TL;DR: Phishing emails try to make you act fast — click a link, open an attachment, pay an invoice, or enter a password — by pretending to be someone you trust. Most share the same tells. Below is a quick checklist anyone on your team can use. (And if you own a domain, scan it free so attackers can't send phishing as you.)
The red-flag checklist
- The sender looks slightly off. Hover over the name to see the real address: watch for a look-alike domain, or a public address where a company address is expected.
- Urgency or threats. "Act now or your account will be closed." Pressure is a manipulation tactic.
- Generic greeting. "Dear customer" instead of your name (though targeted attacks personalise).
- Links that don't match. Hover over a link — if the destination isn't the real site, don't click.
- Unexpected attachments. Especially invoices, ZIPs or documents asking you to "enable content".
- Requests for credentials or payment. Legitimate companies don't ask for your password by email, and they don't ask to change bank details on a whim.
- Odd grammar or formatting. Mistakes, mismatched logos, or a layout that's almost right.
What to do when you spot one
- Don't click or reply. Don't open attachments.
- Verify out of band. Contact the supposed sender through a number or address you already trust — never the details in the email.
- Report it to your IT/provider and delete it.
- If you already clicked, change the password immediately, enable 2FA, and tell your IT contact.
Stop phishers using your brand
Phishing isn't only something that lands in your inbox — attackers also send it as your business to your customers. Locking your domain with enforced DMARC stops them spoofing your exact address (the most convincing kind). Scan your domain to see if you're protected.
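What "enforced" means in a DMARC record, as an added example that is not part of the original article: the sketch below parses DMARC TXT records and counts a domain as enforced only when the policy is quarantine or reject, applies to all mail (pct=100) and is not weakened for subdomains (sp=). The records, the example.* domains and the category names are constructed for illustration.

```python
# Added example: classify DMARC TXT records by enforcement level (RFC 7489 tags).
# Sample records and category names are constructed; no DNS lookup is performed.
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The v=DMARC1 tag must come first, otherwise receivers ignore the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def enforcement(txt):
    """Classify a record as 'missing', 'monitor-only', 'partial' or 'enforced'."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None or "p" not in tags:
        return "missing"
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp= defaults to the p= value
    try:
        pct = int(tags.get("pct", "100"))        # pct= defaults to 100
    except ValueError:
        pct = 100  # assumption: an unparsable pct is treated as the default
    if policy not in ENFORCING:
        return "monitor-only"  # p=none only reports; spoofed mail is still delivered
    if pct < 100 or sub_policy not in ENFORCING:
        return "partial"       # policy skips a share of mail, or subdomains are open
    return "enforced"


SAMPLES = {  # constructed records, keyed by the domain they would be published for
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=25",
    "example.org": "v=DMARC1; p=reject; sp=none",
    "example.edu": "v=DMARC1; p=reject; rua=mailto:dmarc@example.edu",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(f"_dmarc.{domain}: {enforcement(record)}")
```

To check a real domain, pass in the TXT record published at `_dmarc.<your domain>`.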
FAQ
How is phishing different from spoofing?
Spoofing is one technique phishers use (forging a sender). Phishing is the broader scam — the deceptive message designed to make you act.
Are personalised emails safe?
Not necessarily — targeted "spear phishing" uses your name and real details. Judge by the request and the links, not just the greeting.
Can software catch all phishing?
No — filters help, but human awareness plus domain protection (DMARC) is what closes the gap.
Want to stop phishers impersonating your business? Scan your domain, then reply to your report — we're developers and we'll lock it so your brand can't be used against your customers.