In March 2022, the FBI's Internet Crime Complaint Center reported that phishing schemes were the most common cybercrime in 2021, with over 323,000 victims — more than double the count from 2019. That number is climbing again in 2022. If you're searching for how to spot phishing emails, you're asking exactly the right question — because the single fastest way a threat actor gets inside your organization is through your inbox. This post gives you nine specific, field-tested red flags I use when training teams, along with real examples from actual breaches.

I've spent years dissecting phishing campaigns for organizations of all sizes. The patterns are remarkably consistent. Once you learn to recognize them, you'll catch 90% of malicious emails before you ever hover over a link.

Why Phishing Still Works in 2022

The Verizon 2022 Data Breach Investigations Report found that 82% of data breaches involved a human element — and phishing was the top attack vector. That's not because people are stupid. It's because phishing emails are engineered to exploit urgency, authority, and trust.

Modern phishing doesn't look like the Nigerian prince scams of 2005. Today's campaigns use pixel-perfect replicas of Microsoft 365 login pages, spoofed executive email addresses, and AI-generated text that reads like your CEO actually wrote it. Social engineering has become a professional discipline for criminal organizations.

Here's the uncomfortable truth: your technical controls — spam filters, secure email gateways, even multi-factor authentication — will miss some of these messages. The last line of defense is always the human reading the email.

How to Spot Phishing Emails: 9 Red Flags From Real Attacks

These aren't theoretical. Every red flag below comes from phishing campaigns I've personally analyzed or that appeared in documented incidents. Learn these, drill them into your team, and you'll dramatically reduce your risk.

1. The Sender Address Doesn't Match the Display Name

This is the first thing I check. A phishing email might show "Microsoft Support" as the sender name, but the actual address reads something like [email protected]. That extra "t" is deliberate — it passes a glance test but fails inspection.

Always expand the sender field. On mobile, this takes an extra tap. It's worth it every time. In the Twitter breach of July 2020, internal employees received messages from accounts that looked legitimate at first glance but weren't.

2. Urgency That Demands Immediate Action

"Your account will be suspended in 24 hours." "Unauthorized login detected — verify now." "Failure to respond will result in legal action." Sound familiar?

Threat actors manufacture urgency because it short-circuits critical thinking. When your heart rate spikes, you click before you think. Every time an email demands immediate action and threatens consequences, slow down. That emotional pressure is the attack itself.

3. Link Text That Doesn't Match the Actual URL

Hover over every link before you click. If the email says "Log in to your Bank of America account" but the URL points to boa-secure-login.xyz, you're looking at credential theft in progress.

I train teams to hover over links and read the domain from right to left — start at the .com (or .org, .net) and work backward. The domain immediately before the top-level domain is what matters. Everything else is decoration a threat actor controls.

4. Attachments You Didn't Request

If you didn't ask for an invoice, a shipping notification, or a "document to review," don't open the attachment. Ransomware campaigns — including strains like Emotet, which surged again in early 2022 — rely heavily on malicious attachments disguised as routine business documents.

Common weaponized file types: .docm, .xlsm, .zip, .iso, and .html files. Even PDF files can contain malicious links. When in doubt, call the sender on a known phone number and verify.

5. Generic Greetings Instead of Your Name

"Dear Customer." "Dear User." "Dear Account Holder." Legitimate companies that have your business almost always use your actual name. A generic greeting in an email claiming to be from your bank or your IT department is a strong signal that the message went to thousands of people, not just you.

This isn't foolproof — sophisticated spear-phishing campaigns do use your real name, pulled from LinkedIn or data breaches. But generic greetings remain a reliable first-pass filter.

6. Grammar and Formatting That Feel Off

Mismatched fonts, inconsistent spacing, odd line breaks, and grammar that reads like it was translated — these are hallmarks of mass phishing kits sold on dark web forums. The operators using them often don't speak English natively and don't invest in proofreading.

That said, I've seen phishing emails in 2022 with flawless English. Don't rely on this red flag alone. Use it as one signal among many.

7. Requests for Credentials or Sensitive Data via Email

No legitimate IT department, bank, or SaaS provider will ask you to email your password, Social Security number, or credit card details. Ever. If an email asks you to "confirm your password" or "verify your account details" by replying or clicking a link, it's phishing.

The Twilio breach in August 2022 started with SMS phishing (smishing) that directed employees to a fake login page. The principle is identical: any request for credentials through an unexpected channel should trigger suspicion.

8. A Reply-To Address That Differs From the Sender

This one catches even experienced users off guard. The email appears to come from your CFO's address, but the reply-to field points to an external Gmail account. Business email compromise (BEC) attacks — which the FBI IC3 reports caused $2.4 billion in losses in 2021 — rely on this trick constantly.

Check the reply-to field before responding to any email that involves money, credentials, or sensitive data. It takes three seconds.

9. Too-Good-to-Be-True Offers or Unexpected Windfalls

Gift card giveaways, unexpected tax refunds, prize notifications — these are social engineering basics, and they still work. If you didn't enter a contest, you didn't win one. If the IRS needs to reach you, they'll send a letter.

In my experience, these lower-sophistication phishing emails still account for a surprising number of successful compromises, especially among employees who don't handle security-sensitive tasks daily and haven't had recent security awareness training.

What Does a Phishing Email Actually Look Like?

Here's a quick composite based on real campaigns I've analyzed this year:

  • From: IT-HelpDesk <[email protected]>
  • Subject: Urgent: Your mailbox is 98% full — action required
  • Body: "Dear Employee, Your mailbox has reached its storage limit. To avoid disruption, please verify your account immediately by clicking the link below. Failure to act within 12 hours will result in account suspension."
  • Link text: "Verify Account Now" (actual URL: http://yourcompany-mail-verify.ru/login)

Every red flag is present: mismatched sender domain, urgency, generic greeting, suspicious link URL, and a request for credentials. Once you know how to spot phishing emails, patterns like this become obvious.

What to Do When You Spot a Phishing Email

Recognizing the email is only half the job. Your response matters just as much.

Don't Click, Don't Reply, Don't Forward

Clicking a link can trigger a drive-by download or take you to a credential harvesting page. Replying confirms your email address is active. Forwarding spreads the threat. Just don't.

Report It Through Your Organization's Process

Most email clients have a "Report Phishing" button. If your organization uses a phishing simulation platform, use the reporting button — it trains the system and gives your security team intelligence. If you don't have a formal process, email your IT or security team directly.

Delete It

Once reported, delete the email. Don't leave it sitting in your inbox where you might accidentally interact with it later.

The $4.88M Lesson Most Organizations Learn Too Late

According to IBM's Cost of a Data Breach Report 2022, the average cost of a phishing-initiated data breach reached $4.91 million. That's not a typo. And for small businesses without cyber insurance, a single successful phishing attack can be an extinction event.

Technical controls are necessary — deploy multi-factor authentication, enforce zero trust architecture, and keep your email filters updated. But CISA's own guidance at cisa.gov/shields-up emphasizes that human awareness is a critical layer. Your firewall can't stop an employee from typing their password into a fake login page.

That's why regular training matters more than annual compliance checkboxes. I recommend running phishing simulations at least quarterly. Teams that practice identifying phishing emails in realistic scenarios get dramatically better at catching real ones.

Build a Human Firewall That Actually Works

If you're responsible for security at your organization, reading this post is a good start — but it's not enough. Your entire team needs to internalize these patterns.

Our phishing awareness training for organizations walks employees through real-world phishing scenarios, teaches them to identify every red flag above, and includes phishing simulation exercises that build muscle memory. It's the most practical way to reduce your human attack surface.

For broader security fundamentals — covering ransomware defense, credential hygiene, multi-factor authentication, and more — our cybersecurity awareness training program gives your team a solid foundation across the full threat landscape.

A Quick Checklist: How to Spot Phishing Emails

Bookmark this. Share it with your team. Post it next to the coffee machine.

  • Does the sender address match the display name and the organization's real domain?
  • Is the email creating artificial urgency or threatening consequences?
  • Do link URLs match their claimed destinations when you hover?
  • Did you expect this attachment, or is it unsolicited?
  • Does the email use your real name or a generic greeting?
  • Are there grammar errors, formatting inconsistencies, or odd phrasing?
  • Is the email requesting credentials or sensitive data?
  • Does the reply-to address match the sender?
  • Is the offer too good to be true?

If even one answer raises a flag, stop. Verify through a separate channel. Report it. Move on.

Phishing Isn't Going Away — But Your Risk Can Shrink

The FBI IC3's 2021 Internet Crime Report makes it clear: phishing is accelerating, not declining. The attacks are getting more targeted, more convincing, and more costly. But organizations that invest in continuous security awareness training — not just once-a-year slide decks — see measurably fewer successful compromises.

Knowing how to spot phishing emails is the most cost-effective security control you can deploy. It doesn't require a budget for new hardware. It doesn't require a team of analysts. It requires attention, practice, and a healthy dose of skepticism every time you open your inbox.

Start today. Train your team. And the next time a threat actor sends that perfectly crafted email to your CFO at 4:55 PM on a Friday, your people will be ready.