Cybersecurity | 8 min read | Advanced IT Support
How to Spot a Phishing Email
A Plain-English Guide for Small Business Employees
Phishing emails are the #1 way hackers get into small business networks. They don’t need to crack your password or exploit a software flaw; they just need one employee to click the wrong link. This guide shows you exactly what to look for, with examples, so your whole team can stay one step ahead.
Phishing has come a long way from the obviously fake emails promising lottery winnings. Today’s attacks are sophisticated, personalized, and often indistinguishable from real emails. If you know the signs, you can catch them.
In 2026, AI-generated phishing emails can mimic your CEO’s writing style, replicate the exact formatting of your bank’s emails, and time messages to arrive when you’re most likely to act without thinking. The attacks have gotten better. That means your team’s awareness needs to match.
This guide is written for everyone on your team, not just IT staff. No technical background needed.
What Is a Phishing Email?
A phishing email is a fake message designed to trick you into doing one of three things:
- Clicking a malicious link that installs malware or takes you to a fake login page
- Downloading an infected attachment that gives attackers access to your computer or network
- Sharing sensitive information like passwords, credit card numbers, or wire transfer details
The word is a play on “fishing”: attackers cast a wide net and wait for someone to take the bait. In a small business, it only takes one.
⚠️ By the numbers: According to the FBI’s Internet Crime Report, business email compromise and phishing schemes cost U.S. businesses billions annually, and small businesses are disproportionately targeted because attackers assume their defenses are weaker.
The 8 Warning Signs of a Phishing Email
Most phishing emails have at least one of these red flags. Some have several. Train yourself to look for these before you click anything.
1. The Sender’s Email Address Doesn’t Add Up
Attackers are clever about display names. An email might show the sender as “Microsoft Support” or “Your Bank”, but when you look at the actual email address, something is off.
Real vs. Fake — Examples
Legitimate: an address whose domain (everything after the @) is the company’s own, the same one on its website and on the messages you already have on file
Phishing: the company name misspelled with a zero in place of the letter “o” (“micr0soft” instead of “microsoft”)
Phishing: a free webmail address such as something@gmail.com (banks and established vendors send from their own domain, not Gmail)
Phishing: the “l” in PayPal replaced with a “1” (“paypa1” reads as “paypal” at a glance)
What to do: Click on the sender’s name to expand the full email address, and never trust the display name alone. One caveat: the full address can itself be forged when the sending company hasn’t protected its domain with SPF and DMARC, so an address that looks right is a good sign, not proof.
2. There’s Urgency or a Threat
Phishing emails want you to act fast, before you have time to think. Common urgency tactics include:
- “Your account will be suspended in 24 hours”
- “Immediate action required, invoice overdue”
- “You have been selected for a security review”
- “Your payment failed, update your details now”
🚨 Rule of thumb: Urgency is a manipulation tactic. Legitimate companies give you time to verify. If an email is pressuring you to act right now, slow down. That’s exactly when you’re most likely to make a mistake.
3. The Link Doesn’t Match the Destination
Before you click any link in an email, hover your mouse over it. Your browser or email client will show you the real destination URL in the bottom corner of the screen. On a phone, press and hold the link instead; the preview shows the real address without opening it.
Link Mismatch — Example
The email says: Click here to verify your account at Chase Bank
The actual URL shows: http://chase-secure-login.ru/verify
That “.ru” is Russia’s country-code domain. Chase Bank’s website is chase.com; a name like “chase-secure-login” on some other domain isn’t Chase, however official it sounds. The same goes for tricks like chase.com.verify-login.net, where the bank’s name is only the front part of someone else’s domain. What matters is the domain just before the first “/”.
What to do: Hover first, always. If the URL’s domain doesn’t match the company’s real domain, or anything about it looks strange, don’t click it. And don’t let a padlock or “https” reassure you: attackers get certificates for free too, so most phishing pages use HTTPS now. Encryption says nothing about who owns the site.
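For readers on the IT side who want the sender check (sign 1) and the link check (sign 3) as a mechanical rule, here is a short Python script. It is an added example, not code from this article or from Advanced IT Support, and every address and URL in it is a constructed sample. It assumes a simple “last two labels” definition of the registered domain (chase.com, paypal.com); a production checker should use the Public Suffix List so that domains like example.co.uk are handled correctly.

```python
"""Sender-address and link-destination checks (red flags 1 and 3).
Added example, not code from the article. All addresses and URLs below are
constructed samples."""
from urllib.parse import urlsplit
import re

# Digit-for-letter swaps seen in lookalike domains (paypa1, micr0soft). Not exhaustive.
LOOKALIKE_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def registrable_domain(host: str) -> str:
    """The part of a hostname someone had to register: 'secure.chase.com' -> 'chase.com'.
    Assumption: last two labels. Real code should use the Public Suffix List so
    that 'example.co.uk' is not reduced to 'co.uk'."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):          # bare IP address: no registered name at all
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_host(url: str) -> str:
    """Hostname the browser will really connect to. Handles the 'user@host' trick:
    in https://chase.com@198.51.100.7/ the browser goes to 198.51.100.7."""
    return (urlsplit(url.strip()).hostname or "").lower()


def check_domain(host: str, expected: str) -> tuple[bool, str]:
    """Compare a hostname with the brand's real domain. Returns (ok, reason)."""
    expected = expected.lower()
    if not host:
        return False, "no hostname (not an ordinary web link)"
    reg = registrable_domain(host)
    if reg == expected:
        return True, f"real {expected} domain"
    if expected in host:
        # chase.com.verify-login.net: the brand is only a subdomain of someone else's domain
        return False, f"'{expected}' appears inside '{host}', but the registered domain is '{reg}'"
    brand = expected.split(".")[0]
    if brand in reg.translate(LOOKALIKE_SWAPS):
        # Deliberately aggressive: 'purchase.com' would also trip on 'chase'. A human reviews flags.
        return False, f"'{reg}' is a lookalike of '{expected}'"
    return False, f"'{reg}' is not '{expected}'"


def check_sender(address: str, expected: str) -> tuple[bool, str]:
    """Red flag 1: judge the address behind the display name."""
    host = address.rsplit("@", 1)[1] if "@" in address else ""
    return check_domain(host, expected)


def check_link(url: str, expected: str) -> tuple[bool, str]:
    """Red flag 3: judge where a link really goes, not what its text says."""
    return check_domain(link_host(url), expected)


# Constructed samples: (kind, value, the brand the email claims to be from)
SAMPLES = [
    ("sender", "support@chase.com", "chase.com"),
    ("sender", "support@micr0soft.com", "microsoft.com"),
    ("sender", "billing@gmail.com", "paypal.com"),
    ("link", "https://secure.chase.com/login", "chase.com"),
    ("link", "http://chase-secure-login.ru/verify", "chase.com"),
    ("link", "https://chase.com.verify-login.net/login", "chase.com"),
    ("link", "https://chase.com@198.51.100.7/", "chase.com"),
    ("link", "https://paypa1.com/account", "paypal.com"),
]


def audit(samples=SAMPLES) -> list[tuple[str, bool, str]]:
    """Run every sample through the matching check and collect (value, ok, reason)."""
    out = []
    for kind, value, expected in samples:
        check = check_sender if kind == "sender" else check_link
        ok, reason = check(value, expected)
        out.append((value, ok, reason))
    return out


if __name__ == "__main__":
    for value, ok, reason in audit():
        print("OK  " if ok else "FLAG", value, "->", reason)
```

Run it as-is and six of the eight samples are flagged; only the genuine chase.com address and the secure.chase.com link pass. The lookalike test is intentionally loose (it would also flag “purchase.com” against Chase) because in a mail filter a false alarm costs a human a minute, while a miss costs a credential.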
4. You Weren’t Expecting the Email or Attachment
Did you request a password reset? Did you actually place an order? Did you ask someone to send you a document?
If an email arrives with an attachment or a request you weren’t expecting, especially from someone you know, be suspicious. Attackers frequently compromise one email account and then use it to attack everyone in that person’s contacts.
⚠️ Important: Seeing a familiar name in the “From” field doesn’t mean the email is safe. Your colleague’s account may have been compromised, or the attacker may be spoofing their address.
5. The Attachment Has a Suspicious File Type
Some file types are rarely sent legitimately by email, or are a favorite way to smuggle malware past filters:
| File Type | Why It’s Dangerous |
|---|---|
| .exe, .bat, .cmd | Executable files that run code directly on your computer |
| .zip, .rar | Compressed archives that often hide malicious files inside |
| .docm, .xlsm | Office files with macros; if it asks you to “Enable Content,” don’t |
| .iso | Disk image files increasingly used to deliver malware |
| .lnk | Shortcut files that can execute hidden commands |
Even seemingly safe file types like .pdf or .docx can be weaponized, and a file named something like “invoice.pdf.exe” is an .exe, whatever the middle of the name says. If you weren’t expecting a file, don’t open it without verifying with the sender through a separate channel. Call them; don’t reply to the email.
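Here is the same file-type table applied the way a filter would apply it, looking past what a name appears to be to what the operating system will actually open. This is an added example for the IT team, not code from the article or from Advanced IT Support; the file names are constructed, and the extension lists extend the table above with a few common script types, which is an assumption you should tune to your own environment. It goes one step beyond the text by also catching two disguise tricks: a double extension (“invoice.pdf.exe”) and the Unicode right-to-left override character, which makes a name like “Annexe‮xcod.exe” display as “Annexeexe.docx”.

```python
"""Attachment-name checks for red flag 5. Added example, not code from the article.
It looks past what the file name appears to be to what the operating system
will actually open. File names are constructed samples."""

# Extensions from the table above, plus common script types (assumption: your
# IT team may extend or trim these lists).
RUNS_CODE = {"exe", "bat", "cmd", "lnk", "iso", "scr", "js", "vbs", "hta", "msi", "ps1"}
MACRO_ENABLED = {"docm", "xlsm", "pptm"}
ARCHIVES = {"zip", "rar", "7z"}

# Unicode right-to-left override. File managers render everything after it
# backwards, so 'Annexe\u202excod.exe' is displayed as 'Annexeexe.docx'.
RTL_OVERRIDE = "\u202e"


def displayed_name(name: str) -> str:
    """What the user sees in the attachment list."""
    if RTL_OVERRIDE not in name:
        return name
    head, tail = name.split(RTL_OVERRIDE, 1)
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """The extension the OS acts on: the text after the LAST dot in the raw name."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def classify(name: str) -> tuple[str, str]:
    """Return ('block' | 'verify', reason). 'verify' means open only after confirming
    with the sender through a separate channel, as the article advises."""
    ext = real_extension(name)
    if RTL_OVERRIDE in name:
        return "block", (f"hidden right-to-left character: shows as "
                         f"'{displayed_name(name)}' but really ends in .{ext}")
    parts = name.lower().split(".")
    if ext in RUNS_CODE:
        if len(parts) > 2:      # invoice.pdf.exe: the 'pdf' is decoration, 'exe' is what runs
            return "block", f"double extension: looks like .{parts[-2]} but runs as .{ext}"
        return "block", f".{ext} runs code directly on your computer"
    if ext in MACRO_ENABLED:
        return "verify", f".{ext} can carry macros; never click 'Enable Content'"
    if ext in ARCHIVES:
        return "verify", f".{ext} archive; what is inside is unknown until opened"
    return "verify", f".{ext or '(none)'} looks ordinary, but any unexpected file needs a phone call"


# Constructed sample attachment names
SAMPLES = [
    "Invoice_4471.pdf.exe",
    "setup.exe",
    "Annexe\u202excod.exe",
    "Q3_report.docm",
    "scan_0042.zip",
    "contract.pdf",
]


def triage(names=SAMPLES) -> list[tuple[str, str, str]]:
    """(name as the user sees it, verdict, reason) for each attachment."""
    return [(displayed_name(n), *classify(n)) for n in names]


if __name__ == "__main__":
    for shown, verdict, reason in triage():
        print(f"{verdict:6} {shown!r:28} {reason}")
```

Note that nothing here ever returns “safe”: the article’s rule is that an unexpected attachment of any type gets a phone call, so the script only separates “never open this” from “verify first.”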
6. The Email Asks for Credentials, Payment, or Sensitive Information
Legitimate organizations will never ask you to:
- Send your password via email
- Confirm your credit card number by replying to a message
- Wire money based on an emailed instruction alone
- Log in through a link in the email to “verify your account”
🚨 CEO Fraud / Business Email Compromise: One of the most damaging phishing variants involves an email appearing to come from your owner or CEO asking someone in accounting to urgently wire funds to a new vendor. Always verify financial requests by calling the person directly, even if the email looks completely legitimate.
7. The Grammar, Formatting, or Branding Feels Off
While AI has made phishing emails more polished, you’ll still sometimes notice:
- Generic greetings like “Dear Customer” or “Dear User” instead of your name
- Inconsistent fonts or formatting that doesn’t match the company’s usual style
- Logos that look slightly blurry or pixelated
- Sentences that feel slightly unnatural or awkwardly phrased
None of these alone prove an email is malicious. But combined with other warning signs, they’re worth paying attention to.
8. It Sounds Too Good to Be True
Not all phishing emails use threats. Some use rewards:
- “You’ve won a $500 Amazon gift card, claim it here”
- “Your account has been selected for a free upgrade”
- “A refund of $249.99 is waiting for you, verify your account to receive it”
If an unexpected benefit requires you to click a link or provide information, treat it with the same suspicion as a threatening email.
Types of Phishing Your Team Should Know About
Standard phishing casts a wide net. The same email gets sent to thousands of people at once. But there are more targeted variants worth recognizing:
Spear Phishing
A targeted attack on a specific person or company. The attacker researches their target using LinkedIn, your website, and social media, then crafts a highly personalized email that appears credible. It might reference your real vendors, your boss’s name, or a recent project. These are significantly harder to spot than generic phishing.
Whaling
Spear phishing aimed specifically at executives, the “big fish.” Common targets include business owners, CFOs, and operations managers who have authority to approve payments or access sensitive systems.
Smishing and Vishing
Phishing via text message (smishing) or phone call (vishing). Phishing extends well beyond email. If you receive an unexpected text with a link, or a call asking you to verify account information, the same rules apply. Slow down, verify through a separate channel, and don’t share information you weren’t expecting to give out.
Clone Phishing
An attacker copies a legitimate email you previously received and resends it with a malicious link or attachment swapped in. The email looks completely real because it largely is. Only the link or file has been replaced. These are particularly deceptive because they exploit existing, trusted communication threads.
What to Do If You Receive a Suspicious Email
- Don’t click anything. Not the link, not the attachment, not even the unsubscribe button.
- Don’t reply. Replying confirms your email address is active, which can lead to more targeted attacks.
- Verify through a separate channel. If the email appears to be from a vendor, colleague, or bank, call them directly using a number you already have, not one provided in the email.
- Report it to your IT team or MSP. Don’t just delete it. Your IT provider can analyze the message, check whether others in your organization received it, and take action if needed.
- Mark it as phishing in your email client. Microsoft 365 and Gmail both allow you to report phishing, which improves filtering for your entire organization over time.
✅ If you already clicked: Don’t panic, but act fast. Disconnect from your network immediately if possible (unplug ethernet or disable WiFi), change any passwords you may have entered (on the real site, typed in by hand, and anywhere else you reused that password), and contact your IT team right away, telling them exactly what you clicked and what you typed. Quick action significantly limits the damage, because stolen logins are often used within minutes.
Phishing Red Flag Checklist
Save this, print it out, or share it with your team. Before opening any unexpected email, run through these questions:
- Do I recognize the sender’s full email address, not just the display name?
- Was I expecting this email, link, or attachment?
- Does the email create urgency, issue a threat, or offer something unexpected?
- Have I hovered over every link to check where it actually goes?
- Is the email asking for credentials, payment, or sensitive information?
- Does the attachment have a suspicious file type (.exe, .zip, .docm, .iso, .lnk)?
- Does anything about the formatting, logo, or tone feel slightly off?
- If this is a financial or access-related request, have I verified it by calling the person directly?
If any of these answers worries you, don’t click. Report it to your IT team first.
Frequently Asked Questions
What is a phishing email?
A phishing email is a fraudulent message designed to trick the recipient into revealing sensitive information, clicking a malicious link, or downloading malware. Attackers disguise these emails as legitimate communications from trusted sources like banks, vendors, software providers, or colleagues.
How can I tell if an email is a phishing attempt?
Look for mismatched sender addresses, urgent or threatening language, unexpected attachments, links that don’t match the sender’s real domain, and requests for sensitive information or unusual actions like wire transfers. Most phishing emails trigger at least one item on the checklist above.
What should I do if I clicked a phishing link?
Disconnect from the network immediately if possible, change any passwords you may have entered on the linked page, and notify your IT department or managed IT provider right away. Quick action can significantly reduce the damage from a phishing attack.
What is spear phishing?
Spear phishing is a targeted form of phishing where attackers research a specific individual or company and craft a highly personalized email that appears credible, often mimicking a known colleague, vendor, or executive. These are harder to spot because they feel personal and familiar.
Can phishing emails come from people I know?
Yes. A contact’s email account may have been compromised, or an attacker may be spoofing their address to make it look like a known sender. If you receive an unexpected email from a known contact asking you to click a link, download a file, or take an unusual action, verify with them directly before doing anything.
Is Your Team Prepared for a Phishing Attack?
Advanced IT Support provides security awareness training and phishing simulations for small businesses across Jacksonville and Waycross. We’ll help your team recognize real threats before they cause real damage.
Get a Free Security Consultation
Written by Jeremiah Dillingham, Advanced IT Support
Jeremiah is the founder of Advanced IT Support, a managed IT provider serving small and mid-size businesses in Jacksonville, FL and Waycross, GA. Advanced IT Support specializes in cybersecurity, cloud management, and proactive IT support for teams of 5–50 employees.
Related Articles
Continue building your business’s security posture with these related guides:
6 Steps to Strengthen Your Email Security
Practical steps to lock down your business email against phishing and account takeover.
How to Train Employees to Avoid IT Security Mistakes
Build a security-aware culture that sticks, without long, boring policy documents.
How Managed IT Services Enhance Cybersecurity
How an MSP provides ongoing, layered security protection for your business.
The Essential 2026 Cybersecurity Checklist for SMBs
The controls, policies, and tools every small business should have in place this year.
Email Security Best Practices for Small Businesses in 2026
From DMARC to advanced threat protection, what your email setup needs right now.
How to Prevent Ransomware Without an Enterprise Budget
Affordable defenses that protect your business without breaking the bank.