How to spot a phishing email: 8 checks every employee should know

Phishing emails still work because they are designed to trigger quick reactions. The goal is usually simple: get someone to click a link, open an attachment, or hand over sensitive information.

The good news is that most phishing emails still leave clues behind. You do not need to be a security specialist to spot them. You just need a consistent way to review suspicious messages before you act.

1. Start with the sender, not the logo

A phishing email can look polished. It can copy a brand name, visual style, and tone. That does not make it genuine.

Before you click anything, look closely at the actual sender address. If the message claims to be from a bank, delivery service, software vendor, or colleague, the email domain should make sense. A suspicious variation, extra word, or unusual domain ending is a strong warning sign.

2. Treat urgency as a red flag

Phishing works best when people feel rushed. Messages often say your account will be locked, your parcel will be returned, or you must confirm details immediately.

Pressure is not proof of fraud on its own, but it should slow you down. If a message is trying to force a quick decision, stop and verify it before doing anything else.

3. Do not trust links just because the text looks normal

Many phishing emails hide the real destination behind reassuring text like “Review document” or “Confirm account”.

If your device allows it, hover over the link and check where it actually goes. If the destination does not match the organisation you expect, do not click. If you are unsure, open the company website yourself in a new tab instead of using the link in the email.

4. Be cautious with attachments you did not expect

Unexpected attachments are one of the easiest ways to deliver malware.

If you were not expecting a file, or if the email is trying to push you into opening it quickly, stop. That is especially important if the message claims to contain an invoice, delivery document, secure message, account file, or urgent update.

5. Watch for requests for passwords, payments, or sensitive details

A suspicious message becomes much more dangerous when it asks you to do something sensitive.

Be extra careful if the email asks you to:

• log in through a link
• reset a password
• approve a payment
• change bank details
• share internal information
• confirm card or payroll details

That kind of request should always be verified through a trusted route.

6. Verify through a channel you already trust

If the message might be real, do not reply directly and do not use contact details inside the message.

Use a phone number, web address, or support channel you already know is legitimate. This is one of the simplest ways to avoid being pushed onto a fake site or into a fake conversation.

7. Report suspicious emails instead of just deleting them

Deleting a suspicious message protects one person. Reporting it helps protect the team.

If your company has a reporting process, use it. If not, set one up. Suspicious emails are useful security signals, especially if multiple employees receive the same message.

8. Build the habit of pausing before acting

The best phishing defence is not fear. It is repetition.

Employees do not need to become analysts. They need a habit: pause, inspect, verify, report. The more often teams practise that workflow, the lower the risk of a real compromise.

A simple rule to remember

If a message is unexpected, urgent, or asks you to click, open, log in, or pay, treat it as suspicious until proven otherwise.

That is exactly why phishing simulations work. They help teams build better reflexes before a real attacker gets the chance.

Sources

• FTC: How to Recognize and Avoid Phishing Scams
• FTC: Spotting scammy emails
• NCSC: Phishing
• CISA: Recognize and Report Phishing