Attackers have gotten incredibly good at this. Gone are the days of obvious misspellings and Nigerian princes. Modern phishing emails are tailored, convincing, and sometimes indistinguishable from legitimate communications — until you know what to look for.
Here's what your team needs to recognize before they click.
01 The sender address doesn't match the display name
This is the oldest trick and still the most effective. An email shows "Microsoft Support" as the sender name, but the actual address is something like support@micros0ft-help.net. Most email clients show the display name prominently and hide the actual address.
Train your team to hover over or click on the sender name to reveal the real address before trusting anything the email asks them to do.
Red flag: The display name says "Microsoft" but the domain is a lookalike — not microsoft.com.
02 It creates artificial urgency
Phishing emails are designed to short-circuit your critical thinking. Phrases like "your account will be suspended in 24 hours," "immediate action required," or "verify now to avoid interruption" are pressure tactics. Legitimate companies — banks, Microsoft, your payroll provider — do not demand you click a link within hours or face consequences.
When an email makes you feel panicked or rushed, that feeling is the red flag. Slow down, go directly to the service's website by typing it manually, and check your account there instead of through the email link.
Most dangerous right now: Invoice fraud targeting small businesses. An email appearing to be from a vendor you actually work with, with a slightly different bank account number on the attached PDF. Losses can run into tens of thousands of dollars.
03 The link goes somewhere unexpected
Before clicking any link, hover over it and look at where it actually points. A link might say "Click here to verify your account" but resolve to something like login-verification.xyz/microsoft. The path after the slash can say anything — what matters is the domain.
A legitimate Microsoft link will always go to microsoft.com or a subdomain of it. If the domain is anything else, don't click it. On mobile, you can usually long-press a link to preview the URL before opening it.
- Hover before you click — check the URL in your browser's status bar
- Look at the domain only — ignore what comes after the first slash
- Watch for lookalikes — paypa1.com, rnicrosoft.com (rn looks like m)
- HTTPS doesn't mean safe — attackers use SSL too. Green padlock ≠ trustworthy
- When in doubt, go direct — type the website address manually
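As an added example (not code from the original article), the Python script below turns the checks from sections 01 and 03 into a small tool a mail-filtering or awareness team could run: it pulls the display name and the real address out of a From header, takes only the host out of a link and ignores everything after the first slash, and folds common look-alike characters (0 for o, 1 for l, rn for m) so that lookalike domains are flagged rather than missed. The brand domain, the confusables table and every sample header and link are assumptions constructed for illustration; the subdomain check and the lookalike heuristic are deliberately simple and are marked as such in the comments.

```python
"""Flag sender addresses and link targets that impersonate a brand's real domain.

Added example, not part of the original article. The brand domain, the
confusables table and all sample values are constructed assumptions.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Characters attackers swap in so a lookalike reads like the real name at a glance.
# This table is a constructed assumption, not an exhaustive homoglyph list.
_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def _fold(label: str) -> str:
    """Fold look-alike characters so 'micros0ft' and 'rnicrosoft' both become 'microsoft'."""
    label = label.lower()
    for fake, real in _CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def classify_domain(host: str, brand_domain: str) -> str:
    """Return 'legitimate' if host is brand_domain or a subdomain of it,
    'lookalike' if any label resembles the brand name, else 'unrelated'.

    Only the host is judged; the path after the slash never influences the verdict.
    """
    host = host.lower().rstrip(".")
    if host == brand_domain or host.endswith("." + brand_domain):
        return "legitimate"
    brand_label = brand_domain.split(".")[0]          # e.g. "microsoft"
    for label in host.split("."):
        folded = _fold(label)
        # Catches micros0ft-help (folded contains brand), rnicrosoft (folded equals
        # brand) and microsoft.com.evil.net (brand used as a subdomain label).
        if folded == brand_label or brand_label in folded:
            return "lookalike"
    return "unrelated"


def check_sender(from_header: str, brand_domain: str) -> dict:
    """Compare what the display name claims with where the address actually lives."""
    display, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2]
    verdict = classify_domain(host, brand_domain)
    claims_brand = brand_domain.split(".")[0] in display.lower()
    return {
        "display_name": display,
        "address": addr,
        "domain": host,
        "verdict": verdict,
        # Red flag: the name says the brand but the domain does not back it up,
        # or the domain is a lookalike regardless of what the name says.
        "red_flag": verdict == "lookalike" or (claims_brand and verdict != "legitimate"),
    }


def check_link(anchor_text: str, href: str, brand_domain: str) -> dict:
    """Judge a link by its host only; the anchor text and path can say anything."""
    if "://" not in href:                  # bare "host/path" as seen in some mail bodies
        href = "http://" + href
    parsed = urlparse(href)
    host = parsed.hostname or ""
    verdict = classify_domain(host, brand_domain)
    return {
        "text": anchor_text,
        "host": host,
        "path": parsed.path,
        "scheme": parsed.scheme,          # https proves nothing about who owns the host
        "verdict": verdict,
        "red_flag": verdict != "legitimate",
    }


if __name__ == "__main__":
    # Constructed samples mirroring the article's examples.
    print(check_sender('"Microsoft Support" <support@micros0ft-help.net>', "microsoft.com"))
    print(check_sender('"Microsoft Account" <noreply@account.microsoft.com>', "microsoft.com"))
    print(check_link("Click here to verify your account",
                     "https://login-verification.xyz/microsoft", "microsoft.com"))
    for host in ("paypa1.com", "rnicrosoft.com", "microsoft.com.evil.net"):
        print(host, "->", classify_domain(host, host.split(".")[0].rstrip("1") + ".com"))
```

The verdict is driven entirely by the host: a path of `/microsoft` on an unrelated domain stays "unrelated", and `microsoft.com` appearing as a subdomain label of someone else's domain is reported as a lookalike rather than as legitimate. The confusables fold is a heuristic that will produce some false positives on ordinary words; in a real filter it belongs behind an allow-list of the brand's own domains.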
04 It asks for credentials or payment information
No legitimate service will email you asking for your password, credit card number, or banking details. Ever. Full stop. If an email links to a login page and asks you to enter your credentials, navigate to that service directly through your browser instead of using the link.
The same applies to wire transfer requests that arrive via email, even if the email appears to come from your CEO or a manager. This attack — called Business Email Compromise — is one of the fastest-growing financial crimes against small businesses. Always verify large payment requests with a phone call to the requester directly.
Quick rule: If an email is asking you to enter a password or send money, pick up the phone and verify with the person before doing anything.
05 The attachment is unexpected or mismatched
Attachments are a classic delivery mechanism for malware. The dangerous ones often look mundane: a PDF labeled "Invoice_March_2025.pdf," a Word doc titled "Updated Contract.docx," or a ZIP file from someone you half-recognize. If you weren't expecting an attachment, treat it as suspicious — even if the sender looks legitimate.
Particularly dangerous file types include .exe, .zip, .docm, .xlsm (macro-enabled Office files), and .js files. If you receive any of these unexpectedly, do not open them. Contact your IT provider first.
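As an added example (not code from the original article), the Python script below walks the attachments of a MIME message and reports the ones that match the file types listed above, plus two checks the article does not spell out but that a mail-filtering team would add: a double extension such as `Invoice.pdf.exe`, where the last extension is the one the operating system acts on, and a declared content type that disagrees with the filename. The sample message, its attachment names and the small expected-type table are constructed assumptions for illustration.

```python
"""Report risky attachments in a MIME message by extension and declared-type mismatch.

Added example, not part of the original article. The sample message and the
expected-type table are constructed assumptions. The extension list is the
article's: .exe, .zip, .docm, .xlsm and .js.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

RISKY_EXTENSIONS = {".exe", ".zip", ".docm", ".xlsm", ".js"}

# Which filename suffix a given declared Content-Type should carry (constructed,
# deliberately short table covering the types seen in invoice/contract lures).
EXPECTED_SUFFIX = {
    "application/pdf": {".pdf"},
    "application/zip": {".zip"},
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document": {".docx"},
    "application/vnd.ms-word.document.macroenabled.12": {".docm"},
}


def risky_attachment_reasons(filename: str, declared_type: str) -> list:
    """Return the reasons an attachment deserves a second look (empty list if none)."""
    reasons = []
    # suffixes of "invoice_march_2025.pdf.exe" -> [".pdf", ".exe"]; version-like names
    # such as "report.v1.2.pdf" also split into several suffixes, a known false positive.
    suffixes = PurePosixPath(filename.lower()).suffixes
    last = suffixes[-1] if suffixes else ""
    if last in RISKY_EXTENSIONS:
        reasons.append(f"extension {last} is in the risky list")
    if len(suffixes) > 1:
        reasons.append("double extension; the last one decides how the file opens")
    expected = EXPECTED_SUFFIX.get(declared_type.lower())
    if expected is not None and last not in expected:
        reasons.append(f"declared type {declared_type} does not match extension {last or '(none)'}")
    return reasons


def scan_message(msg: EmailMessage) -> list:
    """Inspect every attachment part and attach a verdict to each."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ctype = part.get_content_type()
        reasons = risky_attachment_reasons(name, ctype)
        findings.append({"filename": name, "content_type": ctype,
                         "reasons": reasons, "risky": bool(reasons)})
    return findings


def scan_raw(raw: bytes) -> list:
    """Parse a raw RFC 5322 message (as pulled from a mailbox) and scan it."""
    return scan_message(message_from_bytes(raw, policy=policy.default))


def build_sample_message() -> EmailMessage:
    """Constructed sample: one benign PDF and two attachments that should be flagged."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.com"
    msg["To"] = "ap@example.org"
    msg["Subject"] = "Invoice March 2025"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 (constructed stub)", maintype="application",
                       subtype="pdf", filename="Invoice_March_2025.pdf")
    # Declared as a PDF, named with a double extension, really an executable name.
    msg.add_attachment(b"MZ (constructed stub)", maintype="application",
                       subtype="pdf", filename="Invoice_March_2025.pdf.exe")
    msg.add_attachment(b"PK (constructed stub)", maintype="application",
                       subtype="zip", filename="Updated Contract.zip")
    return msg


if __name__ == "__main__":
    for finding in scan_raw(build_sample_message().as_bytes()):
        flag = "RISKY " if finding["risky"] else "ok    "
        print(flag, finding["filename"], finding["content_type"], finding["reasons"])
```

The check reads only the filename and the declared type from the headers, which is exactly what a user sees in their mail client; it does not open the attachment, so a flagged file is a prompt to contact IT rather than a malware verdict, and a clean result is not proof of safety.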
The fix that matters most: Multi-factor authentication (MFA). Even if an attacker gets your password via phishing, MFA stops them from logging in. Enable it on every account that supports it — especially email, banking, and any cloud services. This single control eliminates the majority of account takeover risk.
Security awareness isn't a one-time training. It's a habit. The businesses that avoid breaches aren't necessarily running more sophisticated software — they've just built a culture where employees pause before they click.