In July 2021, a single phishing email led to a ransomware attack that shut down fuel deliveries across the entire U.S. East Coast. The Colonial Pipeline breach started — like most breaches do — with a compromised credential. If one employee had known how to spot phishing emails, $4.4 million in ransom payments and weeks of disruption might never have happened. That's not speculation. That's what happens when social engineering meets an unprepared inbox.

I've spent years training organizations to recognize phishing before it becomes a data breach. This post walks you through exactly what to look for, with real examples, specific red flags, and practical steps you can take today.

Why Phishing Still Works in 2021

The Verizon 2021 Data Breach Investigations Report found that 36% of breaches involved phishing — up from 25% the prior year. That's not a small bump. That's a trend screaming for attention. Despite billions spent on security tools, phishing remains the number one initial attack vector because it targets people, not firewalls.

Threat actors have gotten remarkably good at impersonation. They don't send sloppy emails from Nigerian princes anymore. They clone Microsoft 365 login pages. They spoof your CEO's email address. They send DocuSign links that look identical to the real thing.

The FBI's Internet Crime Complaint Center (IC3) reported that phishing and related attacks generated 241,342 complaints in 2020, making it the top reported cybercrime category by a wide margin. And those are only the ones people actually reported.

How to Spot Phishing Emails: 9 Red Flags That Matter

Knowing how to spot phishing emails isn't about memorizing a checklist. It's about building a reflex — a gut reaction that says "something is off here." These are the red flags I train people to look for every single day.

1. Urgency That Doesn't Make Sense

"Your account will be suspended in 24 hours." "Immediate action required — unauthorized login detected." Phishing emails almost always manufacture urgency. The goal is to short-circuit your critical thinking. If an email demands you act RIGHT NOW, slow down. That pressure is the weapon.

2. Mismatched Sender Addresses

The display name says "Microsoft Support" but the actual email address is [email protected]. Always hover over or click on the sender name to see the actual address. Legitimate companies send from their own domains. A single swapped letter or an extra hyphen is all it takes to fool someone who isn't looking closely.

3. Generic Greetings

"Dear Customer" or "Dear User" from a company that definitely knows your name? That's a red flag. Your bank, your employer, your SaaS vendor — they all know your name. A generic greeting often means the email was blasted to thousands of targets.

4. Links That Don't Go Where They Say

Before you click any link, hover over it. On desktop, the destination URL appears in the bottom-left of your browser or email client. If the link text says "https://office.com" but the actual URL points to "https://office-365-verify.sketchy-domain.ru" — that's credential theft waiting to happen. On mobile, press and hold the link to preview it.
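Red flags 2 and 4 can be checked mechanically before a message ever reaches a person. The Python below is an added example, not the author's code or any product's: it flags a display name that claims a brand the sending domain does not belong to (including domains one edit away from the real one) and HTML links whose visible text names a different host than the href. The TRUSTED allow-list, the ANCHOR/URL_LIKE patterns and the sample message are constructed for this example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list for this example: brand names the organisation expects
# mail from, mapped to the domains those brands really send from.
TRUSTED = {"microsoft": "microsoft.com", "docusign": "docusign.com"}

def edit_distance(a, b):
    """Levenshtein distance: a swapped letter or an extra hyphen is one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_flags(from_header):
    """Red flag 2: the display name claims a brand the address domain lacks."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    for brand, real in TRUSTED.items():
        genuine = domain == real or domain.endswith("." + real)
        if brand in name.lower() and not genuine:
            flags.append(f"display name says {brand!r} but address is @{domain}")
        if not genuine and edit_distance(domain, real) <= 1:
            flags.append(f"@{domain} is one edit away from {real}")
    return flags

# Simple patterns for the example: double-quoted href, and link text that looks like a URL.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)

def link_flags(html):
    """Red flag 4: the visible text names one host but the href goes elsewhere."""
    flags = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # drop tags nested in the anchor
        shown = URL_LIKE.match(text)
        real = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real:
            flags.append(f"link text shows {shown.group(1)} but goes to {real}")
    return flags

if __name__ == "__main__":  # constructed sample message
    print(sender_flags('"Microsoft Support" <alerts@micros0ft.com>'))
    print(link_flags('<a href="https://office-365-verify.sketchy-domain.ru/x">https://office.com</a>'))
```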

5. Unexpected Attachments

You didn't request a document. Nobody told you one was coming. But there it is — an Excel file, a PDF, or a .zip archive attached to an email from someone you barely recognize. Malicious attachments remain one of the most common ransomware delivery mechanisms. If you weren't expecting it, don't open it. Call the sender on a known number to verify.

6. Requests for Credentials or Personal Information

No legitimate organization will ask you to email your password, Social Security number, or banking details. Period. If an email asks you to "verify your identity" by providing sensitive information, it's phishing. Even if it looks like it came from your IT department.

7. Too-Good-to-Be-True Offers

"You've been selected to receive a $500 gift card." "Claim your stimulus payment here." Threat actors latch onto current events — COVID-19 relief, tax refunds, stimulus checks — and weaponize them. If you didn't enter a contest, you didn't win one.

8. Poor Grammar and Branding Inconsistencies

This is the classic tell, and it still applies — but less than it used to. Modern phishing kits are polished. Still, look for slight logo distortions, odd spacing, fonts that don't match the company's usual emails, and sentences that read like they were machine-translated.

9. Spoofed Internal Emails

Business email compromise (BEC) attacks impersonate executives or colleagues. You get an email from "your CEO" asking you to wire funds or buy gift cards. The FBI's IC3 data shows BEC caused over $1.8 billion in losses in 2020 alone. Always verify unusual requests through a separate communication channel.

What Actually Happens When Someone Clicks

Here's what I've seen happen in incident response engagements — and it's rarely pretty.

Scenario 1: Credential Harvesting. The employee clicks a link, lands on a fake Microsoft 365 login page, enters their username and password. Within minutes, the attacker has access to the employee's mailbox. They set up forwarding rules, harvest sensitive data, and send phishing emails to internal contacts. Without multi-factor authentication, the entire organization's email system can be compromised from one click.

Scenario 2: Malware Delivery. The employee opens an Excel attachment with a macro. The macro downloads a payload. Within hours, ransomware encrypts every file on the shared drive. Backup recovery takes days — if backups exist at all.

Scenario 3: Invoice Fraud. An attacker compromises a vendor's email account, then sends a real-looking invoice with updated bank details to your accounts payable team. The money goes to the attacker's account. By the time anyone notices, the funds are gone.

These aren't theoretical. These are patterns I see repeated across industries, from healthcare to manufacturing to education.

The Technical Layer: What Your Organization Should Deploy

Training is essential, but it works best alongside technical controls. Here's what should already be in place.

Multi-Factor Authentication (MFA)

If a phishing attack captures credentials, MFA is your safety net. It doesn't make phishing impossible, but it makes stolen passwords far less useful. According to CISA's MFA guidance, enabling MFA can prevent over 99% of account compromise attacks. If your organization hasn't rolled this out yet, it should be your top priority today.

Email Filtering and DMARC

Modern email gateways catch a lot of phishing — but not all. Implementing DMARC, DKIM, and SPF records helps prevent domain spoofing. If your organization's domain isn't protected by DMARC, attackers can send emails that look exactly like they came from your domain.
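The protection DMARC gives depends on the policy you actually publish: p=none only generates reports, while quarantine or reject stops spoofed mail. The Python below is an added example, not the author's or any vendor's tool; it parses DMARC and SPF TXT records (supplied inline as constructed samples rather than fetched from DNS) and reports the settings that leave a domain spoofable, with the weak record beside the corrected one.

```python
def parse_tags(record):
    """Split a 'v=DMARC1; p=none; rua=...' TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Findings for a DMARC record; empty means spoofed mail is quarantined or rejected."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so nobody receives reports of spoofing attempts")
    return findings

def assess_spf(record):
    """Findings for an SPF record, judged by what 'all' does with unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result, not a fail"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier in "+?":
        return [f"{all_term}: any host on the internet passes SPF for this domain"]
    return []  # -all (fail) or ~all (softfail, which DMARC still counts as not passing)

# Constructed records: the weak setting beside the corrected one.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"

if __name__ == "__main__":
    for rec in (WEAK_DMARC, STRONG_DMARC, WEAK_SPF, STRONG_SPF):
        check = assess_dmarc if rec.startswith("v=DMARC1") else assess_spf
        print(rec, "->", check(rec) or ["ok"])
```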

Phishing Simulation Programs

You can't test awareness without simulations. Regular phishing simulation campaigns show you where vulnerabilities exist in your workforce. They also build muscle memory. Employees who've been tricked in a safe simulation are far less likely to fall for the real thing. Our phishing awareness training for organizations includes simulation-based exercises designed to build exactly this kind of resilience.

Zero Trust Architecture

Zero trust assumes that no user, device, or network segment should be automatically trusted. Even if an attacker gets past the email perimeter, zero trust principles limit lateral movement. NIST Special Publication 800-207 lays out the framework. It's not a product you buy — it's a strategy you implement over time.

What to Do If You Click a Phishing Link

This is the question I get asked more than any other, so here's the direct answer.

Step 1: Disconnect from the network immediately. If you're on Wi-Fi, turn it off. If you're on Ethernet, unplug the cable. This limits the damage if malware is involved.

Step 2: Do not enter any credentials. If you landed on a login page and haven't typed anything yet, close the browser tab immediately.

Step 3: If you already entered credentials, change your password from a different device right now. Enable MFA if it isn't already active.

Step 4: Report it to your IT or security team. Do not be embarrassed. Fast reporting is the single biggest factor in limiting damage from phishing attacks. Every minute counts.

Step 5: Run a full malware scan on the affected device. Your security team may want to isolate and image the machine for forensic analysis.

The worst thing you can do is stay quiet and hope nothing happens. I've seen minor incidents escalate into full-blown breaches because an employee was too embarrassed to report a click.

Building a Culture That Catches Phishing

Technical controls fail. Filters miss things. The last line of defense is always a human being staring at an email, deciding whether to click. That's why security awareness training isn't optional — it's operational.

But bad training is worse than no training. A once-a-year slideshow doesn't change behavior. Effective training is ongoing, scenario-based, and relevant to the threats employees actually face. It uses real-world phishing examples. It rewards reporting rather than punishing mistakes.

Our cybersecurity awareness training program covers phishing identification, social engineering tactics, credential theft prevention, and incident reporting — all built around practical scenarios, not abstract theory.

Organizations that run regular training and phishing simulations see measurable results. The 2021 Verizon DBIR noted that security awareness programs are one of the most cost-effective risk reduction strategies available. You're not just training employees to spot emails. You're building a security culture.

The Details That Trip Up Even Experienced Users

Sophisticated phishing campaigns don't rely on one red flag. They combine several persuasion techniques:

  • Authority: The email appears to come from a CEO, IT director, or law enforcement.
  • Scarcity: "Only 2 hours to respond" or "limited-time verification required."
  • Social proof: "Your colleagues have already completed this verification."
  • Familiarity: The attacker references a real project, real colleagues, or real company events pulled from LinkedIn or your website.

This is social engineering at its core. The attacker doesn't need to hack your firewall. They just need to hack your decision-making for three seconds.

I've reviewed phishing emails during incident response that fooled seasoned IT professionals. The emails used the company's exact email template, referenced an actual internal project by name, and linked to a domain registered 24 hours earlier that looked identical to the company's SSO portal. No spelling errors. No generic greetings. Perfect impersonation.

That's why knowing how to spot phishing emails requires more than looking for typos. It requires questioning every unexpected email that asks you to click, log in, download, or transfer something — no matter how legitimate it looks.

Your Next Step

Every breach has a first click. Your job is to make sure that click doesn't happen in your organization. Start by sharing these red flags with your team. Then put a real training program in place — one with phishing simulations, practical scenarios, and measurable outcomes.

Explore our phishing awareness training to get started, or check out the full cybersecurity awareness training curriculum for broader coverage across social engineering, ransomware, credential theft, and more.

The threat actors aren't slowing down. Your training shouldn't either.