The Colonial Pipeline Attack Started with a Single Compromised Credential
As I write this, Colonial Pipeline is still scrambling to restore fuel delivery to the southeastern United States after a ransomware attack that shut down 5,500 miles of pipeline. The FBI confirmed DarkSide as the threat actor. While the full details are still unfolding, early reports point to compromised credentials as the entry vector. Knowing how to recognize a phishing email is no longer optional — it's a survival skill for every person with an inbox.
Phishing remains the number one attack vector. The FBI IC3's 2020 Internet Crime Report logged 241,342 phishing complaints — more than any other category — with adjusted losses exceeding $54 million. And those are just the reported cases. I've investigated incidents at organizations where the phishing email sat in someone's inbox for less than four minutes before they clicked. That's the window you're working with.
This post breaks down the specific, practical signals that separate a phishing email from a legitimate one. Not theory. Not vague advice like "be careful." Real patterns I've seen across hundreds of phishing simulations and incident response cases.
What Exactly Is a Phishing Email?
A phishing email is a fraudulent message designed to trick you into revealing sensitive information — credentials, financial data, personal details — or into executing a malicious action like clicking a link or opening an attachment. Threat actors craft these messages to impersonate trusted entities: your bank, your boss, Microsoft, the IRS, a delivery service.
Phishing falls under the broader umbrella of social engineering — manipulating human psychology instead of exploiting technical vulnerabilities. The 2021 Verizon Data Breach Investigations Report found that 36% of data breaches involved phishing, up from 25% the year before. That trend isn't slowing down.
The 9 Red Flags That Give Away Every Phishing Email
I've run phishing simulations for organizations ranging from 50-person nonprofits to 10,000-employee enterprises. The emails that fool people share common traits — and the ones people catch share common red flags. Here's what to look for.
1. The Sender Address Doesn't Match the Brand
This is the single most reliable indicator. Hover over or tap the sender name to reveal the actual email address. A message claiming to be from Microsoft Support but sent from [email protected] is a phishing email. Legitimate companies send from their own domains.
Watch for subtle misspellings: paypa1.com instead of paypal.com, arnazon.com instead of amazon.com. Threat actors register these lookalike domains specifically to bypass quick visual scanning.
2. Urgency and Threats Drive the Message
"Your account will be suspended in 24 hours." "Unauthorized login detected — act now." "Failure to verify will result in permanent data loss." Every one of these is designed to short-circuit your critical thinking. Legitimate organizations rarely threaten you via email with tight deadlines.
In my experience, the urgency tactic works best on busy people — which is everyone. When you feel that spike of anxiety, pause. That emotional response is exactly what the attacker is counting on.
3. Generic Greetings Instead of Your Name
"Dear Customer," "Dear User," or "Dear Account Holder" should raise your suspicion immediately. Your bank knows your name. Your employer knows your name. Mass phishing campaigns blast thousands of emails and can't personalize each one — though spear-phishing attacks targeting specific individuals will use your real name, which is why this isn't the only signal to rely on.
4. Suspicious Links That Don't Go Where They Claim
Before clicking any link, hover over it. On mobile, press and hold. The URL preview should match the organization the email claims to be from. A "Verify Your Account" button that points to http://192.168.45.12/login.php or https://bit.ly/3xRandom is almost certainly malicious.
Also watch for HTTPS abuse. Threat actors now use SSL certificates on phishing sites, so the padlock icon alone doesn't mean a site is safe. It means the connection is encrypted — not that the destination is legitimate.
5. Unexpected Attachments
If you weren't expecting an attachment — especially a .zip, .exe, .docm, or .xlsm file — don't open it. Even PDFs can carry exploits. Ransomware frequently arrives as an email attachment disguised as an invoice, shipping notice, or HR document.
I investigated a case where an entire accounting department was locked out by ransomware that arrived as an "Updated W-9 Form." The attachment was a macro-enabled Excel file. One click, one macro enabled, and the network encryption started within minutes.
6. Requests for Credentials or Sensitive Data
No legitimate company will ask you to reply to an email with your password, Social Security number, or credit card details. If an email asks you to "confirm" or "verify" this type of information, it's a credential theft attempt.
This also applies to emails directing you to a login page. If Microsoft needs you to verify your account, go to microsoft.com directly — don't follow the link in the email.
7. Grammar and Formatting Errors
Poorly written emails with obvious spelling mistakes, inconsistent formatting, or mismatched fonts still account for a large percentage of phishing attempts. But don't rely on this alone. Sophisticated threat actors produce polished, pixel-perfect replicas of legitimate corporate emails. The 2020 phishing campaigns impersonating Office 365 were nearly indistinguishable from real Microsoft notifications.
8. Mismatched Display Names and Reply-To Addresses
An email might show "IT Help Desk" as the display name, but the actual reply-to address goes to a Gmail account. Always check both the From address and the Reply-To address. Business Email Compromise (BEC) attacks, which cost organizations $1.8 billion in 2020 according to the FBI IC3 report, frequently use this technique.
9. Too-Good-to-Be-True Offers
Gift card giveaways, unexpected tax refunds, prize winnings — these still work. They work because they exploit the same psychological lever as urgency: they create an emotional reaction (excitement) that overrides rational evaluation. If you didn't enter a contest, you didn't win one.
How to Recognize a Phishing Email: A Quick-Reference Checklist
When an email triggers even mild suspicion, run through this checklist:
- Sender address: Does the domain match the claimed organization exactly?
- Tone: Is the message creating urgency, fear, or excitement?
- Links: Do the URLs match the legitimate website when you hover?
- Attachments: Were you expecting this file from this person?
- Request: Is the email asking for credentials, payment, or personal data?
- Greeting: Is it generic or personalized?
- Grammar: Are there formatting issues, typos, or awkward phrasing?
- Reply-To: Does the reply address match the sender address?
If even one of these checks fails, verify the message through a separate channel. Call the sender. Open a new browser and go directly to the website. Don't trust the email.
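As an added example that is not part of the original post, the Python script below runs the checklist above over a constructed message (not a real email) and returns the items it fails: brand domain mismatch, the lookalike test from red flag 1 (undoing the 0/o, 1/l and rn/m substitutions, deliberately crude), Reply-To mismatch, urgency wording, generic greeting, and links whose visible text hides a different target or a raw IP address.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real message) that trips several checklist items.
SAMPLE_EML = """\
From: "Microsoft Support" <alerts@micros0ft-verify.com>
Reply-To: helpdesk.recovery@gmail.com
To: jane@example.com
Subject: Unauthorized login detected - act now
Content-Type: text/html

<p>Dear Customer,</p>
<p><a href="http://192.168.45.12/login.php">https://login.microsoft.com</a></p>
"""

URGENCY = re.compile(r"act now|suspended|unauthorized|permanent", re.I)
GENERIC = re.compile(r"dear (customer|user|account holder)", re.I)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)
RAW_IP = re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}")

def domain_of(header):
    return parseaddr(str(header))[1].rpartition("@")[2].lower()

def looks_like(domain, brand):
    # Undo the substitutions the post describes: paypa1 -> paypal, arnazon -> amazon.
    plain = domain.replace("0", "o").replace("1", "l").replace("rn", "m")
    return brand.split(".")[0] in plain

def checklist(raw, brand_domain):
    """Return the checklist items (as strings) that the message fails."""
    msg = message_from_string(raw, policy=policy.default)
    flags, sender = [], domain_of(msg["From"])
    if sender != brand_domain and not sender.endswith("." + brand_domain):
        kind = "lookalike" if looks_like(sender, brand_domain) else "foreign"
        flags.append(f"{kind} sender domain: {sender}")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != sender:
        flags.append("reply-to domain differs: " + domain_of(msg["Reply-To"]))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    for name, pattern in (("urgency language", URGENCY), ("generic greeting", GENERIC)):
        if pattern.search(text):
            flags.append(name)
    for href, label in ANCHOR.findall(text):
        if RAW_IP.match(href):
            flags.append("link target is a raw IP: " + href)
        if label.startswith("http") and not label.startswith(href):
            flags.append("link text hides a different target: " + label)
    return flags
```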
Why Phishing Simulations Are the Best Teacher
Reading about phishing red flags helps. Actually experiencing a simulated phishing attack changes behavior. I've seen click rates drop from 35% to under 5% within three rounds of well-designed phishing simulations combined with immediate, specific coaching.
The key word is "specific." Telling someone they failed a test doesn't help. Showing them exactly which red flag they missed — the misspelled domain, the suspicious URL, the urgency tactic — builds the muscle memory that matters when a real attack hits at 4:47 PM on a Friday.
Organizations serious about this should look into phishing awareness training designed for organizational teams. Simulations, combined with targeted education, produce measurable results. NIST's guidance on building security awareness programs (SP 800-50) reinforces this approach.
What to Do When You Spot a Phishing Email
Recognizing the phishing email is step one. What you do next determines whether your organization stays safe or just gets lucky.
Don't Click, Don't Reply, Don't Forward
This sounds obvious, but I've seen employees forward phishing emails to colleagues asking "Is this real?" — which only puts the lure in front of more people. Don't do it.
Report It Through Your Organization's Process
Most email clients have a "Report Phishing" button. If your organization uses a security awareness platform, use that reporting mechanism. Every reported phishing email helps your security team identify active campaigns and block them across the organization.
If You Already Clicked, Act Fast
Change your password immediately — from a different device if possible. Enable multi-factor authentication if it isn't already active. Notify your IT or security team. Time matters. Many credential theft attacks rely on the gap between when you hand over credentials and when someone notices.
Why Multi-Factor Authentication Is Your Safety Net
Even well-trained people make mistakes. Multi-factor authentication (MFA) ensures that a stolen password alone isn't enough to compromise an account. According to Microsoft, MFA blocks 99.9% of automated credential attacks.
If your organization hasn't rolled out MFA on email, VPN, and cloud services, that's a bigger priority than any training program. But you need both. A zero trust security model assumes breach and verifies every access request — MFA is a cornerstone of that model.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2020 Cost of a Data Breach Report put the average total cost of a breach at $3.86 million, with phishing as the second most expensive attack vector at $4.65 million per incident. Lost business — customer churn, reputation damage, system downtime — accounts for the largest share of those costs.
I've worked with companies that spent more recovering from one phishing incident than they would have spent on a decade of security awareness training. That math doesn't require a finance degree to understand.
Building a culture where every employee knows how to recognize a phishing email starts with consistent, practical training. If you're looking for a starting point, cybersecurity awareness training from ComputerSecurity.us covers phishing, social engineering, credential theft, and more — all designed for real-world application.
Phishing Isn't Going Away — But Your Vulnerability Can Shrink
Threat actors innovate constantly. Phishing emails in 2021 are more convincing than anything we saw five years ago. They use real brand logos, legitimate-looking domains, and current events (COVID-19 vaccine appointments, stimulus payments) as lures. The CISA guidance on avoiding social engineering and phishing attacks is worth bookmarking.
But the fundamentals haven't changed. Check the sender. Hover over the link. Question the urgency. Verify through a separate channel. These habits, practiced consistently, are the difference between catching a phishing email and becoming the next incident report.
Your organization's security posture isn't determined by your firewall. It's determined by what your least security-aware employee does with the next suspicious email that lands in their inbox. Make sure they're ready.