time, and a phishing email from their domain could soon crawl its way into your inbox.

So don’t assume that an email is legitimate just because it comes from a business’ exact domain. If you’re unsure, you’re best off flagging the email to your security team. You can also check whether a business is DMARC compliant here.

And if you’re worried about your personal email address being impersonated, you don’t need to. DMARC has been widely adopted by most email receivers (including Google, Yahoo, and Microsoft), meaning the majority of global consumer inboxes are protected.

Beware! Don’t click suspicious links or attachments

In terms of advice on how to spot phishing emails, this is an oldie but a goodie. Phishing attacks are becoming more sophisticated, with many scammers using ‘social engineering’ and ‘spear phishing’ to trick victims into taking the bait. But most phishing emails will still use a phoney link or malicious file to gain access to private information or money. If in doubt, don’t click, and report the email immediately to your security team. If this is an email to your personal address try to find another way to access the information being shared in the email, for example navigating to the company’s homepage and going from there.

It’s worth remembering that more traditional rules-based file scanners and spam detection technologies can only do so much to stop bad apples dropping into your inbox. So your company should also have security awareness training and – ideally – advanced threat protection in place to help stop employees being tricked to click.

Double, double, toil, and be sure to double check that from address

While many attackers spoof exact domains to send their phishing scams, there are those that still rely on ‘lookalike domains’ to target victims. This form of email impersonation involves using a well-known or reputable brand (i.e. and changing it slightly to trick the recipient into clicking (i.e. See the difference? It’s sometimes harder to spot than you might think, especially if you’re in a hurry.

To avoid falling victim to the clutches of these sneaky scammers this Halloween, we recommend always double checking the sender’s domain name and ‘from’ address. If they look suspicious, that’s probably because they are.

Is this a trick?

Business email compromise is a big hit with cyber attackers. This is when the email pretends to be from your CEO, a senior member of staff, or someone else of importance in your business. These will often be bubbling over with urgency. Again, this type of scam is most effective when the business being targeted isn’t DMARC protected, meaning the attacker can impersonate its exact domain and it’s very hard for the victim to tell it’s fake.

It’s amazing how many people fall for an email purporting to be from their ‘CEO’ or ‘bank’ in the heat of the moment. But when you receive one of these out of the blue, it’s important to take a step back and question whether it actually makes sense given the context. Does it relate to any conversations you’ve been having recently? Does the supposed sender usually talk this way? Does it coincide with anything already happening in the business? And what’s the rush?

If you’re unsure, then checking to confirm with the individual it’s supposedly from in person or over the phone – and then reporting it to your IT team if it hasn’t been sent by them – is a good idea.

Leave it to the experts

We hope we’ve provided some useful tips on how to stay safe in the inbox this Halloween. But at Red Sift, we don’t believe it should only be down to the individual to spot the signs of a phishing attack, when technology can help to do the job better. Find out more about our email security products and what we do below.


Sabrina Evans

28 Oct. 2021



Recent Posts


Preventing certificate related violations in cybersecurity frameworks:  A guide to certificate monitoring…

Rebecca Warren

TLS is one of the most widely adopted security protocols in the world allowing for unprecedented levels of commerce across the internet.  At the core of the TLS protocol is TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably…

Read more

Red Sift ASM & Red Sift Certificates: the missing link in your…

Billy McDiarmid

According to Gartner, Attack Surface Management (ASM) refers to the “processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures which include misconfigured public cloud services and servers.” This broad category of tooling is used within Continuous Threat Exposure Management (CTEM) programs, with many vendors within it having…

Read more

The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more