In early 2024, a finance employee at a UK-based engineering firm wired $25 million to threat actors after a deepfake video call. The attackers had spoofed the company's CFO, but the entire attack chain started with a single phishing email. That first message contained at least four classic email phishing red flags that, if spotted, would have stopped the whole thing cold.
I've spent years dissecting phishing campaigns, running simulations, and training organizations that just suffered a breach. The pattern is always the same: the warning signs were there. Somebody missed them. Here's how to make sure your team doesn't.
Why Email Phishing Red Flags Still Catch Smart People
According to the Verizon 2024 Data Breach Investigations Report, phishing and pretexting via email accounted for over 70% of social engineering incidents. The median time for a user to fall for a phishing email? Less than 60 seconds.
Smart people get caught because modern phishing doesn't look like the Nigerian prince scams of 2005. Today's threat actors clone real login portals pixel-for-pixel, spoof legitimate sender addresses, and time their attacks to coincide with payroll runs, tax season, or vendor invoice cycles. The emails look real because they're designed to look real.
That's exactly why knowing the specific email phishing red flags matters more than vague advice like "be careful online." Your employees need a concrete checklist — not platitudes.
The 9 Email Phishing Red Flags Your Team Must Recognize
1. Urgency That Demands Immediate Action
"Your account will be deactivated in 2 hours." "Respond immediately or lose access." Artificial urgency is the oldest trick in the social engineering playbook, and it still works because it bypasses rational thinking. Legitimate organizations rarely threaten instant consequences via a single email.
When you see deadlines measured in minutes or hours paired with a demand to click a link or open an attachment, pause. That pressure is manufactured.
2. Sender Address Doesn't Match the Organization
The display name says "Microsoft Support," but the actual sending address is on a lookalike or entirely unrelated domain. I've seen domains that swap a lowercase L for the number 1, replace an "m" with "rn", add hyphens, or use subdomains like paypal.com.attacker-site.net, where the real domain is the last part (attacker-site.net), not the familiar name in front. One caveat: an address that matches exactly is not proof either. If the impersonated organization doesn't publish an enforcing DMARC policy, the From address itself can be forged outright, and the only evidence is in the Authentication-Results header your mail server adds.
Train your team to actually click on the sender name and inspect the full email address. On mobile devices this is harder — which is exactly why attackers increasingly target mobile users.
3. Generic Greetings Instead of Your Name
"Dear Customer" or "Dear User" from a service that definitely knows your name is a red flag. Mass phishing campaigns blast thousands of emails at once. Personalization costs effort, so many threat actors skip it.
That said, spear phishing campaigns do use your real name, job title, and company. A personalized greeting doesn't guarantee safety — but a generic one should trigger suspicion.
4. Links That Don't Go Where They Claim
Hover before you click. Every time. The anchor text might say https://yourbank.com/verify, but the actual URL points somewhere else entirely. On desktop, hovering over the link reveals the true destination in the bottom corner of your browser or email client. Two caveats: if your organization uses a link-rewriting gateway, the hover target will show the gateway's domain rather than the final destination, and attackers also chain open redirects on legitimate sites so the first hop looks trustworthy. When the visible text is a URL, compare its domain against the domain in the real link, not just the look of it.
Shortened URLs (bit.ly, tinyurl) in a corporate or financial context are almost always suspicious. Legitimate institutions send full, branded URLs.
5. Unexpected Attachments — Especially Office Files with Macros
An unsolicited invoice in a .xlsm file. A "contract update" in a .docm file. A .zip file "from HR." These are classic delivery mechanisms for ransomware and credential theft malware. Since Microsoft began blocking macros in Office files downloaded from the internet by default in 2022, attackers have shifted much of the same tradecraft to .iso and .img disk images, .lnk shortcuts, and .html attachments that assemble the payload in the browser, so treat those with the same suspicion.
If you weren't expecting the attachment, verify through a separate channel before opening it. Call the sender. Slack them. Don't just reply to the suspicious email — that reply goes straight back to the attacker.
6. Requests for Credentials or Sensitive Data
No legitimate IT department, bank, or SaaS provider will ask for your password, Social Security number, or multi-factor authentication codes via email. Period. If an email asks you to "verify your identity" by entering credentials on a linked page, you're looking at a credential theft attempt. Don't assume MFA saves you here: adversary-in-the-middle phishing kits proxy the real login page, relay the one-time code you type in real time, and capture the resulting session cookie, so entering an MFA code on a phished page is as damaging as entering the password.
This is especially dangerous when attackers impersonate internal IT or help desk staff. I've seen phishing simulations where over 40% of employees entered their real passwords on a fake internal portal.
7. Grammar and Formatting Inconsistencies
Mismatched fonts, broken logos, odd spacing, and awkward phrasing still appear in phishing emails — though less often than they used to, thanks to AI-generated content. Look for subtle issues: British spellings from a U.S. company, inconsistent capitalization, or a footer that doesn't match the organization's standard template.
In my experience, the formatting red flag that catches the most phish isn't a typo — it's a missing or incorrect email signature block. Compare it against past legitimate emails from the same sender.
8. "Reply To" Address Differs from the "From" Address
This is one of the email phishing red flags that even seasoned professionals miss. The email appears to come from your CEO, but the Reply-To header routes your response to an external webmail address. Most email clients don't display Reply-To in the message view; it only becomes visible when you hit Reply or open the full headers.
Business email compromise (BEC) attacks rely on this technique. The FBI's IC3 reported that BEC losses exceeded $2.9 billion in 2023 alone. Checking the reply-to field takes three seconds and can save millions.
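Red flags 2, 4, 5 and 8 (sender address, link text vs. destination, risky attachments, Reply-To mismatch) are exactly the checks a security team can automate against a reported message before a human ever reads it. The script below is an added example, not code from the original article: it parses a raw RFC 5322 message with Python's standard library and emits one flag per problem found. The sample message, the `.example` domains, the urgency keyword list and the extension list are all constructed for illustration; the only authentication it "checks" is the verdict already written into the Authentication-Results header by the receiving mail server, so use this on messages that arrived at your own gateway.

```python
"""Triage a reported phishing email for the mechanical red flags:
sender/display-name mismatch, Reply-To on another domain, failed
SPF/DKIM/DMARC verdicts, link text that lies about its destination,
URL shorteners, risky attachment types, and urgency wording."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types from the article plus a few used by the same delivery tradecraft (assumption).
RISKY_EXTENSIONS = {".xlsm", ".docm", ".zip", ".iso", ".img", ".lnk", ".html", ".htm", ".js", ".vbs"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY = ("urgent", "immediately", "within the hour", "will be deactivated", "final notice")
# Visible anchor text that looks like a URL or bare hostname (so "Acme Corp." is not treated as one).
URL_TEXT = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]|$)", re.I)


def addr_domain(header_value):
    """Domain of the first address in a header like 'Name <user@host>' (lower-cased)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def url_host(url):
    """Hostname of a URL, or '' when it has none (e.g. 'javascript:' or 'mailto:')."""
    return (urlparse(url.strip()).hostname or "").lower()


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._buf = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", "") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._buf).strip()))
            self._href = None


def triage(raw_message):
    """Return a list of (flag, detail) tuples for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()

    # Flag 1: urgency wording in the subject (crude keyword heuristic, expect false positives).
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY):
        flags.append(("urgency", subject))

    # Flag 2: the display name smuggles an address on a domain the real address is not on.
    if "@" in from_name and from_name.rpartition("@")[2].lower().strip('"> ') != from_dom:
        flags.append(("sender-mismatch", f"display name {from_name!r} vs address {from_addr}"))

    # Flag 8: a reply would go to a different domain than the one shown as the sender.
    reply_dom = addr_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(("reply-to-mismatch", f"From {from_dom} but Reply-To {reply_dom}"))

    # Verdicts stamped by the receiving MTA. Only meaningful on mail that arrived at your own gateway.
    for result in msg.get_all("Authentication-Results", []):
        verdicts = str(result).lower()
        for mech in ("spf", "dkim", "dmarc"):
            if f"{mech}=fail" in verdicts:
                flags.append(("auth-fail", f"{mech} failed"))

    # Flag 4: visible URL text whose host differs from the href host; shorteners in business mail.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = _Anchors()
        parser.feed(html_part.get_content())
        for href, text in parser.pairs:
            href_host = url_host(href)
            if URL_TEXT.match(text):
                text_host = url_host(text if "://" in text else "http://" + text)
                if text_host != href_host:
                    flags.append(("link-mismatch", f"text says {text_host}, href goes to {href_host}"))
            if href_host in SHORTENERS:
                flags.append(("shortener", href))

    # Flag 5: macro-enabled, archive, disk-image, shortcut or script attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            flags.append(("risky-attachment", name))
    return flags


# Constructed sample: a BEC-style wire request. Every domain and filename here is made up.
SAMPLE = """\
From: "pat.chen@acme.example" <pat.chen@acme-secure-mail.example>
Reply-To: pat.chen.acme@webmail.example
To: finance@acme.example
Subject: URGENT: wire confirmation needed in the next hour
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=acme-secure-mail.example;
 dkim=none; dmarc=fail header.from=acme-secure-mail.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please confirm the transfer at
<a href="https://acme.example.attacker.example/login">https://acme.example/finance/confirm</a>
or via <a href="https://bit.ly/example-link">the short link</a>.</p>
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="Wire_Details.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

if __name__ == "__main__":
    for flag, detail in triage(SAMPLE):
        print(f"{flag:18} {detail}")
```

Run it on the constructed sample and every flag fires: urgency, sender-mismatch, reply-to-mismatch, two auth-fail entries (SPF and DMARC), link-mismatch, shortener and risky-attachment. Wire it to your "report phish" mailbox and the same flags become a triage score the analyst sees before opening the message; the keyword and extension lists are the parts you will want to tune for your own environment.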
9. Too-Good-to-Be-True Offers or Unexpected Windfalls
Gift card giveaways, unclaimed tax refunds, surprise bonuses — if it triggers excitement or greed, it's engineered to do exactly that. Social engineering exploits emotion, and positive emotions are just as exploitable as fear.
If you didn't enter a contest, you didn't win one. If your company hasn't announced a bonus, that email isn't from HR.
What Happens When You Miss Email Phishing Red Flags
A single clicked link can trigger a full-blown data breach. Here's the typical kill chain I've seen play out dozens of times:
- Credential harvesting: The employee enters their username and password on a cloned login page. The attacker now has valid credentials.
- Account takeover and lateral movement: Using those credentials, especially without multi-factor authentication, the attacker logs into the mailbox, adds inbox rules to hide replies and forward mail externally, and then pivots to internal systems and shared drives.
- Data exfiltration or ransomware deployment: Within hours, sensitive data is stolen or systems are encrypted. The ransom note appears. Or worse, the stolen data shows up on a leak site weeks later.
CISA's StopRansomware guidance lists phishing among the most common initial access vectors for ransomware attacks. Every ransomware incident has a patient zero, and it's very often an employee who missed the red flags in an email.
How to Spot a Phishing Email: Quick-Reference Checklist
What are the most common email phishing red flags? Here's a scannable list you can share with your team today:
- Urgent language demanding immediate action
- Sender address that doesn't match the claimed organization
- Generic greeting ("Dear User") from a service that knows your name
- Hyperlinks that don't match their display text (hover to verify)
- Unexpected attachments, especially .zip, .xlsm, .docm files
- Requests for passwords, MFA codes, or personal data
- Grammar errors, formatting mismatches, or broken branding
- Reply-to address that differs from the sender address
- Offers or rewards you never signed up for
Print this. Pin it in Slack. Put it on the break room wall. Repetition builds muscle memory.
Training Is the Only Reliable Defense
Email filters catch a lot. Secure email gateways block known malicious domains. But threat actors constantly rotate infrastructure, use compromised legitimate accounts, and craft messages that bypass technical controls. Your last line of defense is always a human being making a decision.
That human needs regular, realistic training — not a once-a-year compliance checkbox. Effective phishing awareness training for organizations uses real-world phishing simulations that test employees against the exact tactics current threat actors use. Simulations create the kind of experiential learning that slides and videos alone can't deliver.
Build a Zero Trust Mindset, Not Just a Zero Trust Architecture
Zero trust isn't only a network architecture concept. It's a mindset. Every email is untrusted until verified. Every link is suspicious until confirmed. Every attachment is potentially hostile until proven safe.
When your organization builds that culture — where questioning an email is praised, not penalized — your phishing click rates plummet. I've seen organizations go from 35% click rates to under 5% within six months of consistent training and simulation programs.
Where to Start If You Have No Training Program
If your organization doesn't have a formal security awareness program yet, you're already behind — but catching up is straightforward. Start with a comprehensive cybersecurity awareness training program that covers phishing, credential hygiene, social engineering tactics, and incident reporting procedures.
Then layer in phishing simulations quarterly. Measure click rates, reporting rates, and time-to-report. Those metrics tell you whether your training is actually working or just burning budget.
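The three metrics above are easy to get wrong when a user clicks twice or reports after clicking, and the one that matters most to the security team, how much time they had between the first report and the first click, rarely appears on vendor dashboards. The scorecard below is an added example, not the article's own tooling: it takes a per-user event log from one simulation (the rows are constructed sample data) and computes click, credential-submit and report rates on unique recipients, the median time to report, and that SOC reaction window.

```python
"""Scorecard for one phishing-simulation campaign from a per-user event log.
Events are (user, event, ISO timestamp); each user is counted once per event
type, and rates are over recipients the lure was actually sent to."""
from datetime import datetime
from statistics import median

# Constructed sample log for four recipients. Not real data.
EVENTS = [
    ("alice", "sent",      "2024-05-06T09:00:00"),
    ("bob",   "sent",      "2024-05-06T09:00:00"),
    ("carol", "sent",      "2024-05-06T09:00:00"),
    ("dave",  "sent",      "2024-05-06T09:00:00"),
    ("alice", "reported",  "2024-05-06T09:04:00"),
    ("bob",   "clicked",   "2024-05-06T09:07:00"),
    ("bob",   "submitted", "2024-05-06T09:08:00"),
    ("carol", "clicked",   "2024-05-06T09:15:00"),
    ("carol", "reported",  "2024-05-06T09:20:00"),  # clicked first, then reported
    ("bob",   "clicked",   "2024-05-06T10:00:00"),  # repeat click: still one clicker
]


def scorecard(events):
    """Return campaign metrics as a dict; rates are fractions of recipients."""
    first = {}  # (user, event) -> earliest timestamp for that pair
    for user, event, ts in events:
        t = datetime.fromisoformat(ts)
        key = (user, event)
        if key not in first or t < first[key]:
            first[key] = t

    recipients = {u for (u, e) in first if e == "sent"}

    def who(event):
        return {u for (u, e) in first if e == event and u in recipients}

    clicked, submitted, reported = who("clicked"), who("submitted"), who("reported")
    n = len(recipients)
    minutes_to_report = [
        (first[(u, "reported")] - first[(u, "sent")]).total_seconds() / 60 for u in reported
    ]
    first_click = min((first[(u, "clicked")] for u in clicked), default=None)
    first_report = min((first[(u, "reported")] for u in reported), default=None)
    # Positive window = someone reported before anyone clicked; that is the SOC's head start.
    soc_window = (
        (first_click - first_report).total_seconds() / 60
        if first_click and first_report else None
    )
    return {
        "recipients": n,
        "click_rate": len(clicked) / n if n else 0.0,
        "submit_rate": len(submitted) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        "clicked_then_reported": len(clicked & reported),
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        "soc_window_minutes": soc_window,
    }


if __name__ == "__main__":
    for key, value in scorecard(EVENTS).items():
        print(f"{key:26} {value}")
```

On the sample log this gives a 50% click rate, 25% credential-submit rate, 50% report rate, a median of 12 minutes to report, and a 3-minute SOC window (Alice reported at 09:04, Bob clicked at 09:07). Track the window and the "clicked then reported" count campaign over campaign; a rising report rate with a shrinking window means the training is changing behaviour, not just the slide deck.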
Beyond Red Flags: What to Do When You Spot a Phish
Recognizing email phishing red flags is only half the equation. Your employees also need to know what to do next:
- Don't click, don't reply, don't forward. Interacting with the email in any way can trigger tracking pixels or confirm your address to attackers.
- Report it immediately. Use your organization's phishing report button (most email clients support one) or forward it to your security team. Speed matters — the sooner the security team knows, the faster they can block the campaign across the organization.
- If you already clicked: Don't panic, but act fast. Change your password immediately, enable multi-factor authentication if it's not already on, and notify your IT security team. The security team then needs to do what a password change alone cannot: revoke the account's active sessions and tokens (a stolen session cookie survives a password reset), check the mailbox for newly created inbox or forwarding rules, and review recent sign-ins. The difference between a minor incident and a catastrophic breach often comes down to how quickly the compromised account gets contained.
The Threat Actors Aren't Slowing Down — Neither Should You
Phishing tactics evolve constantly. AI-generated phishing emails are now nearly indistinguishable from legitimate messages. QR code phishing ("quishing") sidesteps gateways that only inspect text links and moves the click onto a personal phone, outside corporate web filtering. Voice phishing (vishing) follows up on email lures with phone calls that add fake credibility.
The fundamentals still work, though. The nine email phishing red flags I've outlined above catch the vast majority of attacks — even sophisticated ones — because attackers still need you to take an action. They need the click, the credential, the wire transfer. Every red flag you spot is a broken kill chain.
Invest in your people. Run simulations. Make security awareness part of your organizational DNA. The technology helps, but the human firewall is what actually stops breaches before they start.