
How to Spot Phishing Emails

91% of cyber attacks start with a phishing email. Learning to recognize these deceptive messages is one of the most important things you can do to protect yourself and your business.

What is Phishing?

Phishing is a type of social engineering where attackers send fraudulent emails designed to trick you into revealing sensitive information, clicking malicious links, or downloading malware. The emails are designed to look like they come from legitimate sources—your bank, Microsoft, Amazon, or even your boss.

Why Phishing Works

Phishing exploits human psychology, not technical vulnerabilities. Attackers use:

  • Urgency — "Your account will be closed in 24 hours!"
  • Fear — "Unusual sign-in detected on your account"
  • Authority — "Message from the CEO" or "IT Department"
  • Curiosity — "You have a package waiting" or "See who viewed your profile"
  • Greed — "You've won!" or "Unclaimed refund"

Red Flags to Watch For

Train yourself and your employees to spot these warning signs:

Check the Sender Address

Hover over the sender's name to see the actual email address. Phishing emails often use addresses that look legitimate at first glance but aren't from the real company.

Look for Spelling and Grammar Errors

Many phishing emails originate overseas and contain awkward phrasing or spelling mistakes that legitimate companies wouldn't make. However, AI is making phishing emails more sophisticated, so don't rely on this alone.

Hover Before You Click

Before clicking any link, hover over it to see where it actually goes. The displayed text might say "www.paypal.com" but the actual link goes somewhere completely different.

Be Suspicious of Attachments

Unexpected attachments, especially .zip files, Office documents asking you to "enable macros," or executable files (.exe, .scr, .bat) are major red flags. Even PDFs can contain malware.

Generic Greetings

Legitimate companies usually address you by name. "Dear Customer" or "Dear User" often indicates a mass phishing campaign sent to thousands of people.

Types of Phishing Attacks

Spear Phishing

Targeted attacks using personal information gathered from LinkedIn, company websites, or social media. These are harder to detect because they reference real details about you or your company.

Business Email Compromise (BEC)

Attackers compromise or impersonate a business email account to request wire transfers, W-2 information, or other sensitive data. This cost businesses $2.7 billion in 2022 alone.

Smishing and Vishing

Phishing via text message (smishing) or voice call (vishing). The same principles apply—verify independently before providing any information.

What to Do If You Receive a Suspicious Email

  1. Don't click anything — No links, no attachments, no images
  2. Verify independently — If it claims to be from your bank, call the number on your card, not the one in the email
  3. Report it — Forward to your IT department or report as phishing in your email client
  4. Delete it — Once reported, delete the email

What to Do If You Clicked

If you accidentally clicked a link or opened an attachment:

  1. Disconnect from the network immediately
  2. Contact your IT support right away
  3. Change your passwords from a known-safe device
  4. Monitor your accounts for suspicious activity
  5. Run a full antivirus scan

Protecting Your Business

Technical controls can catch many phishing attempts before they reach employees:

  • Email filtering — Advanced filters that scan for malicious links and attachments
  • Security awareness training — Regular training with simulated phishing tests
  • Multi-factor authentication — Even if credentials are stolen, attackers can't access accounts
  • DMARC/SPF/DKIM — Email authentication to prevent spoofing of your domain

Protect Your Business from Phishing

We offer security awareness training and simulated phishing tests for Bergen County businesses. Find out how vulnerable your team really is.

Get a Security Assessment (201) 669-3107