How to spot a phishing attempt

Phishing messages are designed to look legitimate, but they almost always contain subtle clues. Before acting on any email, pause and consider:

  • Sender address — Does it come from a domain you recognize? A slight misspelling (e.g. "supp0rt@") is a red flag.
  • Unexpected requests — Were you expecting this message? Unsolicited requests for credentials, payments, or personal data deserve scrutiny.
  • Tone and urgency — Phrases like "immediate action required" or "your account will be locked" are pressure tactics designed to override your judgment.
  • Link destinations — Hover over any link before clicking. If the URL doesn't match the organization it claims to represent, don't click.

When something feels off, trust your instinct and verify through an independent channel — call the sender, check with your team, or contact IT directly.

Recognizing dangerous content

Suspicious attachments
Not every attachment is safe. Be especially cautious with:
  1. Executable files (.exe, .js, .bat, .vbs, .scr) — these can run malicious code the moment you open them.
  2. Office files with macros — a .docx or .xlsm asking you to "Enable Content" may execute a hidden script.
  3. Double extensions — a file named report.pdf.exe is disguised to look harmless but is actually an executable.

If you weren't expecting an attachment, don't open it — even if the sender appears familiar.

Deceptive links
Links in phishing emails rarely go where they claim. Watch for:
  1. Look-alike domains — "micr0soft-login.com" or "google.security-check.net" are crafted to fool a quick glance.
  2. Subdomain tricks — "paypal.com.attacker.xyz" is owned by attacker.xyz, not PayPal.
  3. URL shorteners — bit.ly or tinyurl links hide the real destination entirely.
  4. Missing HTTPS — any login page served over plain HTTP should be treated as suspect.

When in doubt, open your browser and navigate to the site manually rather than clicking the link.
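The attachment checks and the link checks from the two lists above, turned into a small triage script that a mail gateway rule or help desk could run over a reported message. This is an added example, not part of the original guidance; the extension and shortener lists and the "last two labels" domain rule are simplifications chosen for illustration (a production tool would use the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed lists for illustration; extend them to match your environment.
EXECUTABLE_EXTS = {"exe", "js", "bat", "vbs", "scr"}   # run code when opened
MACRO_EXTS = {"docm", "xlsm", "pptm"}                   # Office formats that can carry macros
SHORTENERS = {"bit.ly", "tinyurl.com"}                  # hide the real destination


def attachment_warnings(filename: str) -> list[str]:
    """Return the reasons a filename looks dangerous (empty list means nothing flagged)."""
    parts = filename.lower().split(".")
    warnings = []
    if len(parts) < 2:          # no extension at all
        return warnings
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        warnings.append(f"executable extension .{ext}")
    if ext in MACRO_EXTS:
        warnings.append(f"macro-enabled Office file .{ext}")
    # Double extension: report.pdf.exe advertises a document but ends in an executable.
    if len(parts) >= 3 and ext in EXECUTABLE_EXTS and parts[-2] not in EXECUTABLE_EXTS:
        warnings.append(f"double extension hides .{ext} behind .{parts[-2]}")
    return warnings


def registrable_domain(host: str) -> str:
    """Simplified owner lookup: the last two DNS labels (assumption; no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_warnings(url: str, expected_domain: str) -> list[str]:
    """Compare where a link really goes with the organization it claims to represent."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    warnings = []
    if not host:
        return ["no host in URL"]
    if parsed.scheme != "https":
        warnings.append("not served over HTTPS")
    owner = registrable_domain(host)
    if owner in SHORTENERS:
        warnings.append(f"URL shortener {owner} hides the real destination")
    elif owner != expected_domain.lower():
        # Catches subdomain tricks (paypal.com.attacker.xyz) and look-alikes (micr0soft-login.com)
        warnings.append(f"host {host} is owned by {owner}, not {expected_domain}")
    return warnings
```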

Social engineering tactics
Attackers exploit human psychology, not just technology. Common tactics include:
  1. Authority — impersonating a CEO, manager, or IT admin so you comply without questioning.
  2. Urgency — "Your account will be suspended in 1 hour" forces you to react instead of think.
  3. Curiosity — "See who viewed your profile" or "Your invoice is attached" entices you to click.
  4. Fear — threats of legal action or account closure are meant to bypass rational evaluation.

Whenever an email triggers a strong emotional reaction, that's your signal to slow down and verify.

What's at stake

A single click on a phishing link can have serious consequences for you and your organization:

  • Breach of confidential company and client data
  • Direct financial losses and fraud
  • Disruption of critical systems and operations
  • Reputational harm and loss of trust

If you receive a suspicious email

  1. Don't interact — avoid clicking links, downloading attachments, or replying.
  2. Report it — forward the email to your IT security team or use the built-in "Report Phishing" button.
  3. Delete it — once reported, remove the message from your inbox.
  4. If you already clicked — change your passwords immediately and notify your IT team so they can investigate.