The Email That Cost One Company $37 Million

In 2024, the FBI's Internet Crime Complaint Center reported that business email compromise — a sophisticated form of phishing — accounted for over $2.9 billion in adjusted losses. That's not a typo. Billions. And it all starts with a single email that someone didn't recognize as fake.

Knowing how to spot a phishing email isn't a nice-to-have skill anymore. It's the single most important thing standing between your organization and a data breach, ransomware infection, or wire fraud disaster. I've spent years training teams to catch these messages before they click. Here are the exact red flags I teach — the ones that actually matter in 2026.

What Is a Phishing Email, Really?

A phishing email is a message designed by a threat actor to trick you into doing something dangerous — clicking a malicious link, opening an infected attachment, or handing over credentials. The goal is almost always one of three things: steal your login, install malware, or redirect money.

These aren't the laughable "Nigerian prince" scams of 2005. Modern phishing campaigns use pixel-perfect branding, spoofed sender addresses, and AI-generated text that's nearly indistinguishable from legitimate communication. The Verizon 2024 Data Breach Investigations Report found that phishing was involved in 15% of all breaches — and it remains the number-one initial access vector for social engineering attacks.

Red Flag #1: The Sender Address Doesn't Match the Brand

This is the first thing I check, every single time. The display name might say "Microsoft Support," but the actual email address reads something like [email protected]. That domain has nothing to do with Microsoft.

Hover over the sender name to reveal the full email address. Legitimate companies send from their own domains. If the domain looks off — extra words, strange hyphens, a country code you don't expect — treat it as hostile until proven otherwise.

Subdomain Tricks to Watch For

Attackers love subdomains. They'll register microsoft.com.verify-account.net and hope you only read the first part. The actual domain is verify-account.net. Train your eye to find the first single slash after the scheme and read the hostname right-to-left from there: the last two labels are the domain that was actually registered, and everything to their left is a subdomain the attacker controls.

Red Flag #2: Urgency That Feels Like a Threat

"Your account will be suspended in 24 hours." "Unauthorized login detected — act now." "Failure to verify will result in permanent data loss." Every one of these is designed to short-circuit your critical thinking.

Legitimate organizations rarely threaten you via email with immediate consequences. When you feel that spike of panic, that's exactly when you should slow down. Threat actors weaponize urgency because it works. In my experience, the emails that scare you the most are the ones most likely to be fake.

Red Flag #3: Generic Greetings in a World of Personalization

"Dear Customer." "Dear User." "Dear Account Holder." Your bank knows your name. Your employer knows your name. Any company you actually do business with knows your name.

A generic greeting in a message that claims to be from a service you use is a strong signal that the sender pulled your email from a list, not from a customer database. It's not definitive on its own, but combined with other red flags, it's damning.

Red Flag #4: Links That Don't Go Where They Claim

This is where the real damage happens. A phishing email lives and dies by its link. Before you click anything, hover your mouse over the link and look at the actual URL in the bottom-left corner of your browser or email client.

Does it point to the company's real domain? Or does it go to something like paypa1-secure.com (note the numeral "1" instead of the letter "l")? Typosquatting and lookalike domains are the bread and butter of credential theft campaigns.

Shortened URLs Are Always Suspicious

If someone sends you a bit.ly or tinyurl link in a professional email, that's a problem. Legitimate businesses link to their own domains. URL shorteners hide the destination, and that's exactly what phishers want.

Red Flag #5: Attachments You Didn't Request

An unexpected attachment — especially a .zip, .exe, .docm, or .html file — is one of the most dangerous payloads in your inbox. Ransomware, keyloggers, and remote access trojans all arrive this way.

I tell every team I train: if you didn't ask for it, don't open it. Even if it appears to come from a coworker. Verify through a separate channel — a phone call, a Slack message, a walk to their desk. The 30 seconds it takes to confirm could save your entire network.

Red Flag #6: Spelling and Grammar Errors in "Official" Communication

This one is getting trickier in 2026 because threat actors now use large language models to polish their messages. But it still catches a surprising number of campaigns, especially those originating from non-English-speaking threat groups.

Look for subtle errors: inconsistent capitalization, odd phrasing, mismatched formatting. A real email from your bank's legal or compliance department went through multiple rounds of review. A phishing email went through a spam kit.

Red Flag #7: Requests for Sensitive Information

No legitimate company will ask you to reply to an email with your password, Social Security number, credit card number, or multi-factor authentication code. Period. If an email asks for any of these, it's phishing.

This extends to "verification" pages linked from the email. A real password reset flow starts from the service's actual website, not from an inbound email you didn't initiate. If you need to verify something, open a new browser tab and navigate directly to the site.

Red Flag #8: Mismatched Branding and Design

Phishing kits have gotten remarkably good at cloning corporate branding. But they're rarely perfect. Look for slightly wrong logos, colors that are a shade off, footer text that references the wrong year, or privacy policy links that go nowhere.

I've seen phishing emails that cloned a company's entire email template but forgot to update the unsubscribe link — it pointed to a dead page. Small details like that reveal the forgery.

Red Flag #9: The "Too Good to Be True" Offer

"You've been selected for a $500 gift card." "Claim your tax refund now." "You've won a new iPhone." These prey on greed the same way urgency preys on fear.

If you didn't enter a contest, you didn't win one. If a refund shows up that you didn't file for, it's not real. Treat every unsolicited offer in your inbox as a phishing attempt until you can independently verify it through official channels.

How to Spot a Phishing Email: The 10-Second Checklist

When a suspicious email lands in your inbox, run through this sequence before doing anything else:

  • Check the sender's full email address — does the domain match the brand?
  • Read the greeting — is it generic or personalized?
  • Assess the tone — is it creating artificial urgency or fear?
  • Hover over every link — does the URL match the expected destination?
  • Look for attachment red flags — did you request this file?
  • Scan for errors — grammar, formatting, branding inconsistencies?
  • Ask: did I initiate this? — if not, verify through a separate channel.

This takes 10 seconds. It could prevent a breach that costs your organization millions.
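As an added illustration (not code from the original post), here is a small Python triage script that runs the checklist above over a constructed sample message. It covers the sender-domain and subdomain checks from Red Flag #1, the link checks from Red Flag #4 (digit-for-letter lookalikes such as paypa1, URL shorteners, and link text that disagrees with the real destination), the attachment types from Red Flag #5, and the greeting, urgency and sensitive-data wording from Red Flags #2, #3 and #7. The word lists, the brand-to-domain map, the sample message and every address in it are constructed assumptions; the registrable-domain logic keeps the last two host labels, which is a simplification of what a real tool does with the Public Suffix List, and anchors are pulled out with a regular expression rather than a full HTML parser.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed word lists and brand map for this example, not a vendor's detection rules.
URGENCY_PHRASES = ("within 24 hours", "act now", "will be suspended", "permanent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
SENSITIVE_REQUESTS = ("password", "social security", "credit card", "verification code")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RISKY_EXTENSIONS = (".zip", ".exe", ".docm", ".html", ".htm", ".js", ".iso", ".lnk")
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "paypal": {"paypal.com"}}
# Simplified anchor extraction; a production tool would use a real HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    """Read the host right-to-left and keep the last two labels, so
    microsoft.com.verify-account.net -> verify-account.net (simplification: no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_mismatch(host):
    """A brand word appears in the host, but the registrable domain is not the brand's."""
    dom = registrable_domain(host)
    for brand, good in BRAND_DOMAINS.items():
        if brand in host.lower() and dom not in good:
            return f"'{brand}' appears in {host} but the real domain is {dom}"
    return None

def check_sender(from_header):
    """Red flag #1: the display name claims a brand the address domain does not belong to."""
    name, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2]
    for brand, good in BRAND_DOMAINS.items():
        if brand in name.lower() and registrable_domain(host) not in good:
            return [f"display name '{name}' but address domain is {host}"]
    return []

def check_link(href, text):
    """Red flag #4: where the link really goes (subdomain tricks, lookalikes, shorteners)."""
    host = urlparse(href).hostname or ""
    dom = registrable_domain(host)
    flags = []
    if dom in SHORTENERS:
        flags.append(f"shortened URL: {href}")
    mismatch = brand_mismatch(host)
    if mismatch:
        flags.append(f"link {mismatch}")
    # Digit-for-letter lookalikes: paypa1 -> paypal, micr0soft -> microsoft.
    unmasked = dom.translate(str.maketrans("10", "lo"))
    if unmasked != dom and any(brand in unmasked for brand in BRAND_DOMAINS):
        flags.append(f"lookalike domain: {dom}")
    # Link text that names one domain while the href points at another.
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if shown and registrable_domain(shown.group(0)) != dom:
        flags.append(f"link text says {shown.group(0)} but points to {host}")
    return flags

def check_text(text):
    """Red flags #2, #3, #7: generic greeting, urgency, requests for secrets."""
    low = text.lower()
    groups = {"generic greeting": GENERIC_GREETINGS, "urgency language": URGENCY_PHRASES,
              "asks for sensitive info": SENSITIVE_REQUESTS}
    return [f"{label}: {hits}" for label, phrases in groups.items()
            if (hits := [p for p in phrases if p in low])]

def check_attachments(msg):
    """Red flag #5: risky attachment types, including double extensions (invoice.pdf.zip)."""
    return [f"risky attachment: {fn}" for part in msg.walk()
            if (fn := part.get_filename()) and fn.lower().endswith(RISKY_EXTENSIONS)]

def triage(raw):
    """Run the whole checklist over one raw message and return every red flag found."""
    msg = message_from_string(raw)
    html = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in msg.walk()
                   if p.get_content_type() == "text/html" and not p.get_filename())
    flags = check_sender(msg.get("From", ""))
    for href, text in LINK_RE.findall(html):
        flags += check_link(href, re.sub(r"<[^>]+>", "", text))
    flags += check_text(msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html))
    return flags + check_attachments(msg)

# Constructed sample: a Microsoft-themed phish that trips most of the checks.
SAMPLE_EMAIL = """\
From: "Microsoft Support" <alerts@microsoft-helpdesk-verify.net>
Subject: Unauthorized login detected - act now
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Your account will be suspended within 24 hours.
Confirm your password at <a href="https://microsoft.com.verify-account.net/login">https://login.microsoft.com</a>,
<a href="https://micr0soft-login.com/reset">reset it here</a>, or use <a href="https://bit.ly/3abcdef">this link</a>.</p></body></html>
--XX
Content-Disposition: attachment; filename="invoice.pdf.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--XX--
"""
```

Calling triage(SAMPLE_EMAIL) returns nine flags for the sample: the spoofed display name, the brand hidden in a subdomain, the link text that disagrees with its destination, the micr0soft lookalike, the shortener, the generic greeting, the urgency wording, the password request, and the double-extension attachment. The same functions return nothing for a message whose sender and links genuinely sit on the brand's own domain, which is exactly the distinction the hover check is meant to draw.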

Why Training Beats Technology Every Time

Email filters catch a lot. Secure email gateways, sandboxing, DMARC, SPF, DKIM — these are all essential. But according to CISA, the human element remains the most exploited attack surface. Technology can't catch every phishing email, especially when attackers use compromised legitimate accounts to send them.

That's why security awareness training matters. Not the annual checkbox exercise that everyone sleeps through — real, scenario-based training that puts people in front of actual phishing simulations and teaches them to recognize the red flags I've listed here.

Phishing Simulations Change Behavior

I've watched organizations cut their phishing click rates by 60-80% within six months of implementing regular phishing simulation programs. The key is consistency. One training session per year does nothing. Monthly simulations with immediate feedback build the muscle memory that stops a real attack.

If your organization needs a structured approach, our phishing awareness training for organizations delivers exactly this — scenario-based simulations tied to the latest threat intelligence.

What to Do When You Catch One

Spotting a phishing email is only half the job. What you do next matters just as much.

  • Don't click, reply, or open attachments. Leave the email untouched.
  • Report it. Use your organization's phishing report button, or forward it to your IT/security team. In the U.S., you can also report phishing to the FBI's IC3.
  • Delete it after reporting. Don't leave it sitting in your inbox where you might accidentally interact with it later.
  • If you already clicked, disconnect from the network, change your passwords immediately, enable multi-factor authentication on every account, and notify your security team. Time matters.

Building a Culture That Catches Phishing

The organizations I've seen handle phishing best aren't the ones with the biggest security budgets. They're the ones where every employee — from the CEO to the newest intern — treats suspicious emails as a team problem, not a personal failure.

That means creating a zero-blame reporting culture. If someone clicks a phishing link, the response should be support and remediation, not punishment. Punishment drives people to hide mistakes. Hiding mistakes is how a compromised account turns into a full-blown data breach.

Zero Trust Starts in the Inbox

The zero trust philosophy — "never trust, always verify" — applies to email as much as it applies to network architecture. Every email is untrusted until you've verified the sender, the links, and the intent. When your entire organization operates with that mindset, your attack surface shrinks dramatically.

Building that mindset takes structured, ongoing education. Our cybersecurity awareness training program covers phishing, social engineering, ransomware defense, and more — designed for teams that want practical skills, not slideshow theater.

Phishing Isn't Going Away — But You Can Get Better at Catching It

Threat actors will continue to refine their phishing techniques. AI-generated emails, deepfake voice phishing (vishing), and multi-channel attacks that combine email with SMS and phone calls are already here. The game is evolving.

But the fundamentals of how to spot a phishing email haven't changed as much as you might think. Verify the sender. Question urgency. Hover before you click. Never hand over credentials through email. These habits, drilled consistently through training and simulation, remain your strongest defense.

Every phishing email that gets caught is a breach that doesn't happen. That's not hypothetical — it's the math that keeps your organization off the front page.