How to spot a phishing email: 7 signs to check before you click
To spot a phishing email, check the real sender address (not just the display name), hover over links before clicking, watch for urgency or fear, and never act on a request to move money or change bank details without verifying by phone first.
Most phishing emails are caught by a thirty-second habit, not by expensive software. The trick is knowing exactly where to look. Here is the checklist we wish every employee ran before clicking a link — short enough to remember, specific enough to actually use.
1. Check the real sender address, not the display name
The display name is free to fake. "Microsoft Account Team" can sit on top of any address at all. Hover over (or tap and hold) the sender to reveal the true address. A login alert from [email protected] is not from Microsoft, no matter what the name says.
2. Look for look-alike domains
Attackers register domains that read correctly at a glance:
- paypa1.com (a number one instead of an "l")
- rnicrosoft.com ("rn" looks like "m")
- yourcompany-billing.com (your company's name attached to a domain they control)
When money or credentials are involved, read the domain character by character.
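As an added example (not from the original article), a small Python check that applies these three look-alike patterns to a host taken from a link or from the real sender address. The protected-brand list and the glyph table are constructed assumptions, and treating the last two labels as the registrable domain is a simplification that ignores suffixes such as co.uk.

```python
# Heuristic look-alike check for the three patterns listed above. PROTECTED and
# HOMOGLYPHS are constructed for this example; a real deployment would use the
# organisation's own brand list and a public-suffix list.
PROTECTED = {"paypal.com", "microsoft.com", "yourcompany.com"}

# Glyph swaps that pass at a glance; multi-character swaps must run first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s")]


def normalize(host: str) -> str:
    """Fold common look-alike glyphs back to the letters they imitate."""
    host = host.lower()
    for fake, real in HOMOGLYPHS:
        host = host.replace(fake, real)
    return host


def classify(host: str) -> str:
    """Return 'legitimate', 'homoglyph', 'brand-as-subdomain', 'brand-in-domain'
    or 'unrelated'. The registrable domain is taken as the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unrelated"                        # bare names such as localhost
    if ".".join(labels[-2:]) in PROTECTED:
        return "legitimate"                       # login.microsoft.com
    norm = normalize(".".join(labels)).split(".")
    if ".".join(norm[-2:]) in PROTECTED:
        return "homoglyph"                        # paypa1.com, rnicrosoft.com
    brands = {b.split(".")[0] for b in PROTECTED}
    if any(b in lab for lab in norm[:-2] for b in brands):
        return "brand-as-subdomain"               # yourcompany.com.evil-login.net
    if any(b in norm[-2] for b in brands):
        return "brand-in-domain"                  # yourcompany-billing.com
    return "unrelated"


def sender_host(address: str) -> str:
    """Domain of the real sender address, e.g. from a 'Name <user@host>' header."""
    return address.rsplit("@", 1)[-1].strip(" <>").lower()


if __name__ == "__main__":
    # Constructed samples covering each pattern.
    for h in ["paypa1.com", "login.rnicrosoft.com", "yourcompany-billing.com",
              "yourcompany.com.evil-login.net", "paypal.com", "example.org"]:
        print(f"{h:32} {classify(h)}")
    print(classify(sender_host("Microsoft Account Team <alerts@rnicrosoft-support.com>")))
```

Because normalize() folds glyphs blindly, a legitimate name containing "rn" or a digit can be mis-folded, so treat the verdict as a flag for a human to read character by character, not as a block decision.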
3. Hover before you click
Before clicking any link, hover to preview where it actually goes. The visible text might say https://yourbank.com, while the real destination is something else entirely. On mobile, press and hold to see the URL. If the preview does not match the text, do not click.
4. Watch the emotional temperature
Phishing runs on two emotions: fear and urgency.
- "Your account will be suspended in 24 hours."
- "Unusual login detected — verify now."
- "Your payment failed, update your details immediately."
Legitimate companies rarely threaten you into acting within minutes. Urgency is a manipulation tactic designed to bypass your judgment.
5. Be suspicious of unexpected attachments
A .zip, .html, or macro-enabled Office file you did not ask for is a red flag — especially with a vague message like "see attached." When in doubt, confirm with the sender through a channel you already trust before opening anything.
6. Notice generic or slightly-off language
"Dear Valued Customer," awkward grammar, or a tone that does not match how that person normally writes can all signal a fake. Modern phishing is more polished than it used to be, but mismatched details still leak through — a supplier who always signs "Cheers, Dave" suddenly writing a formal corporate paragraph, for example.
7. Question any request to change how money moves
This is the highest-stakes one. New bank details, a different payment portal, a request to buy gift cards, a change to payroll deposit — treat every one as unverified until you confirm it by phone using a number you already have on file. Not the number in the email.
A simple rule that beats the checklist
When something feels off, slow down and verify through a second channel. Call the person. Type the website address yourself instead of clicking. Ask a colleague. Phishing depends on you acting fast and alone — removing either one defeats it.
If an email creates urgency and asks you to click, log in, or pay — that combination is the attack pattern itself. Stop there.
Why training is necessary but not enough
The honest problem: people are busy, and the best phishing emails are specifically designed to look routine. Even well-trained teams click eventually, because the attacker only has to win once.
That is why this checklist works best alongside email security that screens messages before they reach the inbox — flagging look-alike domains, impersonation, and suspicious requests automatically, so a human checklist is the backup rather than the only line of defense. CIVRA does this for small teams that do not have an IT department to lean on. The goal is simple: by the time an email reaches you, the obvious traps are already marked.
FAQ
What is the easiest way to spot a phishing email?
Check the real sender address behind the display name, and hover over any link before clicking. A mismatch between what is shown and where it actually goes is the clearest giveaway.
Are phishing emails always full of spelling mistakes?
No. Modern phishing is often well-written and personalized. Judge an email by its sender address, its links, and any unusual request — not by grammar alone.
What should I do if I receive a suspicious email?
Do not click links or reply. Verify any request through a separate channel, such as a phone number you already have, and report the email to your IT contact or email security tool.
What is the difference between phishing and business email compromise?
Phishing usually tries to steal credentials or deliver malware at scale. Business email compromise is a targeted, payload-free email that impersonates someone you trust to trick you into sending money.
Stop the email that gets through.
CIVRA catches the targeted phishing and business email compromise your filter misses — built for small teams without a security department.