Security Awareness
How to Spot a Phishing Attack
A plain-English guide for your whole team — what to look for, what to do, and what never to do.
The 10-Second Phish Check
Most phishing attacks fail one of these checks. Run them before you click.
Check the address, not the name.
Display names are trivially faked. Click the sender to see the real email address — does the domain actually match?
Hover every link.
Before clicking, hover (or long-press on mobile) and read the real URL. Look-alikes like paypa1-support.com are the whole game.
Distrust urgency.
"Account suspended," "act now," "wire today" — pressure is engineered to stop you from thinking.
Beware unexpected attachments & login pages.
A file you didn't ask for, or a page asking you to "verify" your password, is a red flag.
Watch for "off" requests.
A CEO texting you to buy gift cards, or a vendor suddenly changing bank details, is almost always fraud.
Look for the small tells.
Generic greetings, odd grammar, slightly misspelled names or domains.
If You Suspect a Phish
Do
- Stop — don't click, reply, or open attachments.
- Report it (use your report-phish button, or forward to IT/security).
- Verify out-of-band — call the person on a number you already trust.
- If you already clicked: disconnect from the network, change your password, and tell IT immediately. Fast reporting limits the damage.
Don't
- Don't click "unsubscribe" on a suspicious email (it confirms you're real).
- Don't reply to "confirm" anything.
- Don't forward it to coworkers (except to report it).
- Don't hide it or feel embarrassed. Silence is exactly what attackers count on — reporting fast is the win.
What Phishing Looks Like
Illustrative examples only — fictional senders and domains. No real brands or clients.
Example 1 — Spoofed sender + urgency
From: "IT Help Desk" <support@lanstatu5-helpdesk.com>
Subject: URGENT: Your mailbox will be deleted in 2 hours
Your account exceeded storage limits. Click here to verify immediately or lose access.
Tell: The display name says "IT Help Desk", but the domain is a look-alike (lanstatu5 instead of lanstatus). Urgency plus a link that asks for credentials.
Example 2 — Look-alike link
From: billing@paypa1-support.com
Subject: Payment failed — update your card
We couldn't process your last payment. Sign in at https://paypa1-support.com/login to avoid service interruption.
Tell: Hover the link: paypa1 (with the digit one in place of the letter l) is not the real payment provider. An unexpected billing email is itself a warning sign.
Example 3 — Executive wire request (BEC)
From: "Alex Morgan, CFO" <amorgan@c0rp-finance.net>
Subject: Confidential — wire needed today
I'm in meetings all day. Need you to wire $48,500 to the attached account before 3 PM. Keep this between us.
Tell: Off-domain sender, secrecy, urgency, and an unusual payment request. Always verify by phone, on a number you already trust.
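As an added illustration (not part of the original guide), here is a small Python checker that applies the 10-Second Phish Check to the three fictional messages above: it compares the display name with the real sender domain, undoes digit-for-letter swaps such as paypa1 and c0rp to spot look-alike domains in the sender and in links, and flags urgency and credential, payment or secrecy language. The trusted-domain list, the keyword lists and the homoglyph table are assumptions for this demonstration.

```python
import re

TRUSTED_DOMAINS = {"lanstatus.com", "paypal.com", "corp-finance.net"}  # assumed list for this example
URGENCY_WORDS = ("urgent", "immediately", "today", "act now", "suspended", "lose access")
REQUEST_WORDS = ("verify", "sign in", "password", "wire", "gift card", "bank details", "between us")
LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
FROM_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<?([^<>\s]+@([^<>\s]+))>?\s*$')  # display name, address, domain
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})  # digit-for-letter swaps

def looks_like(domain):
    # Return the trusted domain this one impersonates, or None if it is clean.
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    normalized = d.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        # Exact match once digits are undone (c0rp-finance.net), or the same
        # first label with a hyphenated suffix bolted on (paypa1-support.com).
        if normalized == trusted or normalized.split(".")[0].split("-")[0] == trusted.split(".")[0]:
            return trusted
    return None

def phish_tells(from_header, subject, body):
    # Apply the 10-Second Phish Check heuristics and return the tells found.
    m = FROM_RE.match(from_header)
    if not m:
        return ["unparseable From header"]
    display, domain = m.group(1), m.group(3)
    tells, target = [], looks_like(domain)
    if target:
        tells.append(f"look-alike sender domain {domain} (mimics {target})")
    if display and domain.lower() not in TRUSTED_DOMAINS:
        tells.append(f'display name "{display}" on an untrusted domain')
    for host in LINK_RE.findall(body):
        if looks_like(host):
            tells.append(f"look-alike link host {host}")
    text = f"{subject} {body}".lower()
    if any(w in text for w in URGENCY_WORDS):
        tells.append("urgency language")
    if any(w in text for w in REQUEST_WORDS):
        tells.append("credential, payment, or secrecy request")
    return tells

# Constructed samples: the three fictional examples above plus one benign message.
SAMPLES = {
    "example1": ('"IT Help Desk" <support@lanstatu5-helpdesk.com>', "URGENT: Your mailbox will be deleted in 2 hours", "Your account exceeded storage limits. Click here to verify immediately or lose access."),
    "example2": ("billing@paypa1-support.com", "Payment failed - update your card", "We couldn't process your last payment. Sign in at https://paypa1-support.com/login to avoid service interruption."),
    "example3": ('"Alex Morgan, CFO" <amorgan@c0rp-finance.net>', "Confidential - wire needed today", "I'm in meetings all day. Need you to wire $48,500 to the attached account before 3 PM. Keep this between us."),
    "benign": ('"Payroll" <payroll@corp-finance.net>', "Timesheets due", "Please submit timesheets by Friday."),
}
```

Calling `phish_tells(*SAMPLES["example3"])` returns the look-alike sender, the display-name mismatch, the urgency and the payment/secrecy tells, while the benign payroll message returns an empty list.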
The Big Three for Business
Business Email Compromise (BEC)
Fake exec or vendor requests for wires or sensitive data.
Credential harvesting
Fake login pages that steal passwords and MFA tokens.
MFA fatigue
Attackers spam approval prompts until someone taps yes.