Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

The Phishing Game - Five Signs It’s a Phish

To start Cyber Security Awareness Month this October, we’re sharing our best advice on how to spot a phish, including the top five signs to look for.

The Internet is great isn’t it? It enables you to communicate so easily with friends and family and to do business without leaving your chair (or bed, or pool). But the downside is that it lays you open to all the con-artists around the world who also no longer need to leave their sun loungers to get their hands on your money. So let’s talk about phishing.

The methods the bad guys use are many and varied, but one of the most common routes to your door is email. They can send you a phishing email that tries to trick you into giving away info that might be useful to them, or lets them take over your computer. But how do you know that an email is fake when it’s mixed in with all the other emails that hit your inbox? One way is to play the Phishing Game and score it on five counts to decide if it’s likely to be a phish or not.

Here's a Phish...

Below is an example phishing email we’ll use to play the game.

Example of phishing email

Now let’s score this email on the following five counts.

Count 1 - It’s unexpected

Did you know this email was coming? Did you have a chat with your old friend Mr John Garry last night when he told you all about this opportunity and said he’d send an email confirmation?

No? In that case Phish Score 1 out of 1 so far.

Note – watch out for coincidences that make you think the email is expected, such as getting one about an Amazon delivery just after you’ve ordered something from Amazon.

Count 2 - It’s impersonal

Is it obvious that this person knows who you are and has included some relevant information about you? Or does it look like it’s been sent to everyone and their dog? If it doesn’t make you feel special, it could be a phish.

Phish Score 2 out of 2.

Note – with personal information freely available from social media it’s getting easier to personalise phishing emails, so be careful.

Count 3 - It seems too good to be true

Hurray! You’re going to get five million dollars. Or it could be an iPad, or a phone, or Amazon vouchers, or something else you like the sound of, but haven’t earned. In today’s world of extremes and conspiracy theories, it’s easier to believe the unusual. But let’s be honest – you’re not that lucky.

So if it seems to good to be true – that’s because it is.

That’s a 3 out of 3.

Count 4 - It’s urgent

Act now! Act now! Don’t think – just do. If you have a strong FOMO Drive then you may be tempted to just click on the link, or open the interesting attachment because you don’t want to be the one that’s not in the know. Are you being rushed into taking action? Then alarm bells should be ringing in your ears.

Phish Score – 4 out of 4 so far.

Count 5 - It wants something from you

Emails that just want to be read, and nothing else, are generally not a threat – that’s just spam and you can grunt and carry on with your life. But emails that need you to do something such as open an attachment, click on a link, reply with information or call a number, those are the ones to be careful of. In our example, if you email them back with the info requested (so that you can get your five million dollars before the deadline runs out) you can bet you’re going to get some follow up, either by email again or by phone. And then you’re in the con-artist’s pipeline as a potential sucker. And they will tell their friends too, so look out for a phishing frenzy.

Total Phish Score – 5 out of 5.

Conclusion? It’s a Phish! Well spotted!

What to do with a Phish

If you spot a phishing email it should be either deleted straight away or forwarded as a warning to an email address your IT support maintains for such items, if they do that. Don’t send it to your friends because not everyone is as smart as you.

Warning – the game is getting harder

The people who design and send phishing emails have been getting better at it over the years since they became a thing, but recently they have been handed a golden goose in the form of freely-available artificial intelligence, like ChatGPT (other AIs are available). Although the main parts of a phishing email will still meet the counts described above (so the game is still valid), expect them to get more convincing as time goes by. For example, bad spelling and grammar will no longer be signs of a phishing email because AI can write better than most humans. The upside is that AI will also be used more effectively to spot phishing emails before they reach your inbox, so all is not lost.


Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 

More Cyber Security Resources

If Cyber Security Awareness Month has inspired you to take action, we have some useful resources to help.

  • Cyber Security Blogs – We have a host of useful content relating to all things Cyber Security.
  • Cyber Essentials Toolkit -Align to the UK scheme with help from our document toolkit, including all the templates and guides required to comply.
  • ISO27001 Toolkit – Align to the ISO27001 standard for an Information Security Management System with help from our toolkit. Including 180+ documents, guides and templates, and unlimited email support.

We’ve helped more than 4000 businesses with their compliance


Compared to competing toolkits, your ISO27001 document structure was very good. The provided "Introduction" of each was useful (I have moved those out of the core documents and into a more comprehensive manual) for the general audience vs security staff. The inclusion of references to 27017 and 27018 were appreciated. You provided more "ISMS-C" oriented artefacts than competitors.

Trusted By Design Inc.

View all Testimonials