7 Red Flags That Reveal a Phishing Email
A practical guide to the warning signs employees can use to pause, verify, and report suspicious messages before they click.
Phishing emails work because they ask busy people to make a fast decision. The message may look routine: an invoice, a delivery notice, a password reset, a document share, or a request from someone senior. The risk is not that every employee ignores training. The risk is that one realistic message arrives at the wrong moment.
The goal is not to turn every employee into a forensic analyst. The goal is to give people a short list of signals that help them pause, verify, and report before they click.
1. The sender looks almost right
Attackers often use a display name that looks familiar while hiding a suspicious email address. A message may show "Microsoft Support" or the name of your CEO, but the actual address may come from a free mailbox, a misspelled domain, or a newly registered lookalike.
Employees should check the full sender address before acting on payment requests, login prompts, shared files, or urgent instructions. On mobile, this may take an extra tap, which is exactly why attackers like mobile-first targets.
2. The message creates pressure
Urgency is one of the most reliable phishing signals. Common phrases include "final notice", "payment overdue", "account will be suspended", "respond immediately", or "do not call me, I am in a meeting".
Pressure narrows attention. It pushes the recipient away from normal verification habits. Any message that asks someone to skip a process, keep a request private, or act before they can confirm details should be treated as suspicious.
3. The link destination does not match the promise
The visible text of a link can say anything. The real destination is what matters. A link that claims to go to Microsoft, Google, DocuSign, Dropbox, or a bank should not point to a strange domain, a shortened URL, or a spelling variation.
Employees should hover over links on desktop and preview links carefully on mobile. If the destination is unclear, they should avoid clicking and report the message.
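The first three red flags can also be checked mechanically before a message reaches an inbox. The following is an added Python example (not code from this article or from any product it mentions) that parses a constructed single-part HTML email and reports a display name that claims a brand while the address comes from another domain, the urgency phrases listed above, and link text that names a brand while the href points elsewhere. The brand allow-list and the sample message are assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list (illustrative only): domains that legitimately send mail or host logins for each brand.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "google": {"google.com"}, "docusign": {"docusign.com", "docusign.net"}, "dropbox": {"dropbox.com"}}
URGENCY = ("final notice", "payment overdue", "account will be suspended", "respond immediately", "do not call me")  # phrases from red flag 2
def registrable(host):
    """Last two labels of a hostname; a real tool would consult the public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])
def brand_in(text):
    """First brand name mentioned in the text, else None."""
    return next((b for b in BRAND_DOMAINS if b in text.lower()), None)
class Links(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__(); self.pairs, self.href, self.buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a": self.href, self.buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None: self.buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.pairs.append((self.href, "".join(self.buf).strip())); self.href = None
def red_flags(raw):
    """Return red flags 1-3 from the article found in a single-part text/html email."""
    msg, flags = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom, brand = registrable(addr.rpartition("@")[2]), brand_in(name)
    if brand and sender_dom not in BRAND_DOMAINS[brand]:   # flag 1: display name vs. real address
        flags.append(f"sender: display name says {brand}, address is @{sender_dom}")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    flags += [f"pressure: '{p}'" for p in URGENCY if p in text]  # flag 2: urgency phrases
    links = Links(); links.feed(body)
    for href, anchor in links.pairs:                        # flag 3: anchor text vs. destination
        dest, claimed = registrable(urlparse(href).hostname or ""), brand_in(anchor)
        if claimed and dest not in BRAND_DOMAINS[claimed]:
            flags.append(f"link: '{anchor}' points to {dest}, not {claimed}")
    return flags

# Constructed sample message (not real mail); the lookalike domain uses the reserved .example TLD.
SAMPLE = """From: "Microsoft Support" <alerts@microsoft-security.example>
Subject: Final notice
Content-Type: text/html

<p>Your account will be suspended today. <a href="http://login.microsoft-security.example/r">Sign in to Microsoft</a></p>
"""
```

Running `red_flags(SAMPLE)` returns four findings (one sender mismatch, two urgency phrases, one link mismatch); a genuine Dropbox share notice with a dropbox.com sender and link returns an empty list.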
4. Attachments arrive without context
Malicious attachments are often disguised as invoices, purchase orders, resumes, scanned documents, or legal notices. The message may be short because the attacker wants the file to do the convincing.
Unexpected attachments deserve extra caution, especially compressed files, macro-enabled documents, or files that ask the user to enable editing. If the recipient was not expecting the file, the safest next step is to verify through a separate channel.
5. The request changes a normal workflow
Many phishing attacks are less technical than people expect. The message may ask a finance employee to update bank details, ask HR to send payroll data, or ask an operations manager to buy gift cards. The red flag is the change in process.
Good security awareness training should reinforce business rules: payment changes need verification, sensitive data needs approval, and executive requests still follow the same controls.
6. The tone feels slightly off
Generative AI has made phishing messages cleaner, but tone still matters. A message may be unusually formal, unusually casual, or out of character for the supposed sender. It may refer to projects vaguely or avoid details the real sender would know.
Employees should be encouraged to trust that small discomfort. Reporting a suspicious message is not an accusation. It is a low-friction way to let the security team inspect it.
7. The message asks for credentials
Any email that leads to a login page should be handled carefully. Attackers commonly mimic Microsoft 365, Google Workspace, banking portals, payroll systems, and e-signature tools. Some pages even proxy the real login flow to steal MFA codes.
The safer habit is to open known services from bookmarks or typed addresses instead of following email links. If the prompt came from a message, report the message first.
What to do next
Red flags are useful, but they work best when employees have a simple reporting path. A good program gives staff a report button, fast feedback, and repeated practice through realistic simulations. The message to employees should be clear: if something feels wrong, report it. Quick reporting helps protect the whole company.