How to Spot a Phishing Email Before You Click

What Is Phishing?

Phishing is when someone sends you a fake email (or text, or message) pretending to be someone you trust — your bank, Microsoft, Amazon, a vendor — to trick you into giving up sensitive information or clicking a malicious link.

It's the #1 way businesses get hacked. Not through some movie-style hack of your server, but through someone clicking the wrong link in an email.

Why It's Getting Harder to Spot

Phishing emails have gotten incredibly convincing. They used to be obvious — bad grammar, weird formatting, a Nigerian prince asking for money. Those still exist, but the dangerous ones now:

  • Look exactly like real emails from real companies
  • Use AI to write perfect, personalized messages
  • Copy logos, formatting, and even sending addresses almost perfectly
  • Reference real orders, invoices, or conversations

The bar has gone up. You need to know what to look for.

Red Flags to Watch For

1. Urgency and fear

"Your account will be suspended in 24 hours!" "Unauthorized login detected!" "Payment failed — update now!"

Real companies rarely create this level of panic. If an email is trying to scare you into clicking something immediately, slow down.

2. Check the sender's actual email address

The name might say "Microsoft Support" but the email address is something like [email protected]. Always look at the actual address, not just the display name.

On a phone, tap the sender name to see the full address. On a computer, hover over it.

3. Suspicious links

Hover over any link before clicking. Does the URL match where you'd expect it to go? If an email from "Chase Bank" has a link pointing to chase-security-verify.com instead of chase.com, it's fake.

4. Unexpected attachments

Real companies rarely send unexpected attachments — especially .zip, .exe, or .html files. If you weren't expecting it, don't open it.

5. Asking for sensitive info

No legitimate company will ask you to email your password, Social Security number, or credit card number. Ever.

6. Generic greetings

"Dear Customer" or "Dear User" instead of your actual name can be a sign of a mass phishing campaign. But don't rely on this alone — sophisticated phishing often uses your real name.
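Red flags 2 and 3 can also be checked automatically. The sketch below is an added example, not part of the original article: it compares the brand named in the display name with the real sending domain and with every link target. The TRUSTED table, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands you expect mail from, mapped to their real domains.
TRUSTED = {"chase": "chase.com", "microsoft": "microsoft.com"}

def belongs_to(host, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def red_flags(raw_email):
    """Return a list of human-readable warnings for one raw message."""
    msg = message_from_string(raw_email)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    # Which trusted brands does the display name claim to be?
    claimed = [d for name, d in TRUSTED.items() if name in display.lower()]
    flags = [f"display name claims {d} but sender is {sender_domain}"
             for d in claimed if not belongs_to(sender_domain, d)]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        # Flag on the real target, never on the visible link text.
        flags += [f"link goes to {host}, not {d}"
                  for d in claimed if host and not belongs_to(host, d)]
    return flags

# Constructed sample message (not a real email).
SAMPLE = """From: "Chase Bank" <alerts@chase-security-verify.com>
Subject: Payment failed
Content-Type: text/html

<p>Update now: <a href="https://chase-security-verify.com/login">chase.com</a></p>
<p><a href="https://www.chase.com/help">Help</a></p>
"""

if __name__ == "__main__":
    print("\n".join(red_flags(SAMPLE)))
```

The match is on a dot boundary, so a lookalike such as chase-security-verify.com fails while www.chase.com passes.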

AI-Powered Phishing: The New Challenge

AI has made phishing emails dramatically better. Attackers can now:

  • Write emails with perfect grammar in any language
  • Personalize messages using publicly available info about you or your business
  • Mimic the writing style of people you actually know
  • Generate fake invoices, receipts, and documents that look completely real

This makes the old advice of "look for typos" much less reliable. Focus instead on the behavior: is this email asking you to do something unusual or urgent?

What to Do If You're Not Sure

  1. Don't click anything in the email. If it says there's a problem with your account, go directly to the website by typing the address yourself — don't use the link in the email.
  2. Call the company. Use the phone number on their official website, not the one in the email.
  3. Check with your team. "Did anyone else get this?" is a perfectly reasonable thing to ask.
  4. When in doubt, delete it. If it was really important, they'll follow up through another channel.

Protecting Your Business

Beyond just spotting phishing, there are a few things you can set up:

  • Enable two-factor authentication (2FA) — Even if someone gets your password through phishing, they can't log in without the second factor
  • Use a password manager — If your password manager doesn't auto-fill on a phishing site, that's a clue the site is fake
  • Set up email authentication (SPF, DKIM, DMARC) — This helps prevent attackers from spoofing your domain to phish your customers
  • Keep software updated — Phishing links often exploit known vulnerabilities that patches have already fixed

The Bottom Line

Phishing is the most common threat to small businesses, and it's getting more sophisticated. The best defense is a healthy skepticism: slow down, check the details, and never let urgency override your judgment.

Want help securing your business email or training your team to spot phishing? We can help.

Last reviewed for accuracy: February 2026
