How to Spot a Phishing Email: A Visual Guide

Aug 20, 2025

91% of cyber attacks start with a phishing email. Learn the red flags that separate scams from legitimate messages.

Phishing emails are the number one way hackers break into businesses. According to Verizon's Data Breach Report, 91% of successful cyber attacks start with a phishing email. No matter how sophisticated your firewall or antivirus, if an employee clicks the wrong link, the attackers are in.

This guide will teach you to spot the warning signs.

The Anatomy of a Phishing Email

1. Check the Sender Address (Not Just the Display Name)

Phishers often spoof the 'display name' to look legitimate, but the actual email address tells the truth.

  • āŒ Display: 'Microsoft Support' Email: support@micros0ft-billing.com
  • āœ… Display: 'Microsoft Support' Email: support@microsoft.com

Always hover over (or tap and hold on mobile) the sender name to see the real address. Look for:

  • Misspelled domain names (micros0ft, arnazon, g00gle)
  • Random subdomains (microsoft.support-tickets-uk.com)
  • Public email domains for 'official' comms (microsoft_support@gmail.com)

2. Urgency and Threats

Phishing emails create panic to bypass your critical thinking:

  • 'Your account will be suspended in 24 hours'
  • 'Unusual sign-in activity detected - act now'
  • 'FINAL NOTICE: Unpaid invoice attached'

Legitimate companies rarely threaten you. If you're genuinely concerned, log into the service directly (type the URL yourself, don't click the email link) and check your account.

3. Generic Greetings

Real companies know your name. Phishing emails often use:

  • 'Dear Customer'
  • 'Dear User'
  • 'Dear valued member'

If your bank emails you, they'll say 'Dear John Smith', not 'Dear Customer'.

4. Suspicious Links

Before clicking ANY link, hover over it to see the destination URL:

  • āŒ 'Click here to verify' → leads to malicious-site.ru/microsoft-login
  • āœ… 'Click here to verify' → leads to account.microsoft.com/verify

Never enter passwords on a page you reached via an email link. Always navigate to the site directly.

5. Unexpected Attachments

Be extremely cautious of:

  • Invoice.pdf.exe (executable disguised as PDF)
  • Document.docm (macro-enabled Word document)
  • ZIP files you weren't expecting
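The link check from section 4 and the attachment check from section 5 can be turned into simple triage rules. This added example (not the article's own code) compares each link's real destination with the domain the email claims to come from, flags visible URLs that differ from the real href, and flags double extensions, macro-enabled Office files and archives; the extension lists and sample email body are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed lists for this example; production filters use far longer ones
DANGEROUS_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta"}
MACRO_EXT = {"docm", "xlsm", "pptm"}
ARCHIVE_EXT = {"zip", "rar", "7z", "iso"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "jpg", "txt"}

def attachment_flags(filename: str) -> list[str]:
    """Red flags for an attachment name such as Invoice.pdf.exe or Document.docm."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return []
    ext, flags = parts[-1], []
    if ext in DANGEROUS_EXT:
        flags.append(f"executable attachment (.{ext})")
        if len(parts) > 2 and parts[-2] in DECOY_EXT:
            flags.append(f"double extension: disguised as .{parts[-2]}")
    elif ext in MACRO_EXT:
        flags.append(f"macro-enabled Office document (.{ext})")
    elif ext in ARCHIVE_EXT:
        flags.append(f"archive attachment (.{ext}); confirm out of band")
    return flags

_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def link_flags(html_body: str, expected_domain: str) -> list[str]:
    """Compare each link's real destination with the domain the email claims to be from."""
    flags = []
    for href, text in _ANCHOR.findall(html_body):
        text = re.sub(r"<[^>]+>", "", text).strip()      # drop nested tags from link text
        host = (urlparse(href).hostname or "").lower()
        real = ".".join(host.split(".")[-2:])              # naive eTLD+1
        if real != expected_domain.lower():
            flags.append(f"'{text}' -> {host} (expected {expected_domain})")
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown.lower() != host:                # visible URL lies about the destination
            flags.append(f"visible URL {shown} differs from real {host}")
    return flags

# Constructed sample email body mirroring the two links shown in section 4
SAMPLE_HTML = (
    '<p>Unusual sign-in activity detected.</p>'
    '<a href="http://malicious-site.ru/microsoft-login">Click here to verify</a> '
    '<a href="https://account.microsoft.com/verify">https://account.microsoft.com/verify</a>'
)
```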

If in doubt, call the sender using a number you find independently (not from the email) to verify they sent it.

6. Poor Grammar and Spelling

While AI has improved phishing quality, many still contain:

  • Awkward phrasing ('We have detected unusual activity in your account recently')
  • Spelling errors ('recieve', 'occurence')
  • Inconsistent capitalisation ('Microsoft ACCOUNT team')

7. Too Good to Be True

  • 'You've won a £500 Amazon gift card!'
  • 'Your tax refund of £2,340 is ready'
  • 'Free iPhone - claim now!'

If you didn't enter a competition, you didn't win.

What to Do If You're Unsure

  1. Don't click anything in the email
  2. Forward it to your IT team (or us if you're a client)
  3. Navigate directly to the service's website and log in normally
  4. Call the sender using a phone number you find independently
  5. Report it to report@phishing.gov.uk (UK) or reportphishing@apwg.org

What to Do If You Clicked

Don't panic, but act fast:

  1. Disconnect from the network (WiFi off, unplug ethernet)
  2. Change your password for the affected account (from a different device)
  3. Enable MFA if not already active
  4. Contact your IT team immediately
  5. Scan your device for malware

The Role of Technology

While training is essential, technology provides an important safety net:

  • Email filtering catches most phishing before it reaches inboxes
  • Link scanning checks URLs in real-time when clicked
  • Attachment sandboxing opens files in isolation to check for malware

Our Microsoft Business Premium deployment includes Defender for Office 365, which provides all these protections.

Make It a Habit

The best defence is a healthy scepticism about every email you receive. Pause before clicking. Verify before trusting. When in doubt, reach out.

Want to test your team's phishing awareness? We offer simulated phishing campaigns as part of our Cyber Security services.
