In July 2021, a single phishing email gave attackers access to an employee's credentials at a Florida managed service provider, which cascaded into the massive Kaseya VSA ransomware attack affecting up to 1,500 businesses worldwide. One click. One employee who didn't know how to spot a phishing email. That's all it took to trigger one of the largest supply-chain compromises we've seen this year.
I've spent years training organizations to recognize these attacks, and here's the uncomfortable truth: phishing emails are getting dramatically harder to identify. The sloppy Nigerian prince scams haven't disappeared, but they've been joined by surgically crafted messages that fool experienced professionals daily. The 2021 Verizon Data Breach Investigations Report found that 36% of all data breaches involved phishing — up from 25% the year before.
This guide breaks down the specific red flags I teach in every training session, with real examples from actual campaigns. Whether you're protecting yourself or building a security awareness program for your team, these are the techniques that actually work.
Why Phishing Still Works in 2021
Phishing isn't a technology problem. It's a human problem. Threat actors don't need to defeat your firewall when they can simply ask an employee to hand over their password.
The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the most common cybercrime complaint in 2020, with 241,342 incidents — more than double the count from 2019. Those numbers are tracking even higher in 2021.
The reason is simple: it works. A well-crafted phishing email exploits urgency, authority, and trust — the same social engineering principles that con artists have used for centuries. The delivery mechanism just happens to be your inbox now.
The Anatomy of a Phishing Email: 8 Red Flags
Knowing how to spot a phishing email comes down to training your eye to catch specific signals. Here are the eight I drill into every training I run.
1. The Sender Address Doesn't Match the Brand
This is the first thing to check and the easiest to miss. A phishing email claiming to be from Microsoft might come from [email protected] or [email protected]. Always look at the full email address, not just the display name.
In my experience, roughly 60% of phishing emails I analyze use a domain that's close — but not identical — to the legitimate one. Hover over the sender name. Read every character. One swapped letter is all it takes.
2. Urgency That Feels Like a Threat
"Your account will be suspended in 24 hours." "Unauthorized login detected — verify now." "Your payment failed — update immediately."
Legitimate companies rarely threaten you over email with tight deadlines. Threat actors manufacture panic because panicked people don't pause to think. If your heart rate goes up reading an email, that's your cue to slow down — not speed up.
3. Generic Greetings Instead of Your Name
"Dear Customer." "Dear User." "Dear Account Holder." Your bank knows your name. Amazon knows your name. If a message claims to be from a service you use and doesn't address you personally, treat it with suspicion.
That said, more sophisticated spear-phishing campaigns do use your real name, pulled from LinkedIn or data breaches. A personalized greeting doesn't guarantee safety — it just means this one check passed.
4. Links That Don't Go Where They Claim
This is the single most important skill I teach. Before clicking any link in an email, hover your cursor over it and read the actual URL in the bottom-left corner of your browser or email client.
A button labeled "Sign In to Your Account" might actually point to http://login-verify.sketchy-domain.ru/microsoft. The attackers count on you clicking without looking. Don't give them that win.
5. Attachments You Didn't Request
Unexpected attachments — especially .zip, .exe, .docm, or .html files — are a classic malware delivery method. Ransomware operators love macro-enabled Office documents. If you weren't expecting the attachment, don't open it. Call the sender through a known phone number to confirm.
6. Spelling and Grammar Errors (But Don't Rely on This Alone)
Yes, many phishing emails still contain awkward phrasing, misspellings, and broken grammar. But the quality has improved significantly. Some of the most dangerous campaigns I've analyzed in 2021 are nearly flawless in their language.
Use grammar errors as a signal, not a filter. A clean email can still be a phishing email.
7. Requests for Sensitive Information
No legitimate organization will ask you to email your password, Social Security number, or credit card details. Period. If an email asks for credentials or personal data, it's a phishing attempt or a company with security practices so poor you should stop doing business with them.
8. Mismatched or Missing Branding
Phishing emails often get logos slightly wrong — blurry images, outdated branding, inconsistent colors. Compare suspicious emails to legitimate ones from the same sender. If the footer is missing, the logo looks off, or the formatting is different from what you normally receive, that's a signal.
What Does a Phishing Email Actually Look Like?
Here's a scenario straight from a real campaign I reviewed earlier this year. An employee at a mid-size accounting firm received an email with the subject line: "[Action Required] Your M365 password expires today."
The email used Microsoft's logo, matched their typical color scheme, and included an "Update Password" button. The sender address was [email protected] — close enough to the real microsoftonline.com that the employee didn't notice the extra word.
They clicked the button, entered their current credentials on a convincing fake login page, and the attacker had their username and password within seconds. From there, the threat actor accessed the firm's email, found client tax documents, and launched a credential theft campaign against the firm's clients.
The total damage: six figures in incident response costs, mandatory breach notifications to clients, and a regulatory investigation. All from one email.
How to Spot a Phishing Email: The 10-Second Rule
I teach a technique called the 10-Second Rule. Before acting on any email that requests action — clicking a link, opening an attachment, replying with information — spend 10 seconds checking these three things:
- Sender: Is the full email address legitimate? Character by character?
- Link: Does the URL match the claimed destination? Hover, don't click.
- Context: Were you expecting this email? Does the request make sense?
If any one of those checks fails, stop. Report the email to your IT team or delete it. You can always navigate directly to the service's website through your browser instead of clicking an email link.
Ten seconds of caution is worth more than ten months of breach recovery.
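As an added example (not part of the original article), here are the sender and link checks of the 10-Second Rule written as a small Python script that a mail-triage tool could run. The brand allowlist, the sample From: header and the HTML body are constructed for this example, the attacker domains are invented, and registrable domains are approximated by the last two labels instead of the Public Suffix List.

```python
import difflib
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands we expect mail from and the domains they really send from (constructed allowlist).
KNOWN_BRANDS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}
# Constructed sample modelled on the article's scenario; both attacker domains are invented.
SAMPLE_FROM = '"Microsoft 365" <no-reply@microsoftonline-verify.com>'
SAMPLE_HTML = '<p>Your M365 password expires today.</p><a href="http://login-verify.sketchy-domain.ru/microsoft">Update Password</a>'

def registrable_domain(host):
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])  # last two labels; real code uses the Public Suffix List

def check_sender(from_header):
    """Red flag #1: a From: that invokes a brand, or nearly matches its domain, but is not the brand's own."""
    name, addr = parseaddr(from_header)
    domain, findings = registrable_domain(addr.rsplit("@", 1)[-1]), []
    for brand, legit in KNOWN_BRANDS.items():
        claims = brand in f"{name} {addr}".lower()
        close = difflib.get_close_matches(domain, legit, n=1, cutoff=0.75)
        if domain not in legit and (claims or close):
            findings.append(f"{domain} is not a {brand} domain"
                            + (f" (lookalike of {close[0]})" if close else ""))
    return findings

class _Links(HTMLParser):  # collects (visible text, href) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_links(html_body):
    """Red flag #4: a link whose text or URL invokes a brand must land on that brand's domain."""
    parser = _Links()
    parser.feed(html_body)
    return [f"'{text}' -> {urlparse(href).hostname}"
            for text, href in parser.pairs
            for brand, legit in KNOWN_BRANDS.items()
            if brand in f"{text} {href}".lower()
            and registrable_domain(urlparse(href).hostname) not in legit]
```

A finding from either check is the cue to stop and report; an empty result only means these two checks passed, and the context check still applies.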
Beyond Spotting: What to Do When You Find One
Don't Just Delete — Report
Most email clients have a "Report Phishing" button. In Outlook, it's under the Junk menu. In Gmail, it's the three-dot menu next to Reply. Use it. Your report helps the email provider block the campaign for other targets.
If your organization has a security team, forward the email to them — ideally as an attachment to preserve the headers. Many organizations now use dedicated phishing report inboxes like abuse@ or phishing@.
Already Clicked? Act Fast
If you clicked a link and entered credentials, change that password immediately — and every other account where you reused it. Enable multi-factor authentication on the compromised account right now. Then alert your IT team. Speed matters here. The faster you respond, the less damage the attacker can do.
Lock Down Your Organization with Training
Individual awareness is essential, but organizational resilience requires structured training. Running phishing simulations on a regular schedule trains employees to recognize attacks in a safe environment — before a real threat actor tests them.
Our phishing awareness training for organizations uses real-world campaign templates to test and educate your team. It's designed to build muscle memory, not just check a compliance box.
The Technology Layer: Why Awareness Alone Isn't Enough
I'd be irresponsible if I told you that training alone stops phishing. It doesn't. You need layers.
Multi-factor authentication (MFA) is the single most impactful control you can deploy. Even if an employee falls for a phishing email and hands over their password, MFA stops the attacker from logging in. Microsoft reported in 2019 that MFA blocks 99.9% of automated credential attacks. Deploy it everywhere — no exceptions.
Email filtering catches the bulk of phishing before it reaches inboxes. Solutions like Microsoft Defender for Office 365 and Google Workspace's built-in protections use machine learning to flag suspicious messages. They're not perfect, but they reduce the volume dramatically.
Zero trust architecture assumes no user or device is trusted by default, even inside the network. This limits the blast radius when a phishing attack succeeds. NIST's Zero Trust Architecture publication (SP 800-207) is the foundational reference if you're building this into your environment.
These technologies don't replace awareness. They complement it. The best security programs layer human training on top of technical controls.
Building a Culture That Catches Phishing
The organizations I've seen with the lowest phishing click rates share one trait: they've made reporting easy and blame-free. If an employee is afraid of punishment for clicking a bad link, they won't report it. And an unreported compromise is far more expensive than an admitted mistake.
Create a clear reporting process. Celebrate employees who report suspicious emails. Share anonymized examples of phishing attempts that were caught by staff. Make security awareness part of your culture, not an annual checkbox.
If you're looking to build that kind of program from the ground up, our cybersecurity awareness training course covers phishing, social engineering, ransomware defense, and the practical habits that reduce your organization's risk profile.
What Types of Phishing Should You Watch For?
Phishing isn't one-size-fits-all. Here are the variants your team needs to recognize:
- Spear phishing: Targeted emails crafted for a specific person, often using details from LinkedIn or company websites.
- Whaling: Spear phishing aimed at executives. These often impersonate board members, legal counsel, or the CEO.
- Business Email Compromise (BEC): The attacker compromises or spoofs a real business email to redirect payments or steal data. The FBI's IC3 reported BEC caused $1.8 billion in losses in 2020 alone.
- Smishing: Phishing via SMS text messages. "Your package delivery failed" texts with malicious links spiked in 2021.
- Vishing: Voice phishing — phone calls impersonating IT support, banks, or government agencies to extract credentials or access.
Each variant uses different channels but the same social engineering principles. Train for all of them.
Your Phishing Defense Checklist
Here's what I recommend every organization implement before the end of this quarter:
- Deploy MFA on all email accounts and cloud applications.
- Run monthly phishing simulations with varied templates.
- Establish a no-blame phishing reporting process.
- Train employees quarterly on how to spot a phishing email — not just annually.
- Implement email authentication (SPF, DKIM, DMARC) to reduce spoofing.
- Review and restrict who can authorize wire transfers or share sensitive data via email.
- Keep all endpoints patched and monitored.
None of these steps are revolutionary. But I consistently see organizations skip the basics and pay for it later.
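As an added example for the email-authentication item, not taken from the article: a DMARC alignment check showing how a published policy turns SPF and DKIM results into a verdict on a spoofed From: domain. The record text, domains and authentication results are constructed, and organizational domains are approximated by the last two labels instead of the Public Suffix List.

```python
from email.utils import parseaddr

def org_domain(host):
    # Simplification: last two labels. Real DMARC evaluation uses the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc(txt):
    """Split a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s' into its tags."""
    return {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in txt.split(";") if "=" in part)}

def dmarc_verdict(from_header, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return ('pass', None) or ('fail', requested policy).

    spf_result/spf_domain come from SPF on the envelope MAIL FROM domain;
    dkim_result/dkim_domain from the signature's d= tag. Either result may be 'none'."""
    tags = parse_dmarc(record)
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return ("pass", None) if spf_ok or dkim_ok else ("fail", tags.get("p", "none"))

# Constructed record for an invented domain: reject on failure, strict DKIM, relaxed SPF alignment.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"
```

DMARC only protects the exact From: domain it is published for; a lookalike domain such as the ones in red flag #1 passes its own checks, which is why the sender check still matters.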
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2021 Cost of a Data Breach Report pegged the average breach cost at $4.24 million globally — and phishing was the second most expensive initial attack vector at $4.65 million per incident. These aren't numbers that happen to other people. They happen to organizations that thought they were too small, too careful, or too well-protected to get hit.
Knowing how to spot a phishing email is the most cost-effective security investment you can make. It doesn't require a massive budget. It requires attention, repetition, and a commitment to making every person in your organization part of the defense.
Start today. Your next phishing email is already on its way.