How to Spot a Phishing Email: A Practical Guide for Your Team

Phishing Is Still the Number One Way Businesses Get Hacked

Despite years of awareness campaigns, phishing remains the most successful attack vector for cybercriminals. The reason is simple: it is far easier to trick a person than to hack a system. In 2024, over 90% of data breaches started with a phishing email. Teaching your team to recognise these attacks is one of the most cost-effective investments you can make in security.

What a Phishing Email Looks Like

Modern phishing emails are sophisticated. They no longer look like badly formatted messages from Nigerian princes. Today's attacks mimic Microsoft, your bank, your IT department, or even your CEO. Here is what to look for:

1. Check the Sender's Email Address — Not Just the Name

The display name can say "Microsoft Support" but the actual email address might be support@m1crosoft-alert.com. Always click on the sender's name to reveal the full email address.

2. Look for Urgency and Pressure

Phishing emails create artificial urgency. "Your account will be suspended in 24 hours." "Immediate action required." "Your payment failed." Legitimate organisations do not pressure you to act within hours.

3. Hover Over Links Before Clicking

Before clicking any link, hover your mouse over it and look at the URL that appears at the bottom of your browser window. If the domain does not match the company the email claims to be from, do not click.

4. Watch for Generic Greetings

Phishing emails often use generic greetings like "Dear Customer" or "Dear User" because attackers are sending millions of emails and do not know your name. Your bank knows your name and uses it.

5. Be Suspicious of Unexpected Attachments

An invoice you were not expecting. A delivery notification when you haven't ordered anything. A "shared document" from someone you don't recognise. These are classic social engineering triggers — designed to make you curious enough to open the file.

6. Verify Requests for Money or Information Out of Band

If you receive an email from your CEO asking you to urgently transfer funds or share login credentials, call them directly to verify before doing anything. This type of attack — called Business Email Compromise (BEC) — costs businesses billions every year.
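As an added illustration (not part of the original guide), the Python below applies items 1 to 4 of the checklist to a raw email: it compares the display name against the real sender domain, compares visible link text against the link's actual host, and looks for pressure language and generic greetings. The brand-to-domain table, the phrase lists and the sample message are constructed assumptions, not data from a real incident.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: a brand attackers impersonate and the domains it really sends from (extend per tenant).
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "microsoftonline.com")}
URGENCY = ("immediate action", "within 24 hours", "will be suspended", "payment failed")
GENERIC_GREETINGS = ("dear customer", "dear user")

def host_of(value: str) -> str:
    # Lower-cased host of a mailbox address, URL or bare domain.
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()

def analyze(raw: str) -> list:
    """Apply checklist items 1 to 4 to a raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Display name claims a brand but the real address is not under that brand's domains.
    name, addr = parseaddr(str(msg["From"]))
    sender = host_of(addr)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(sender == d or sender.endswith("." + d) for d in legit):
            findings.append(f"sender: '{name}' but address is @{sender}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # 3. Link text that looks like a URL but whose href resolves to a different host.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if re.fullmatch(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", shown) and host_of(shown) != host_of(href):
            findings.append(f"link: shows {host_of(shown)} but points to {host_of(href)}")
    # 2 and 4. Pressure language and generic greetings, in subject and body.
    text = (str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    findings += [f"urgency: '{p}'" for p in URGENCY if p in text]
    findings += [f"greeting: '{g}'" for g in GENERIC_GREETINGS if g in text]
    return findings

# Constructed sample modelled on the checklist above; not a real message.
SAMPLE = """\
From: "Microsoft Support" <support@m1crosoft-alert.com>
Subject: Immediate action required
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify it now.</p>
<p><a href="https://m1crosoft-alert.com/verify">https://login.microsoftonline.com</a></p>
</body></html>
"""
if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE)))
```

Running it on the sample prints six findings (one sender mismatch, one link mismatch, three urgency phrases, one generic greeting); a message from a domain under microsoft.com whose link text is plain words produces none.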

What to Do If You Receive a Suspicious Email

  1. Do not click any links or open attachments
  2. Do not reply to the email
  3. Report it to your IT team or manager
  4. In Microsoft 365, use the Report > Report Phishing button in Outlook to send it directly to Microsoft

Building a Phishing-Aware Culture

Decoding IT runs phishing simulation programmes that send your staff realistic (but harmless) phishing emails to test and train their awareness. Staff who click are shown immediate training material. Contact us to learn more about our security awareness training service.


Wondering how exposed your business actually is? We offer a free 30-minute cybersecurity review — we'll assess your current controls, identify the highest-risk gaps, and give you a plain-English action list. No obligation. Book your free review here.