How to Spot a Phishing Email: A Guide for Non-Technical Teams
Phishing is how most cyberattacks start. The good news: once you know what to look for, most phishing emails are easy to spot. Here is how to train your team to catch them before they click.
The Numbers
90% of successful cyberattacks start with a phishing email. 1 in 3 employees will click a phishing link without training. With training, that drops below 5%.
The 7 Red Flags: A Checklist for Every Email
Train your team to run through this mental checklist before clicking any link or downloading any attachment. It takes 10 seconds once it becomes a habit.
1. Check the Sender's Actual Email Address
This is the single most reliable way to catch phishing. The display name might say "Microsoft Support" or "Bank of America," but if you click or hover on the sender name, you see the actual email address. Look for:
- Misspelled domains:
@micr0soft.cominstead of@microsoft.com - Strange domains:
@microsoft-support-help.ru - Free email accounts for business communications:
@gmail.comwhen it should be from a company domain
2. Urgency That Does Not Make Sense
Phishing emails create artificial urgency to make you act without thinking. Watch for phrases like:
- "Your account will be suspended in 24 hours!"
- "URGENT: Unauthorized login attempt detected"
- "You must update your payment information immediately"
Legitimate companies do not threaten to close your account via email. If you are concerned, go directly to the website by typing the URL yourself — do not click the link in the email.
3. Hover Over Links Before Clicking
On a computer, hover your mouse over any link or button. The actual destination URL appears in the bottom-left corner of your browser. On mobile, press and hold a link to see the URL. Check if the domain matches who the email claims to be from.
4. Unexpected Attachments
Be extremely cautious with attachments you were not expecting, especially: .exe, .zip, .scr, .js, .iso, .docm (macro-enabled Word documents), .xlsm (macro-enabled Excel), and password-protected ZIP files. When in doubt, call the sender and ask if they sent it.
5. Generic Greetings
Legitimate companies you have accounts with will use your name. Emails that start with "Dear Customer" or "Dear Sir/Madam" are often mass phishing attempts.
6. Poor Grammar and Spelling
While AI-generated phishing is getting better, many phishing emails still contain awkward phrasing, grammar errors, and spelling mistakes that a legitimate company would never send. Read it out loud — if it sounds wrong, it probably is.
7. Requests for Sensitive Information
No legitimate company will ever email you asking for your password, credit card number, or Social Security number. If an email asks for this information, it is a scam. Full stop.
What to Do If You Suspect a Phishing Email
Give your team a simple, clear procedure:
- Do not click anything. Do not click links. Do not open attachments. Do not reply.
- Verify through a different channel. If the email claims to be from your bank, call the number on your card — not the number in the email. If it appears to be from a coworker, message them on Slack or call them.
- Report it to whoever handles IT. Forward the email as an attachment (not a regular forward — this preserves the email headers for investigation). Then delete it.
What to Do If Someone Already Clicked
Do not panic, but act fast:
- Disconnect the computer from the network (turn off Wi-Fi, unplug the Ethernet cable)
- Change passwords for any accounts that may have been compromised — use a different, clean device to do this
- Run a full antivirus scan
- Check for any rules or forwarding set up in your email accounts (attackers often set up forwarding to monitor your communications)
- Notify your bank and any financial service providers
How to Train Your Team
Reading about phishing is not the same as practicing. Here is how to build real awareness:
- Monthly phishing quiz: Show your team 5 real examples — some legitimate, some phishing — and ask them to identify which are which. Takes 5 minutes in a team meeting.
- Simulated phishing: Use free tools from your email provider (Google Workspace and Microsoft 365 both include phishing simulation) or services like KnowBe4 to send harmless fake phishing emails and see who clicks. Use the results for training, not punishment.
- Create a "security wins" channel: When someone catches and reports a real phishing attempt, celebrate it. Positive reinforcement works better than shaming people who fall for them.
The Bottom Line
Your employees are not your weakest link — they are your first line of defense. Give them the tools, training, and procedures to spot phishing, and make it safe for them to report mistakes. A team that knows what to look for and is not afraid to speak up is far more secure than one protected by software alone.