How to spot a phishing email before it costs you
Phishing is the number-one way small businesses get breached. It's not glamorous hacking — it's a convincing email that tricks a busy person into typing their password on a fake page or wiring money to the wrong account. One click can hand over your logins, your bank details, or your whole network.
The good news: almost every phishing email gives itself away. Here's what to look for.
The 7 red flags
1. The sender isn't who it claims to be
The display name says "Microsoft" but the actual address is billing@micros0ft-secure[.]com. Always check the real email address, not just the name — and watch for lookalike domains that swap a letter (a zero for an "o", "rn" for "m").
2. It manufactures urgency or fear
"Your account will be suspended in 24 hours." "Overdue invoice — pay immediately." "The CEO needs this right now." Scammers rush you so you act before you think. Real companies rarely threaten you into a snap decision.
3. A generic greeting
"Dear Customer" or "Dear User" from a company that knows your name is a tell. So is an internal email that suddenly sounds oddly formal.
4. Links that don't go where they say
Hover over any link (on a phone, press and hold) to preview the real destination before clicking. Watch for misspelled domains, random strings, and URL shorteners hiding the address. When in doubt, don't click — type the website in yourself.
5. Unexpected attachments
Especially .zip, .html, or Office files that ask you to "Enable Content" or "Enable Macros." That prompt is often the whole attack. If you weren't expecting a file, confirm with the sender through a different channel first.
6. It asks for credentials, payment, or gift cards
No legitimate vendor, bank, or boss will ask you to confirm your password, wire funds urgently, or buy gift cards. Those requests are scams almost every single time.
7. Small things feel off
Odd grammar, a slightly wrong logo, strange formatting, or a reply-to address that differs from the sender. Trust that gut feeling — it's usually right.
- Do I actually know this sender, and is the address exactly right?
- Was I expecting this message and any attachment?
- Is it pushing me to act fast or keep it secret?
- Does the link preview match the real company?
Any "no" or "not sure"? Stop and verify through a phone number or website you already trust — not one from the email.
What to do if someone already clicked
- Don't panic, and don't hide it. Fast reporting limits the damage.
- Change that password immediately — from a different device — and anywhere the same password was reused.
- Turn on multi-factor authentication (MFA) if it wasn't already.
- Disconnect the device from the network if you suspect a malicious attachment ran.
- Tell your IT team (or us) so accounts can be checked for forwarding rules and logins from odd locations.
- Watch for follow-ups — attackers often use one compromised inbox to phish everyone else.
Any email asking to change bank/payment details, wire money urgently, or buy gift cards deserves a phone call to verify — using a number you already have, not one in the email. "Business email compromise" like this costs companies more than any other scam.
The one setting that stops most of this
Even if someone hands over their password, multi-factor authentication usually stops the attacker from getting in — they'd also need the code on your phone. If you do one thing after reading this, turn on MFA for email and anything with money attached.
Want it set up across your whole team, plus phishing training so this stuff gets caught automatically? That's exactly what we do.
Worried an email got through?
We'll check your accounts, lock things down, and train your team — free 20-minute assessment.