GUIDE · THE OPERATOR’S NOTEBOOK

How to spot a phishing email (and prepare your team)

Phishing isn’t an exotic threat. It’s the most common way a company ends up in a security incident. What makes it distinct is that it doesn’t attack the infrastructure: it attacks the employee sitting in front of the screen, with a message that looks like it comes from someone you know and pushes you to click, to send a password, or to make a payment. The good news is that almost all of these messages are stopped by a few simple habits. The checklist below is written to go through with your team before an incident, not after one.

The signs that keep repeating

Almost all phishing messages share the same three traits. First, they rush you (“your account will be locked in 24 hours,” “the invoice has to be paid today”), because hurry short-circuits judgment. Second, they look like they come from someone you know: a bank, a supplier, even a colleague; but if you check the sender’s real address, it’s slightly off, or simply unfamiliar. Third, whatever shape they take, they always ask for something concrete: a password, card details, a click on a link, or opening an attachment you weren’t expecting.

Some messages are crude, full of language errors and warped logos. Others, especially the ones aimed at a specific person in the company, are carefully made and look perfectly normal. That’s why you can’t rely on the sense that a fake message gives itself away at a glance. You rely on the habit of checking, not on instinct.

The 10-second check, before you click

Before any click, make a habit of three checks that take ten seconds. Look at the sender’s real address, not just the display name, because that’s where the lie most often hides. Hover over the link without clicking: you’ll see where it actually leads, and if the text shows one address while the link sends you somewhere else, you have your answer. Then ask yourself, briefly: was I expecting this message?

For any request for money, for data, or for passwords, there is just one rule, and it has no exceptions: you confirm on another channel. You call the person instead of replying to the email. You reach the site by typing the address yourself, not by clicking the link. The short rule worth getting into every employee’s head: if a message rushes you, slow down.
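As an added illustration of the sender and link checks above (example code, not part of the original guide), here is a short Python script that runs both over a constructed sample message: it compares the real sender domain with an assumed allow-list of domains the team expects mail from, flagging look-alikes, and it flags links whose visible text names one host while the href points to another. The sample message, the allow-list and every domain in them are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message: a familiar-sounding display name,
# a slightly-off real address, and a link whose text and target disagree.
SAMPLE_EML = """\
From: "Acme Bank Support" <alerts@acme-bank-secure.example>
Subject: Your account will be locked in 24 hours
Content-Type: text/html; charset=utf-8

<p>Confirm your details at
<a href="http://login.verify-now.example/acct">https://www.acmebank.example/login</a></p>
"""
KNOWN_DOMAINS = {"acmebank.example"}  # constructed: domains the team expects mail from
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simple anchor scan, not a full HTML parser

def host(url):
    return (urlparse(url).hostname or "").lower()

def sender_findings(addr, known=KNOWN_DOMAINS):
    """Check 1: is the real address from a known domain, or a look-alike of one?"""
    domain = addr.rpartition("@")[2].lower()
    if domain in known:
        return []
    squashed = re.sub(r"[^a-z0-9]", "", domain)  # drop dots/hyphens before comparing
    for k in known:
        if k.split(".")[0] in squashed:
            return [f"sender {addr}: looks like {k} but is not"]
    return [f"sender {addr}: unfamiliar domain {domain}"]

def link_findings(html):
    """Check 2: visible link text shows one host while the href goes to another."""
    out = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested inside the anchor
        if re.match(r"https?://", text) and host(text) != host(href):
            out.append(f"link text shows {host(text)} but goes to {host(href)}")
    return out

def check_message(raw):
    """Run both checks on a raw RFC 5322 message and return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = sender_findings(parseaddr(msg["From"])[1])
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += link_findings(body.get_content())
    return findings
```

Running `check_message(SAMPLE_EML)` reports both the look-alike sender domain and the mismatched link; a message from a listed domain whose link text and href agree produces no findings.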

A prepared team and the technical layers

Phishing isn’t solved by buying a program, because its target is your employees, not your network. What helps most is a team that knows what to look for: talk openly about real cases, show an example that actually landed in your inbox, and make reporting a suspicious message an ordinary act rather than something embarrassing. A team member who asks whether a message is clean before clicking is the cheapest security mechanism you have.

On top of your people you place a few technical layers that catch what gets through. An email filter stops a good share of messages before they reach anyone. Two-factor authentication means a stolen password is no longer enough for an attacker to get into the account. And a clear response plan for the moment someone does click anyway (who to notify, which accounts to change, what to check) turns panic into procedure.

Where we come in

We set up the technical layers (the email filter, two-factor authentication, monitoring) and we help the team recognize these messages, using concrete examples. And if it happens anyway, the response plan is written ahead of time, not improvised on the day of the incident. It starts with a free on-site audit: we look at where your company stands right now with email, passwords, and access, and you leave with a clear list of what needs fixing.

THE NEXT STEP

Start with a security audit.

We go through backup, data access, and workstation and network protection, and show you the real risks. Free, with no obligation.