One Click Cost This Company $100 Million
In 2023, MGM Resorts was brought to its knees — not by a sophisticated zero-day exploit, but by a phone call and a phishing email. Threat actors from the Scattered Spider group used social engineering to gain access, eventually deploying ransomware that disrupted operations for over a week. The estimated cost exceeded $100 million. It started with someone trusting a message they shouldn't have.
Knowing how to recognize a phishing email is the single most practical cybersecurity skill any person can develop. It doesn't require a technical background. It requires knowing what to look for and training your instincts. That's exactly what this post delivers — specific, field-tested red flags I've used to train thousands of employees, with real examples pulled from actual campaigns.
If you're responsible for protecting an organization, or even just your own inbox, this is the guide that cuts through the noise.
Why Phishing Still Works in 2026
The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, errors, or misuse. Phishing remains the top initial access vector for data breaches year after year. Despite billions spent on security tools, the inbox is still the front door.
Here's what I tell every CISO I work with: your firewall doesn't matter if an employee hands over their credentials willingly. Phishing emails are designed to bypass technical controls by targeting the human. They exploit urgency, authority, and trust — emotions that no spam filter can fully neutralize.
The emails have gotten better, too. AI-generated phishing messages have eliminated the broken grammar and obvious typos that used to be reliable giveaways. In 2026, you need sharper instincts and better training than ever.
What Exactly Is a Phishing Email?
A phishing email is a fraudulent message designed to trick you into taking a harmful action — clicking a malicious link, opening an infected attachment, or entering credentials on a fake login page. The goal is almost always credential theft, malware deployment, or financial fraud.
Phishing emails impersonate trusted entities: your bank, your IT department, Microsoft, Amazon, the IRS. The attacker crafts a scenario — your account is locked, a payment failed, a document needs your signature — that pressures you into acting quickly without thinking critically.
The 9 Red Flags: How to Recognize a Phishing Email
I've analyzed thousands of phishing campaigns during incident response investigations and phishing simulation exercises. These are the red flags that actually matter in practice.
1. The Sender Address Doesn't Match the Brand
This is the first thing I check every time. A message claiming to be from Microsoft that arrives from an address on some unrelated domain is an immediate red flag. Hover over the sender name to reveal the actual email address. Attackers count on you reading the display name and ignoring the domain.
Legitimate companies send from their own domains. If the domain doesn't match, stop. Don't click anything.
2. Urgency That Demands Immediate Action
"Your account will be suspended in 24 hours." "Unauthorized login detected — verify now." "Payment failed — update immediately." Every one of these phrases is engineered to short-circuit your critical thinking.
Real organizations rarely give you a countdown timer. When you feel your pulse quicken reading an email, that's exactly when you should slow down.
3. Generic Greetings Instead of Your Name
"Dear Customer" or "Dear User" in an email from a company that definitely knows your name? That's a mass phishing campaign. Your bank knows your name. Your employer knows your name. A threat actor blasting out 50,000 emails usually doesn't.
This red flag has become less reliable as attackers scrape data from breaches to personalize messages, but it's still worth noting when combined with other signals.
4. Suspicious Links That Don't Go Where They Claim
Hover — don't click — over every link before you interact with it. The display text might say https://www.paypal.com/account but the actual URL could be https://paypa1-secure.phishingsite.ru/login. On mobile, long-press the link to preview the destination.
I've seen phishing kits that use legitimate-looking subdomains like microsoft.com.attacker-domain.net. The real domain is always the last part before the top-level domain extension. Train your eyes to read URLs right to left.
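Red flags 1 and 4 can both be checked mechanically, and doing so shows exactly what "read the URL right to left" means. The following is an added example written for this post, not code from the original or from any product it mentions. The public-suffix list is a deliberately tiny stand-in (a real check would load the full list from publicsuffix.org), and every address and hostname in the demo is constructed; the `registrable_domain`, `check_sender` and `check_link` names are mine.

```python
"""Added example (not from the original post): mechanical versions of red
flags 1 and 4. Every domain and address below is constructed."""
from email.utils import parseaddr
from urllib.parse import urlparse

# Deliberately tiny public-suffix list for the example. A real check would
# load the full list from publicsuffix.org (or use a library that does).
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "io", "co.uk"}

# Digit-for-letter swaps that lookalike domains rely on ("paypa1", "micr0soft").
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Read the hostname right to left and return the part the registrant
    controls: the label just left of the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest suffix first, so "co.uk" wins over "uk"
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def check_sender(from_header: str, brand: str, brand_domain: str) -> list[str]:
    """Red flag 1: the display name claims a brand, the address domain does not."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    if brand.lower() in display.lower() and registrable_domain(domain) != brand_domain:
        return [f"display name '{display}' but address domain is {domain}"]
    return []


def check_link(display_text: str, href: str, brand: str, brand_domain: str) -> list[str]:
    """Red flag 4: compare where a link claims to go with where it really goes."""
    findings = []
    host = urlparse(href).hostname or ""
    actual = registrable_domain(host)
    if "://" in display_text:  # the visible text is itself a URL
        shown = urlparse(display_text).hostname or ""
        if registrable_domain(shown) != actual:
            findings.append(f"text shows {shown} but destination is {host}")
    if actual != brand_domain and brand.lower() in host.translate(LOOKALIKES):
        # Brand name tucked into a subdomain, or spelled with lookalike digits,
        # of a domain that is not the brand's.
        findings.append(f"'{brand}' appears in {host} but the registrable domain is {actual}")
    return findings


if __name__ == "__main__":
    print(check_sender("Microsoft Account Team <alerts@account-verify.example>",
                       "Microsoft", "microsoft.com"))
    print(check_link("https://www.paypal.com/account",
                     "https://paypa1-secure.phishingsite.ru/login", "PayPal", "paypal.com"))
    print(check_link("Sign in", "https://microsoft.com.attacker-domain.net/login",
                     "Microsoft", "microsoft.com"))
    print(check_link("https://www.paypal.com/account", "https://www.paypal.com/account",
                     "PayPal", "paypal.com"))
```

The lookalike link from the post produces two findings (the visible text and the destination disagree, and "paypal" appears in a domain that is not paypal.com), the subdomain trick produces one, and the genuine link produces none. The important design choice is that the comparison happens on the registrable domain, never on whether the brand name appears anywhere in the hostname.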
5. Unexpected Attachments
If you weren't expecting a file — especially a .zip, .exe, .docm, or .html attachment — treat it as hostile until proven otherwise. Malicious attachments remain one of the primary delivery mechanisms for ransomware.
Even PDFs can be weaponized. If a colleague sends you an attachment out of the blue, verify through a separate communication channel before opening it.
6. Requests for Credentials or Sensitive Data
No legitimate organization will ask you to reply to an email with your password, Social Security number, or multi-factor authentication code. Ever. If an email asks for this information, it's a phishing attempt. Full stop.
This applies to login pages too. If an email link takes you to a login form, close the tab and navigate to the service directly by typing the URL yourself.
7. Mismatched Tone or Branding
Look at the email design. Does the logo look slightly off? Is the font different from what you usually see? Are there inconsistencies in formatting — like mixed font sizes or odd spacing? Phishing kits replicate brand templates, but they rarely get every detail right.
I've caught phishing emails by noticing the footer said "© 2023" when the real company's emails had already updated to the current year. Small details matter.
8. The "Too Good to Be True" Offer
Gift cards, prize winnings, unexpected refunds, job offers you never applied for — these are social engineering lures. The FBI's Internet Crime Complaint Center (IC3) consistently reports that business email compromise and phishing scams using financial lures account for the largest dollar losses among cybercrime categories.
9. Pressure to Bypass Normal Procedures
"Don't tell anyone about this yet." "Handle this before looping in IT." "I need this done before the CEO's meeting." Any email that pressures you to skip your organization's normal verification process is almost certainly an attack.
Business email compromise campaigns are built on this tactic. The attacker impersonates a senior leader and relies on employees not wanting to question authority.
A Real-World Example You Can Learn From
In 2022, Twilio disclosed a breach that started with a phishing campaign targeting employees via SMS — a technique called smishing. Employees received messages that appeared to come from Twilio's IT department, directing them to a fake Okta login page. Several employees entered their credentials, giving attackers access to internal systems and customer data.
Let's apply the red flags. The messages created urgency ("your password is expiring"). They directed recipients to a URL that wasn't Twilio's actual SSO domain. And they asked for credentials through an unexpected channel. Every red flag was present — but without training, the employees didn't recognize them in the moment.
This is why security awareness isn't a checkbox. It's a practice. If you want to build this instinct across your entire team, structured phishing awareness training for organizations is the most effective way I've found to reduce click rates and build real resilience.
What to Do When You Spot a Phishing Email
Recognizing the email is half the job. Here's what comes next:
- Don't click any links or open any attachments. This sounds obvious, but under pressure, people still do it.
- Report it immediately. Use your organization's phishing report button (most email clients have one). If you don't have one, forward it to your IT or security team.
- Don't reply to the sender. Replying confirms your address is active and monitored.
- If you already clicked, act fast. Change your password immediately. Enable multi-factor authentication if it isn't already active. Contact your IT team and let them assess the damage.
- Document what happened. Screenshots, headers, timestamps — all of this helps your security team investigate and potentially block the campaign for everyone else.
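The "document what happened" step is easier when you know which header facts the security team actually uses: the From, Reply-To and bounce addresses, the Received chain, the date, the gateway's SPF/DKIM/DMARC verdicts, and the URLs in the body. The following is an added example, not code from the original post; the raw message it parses is constructed (the `.example` domains, the 203.0.113.45 address and the dates are all made up for the demo), and `triage` and `domain_of` are names I chose.

```python
"""Added example (not from the original post): extract the facts a security
team wants from a reported message's headers. The message is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message: a spoofed "IT" mail that failed SPF and DMARC.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.attacker-domain.example>
Received: from mailer.attacker-domain.example (203.0.113.45) by mx.corp.example; Tue, 3 Jun 2025 09:14:02 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=attacker-domain.example; dkim=none; dmarc=fail header.from=corp.example
From: "IT Service Desk" <helpdesk@corp.example>
Reply-To: <reset@attacker-domain.example>
To: <employee@corp.example>
Subject: Action required: your password expires in 24 hours
Date: Tue, 3 Jun 2025 09:13:58 +0000
Message-ID: <constructed-example-1@attacker-domain.example>

Your password expires today. Reset it here: https://sso.corp.example.attacker-domain.example/
"""


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Return the header facts to hand to the security team plus the
    mismatches that make the message suspicious."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    findings = []
    # Reply-To and bounce address pointing somewhere other than the From domain
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {domain_of(from_addr)}")
    # SPF/DKIM/DMARC verdicts recorded by the receiving gateway
    for check in ("spf", "dkim", "dmarc"):
        verdict = auth.get(check, "none")
        if verdict != "pass":
            findings.append(f"{check}={verdict}")
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    return {
        "subject": msg.get("Subject", ""),
        "date": msg.get("Date", ""),
        "from": from_addr,
        "reply_to": reply_addr,
        "return_path": return_path,
        "received": msg.get_all("Received", []),
        "auth": auth,
        "urls": urls,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Forwarding a message usually strips these headers, which is why a report button that submits the original as an attachment (or the raw source) beats a plain forward: the Authentication-Results line alone tells the analyst whether the sending domain was spoofed.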
Why Technical Controls Aren't Enough
I've deployed email security gateways, DMARC policies, URL sandboxing — the full stack. They catch a lot. But they don't catch everything. Attackers specifically design campaigns to evade technical filters, using compromised legitimate domains, QR codes embedded in PDFs, and brand-new infrastructure that hasn't been flagged yet.
This is why a zero trust approach extends beyond network architecture. You need to apply zero trust thinking to your inbox: never trust an email implicitly, always verify through an independent channel, and assume that some phishing will get through.
The organizations I see with the lowest breach rates combine strong technical controls with consistent, ongoing training. Not a once-a-year compliance video — real, recurring cybersecurity awareness training that keeps employees sharp and gives them practice identifying threats in realistic scenarios.
How to Train Your Organization to Spot Phishing
Here's the framework I recommend based on what actually moves the needle:
Run Regular Phishing Simulations
Quarterly at minimum. Monthly is better. Vary the difficulty and the lure type — credential harvesting, attachment-based, BEC impersonation, QR code phishing. Track click rates over time to measure improvement.
Make Reporting Easy and Rewarded
If reporting a phishing email is harder than clicking the link, you've already lost. Deploy a one-click report button in your email client. Recognize employees who report — even if the email turns out to be legitimate. You want a culture where reporting is instinctive, not embarrassing.
Deliver Targeted Training After Failures
When someone clicks a simulated phish, don't shame them. Give them immediate, specific feedback: here's the red flag you missed, here's how to spot it next time. Bite-sized, in-the-moment training is far more effective than a 45-minute annual module.
Keep Leadership Engaged
Executives are prime targets for spear phishing and business email compromise. They need the same training — arguably more. I've seen organizations where the C-suite was exempt from phishing simulations. Those are the same organizations that end up in breach headlines.
The Technical Layer You Should Have in Place
Training and technology work together. Make sure these controls are active:
- DMARC, DKIM, and SPF properly configured on your domains to prevent spoofing.
- Multi-factor authentication on every account — especially email, VPN, and cloud services. MFA stops the vast majority of credential theft from being useful to attackers.
- Email filtering with URL rewriting, attachment sandboxing, and impersonation detection.
- Endpoint detection and response (EDR) to catch payloads that make it past email filters.
- DNS filtering to block known malicious domains even if a user clicks a link.
CISA's Shields Up guidance provides additional hardening recommendations that complement these controls.
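"Properly configured" is the part of the DMARC/DKIM/SPF bullet that gets skipped: a domain with `p=none` and `~all` has the records deployed and still lets spoofed mail through. The following is an added example, not code from the original post or from any tool it names; it grades a weak SPF/DMARC pair beside a corrected pair. All four records are constructed, and `grade_spf` and `grade_dmarc` are names I chose. The ten-lookup limit it checks is the one RFC 7208 sets for SPF.

```python
"""Added example (not from the original post): grade the SPF and DMARC TXT
records a domain publishes, a weak pair beside a corrected pair.
All records are constructed."""
import re

# Constructed records. The first of each pair is the "it's deployed" state
# that still lets spoofed mail through; the second is the corrected one.
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mail-provider.example -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@corp.example"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc@corp.example")

# SPF terms that cost a DNS lookup; RFC 7208 allows at most ten per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?::|$)|mx(?::|$)|ptr|exists:|redirect=)")


def grade_spf(record: str) -> list[str]:
    """Return the weaknesses in an SPF record (empty list means no findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t)), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("+all: any host on the internet passes SPF for this domain")
    elif all_term == "?all":
        findings.append("?all: unlisted senders get a neutral result, not a failure")
    elif all_term == "~all":
        findings.append("~all (softfail): spoofed mail is usually delivered to spam rather than rejected")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the limit of 10, receivers will return permerror")
    return findings


def grade_dmarc(record: str) -> list[str]:
    """Return the weaknesses in a DMARC record (empty list means no findings)."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam; p=reject stops it outright")
    if tags.get("sp", policy) == "none":  # subdomain policy defaults to p
        findings.append("sp=none: subdomains are unprotected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua: you receive no aggregate reports to see who is spoofing you")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"{tag}=r: relaxed alignment accepts any subdomain; s requires an exact match")
    return findings


if __name__ == "__main__":
    for label, rec, grader in (("weak SPF", WEAK_SPF, grade_spf),
                               ("strong SPF", STRONG_SPF, grade_spf),
                               ("weak DMARC", WEAK_DMARC, grade_dmarc),
                               ("strong DMARC", STRONG_DMARC, grade_dmarc)):
        print(label, "->", grader(rec) or "no findings")
```

Run it against the TXT records your own domains publish (`dig TXT example.com` and `dig TXT _dmarc.example.com`): the weak pair is what most domains look like the day DMARC is "done", and moving to `p=reject` with `-all` is what actually stops the spoofed "IT department" mail the post describes.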
The Skill That Pays for Itself
Learning how to recognize a phishing email isn't a nice-to-have skill — it's a financial imperative. IBM's Cost of a Data Breach Report has consistently shown that organizations with trained employees and incident response plans reduce breach costs by hundreds of thousands of dollars.
Every employee who can spot a phishing email is a sensor in your security architecture. Every employee who can't is an open door. The math is straightforward.
Start with the red flags in this post. Practice them every time you open your inbox. If you manage a team or an organization, invest in structured training that builds this muscle through repetition and realistic scenarios — not just slides and quizzes.
The attackers aren't slowing down. Your instincts need to be faster.