In March 2022, the Lapsus$ threat actor group revealed it had breached Okta, a company literally in the business of identity security, by compromising a single customer-support engineer who worked for one of Okta's third-party contractors. If it can happen to an identity provider securing thousands of enterprises, it can happen to your organization. That's why knowing how to spot a phishing email isn't just a nice-to-have skill. It's the front line of your defense.

The FBI's Internet Crime Complaint Center (IC3) received over 300,000 phishing complaints in 2022 alone, making it the most reported cybercrime category for the fourth consecutive year. The FBI IC3 2021 report showed phishing complaints nearly tripling from 2019 to 2021. Phishing remains the number one initial attack vector for data breaches, ransomware infections, and credential theft.

This post gives you nine specific red flags I use when training security teams and employees. These aren't vague tips — they're the exact indicators that separate a legitimate email from one designed to steal your credentials, deploy malware, or drain your bank account.

Why Phishing Still Works in 2023

Phishing works because it targets humans, not firewalls. According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of breaches involved a human element — including social engineering, errors, and misuse. Phishing is the dominant social engineering tactic.

Modern phishing emails don't look like the Nigerian prince scams of 2005. Today's threat actors use pixel-perfect replicas of Microsoft 365 login pages, spoofed executive email addresses, and AI-generated text that's nearly indistinguishable from legitimate business communication. I've reviewed phishing kits sold on dark web forums that come with pre-built templates for DocuSign, PayPal, and major banks, complete with valid TLS certificates, so the padlock in the address bar proves nothing about who is on the other end.

The barrier to entry for attackers has never been lower. That means the burden on every employee to recognize these attacks has never been higher.

How to Spot a Phishing Email: 9 Red Flags Security Pros Actually Use

1. The Sender Address Doesn't Match the Brand

This is the single most reliable indicator. Before you read a word of the email body, look at the full sender address. Not just the display name, which is free text the sender types in, but the actual email domain. I've seen phishing emails from "Microsoft Support" sent from an address on a domain that has nothing to do with Microsoft. The display name looks fine. The domain tells the real story.

Hover over the sender name in your email client to reveal the full address (many mobile clients hide it until you tap the name). If it's a legitimate company, the registrable domain, meaning the last two labels of the host, should be the company's own. Mail from a subdomain such as account.microsoft.com is fine; mail where the brand name only appears as a label buried inside some other domain is not. One character off, or a digit standing in for a letter? That's a red flag.
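Here is that check as code. This is an added example written for this post, not tooling from the original article: it parses the From: header, reduces the sender's host to its registrable domain, and raises the three tells described above (a brand name buried in an unrelated domain, a one-character typosquat once look-alike digits such as 1 and 0 are folded back to letters, and a display name claiming a brand the domain does not belong to). The sample addresses are constructed, and the two-label approximation of a registrable domain is an assumption; a production tool would consult the public suffix list so that co.uk-style suffixes are handled.

```python
from email.utils import parseaddr

# Digits and digraphs attackers use as stand-ins for letters; we fold them
# before comparing so "paypa1" and "rnicrosoft" line up with the real brand.
CONFUSABLE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def fold(s: str) -> str:
    """Lower-case and replace common look-alike characters with the letters they imitate."""
    return s.lower().translate(CONFUSABLE_DIGITS).replace("rn", "m").replace("vv", "w")


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Assumption for this example: no public-suffix
    list, so two-label suffixes such as co.uk are not handled."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, expected_domain: str) -> list:
    """Return the red flags raised by a From: header for mail that claims to
    come from expected_domain. An empty list means the registrable domain matches."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return [f"unparseable sender: {from_header!r}"]
    host = addr.rsplit("@", 1)[1].lower()
    actual, expected = registrable_domain(host), registrable_domain(expected_domain)
    if actual == expected:
        return []  # the legitimate domain or one of its subdomains
    brand = expected.split(".")[0]
    flags = []
    # 1. Brand name used as a label inside an unrelated domain (e.g. a hyphenated lookalike)
    if brand in fold(host):
        flags.append(f"brand '{brand}' appears inside '{host}' but the registrable domain is '{actual}'")
    # 2. Typosquat: at most one edit away once confusable characters are folded
    distance = levenshtein(fold(actual), fold(expected))
    if distance <= 1:
        flags.append(f"'{actual}' is a look-alike of '{expected}' (edit distance {distance} after folding confusables)")
    # 3. Display name claims the brand while the address lives elsewhere
    if brand in fold(display):
        flags.append(f"display name '{display}' claims {brand} but the address is on '{actual}'")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, not real observed mail.
    for header in ('"Microsoft Support" <noreply@microsoft.com>',
                   'PayPal <service@paypa1.com>',
                   '"Microsoft Support" <support@micros0ft-login.net>'):
        print(header, "->", check_sender(header, "microsoft.com" if "icros" in header else "paypal.com"))
```

The order of the checks matters less than the early return: a legitimate subdomain of the expected domain is accepted before any heuristic runs, which keeps the false-positive rate low on real corporate mail.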

2. Urgency That Feels Manufactured

"Your account will be suspended in 24 hours." "Immediate action required to avoid penalty." "Unauthorized login detected — verify now." Every single one of these is designed to short-circuit your critical thinking. Threat actors know that urgency overrides caution.

Legitimate companies rarely threaten immediate account closure via email. When you feel that spike of anxiety, pause. That emotional reaction is exactly what the attacker is engineering.

3. Links That Point Somewhere Other Than They Say

Hover over every link before clicking. On desktop, your email client will show the actual URL in the status bar at the bottom of the window or in a tooltip. On mobile, long-press to preview the URL. I've analyzed phishing campaigns where the visible text says "https://www.paypal.com/security" but the actual hyperlink points to "https://paypa1-secure.com/verify".

Look for subtle misspellings, extra subdomains, or completely unrelated domains. Read the host from the scheme forward: in a URL like https://www.paypal.com@evil.example/login the browser connects to evil.example, because everything before the @ is treated as a username. A bare IP address where a company name should be is never what a bank sends. If the link doesn't match the sender's official domain, don't click it.
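The same comparison can be automated over an HTML body. The block below is an added example, not code from the original post: it collects every anchor's href and visible text, and flags a link when the text displays a hostname whose registrable domain differs from the real target, when the URL uses the user@host trick, or when the target is a bare IP address. The HTML snippet is constructed for the example, and the two-label registrable-domain shortcut is the same assumption as before (no public suffix list).

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


# Something that looks like a hostname in the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Last two labels only; assumption for this example, no public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def real_host(url: str) -> str:
    """Host the browser would connect to. urlsplit() discards any user:pass@
    prefix, so https://www.paypal.com@evil.example resolves to evil.example."""
    return (urlsplit(url.strip()).hostname or "").lower()


def check_links(html: str) -> list:
    """Return (href, reason) pairs for every link whose target contradicts what is shown."""
    parser = LinkCollector()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        parts = urlsplit(href.strip())
        target = real_host(href)
        # 1. Visible text advertises one host, the href goes to another
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(target):
            flags.append((href, f"text shows {shown.group(1)} but link goes to {target}"))
        # 2. user@host trick: a trusted-looking name in front of the real host
        if "@" in parts.netloc:
            flags.append((href, f"user@host trick: real host is {target}"))
        # 3. Raw IP address instead of a company domain
        try:
            ipaddress.ip_address(target)
            flags.append((href, "link target is a bare IP address"))
        except ValueError:
            pass
    return flags


# Constructed sample body, modelled on the mismatch described above; not a real message.
SAMPLE_HTML = """
<p>Dear Customer, unusual activity was detected. Confirm at
<a href="https://paypa1-secure.com/verify">https://www.paypal.com/security</a>.</p>
<p><a href="https://www.paypal.com@198.51.100.7/login">Update Password Now</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_HTML):
        print(f"{href}: {reason}")
```

Only the third link survives: its text is plain words and its host really is paypal.com. The first is the classic text/href mismatch, and the second trips two checks at once because the only thing after the @ is an IP address.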

4. Unexpected Attachments

If you weren't expecting an attachment, treat it as hostile until proven otherwise. This is especially true for file types like .zip, .exe, .iso, .html, .lnk, and macro-enabled Office documents (.docm, .xlsm), and for double extensions such as invoice.pdf.exe that rely on Windows hiding the real one. In my experience reviewing incident response cases, malicious attachments remain one of the top ransomware delivery methods.

Even PDFs can be weaponized. If the email seems off in any other way, don't open the attachment. Call the sender directly using a known phone number — not one listed in the suspicious email.

5. Generic Greetings When They Should Know Your Name

Your bank knows your name. Your employer knows your name. If an email from a company you have an account with opens with "Dear Customer" or "Dear User," that's a signal. Mass phishing campaigns blast millions of emails, and they rarely have personalized data for every recipient.

That said, spear phishing — targeted attacks — will use your name, your job title, even your recent projects. Generic greetings catch the spray-and-pray campaigns. The next few red flags help with more sophisticated attacks.

6. Grammar and Formatting That's Slightly Off

I want to be careful here. Modern phishing emails have gotten dramatically better at mimicking legitimate corporate communications. But many campaigns still contain tells: inconsistent fonts, unusual spacing, slightly awkward phrasing, or mismatched brand colors.

Compare the suspicious email to a legitimate one from the same company. Open a recent real email side by side. Differences in footer formatting, logo resolution, or legal disclaimers often reveal the fake.

7. Requests for Credentials or Sensitive Data

No legitimate company will ask you to reply to an email with your password, Social Security number, or banking credentials. Full stop. If an email asks you to "confirm" or "verify" sensitive information by clicking a link and entering it into a form, that's credential theft in progress.

Microsoft, Google, Apple, and every major bank have publicly stated they will never ask for your password via email. If you're unsure, navigate to the company's website directly by typing the URL into your browser — never through a link in the email.

8. Mismatched or Suspicious "Reply-To" Addresses

Here's one most people miss. The "From" address and the "Reply-To" address can be different. Attackers sometimes spoof a legitimate "From" address but set the "Reply-To" to their own mailbox so they can intercept your responses. Check the email headers. In Gmail, click the three dots and select "Show original." In Outlook, open the message properties and read the Internet headers. While you're there, look at the Authentication-Results line: SPF, DKIM, or DMARC failing on mail that claims to come from your own company's domain is as telling as a mismatched Reply-To.

If the Reply-To address is different from the From address and you can't explain why, treat the email as suspicious.
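The header checks from this red flag and the attachment checks from red flag 4 fit naturally in one triage pass over a raw message. The script below is an added example written for this post, not the original author's tooling: it parses a .eml with the standard library, compares the From, Reply-To and Return-Path domains, reads the SPF/DKIM/DMARC verdicts out of Authentication-Results, and inspects each attachment's filename for risky and double extensions. The sample message is constructed to mirror the composite phish described later on this page (yourcompany.com and yourcompany-it.com are the page's own placeholder domains); the Return-Path comparison is deliberately only a registrable-domain match because bulk senders legitimately bounce through other hosts.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Extensions that should never arrive unannounced (the page's list plus the usual
# script and container formats), and document extensions used to spot the
# "invoice.pdf.exe" double-extension trick.
RISKY_EXT = {"exe", "scr", "js", "vbs", "hta", "lnk", "iso", "img", "html", "htm",
             "zip", "rar", "7z", "docm", "xlsm", "pptm"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def domain_of(header) -> str:
    """Lower-cased domain of the first address in a header, or '' if there is none."""
    _, addr = parseaddr(str(header or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def registrable(host: str) -> str:
    """Last two labels only (assumption for this example: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def triage(raw: bytes) -> list:
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])
    # Red flag 8: replies would go somewhere other than the apparent sender
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Envelope sender on an unrelated domain is worth a look, not proof by itself
    path_dom = domain_of(msg["Return-Path"])
    if path_dom and registrable(path_dom) != registrable(from_dom):
        flags.append(f"Return-Path domain {path_dom} does not belong to {from_dom}")
    # Authentication verdicts as recorded by the receiving mail server
    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            flags.append(f"{mech} result is {result}")
    # Red flag 4: attachment types and disguised extensions
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXT:
            flags.append(f"attachment {name} has risky extension .{ext}")
        if len(pieces) > 2 and pieces[-2] in DOC_EXT:
            flags.append(f"attachment {name} hides .{ext} behind a .{pieces[-2]} name")
    return flags


# Constructed sample message for the example; the domains are the page's placeholders.
RAW_EML = b"""\
From: "IT Security Team" <it-support@yourcompany.com>
Reply-To: helpdesk@yourcompany-it.com
Return-Path: <bounce@mail-relay-77.example.net>
To: employee@yourcompany.com
Subject: ACTION REQUIRED: Password Expires in 2 Hours
Authentication-Results: mx.yourcompany.com; spf=fail smtp.mailfrom=mail-relay-77.example.net; dkim=none; dmarc=fail header.from=yourcompany.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Dear Employee, your network password will expire today.
--b1
Content-Type: application/octet-stream; name="Password_Reset.pdf.exe"
Content-Disposition: attachment; filename="Password_Reset.pdf.exe"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBleGVjdXRhYmxlCg==
--b1--
"""

if __name__ == "__main__":
    for flag in triage(RAW_EML):
        print("-", flag)
```

Run against the sample, the script reports seven findings: the Reply-To and Return-Path mismatches, three failed or absent authentication results, and two complaints about the attachment. Any one of them would justify a call to the help desk before anyone clicks.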

9. Too-Good-to-Be-True Offers

"You've won a $500 gift card." "Claim your tax refund." "Your stimulus check is ready." These lures exploit greed the same way urgency exploits fear. I tracked a massive phishing campaign in late 2022 that used fake IRS refund notifications to harvest Social Security numbers and banking details from thousands of victims.

If you didn't enter a contest, apply for a refund, or request a reward, you didn't win one. Delete the email.

What Does a Phishing Email Actually Look Like?

Here's a composite example based on real phishing emails I've dissected in incident response engagements. This is what a typical credential-harvesting phish looks like:

  • From: IT Security Team, sent from an address on a lookalike domain rather than your actual company domain
  • Subject: ACTION REQUIRED: Password Expires in 2 Hours
  • Body: "Dear Employee, Your network password will expire today. Click the link below to update your credentials immediately to avoid losing access to company systems."
  • Link text: "Update Password Now" → actual URL: https://yourcompany-it.com/login (a lookalike domain)
  • Footer: Slightly different font from your company's real IT emails, no internal ticket number

Five of the nine red flags from the list above are present. Spoofed domain. Manufactured urgency. Link mismatch. Generic greeting. Credential request. In a busy workday, it takes about three seconds of inattention to fall for this.

The $4.91M Lesson Your Organization Can't Afford

According to IBM's 2022 Cost of a Data Breach Report, the average cost of a data breach reached $4.35 million globally, and phishing was the most expensive initial attack vector at $4.91 million per breach. For small and mid-sized businesses, a single successful phishing attack can mean the difference between staying operational and closing doors.

Knowing how to spot a phishing email is a critical skill, but individual vigilance isn't enough. You need layers: security awareness training, phishing simulation exercises, multi-factor authentication, and a zero trust architecture that limits the damage even when someone does click.

I've seen organizations reduce phishing click rates by over 60% within six months of implementing structured training. The key is practice — not a one-time presentation, but ongoing simulated phishing campaigns that teach employees to recognize real-world tactics.

Build a Culture That Catches Phishing Emails

Start with Phishing Simulation

The most effective way to train employees on how to spot a phishing email is to send them realistic but safe phishing simulations. When someone clicks, they get immediate feedback — not punishment, but education. Over time, click rates drop and report rates rise. Our phishing awareness training for organizations is built around this exact model: realistic simulations paired with targeted education.

Layer in Comprehensive Security Awareness

Phishing doesn't exist in a vacuum. Employees also need to understand social engineering tactics like pretexting and vishing, password hygiene, safe browsing habits, and how to report incidents. A comprehensive cybersecurity awareness training program covers all of these topics and builds the kind of security-first culture that makes phishing attacks far less likely to succeed.

Enforce Multi-Factor Authentication Everywhere

Even when someone falls for a phishing email and enters their credentials on a fake login page, multi-factor authentication (MFA) adds a second barrier. It's not bulletproof: attackers have developed MFA fatigue attacks and real-time proxy tools that relay the one-time code along with the password, but it stops the vast majority of credential theft attempts. Where you can, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the real site's origin and leave a proxy nothing to replay. CISA's MFA guidance is a solid starting point for implementation.

Adopt a Zero Trust Mindset

Zero trust means never assuming that a user, device, or network connection is trustworthy by default. Every access request gets verified. If a phishing attack does compromise credentials, zero trust architecture limits lateral movement and restricts what the attacker can reach. It's the safety net behind the safety net.

What to Do When You Spot a Phishing Email

Knowing how to spot a phishing email is only half the job. Here's what to do next:

  • Don't click any links or open attachments. Close the email.
  • Report it immediately. Use your organization's phishing report button (most email clients support this) or forward it to your IT/security team.
  • Report it externally. Forward phishing emails to the impersonated company's abuse team and to a public reporting service (the Anti-Phishing Working Group and the FTC both accept reports).
  • If you already clicked, act on what you did. Opened an attachment? Disconnect that machine from the network and hand it to your security team. Entered credentials? Change that password from a known-clean device and have your security team revoke the account's active sessions and tokens, because a stolen session cookie survives a password change. Notify them either way. Time matters; every minute counts in containing credential theft.
  • Document what happened. Screenshots, headers, timestamps. This data helps your security team block similar attacks across the organization.

The Red Flags Checklist You Can Share Today

Print this. Pin it near your monitor. Share it with your team:

  • Sender address doesn't match the official domain
  • Manufactured urgency or threats
  • Links that point somewhere different than displayed
  • Unexpected attachments, especially .zip, .exe, .html, .docm
  • Generic greetings from companies that know your name
  • Grammar, formatting, or branding inconsistencies
  • Requests for passwords, SSNs, or financial information
  • Mismatched Reply-To address
  • Offers that seem too good to be true

Most phishing emails in the wild hit at least two or three of these, and many hit five or more. Train your eyes to scan for them automatically, and you'll catch attacks that your spam filter misses.

Phishing Isn't Going Away — Your Response Has to Evolve

Threat actors are already using AI tools to generate more convincing phishing emails at scale. The spelling errors and broken English that once made phishing easy to spot are disappearing. The attacks are getting more targeted, more personalized, and harder to distinguish from legitimate communication.

Your defense has to evolve faster. That means continuous training, regular phishing simulations, layered technical controls like MFA and zero trust, and a culture where reporting a suspicious email is encouraged — not embarrassing. Start with structured phishing awareness training and pair it with comprehensive cybersecurity education for every employee in your organization.

The next phishing email is already in someone's inbox. The only question is whether they'll recognize it.