How to spot a phishing email: 9 red flags
The tells that give phishing away — lookalike domains, urgency, unexpected attachments and more — plus exactly what to do when you spot one.
Most phishing emails share the same handful of tells. Once you know them, suspicious messages start jumping out. Here are nine red flags worth teaching every employee.
The 9 red flags
- A sense of urgency or threat — 'act now or your account will be closed.'
- A mismatched sender — the display name says one thing, the real address another.
- Lookalike domains — micr0soft.com, paypa1.com, or an extra word in the domain.
- Generic greetings — 'Dear customer' instead of your name.
- Unexpected attachments or links you didn't ask for.
- Requests for credentials, payment, or gift cards.
- Spelling and grammar that's just slightly off.
- A link whose preview URL doesn't match the text you see.
- Anything that pressures you to bypass normal process 'just this once.'
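As an added illustration (not part of the original article), here is a small Python checker that looks for five of the tells above in a raw email: a display name claiming a brand the sender's address does not belong to, a lookalike domain, urgency wording, a generic greeting, and a link whose visible text is a different URL from its real target. The sample message, the brand list and the keyword patterns are constructed for the demo and are assumptions, not anything from the article.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message) that exhibits several of the tells listed above.
SAMPLE_EML = """From: "Microsoft Account Team" <security@micr0soft-support.com>
To: staff@example.org
Subject: Urgent: verify your account now
Content-Type: text/html

<p>Dear customer, your account will be closed within 24 hours.</p>
<p>Please <a href="http://login.micr0soft-support.com/verify">https://account.microsoft.com</a> now.</p>
"""
# Assumed brand list: display-name keyword -> the domain that brand legitimately mails from.
KNOWN_BRANDS = {"microsoft": "microsoft.com", "paypal": "paypal.com"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|will be closed)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # enough for the sample HTML

def domain_of(url_or_addr):
    # Host part of a URL, or the domain of a mailbox address, lower-cased.
    m = re.search(r"(?:@|://)([^/:\s>]+)", url_or_addr)
    return m.group(1).lower() if m else url_or_addr.lower()

def is_lookalike(domain, brand):
    # Digit-for-letter swaps (0/o, 1/l) or a brand name buried in a domain the brand does not own.
    normalised = domain.translate(str.maketrans("01", "ol"))
    return brand in normalised and not domain.endswith(KNOWN_BRANDS[brand])

def phishing_flags(raw):
    # Return the list of red flags found in one raw message.
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg["From"])
    sender_domain = domain_of(addr)
    for brand, legit_domain in KNOWN_BRANDS.items():
        if brand in name.lower() and not sender_domain.endswith(legit_domain):
            flags.append("mismatched sender")      # display name claims a brand the address is not from
        if is_lookalike(sender_domain, brand):
            flags.append("lookalike domain")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    if URGENCY.search(msg["Subject"] + " " + body):
        flags.append("urgency")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting")
    for href, text in ANCHOR.findall(body):
        if "://" in text and domain_of(text) != domain_of(href):
            flags.append("link text/URL mismatch")  # real target differs from the URL the reader sees
    return flags
```

Running `phishing_flags(SAMPLE_EML)` on the constructed message returns all five flags; a plain internal note with no brand claims, links or pressure wording returns an empty list.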
What to do when you spot one
Don't click, don't reply, and don't open attachments. Use your report button (or forward to your security team) so they can warn others and pull the message from other inboxes. Reporting is the single most valuable action an employee can take — one report can protect the whole organization.
When you're not sure
Verify through a separate channel. If 'your bank' or 'your CEO' emails an unusual request, confirm it by phone or a known-good app — never by replying to the message itself. A thirty-second check beats a six-figure mistake.
Red flags rarely appear alone. The more boxes a message ticks, the more confident you can be that it's phishing — and the faster you should report it.