In May 2021, a single phishing email led to the shutdown of Colonial Pipeline — the largest fuel pipeline in the United States. One compromised credential. One employee who didn't catch the red flags. The result: fuel shortages across the East Coast, a $4.4 million ransom payment, and a national security crisis. If you've ever wondered how to spot a phishing email, that incident is the most expensive argument I can give you for learning right now.
I've spent over a decade helping organizations dissect phishing attacks after the damage is done. The pattern is always the same: someone opens an email that looked legitimate, clicks a link or downloads an attachment, and hands a threat actor the keys to the kingdom. The good news? Phishing emails share common traits. Once you know what to look for, you'll catch most of them in seconds.
This post breaks down the exact red flags, real-world examples, and practical steps you need to protect yourself and your organization.
Why Phishing Is Still the #1 Attack Vector in 2026
According to Verizon's Data Breach Investigations Report, phishing and pretexting via email remain the dominant initial access methods in confirmed data breaches — year after year. Threat actors don't need to hack a firewall when they can simply trick a human.
The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the most-reported cybercrime category, with hundreds of thousands of complaints annually. Business Email Compromise — a sophisticated cousin of phishing — has cost organizations billions in cumulative losses.
Phishing works because it exploits trust, urgency, and habit. You check email on autopilot. Threat actors know that. They craft messages designed to bypass your critical thinking and trigger an immediate response.
What Is a Phishing Email?
A phishing email is a fraudulent message designed to trick you into revealing sensitive information — such as passwords, credit card numbers, or access credentials — or into downloading malware. Attackers impersonate trusted entities like banks, coworkers, software providers, or government agencies. The goal is credential theft, financial fraud, ransomware deployment, or unauthorized network access.
The 9 Red Flags: How to Spot a Phishing Email Every Time
I've reviewed thousands of phishing emails during incident response investigations and phishing simulation campaigns. These are the indicators that show up again and again.
1. The Sender Address Doesn't Match the Brand
This is the single fastest check you can make. Hover over or tap the sender's email address. Does it actually come from the domain you'd expect? A message claiming to be from Microsoft that arrives from an address on a domain Microsoft doesn't own is an obvious fake. But threat actors are getting subtler — look for transposed letters, extra hyphens, or unfamiliar subdomains.
I've seen phishing emails use domains like paypa1.com (with a numeral one instead of the letter L) that fooled even experienced professionals at a glance.
2. Urgency and Fear Tactics
"Your account will be suspended in 24 hours." "Unauthorized login detected — act now." "You must verify your identity immediately or lose access." Phishing emails manufacture panic. They want you to react before you think. Legitimate organizations rarely threaten immediate account closure via a single email.
3. Generic Greetings
"Dear Customer." "Dear User." "Dear Account Holder." Your bank knows your name. Your employer knows your name. A generic greeting on a message that claims to be personal should raise your suspicion immediately.
4. Suspicious Links That Don't Match the Display Text
This is critical. Before you click any link in an email, hover over it. The URL that appears in the bottom-left of your browser or in the tooltip should match the organization the email claims to be from. If the display text says "Login to your account" but the actual URL points to hxxps://sketchy-domain.ru/login, you're looking at a phishing attempt.
Even links that look correct at first glance deserve scrutiny. Threat actors register domains like amazon-security-verify.com that appear plausible but aren't owned by Amazon.
5. Unexpected Attachments
If you weren't expecting a file — especially a .zip, .exe, .docm, or .html attachment — don't open it. Ransomware commonly arrives as an email attachment disguised as an invoice, shipping notice, or HR document. One click can encrypt your entire network.
6. Spelling and Grammar Errors
This red flag is less reliable than it used to be, thanks to AI-generated content. But many phishing campaigns still contain awkward phrasing, odd punctuation, or inconsistent formatting. A legitimate email from your payroll provider shouldn't read like it was translated twice.
7. Requests for Sensitive Information
No legitimate organization will ask you to email your password, Social Security number, or full credit card number. Ever. If an email asks for this, it's social engineering. Period.
8. Mismatched Branding and Formatting
Phishing emails often get logos, colors, and formatting close — but not exact. Look for blurry logos, outdated branding, inconsistent fonts, or footer information that doesn't match what the real company uses. Compare suspicious emails side-by-side with legitimate messages from the same sender.
9. The "Too Good to Be True" Offer
"You've won a $500 gift card!" "Claim your tax refund now." "You've been selected for an exclusive reward." These are social engineering lures designed to override your judgment with excitement. If you didn't enter a contest, you didn't win one.
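As an added example (not code from the original post), here is a Python script that applies several of the red flags above mechanically: it checks the From domain against the brand named in the display name, spots digit-swapped or brand-padded lookalike domains such as paypa1.com, flags urgency and prize language and generic greetings, reports link hrefs that lead somewhere other than where the visible text suggests or off the brand's own domain, and lists risky attachment types. The brand-to-domain table, the phrase lists, the host sketchy-domain.example and the sample message are constructed assumptions for the demonstration, not data from the post; the eTLD+1 and anchor parsing are deliberately simplified.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical brand -> legitimate sending domains (an assumption for this demo;
# a real deployment would maintain its own allow-list of partner and vendor domains).
KNOWN_BRANDS = {"microsoft": {"microsoft.com"}, "paypal": {"paypal.com"}, "amazon": {"amazon.com"}}
PRESSURE_PHRASES = ("act now", "immediately", "within 24 hours", "suspended",
                    "verify your identity", "you've won", "gift card", "claim your")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".zip", ".exe", ".docm", ".html", ".htm")
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # paypa1 -> paypal
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")
# Simplified anchor matcher; a production filter would use a real HTML parser.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for the demo, no public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_in(text):
    """First known brand name mentioned in text, or None."""
    return next((b for b in KNOWN_BRANDS if b in text.lower()), None)


def owned_by(domain, brand):
    return registrable_domain(domain) in KNOWN_BRANDS[brand]


def lookalike(domain, brand):
    """Digit-swapped (paypa1.com) or brand-padded (amazon-security-verify.com) imitation."""
    reg = registrable_domain(domain)
    swapped = reg.translate(HOMOGLYPHS) in KNOWN_BRANDS[brand]
    return not owned_by(domain, brand) and (swapped or brand in reg.split(".")[0])


def analyze(raw):
    """Return a list of red-flag descriptions found in a raw RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    flags = []
    # Red flag 1: the From domain does not belong to the brand named in the display name.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2]
    subject = str(msg.get("Subject", ""))
    brand = brand_in(display_name) or brand_in(subject)
    if brand and sender_domain and not owned_by(sender_domain, brand):
        flags.append(f"sender domain {sender_domain} does not belong to {brand}")
        if lookalike(sender_domain, brand):
            flags.append(f"sender domain {sender_domain} is a lookalike of {brand}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    lowered = (subject + "\n" + html).lower()
    # Red flags 2, 3 and 9: urgency/fear or prize language and a generic greeting.
    hits = [p for p in PRESSURE_PHRASES if p in lowered]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    # Red flag 4: the link text names one host but the href goes elsewhere, or the
    # href lands on a domain the claimed brand does not own.
    for href, visible in ANCHOR.findall(html):
        visible = re.sub(r"<[^>]+>", "", visible).strip()
        target = urlparse(href).hostname or ""
        shown = URL_LIKE.match(visible)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            flags.append(f"link text '{visible}' points to {target}")
        elif brand and not owned_by(target, brand):
            flags.append(f"link to {target} is not a {brand} domain")
    # Red flag 5: an attachment type that commonly carries malware.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {name}")
    return flags


def build_sample():
    """Constructed sample phishing message (made up for this demo)."""
    m = EmailMessage()
    m["From"] = '"PayPal Security" <alerts@paypa1.com>'
    m["To"] = "someone@example.org"
    m["Subject"] = "Unauthorized login detected - act now"
    m.set_content('<p>Dear Customer,</p><p>Your account will be suspended within 24 hours. '
                  '<a href="https://sketchy-domain.example/login">Login to your account</a> '
                  'to verify your identity.</p>', subtype="html")
    m.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                     subtype="zip", filename="invoice.zip")
    return m.as_string()


if __name__ == "__main__":
    for flag in analyze(build_sample()):
        print("-", flag)
```

Run as-is, the constructed message produces six findings, one per red flag it was built to trip. A script like this is a training aid and a first-pass triage heuristic, not a replacement for the mail gateway: the brand table has to come from your own environment, and the lookalike check should use a public-suffix list rather than the last-two-labels shortcut.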
Real-World Phishing Examples That Bypassed Smart People
Phishing doesn't just trick careless users. It tricks security-conscious professionals who are busy, distracted, or having a bad day.
The Google Docs Attack (2017)
Millions of Gmail users received what appeared to be a legitimate Google Docs sharing notification. The email came from a known contact. The link led to a real Google OAuth page. Clicking "Allow" gave attackers full access to the victim's email and contacts — which then propagated the attack further. It was social engineering at scale, exploiting trust in a platform people use daily.
COVID-Era Health Phishing
During 2020-2021, CISA issued multiple alerts about phishing campaigns impersonating the CDC, WHO, and state health departments. These emails offered fake vaccine appointment links, COVID test results, and stimulus check updates. The urgency was real — and threat actors exploited it ruthlessly.
Payroll Diversion Scams
I've personally investigated cases where an HR employee received an email that appeared to come from a coworker requesting a direct deposit change. The email address was spoofed. The language was casual and natural. HR updated the banking information, and the next paycheck went straight to the attacker's account. No malware involved — just pure social engineering.
What to Do When You Spot a Phishing Email
Knowing how to spot a phishing email is only half the equation. Here's what to do next.
Don't Click, Don't Reply, Don't Forward
Resist every impulse. Don't click links, don't open attachments, don't reply to the sender, and don't forward it to colleagues with "Is this real?" — you're just spreading the threat.
Report It Immediately
Use your email client's built-in "Report Phishing" button if available. Notify your IT or security team. In organizations running phishing simulation programs, this is exactly the behavior that gets measured and rewarded.
Verify Through a Separate Channel
If the email claims to be from your bank, call the number on the back of your card — not the number in the email. If it claims to be from a coworker, walk over to their desk or send a separate message. Verification through an independent channel defeats most phishing attempts instantly.
Change Credentials If You Clicked
If you already clicked a link and entered credentials, change your password immediately. Enable multi-factor authentication if it isn't already active. Alert your security team so they can check for unauthorized access and begin containment.
Building Organizational Resilience Against Phishing
Individual awareness is essential, but organizational defense requires a systematic approach. A single trained employee can stop one attack. A trained workforce operating within a zero trust framework can stop thousands.
Run Regular Phishing Simulations
The most effective way to teach employees how to spot a phishing email is to send them realistic test phishing emails and measure the response. Organizations that run regular phishing awareness training for their teams see measurable drops in click rates over time. Simulation builds muscle memory that no lecture can replicate.
Implement Technical Controls
Layer your defenses. Deploy email filtering, DMARC/DKIM/SPF authentication, and URL sandboxing. Require multi-factor authentication on all accounts. Restrict macro execution on endpoints. Technical controls catch the phishing emails that humans miss — and human awareness catches the emails that slip past filters.
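The DMARC/DKIM/SPF item above hides the detail that matters most: a message can pass SPF and DKIM for the attacker's own domain and still be a spoof, which is why DMARC additionally checks that the authenticated domain aligns with the domain in the visible From header. The following Python script is an added example, not code from the post or from any mail product: it parses an Authentication-Results header and a _dmarc TXT record, applies relaxed and strict alignment the way a receiving MTA would, and lists the record settings (p=none, a partial pct, no rua reporting address) that leave spoofed mail deliverable even though DMARC is nominally deployed. The domains, headers and records are constructed for the demo; the organizational-domain function is a last-two-labels simplification.

```python
from email.utils import parseaddr


def parse_auth_results(value):
    """Parse an Authentication-Results header (RFC 8601 style) into
    {method: {"result": ..., "<property>": ...}}; parenthesised comments are skipped."""
    clauses = [c.strip() for c in value.split(";")]
    results = {}
    for clause in clauses[1:]:  # clauses[0] is the authserv-id of the receiving host
        tokens = [t for t in clause.split() if not t.startswith("(")]
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:])
        results[method] = {"result": result, **props}
    return results


def parse_dmarc_record(txt):
    """Parse the _dmarc TXT record; alignment modes default to relaxed ('r')."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for item in txt.split(";"):
        key, _, val = item.strip().partition("=")
        if key:
            tags[key.strip()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Crude organizational domain (last two labels); real code uses the public-suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_header, auth_results, dmarc_txt):
    """Return (passed, disposition, notes) as a receiving MTA would apply the policy."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    record = parse_dmarc_record(dmarc_txt)
    res = parse_auth_results(auth_results)
    notes = []
    spf, dkim = res.get("spf", {}), res.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    if spf.get("result") == "pass" and aligned(from_domain, spf_domain, record["aspf"]):
        return True, "none", [f"SPF pass for {spf_domain} aligns with From {from_domain}"]
    notes.append(f"SPF {spf.get('result', 'none')} for {spf_domain or '?'} does not align with {from_domain}")
    dkim_domain = dkim.get("header.d", "")
    if dkim.get("result") == "pass" and aligned(from_domain, dkim_domain, record["adkim"]):
        return True, "none", notes + [f"DKIM pass for d={dkim_domain} aligns with From {from_domain}"]
    notes.append(f"DKIM {dkim.get('result', 'none')} for d={dkim_domain or '?'} does not align with {from_domain}")
    return False, record["p"], notes  # p= is what the receiver does with a failing message


def policy_weaknesses(record):
    """Settings that leave spoofed mail deliverable even though DMARC is 'deployed'."""
    issues = []
    if record["p"] == "none":
        issues.append("p=none only monitors; receivers still deliver spoofed mail")
    if int(record.get("pct", "100")) < 100:
        issues.append(f"pct={record['pct']} applies the policy to only part of the mail")
    if "rua" not in record:
        issues.append("no rua= address, so you get no aggregate reports of spoofing")
    return issues


# Constructed samples (domains, headers and records made up for this demo).
LEGIT_FROM = '"Example Bank" <service@bank.example>'
LEGIT_AR = ("mx.receiver.example; spf=pass smtp.mailfrom=bounces.bank.example; "
            "dkim=pass header.d=bank.example header.s=s2024")
SPOOF_FROM = '"Example Bank Security" <alerts@bank.example>'
SPOOF_AR = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@attacker-mail.example; "
            "dkim=pass header.d=attacker-mail.example header.s=x")
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@bank.example"

if __name__ == "__main__":
    for label, frm, ar in (("legitimate", LEGIT_FROM, LEGIT_AR), ("spoofed", SPOOF_FROM, SPOOF_AR)):
        for rec in (WEAK_RECORD, STRONG_RECORD):
            passed, disposition, notes = evaluate_dmarc(frm, ar, rec)
            print(f"{label:11} {rec.split(';')[1].strip():9} -> pass={passed} disposition={disposition}")
    print("weak record issues:", policy_weaknesses(parse_dmarc_record(WEAK_RECORD)))
```

The legitimate message passes under both records: through SPF under the relaxed default, and through DKIM under strict alignment because bounces.bank.example is no longer an exact match for the From domain. The spoof passes SPF and DKIM for attacker-mail.example yet fails alignment under both records, and only the p=reject record tells the receiver to discard it; a p=none record is the setting to fix first when you inventory your own domains.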
Make Security Awareness Training Ongoing
Annual compliance training isn't enough. Threat actors evolve their techniques constantly. Your training needs to keep pace. A strong cybersecurity awareness training program delivers regular, scenario-based education that keeps security awareness top of mind — not buried in a once-a-year slideshow employees click through while eating lunch.
Create a No-Blame Reporting Culture
If employees fear punishment for clicking a phishing link, they'll hide it. And a hidden compromise is exponentially more dangerous than a reported one. Reward reporting. Celebrate the catches. Make it safe to say "I think I made a mistake" — because early detection is everything in incident response.
The Multi-Factor Authentication Safety Net
Even the best phishing detection skills aren't perfect. You'll have a bad day. You'll be rushing. You'll click something you shouldn't. That's why multi-factor authentication is non-negotiable.
MFA ensures that a stolen password alone isn't enough for a threat actor to access your accounts. It's the single most effective technical control against credential theft from phishing. If your organization hasn't deployed MFA everywhere — email, VPN, cloud apps, admin portals — you're leaving the door open.
CISA's guidance consistently lists MFA as a top recommendation. It won't prevent every attack, but it dramatically raises the cost for threat actors and buys your security team critical time.
Phishing Will Get Harder to Detect — Here's How to Stay Ahead
AI-generated phishing emails are here. They're grammatically perfect, contextually aware, and increasingly personalized. The old advice of "look for typos" is becoming less reliable by the month.
That means the other red flags — sender address mismatches, suspicious URLs, urgency tactics, unexpected requests — become even more important. And it means that ongoing training, simulation, and a healthy sense of skepticism are your most durable defenses.
Here's my practical advice: treat every unexpected email that asks you to click, download, or provide information as suspicious until verified. That single habit will protect you from the vast majority of phishing attacks, no matter how sophisticated the lure.
Start building that habit today. Review the red flags in this post. Share them with your team. And if your organization doesn't have a formal security awareness program yet, that's the gap threat actors are counting on.