How to spot a phishing email
Part of the Small Business Cybersecurity series. Related: What Is Social Engineering, What Is Zero Trust Security.
To spot a phishing email, check the sender's real address for look-alike domains, be wary of urgency or threats, hover over links to see where they truly lead, distrust unexpected attachments, and never enter credentials or send money based on email alone. Legitimate organizations rarely demand instant action or ask for passwords by email. When anything feels off, verify through a separate, known channel before clicking or responding.
Check the sender carefully
The sender address is one of the most useful tells, but you have to look closely, and it is evidence rather than proof: the visible From: address can itself be forged when the sending domain has no enforced DMARC policy. Attackers use:
- Look-alike domains: rnicrosoft.com (rn instead of m), microsoft-support.net, or an internationalized domain whose accented letters render almost identically to the real name.
- Display-name spoofing: a friendly name like "IT Support" masking a random address.
- Compromised real accounts: a genuine but hijacked supplier or colleague mailbox, which passes every domain check.
Always expand and read the full email address, not just the display name; mobile mail apps usually show only the display name, so tap it to reveal the address. If a message claims to be from your bank or Microsoft but the domain is slightly off, or oddly generic, treat it as suspect. When a known contact's email seems out of character, verify by phone before acting on it.
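The three sender tells above can be checked mechanically. The following is an added example, not code from the original article: it parses a From: header, collapses common character substitutions so that rnicrosoft.com compares equal to microsoft.com, and flags a display name that claims a brand the address does not belong to. The trusted-domain list, the confusable table and the sample headers are constructed for illustration.

```python
"""Sender-address checks for look-alike domains and display-name spoofing.
Added example: TRUSTED_DOMAINS, CONFUSABLES and the sample headers are assumptions."""
from email.utils import parseaddr

# Assumed set of domains this organisation treats as genuine senders.
TRUSTED_DOMAINS = {"microsoft.com", "contoso.com"}

# Character sequences attackers substitute for visually similar ones.
# Multi-character sequences are listed first so they collapse before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Collapse a domain to a 'skeleton' so rnicrosoft.com and microsoft.com compare equal."""
    s = domain.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def brand_of(domain: str) -> str:
    """Second-level label used as the brand name (microsoft for microsoft.com).
    Simplification: country-code suffixes such as .co.uk would need a public-suffix list."""
    labels = domain.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def check_sender(from_header: str) -> list[str]:
    """Return warnings for one From: header; an empty list means nothing suspicious was found.
    An empty list is not proof of legitimacy: a genuine domain can still be a hijacked mailbox."""
    display_name, address = parseaddr(from_header)
    warnings = []
    if "@" not in address:
        return ["unparseable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return warnings

    # A display name that is itself an email address is a classic spoof of the real From:.
    if "@" in display_name and display_name.lower() != address.lower():
        warnings.append(f"display name '{display_name}' is a different address than {address}")

    # Internationalised domains are encoded as xn-- labels; their rendered form may mimic a brand.
    if any(label.startswith("xn--") for label in domain.split(".")):
        warnings.append(f"internationalised (punycode) domain: {domain}")

    # Look-alike domain: same skeleton as a trusted domain, but not that domain.
    trusted_skeletons = {skeleton(d): d for d in TRUSTED_DOMAINS}
    if skeleton(domain) in trusted_skeletons:
        warnings.append(f"look-alike domain {domain} imitates {trusted_skeletons[skeleton(domain)]}")

    # Brand name embedded in an unrelated domain or in the display name only.
    for trusted in TRUSTED_DOMAINS:
        brand = brand_of(trusted)
        if brand in domain:  # e.g. microsoft-support.net
            warnings.append(f"domain {domain} contains brand '{brand}' but is not {trusted}")
        if brand in display_name.lower():
            warnings.append(f"display name '{display_name}' claims {brand} but address is {address}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in ('"Microsoft Support" <security@rnicrosoft.com>',
                   'IT Support <helpdesk@microsoft-support.net>',
                   '"ceo@contoso.com" <x9k@mail.example>',
                   'Contoso Accounts <billing@contoso.com>'):
        print(header, "->", check_sender(header) or ["no warnings"])
```

The skeleton comparison is deliberately crude; a production filter would use the Unicode confusables table and a public-suffix list. Note that the genuine-domain early return is exactly where a compromised real account slips through, which is why the article's advice to verify out-of-band still applies.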
Watch for pressure and emotion
Phishing relies on rushing you past your better judgment. Be alert to messages that:
- Create urgency: "your account will be closed in 24 hours."
- Threaten consequences: fines, legal action, or lost access.
- Dangle rewards: refunds, prizes, or bonuses.
- Invoke authority: a "CEO" demanding an urgent, confidential payment.
This emotional pressure is deliberate — it pushes you to act before thinking. A genuine organization gives you reasonable time and proper channels. Whenever an email tries to make you panic or move fast, slow down. That urge to hurry is itself one of the clearest warning signs of a scam.
Inspect links and attachments
Links and attachments are how phishing delivers its payload, so handle them with care:
- Hover before clicking (on desktop) to preview the true destination URL; on a phone, long-press the link to see it without opening it.
- Watch for mismatches between the visible text and the actual link, including URLs that show a trusted name before an "@" while the real host comes after it.
- Be wary of shortened or odd URLs, bare IP addresses, and misspelled domains.
- Don't open unexpected attachments, especially .zip, .htm, or files prompting you to "enable macros." An .htm attachment can be a complete fake login page that opens locally, so link filtering never sees it.
Never enter your password on a page reached through an email link — open the site yourself in a new browser tab using a known address instead. If an attachment is unexpected, confirm with the sender through another channel before opening it. When in doubt, don't click.
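The link checks in this section can be applied to an HTML email body before anyone hovers. The following is an added example, not code from the original article: it collects every anchor, compares the visible text with the real destination, and flags shortened links, bare IP hosts, punycode hosts and "@"-hidden hosts. The shortener list and the sample body are constructed for illustration, and the domain comparison uses the last two labels only.

```python
"""Link checks over an HTML email body.
Added example: SHORTENERS and SAMPLE_BODY are assumptions constructed for illustration."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumed list
URL_LIKE = re.compile(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname (simplification: ccTLDs like .co.uk need a suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> str:
    """Hostname of a URL or of bare text such as 'www.contoso.com/login'."""
    candidate = text if "://" in text else "//" + text
    return urlsplit(candidate).hostname or ""


def check_links(html_body: str) -> list[str]:
    """Return one finding per suspicious property of each link in the body."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href:
            continue  # named anchor, nothing to follow
        parts = urlsplit(href)
        host = parts.hostname or ""
        if parts.scheme == "mailto":
            continue  # ordinary contact link; sender checks apply to it instead
        if parts.scheme not in ("http", "https"):
            findings.append(f"non-web link scheme '{parts.scheme or '(none)'}' in {href}")
            continue
        # https://www.paypal.com@203.0.113.5/ : everything before '@' is user info, not the host.
        if parts.username is not None:
            findings.append(f"'@' in URL hides the real host {host}: {href}")
        try:
            ipaddress.ip_address(host)
            findings.append(f"link points at a bare IP address: {href}")
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"internationalised (punycode) host: {href}")
        if registrable(host) in SHORTENERS:
            findings.append(f"shortened URL hides destination: {href}")
        # Visible text that looks like a URL but points somewhere else.
        if URL_LIKE.fullmatch(text) and registrable(host_of(text)) != registrable(host):
            findings.append(f"link text '{text}' but goes to {host}")
    return findings


# Constructed sample body, not a real message.
SAMPLE_BODY = """
<p>Your mailbox is almost full.
<a href="https://login.rnicrosoft-support.net/reset">https://login.microsoft.com/reset</a></p>
<p>Or use the short link: <a href="https://bit.ly/3xyz">Click here</a></p>
<p>Questions? <a href="mailto:helpdesk@contoso.com">Contact IT</a></p>
<p><a href="https://www.paypal.com@203.0.113.5/login">Verify now</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_BODY):
        print(finding)
```

The text-versus-target comparison only fires when the visible text itself looks like a URL; "Click here" anchors are caught by the other checks (shortener, IP, punycode, hidden host) or by the reader hovering. An empty result means none of these patterns matched, not that the link is safe, which is why the article still says to open the site yourself rather than through the email.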
Verify before you act
The single best habit is independent verification. If an email asks you to pay, change banking details, share credentials, or take any sensitive action, confirm it through a separate, trusted channel — a phone call to a number you already have, not one supplied in the email.
This one step defeats most business email compromise and invoice-fraud attacks, which depend on you trusting the message at face value. For businesses, formalize it as policy: no payment or banking change proceeds on email alone. Make reporting suspicious emails easy and blame-free, so staff flag threats quickly. A moment's verification routinely prevents a costly mistake.
FAQ
What's the fastest way to check if an email is phishing?
Look at the actual sender address and hover over any links to see where they really lead. Mismatched or look-alike domains, combined with urgency or a request for credentials or payment, are strong signals. If anything seems off, don't click — verify with the supposed sender through a known phone number or website you navigate to yourself.
Are phishing emails always full of spelling mistakes?
No. While some still contain obvious errors, many modern phishing emails are polished and convincing, often crafted with AI assistance. Don't rely on bad grammar as your only filter. Focus instead on the sender address, suspicious links, unexpected requests, and pressure tactics. A well-written email can still be a scam, so verify anything that asks for sensitive action.
Is it safe to open a phishing email if I don't click anything?
Generally, simply opening an email is low-risk on modern, updated mail clients, though if your client loads remote images, a tracking pixel can confirm to the sender that your address is active. The real danger is interacting: clicking links, opening attachments, or enabling content. If you suspect phishing, don't engage with it: report it to your IT team or provider and delete it without clicking anything.