Overview
Phishing emails are fraudulent messages designed to trick users into revealing sensitive information, opening malicious attachments, clicking unsafe links, sending money, or giving attackers access to company systems. Phishing messages often appear to come from trusted sources such as coworkers, executives, vendors, banks, cloud services, delivery companies, or IT support. This article explains common red flags to look for when assessing whether an email may be phishing.
When reviewing a suspicious email, slow down before taking action. Do not click links, open attachments, scan QR codes, reply, forward sensitive information, approve login prompts, or call phone numbers listed in the message until you have verified the email is legitimate.
Report the message using the Phish Alert Button in Outlook. If you already clicked a link, opened an attachment, entered credentials, or responded with sensitive information, contact the helpdesk or cyber team immediately.
Common Phishing Red Flags
1. Unexpected or Unusual Sender
Review the sender carefully. Attackers often impersonate trusted people or organizations.
Look for:
A sender you do not recognize.
A display name that looks familiar, but the email address does not match.
Slight misspellings in the domain name, such as
micros0ft.cominstead ofmicrosoft.com.External senders pretending to be internal employees.
Personal email accounts being used for business requests.
Vendor, client, or executive names that appear slightly different from normal.
Example red flag:
A message appears to be from “IT Support,” but the sender address is a free email account such as Gmail, Outlook, Yahoo, or another unrelated domain.
2. Urgent or Threatening Language
Phishing emails often create pressure so users act quickly without thinking.
Be cautious of messages that say:
“Immediate action required.”
“Your account will be disabled.”
“Payment is overdue.”
“Final warning.”
“You must respond within 30 minutes.”
“Failure to act will result in termination, legal action, or account suspension.”
Urgency alone does not prove an email is phishing, but it is a strong reason to verify before acting.
3. Requests for Credentials or Sensitive Information
Legitimate organizations should not ask you to send passwords, MFA codes, Social Security numbers, banking details, or confidential company data by email.
Treat the email as suspicious if it asks for:
Passwords.
One-time passcodes or MFA codes.
Security questions.
Payroll information.
W-2s, tax documents, or employee records.
Bank account or routing numbers.
Credit card numbers.
Customer data.
Confidential company documents.
Remote access details.
Never share MFA codes or approve unexpected MFA prompts. Attackers may already have your password and may be trying to bypass multi-factor authentication.
4. Suspicious Links
Phishing emails often include links to fake login pages, malware downloads, or credential-harvesting sites.
Before clicking, check whether the link destination matches the message. On a computer, hover over the link to preview the URL. On mobile, press and hold the link to preview it without opening it.
Look for:
URLs that do not match the claimed sender.
Misspelled domains.
Extra words or characters in the domain.
Shortened links, such as Bitly or TinyURL.
Links that redirect through unfamiliar services.
Login links you were not expecting.
Links asking you to “verify,” “re-authenticate,” “unlock,” or “restore” an account.
Example red flag:
The email claims to be from Microsoft, but the link goes to a domain that is not owned by Microsoft.
5. Unexpected Attachments
Attachments can contain malware, malicious macros, or fake documents designed to steal credentials.
Be careful with unexpected attachments, especially if the email asks you to open the file urgently.
High-risk attachment types include:
.exe.scr.js.vbs.bat.cmd.iso.zip.rarMacro-enabled Office files, such as
.docm,.xlsm, or.pptm
Also be cautious with ordinary-looking files, such as PDFs or Word documents, if the message is unexpected or unusual.
6. Unusual Business Requests
Some phishing attempts do not contain links or attachments. Instead, they attempt to manipulate the recipient into completing a business action.
Verify requests involving:
Wire transfers.
Gift card purchases.
Changes to direct deposit details.
Vendor bank account updates.
Invoice payment changes.
Confidential document sharing.
Urgent approvals.
Requests to bypass normal procedures.
Requests from executives asking for secrecy or speed.
Use a known, trusted communication method to verify the request. Do not verify using contact information provided in the suspicious email.
7. Poor Grammar, Formatting, or Branding
Many phishing emails contain visible quality issues. While some phishing emails are highly polished, poor formatting can still be a warning sign.
Look for:
Spelling or grammar errors.
Awkward wording.
Broken images.
Low-quality logos.
Inconsistent fonts or spacing.
Generic greetings such as “Dear User” or “Dear Customer.”
Branding that looks slightly wrong.
Unusual email signatures.
Do not rely only on grammar. Modern phishing emails may be well-written and convincing.
8. Mismatched Tone or Context
Consider whether the email fits the sender’s normal communication style and the current business context.
Ask yourself:
Was I expecting this message?
Does this request match the sender’s role?
Is the tone unusual for this person or company?
Is the timing strange?
Is the sender asking me to do something outside normal process?
Has this person contacted me this way before?
A message from a real account can still be dangerous if the account has been compromised.
9. External Warning Banners
Many organizations add warning banners to messages sent from outside the company.
If you see an external sender warning, take extra care before trusting the message. Attackers may impersonate internal staff, executives, vendors, or tools used by the company.
An external warning does not automatically mean the message is malicious, but it does mean the sender is not from the internal email system.
10. QR Codes in Emails
Phishing emails increasingly use QR codes to bypass link scanning and move users from a company computer to a personal mobile device.
Be cautious of emails that ask you to scan a QR code to:
Log in.
View a document.
Reset a password.
Accept a policy.
Confirm account activity.
Receive a delivery or payment update.
Do not scan QR codes from unexpected emails. Verify the request through a trusted channel first.
Safe Verification Steps
When in doubt, verify the message before acting.
Use these methods:
Contact the sender using a known phone number, chat, or email address already on file.
Go directly to the official website by typing the address into your browser.
Use bookmarks or approved company portals instead of email links.
Check with your manager, IT, Security, Finance, HR, or Procurement if the request involves money, credentials, employee data, or sensitive information.
Report the email using your organization’s approved phishing-reporting process.
Do not reply directly to the suspicious email for verification. If the message is malicious, your reply may go to the attacker.
What Not to Do
Do not:
Click suspicious links.
Open unexpected attachments.
Enable macros.
Enter credentials from an email link.
Share MFA codes.
Approve unexpected MFA prompts.
Reply with sensitive information.
Call phone numbers listed only in the suspicious email.
Forward the email to coworkers unless your organization’s reporting process requires it.
Delete the email before reporting it, unless instructed by IT or Security.
Quick Phishing Checklist
Before acting on an email, ask:
Do I recognize the sender and the email address?
Was I expecting this message?
Does the request make sense for the sender?
Is the message creating urgency or fear?
Is it asking for passwords, MFA codes, money, or sensitive data?
Do the links go where they claim to go?
Are there unexpected attachments?
Is the sender asking me to bypass normal procedures?
Is the tone, grammar, branding, or formatting unusual?
Have I verified the request through a trusted channel?
If one or more answers raise concern, treat the message as suspicious and report it.
Examples of Common Suspicious Email Scenarios
Example 1: Fake Password Reset
An email claims your account will be locked unless you reset your password immediately. The link points to an unfamiliar website.
Red flags:
Urgent language.
Unexpected password reset request.
Suspicious link.
Possible credential theft attempt.
Recommended action:
Do not click the link. Go directly to the approved company login portal or contact IT.
Example 2: Executive Gift Card Request
An email appears to come from a senior leader asking you to buy gift cards urgently and keep the request confidential.
Red flags:
Unusual request.
Urgency.
Secrecy.
Financial transaction outside normal process.
Recommended action:
Do not purchase anything. Verify through a known phone number or internal messaging channel.
Example 3: Vendor Bank Account Change
An email from a vendor says their banking details changed and asks future payments to be sent to a new account.
Red flags:
Change to payment instructions.
Financial impact.
Potential vendor impersonation or compromised account.
Recommended action:
Follow your organization’s vendor change verification process. Confirm using a trusted contact method already on file.
Final Guidance
Phishing detection is about identifying risk patterns. A single red flag may not prove an email is malicious, but multiple red flags should increase suspicion. When an email involves credentials, payments, confidential information, urgent action, or unusual behavior, pause and verify before proceeding.
When uncertain, report the email to IT or Security.