How to Spot a Phishing Email in 2025 – with Real Examples and Red Flags

Despite growing awareness and increasingly sophisticated security tools, phishing is still one of the most persistent and pernicious threats of the modern age: according to Proofpoint’s 2024 State of the Phish report, 86% of organisations experienced a phishing attempt last year and over 70% suffered a successful compromise due to human error.

Phishing is also the most prevalent form of attack: the UK government’s Cyber Security Breaches Survey 2025 found that phishing accounted for 93% of all cyber crime in the UK.

So why is phishing so effective? Simply because it exploits the weakest link in any cyber security setup: people. Phishing attacks are designed to manipulate people into giving up sensitive information, clicking malicious links or downloading dangerous attachments.

But while phishing tactics are evolving, so are the ways we can identify and mitigate them. This guide walks you through the most common red flags, updated for 2025 with real examples to help you stay vigilant.


Quick phishing checklist: is this email a scam?

Answering “yes” to any of the questions below is a sign the email may be fraudulent.

Sender clues

  • Is it from a public domain (e.g. @gmail.com) but pretending to be from a company?
  • Is the domain slightly misspelled (e.g. amaz0n.com)?
  • Does it differ from how that organisation normally emails you?

Content and tone

  • Are there spelling or grammatical errors?
  • Does it urge immediate action (e.g. “Act now”, “Your account will be closed”)?
  • Is the tone inconsistent with the sender’s usual communication style?

Links and attachments

  • Does the link URL differ from the anchor text?
  • Is there an unexpected attachment?
  • Are the call-to-action buttons vague (e.g. “Click here”, “Log in now”)?

Security pressure

  • Does it ask for personal information or passwords?
  • Are you asked to bypass company protocols?
  • Does it threaten negative consequences if you don’t comply?

If so, do not click, and always verify through a known, trusted contact method.


Let’s look at those points in more detail.

1. The sender uses a public or suspicious email domain

Legitimate organisations don’t email you from public webmail addresses, such as ones ending in ‘@gmail.com’.

Not even Google.

Except for some small operations, most companies will have their own email domain and email accounts. For example, genuine emails from Google will read ‘@google.com’.

If the domain name (the bit after the @ symbol) matches the apparent sender of the email, the message is probably legitimate.

By contrast, if the email comes from an address that isn’t affiliated with the apparent sender, it’s almost certainly a scam.

However, it’s not always immediately obvious that a domain isn’t legitimate: some 85% of users open emails on their smartphones, where inboxes show only names rather than email addresses.

Tip: Always tap or hover over the sender name to reveal the full address.

2. The domain name is slightly altered

There’s another clue hidden in domain names that provides a strong indication of phishing scams – unfortunately, it complicates our previous clue.

The problem is that anyone can buy a domain name from a registrar. And although every domain name must be unique, there are plenty of ways to create addresses that are indistinguishable from the one that’s being spoofed.

For example, in early 2025, a campaign imitating Microsoft Teams used micros0ft-teams.net and tricked users into entering their credentials on fake login portals.

These domains exploit quick-glance habits. Just one character difference can deceive even careful readers.

Remember, criminal hackers only require one mistake from one employee for their operation to be a success. Everyone in your organisation must be confident in their ability to spot a scam upon first seeing it.
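The two domain checks above (a public webmail domain posing as a company, and a lookalike domain built from swapped characters such as amaz0n.com or micros0ft-teams.net) are easy to automate in a mail-gateway rule or a triage script. The following Python is an added example written for this article, not code from IT Governance or from any vendor product. The public-domain list, the brand list, the digit-for-letter table and the sample From: headers are all constructed assumptions, and it treats the last two labels of a domain as the registrable part, a simplification that a real deployment would replace with a public suffix list.

```python
"""Sender-domain red flags: public webmail posing as a company, and lookalike
domains built from swapped characters (amaz0n.com, micros0ft-teams.net).
Added example for this article; all lists and sample headers are constructed."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Free webmail domains a company should not send official mail from (assumed list)
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Domains of the brands this inbox expects mail from (assumed list; extend per organisation)
KNOWN_BRANDS = {"google.com", "microsoft.com", "amazon.com", "chase.com"}

# Digit-for-letter swaps that look alike at a glance; normalising them lets
# amaz0n compare equal to amazon
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def split_address(from_header):
    """Return (display name, local part, domain), lowercased; domain is '' if unparseable."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return display.lower(), "", ""
    local, domain = addr.rsplit("@", 1)
    return display.lower(), local.lower(), domain.lower()


def brand_label(domain):
    """'microsoft' from 'microsoft.com' (simplification: assumes a one-label public suffix)."""
    return domain.split(".")[-2]


def normalise(label):
    """Collapse look-alike digits and separators so visual twins compare equal."""
    return re.sub(r"[-_]", "", label.translate(HOMOGLYPHS))


def check_sender(from_header):
    """Return the red flags found for one From: header (an empty list means none)."""
    display, local, domain = split_address(from_header)
    if not domain:
        return ["unparseable sender address"]
    if domain in KNOWN_BRANDS:
        return []                      # exact match with an expected brand domain
    brands = {brand_label(b): b for b in sorted(KNOWN_BRANDS)}
    flags = []
    if domain in PUBLIC_DOMAINS:
        flags.append(f"sent from public webmail domain {domain}")
        # a brand name in the display name or mailbox is the 'Google via gmail.com' pattern
        for label in brands:
            if label in display or label in local:
                flags.append(f"claims to be {label} but uses {domain}")
        return flags
    parts = domain.split(".")
    if len(parts) < 2:
        return ["domain has no top-level domain"]
    norm = normalise(parts[-2])        # e.g. 'microsoftteams' from 'micros0ft-teams.net'
    for label, brand in brands.items():
        if norm == label:
            flags.append(f"lookalike of {brand}: {domain}")
        elif label in norm:
            flags.append(f"brand name {label} embedded in unrelated domain {domain}")
        elif SequenceMatcher(None, norm, label).ratio() >= 0.85:
            flags.append(f"near-miss spelling of {brand}: {domain}")
    return flags


if __name__ == "__main__":
    # constructed sample headers, modelled on the patterns described in the article
    for header in ["Google Support <support@gmail.com>",
                   "Microsoft Teams <no-reply@micros0ft-teams.net>",
                   "Amazon Orders <alerts@amaz0n.com>",
                   "IT Helpdesk <it@microsft.com>",
                   "Google Ads <billing@google.com>"]:
        print(header, "->", check_sender(header) or ["no sender flags"])
```

The similarity threshold of 0.85 catches a single dropped or swapped letter in a brand name without flagging every unrelated domain; tune it against your own mail volume, and remember that a sender domain which passes these checks can still be spoofed unless SPF, DKIM and DMARC are enforced.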

3. The email is poorly written

Although phishing emails are generally better written nowadays thanks to generative AI, many still reveal themselves with misspellings and awkward phrasing.

Many scammers are from non-English-speaking countries and backgrounds where they have limited access to, or opportunity to learn, the language.

When crafting phishing messages, they’ll therefore use a spellchecker or a machine translation tool, giving them all the right words but not necessarily in the right context.

That’s not to say any email with a mistake is a scam, however. Everyone makes typos from time to time, especially when they’re in a hurry.

It’s the recipient’s responsibility to look at the context of the error and determine whether it’s a clue to something more sinister. You can do this by asking:

  • Is it a common sign of a typo (like hitting an adjacent key)?
  • Is it a mistake a native speaker shouldn’t make (grammatical incoherence, words used in the wrong context)?
  • Is this email a template which should have been crafted and copy-edited?
  • Is it consistent with previous messages I’ve received from this person?

If you’re in any doubt, look for other clues that we’ve listed here or contact the sender using another line of communication, whether in person, by phone, via their website, an alternative email address or through an instant message client.

4. It includes malicious attachments or links

Phishing emails come in many forms. We’ve focused on emails in this article, but you might also get scam text messages, phone calls or social media posts.

But no matter how phishing emails are delivered, they all contain a payload. This will either be an infected attachment you’re asked to download or a link to a bogus website.

The purpose of these payloads is to capture sensitive information, such as login credentials, credit card details, phone numbers and account numbers.

Malicious links

In January 2025, scammers posed as Chase Bank with emails linking to chase-secure-login.com, stealing banking credentials from unsuspecting users.

Hover over or hold down on all links before clicking.

Infected attachments

Phishing attachments often appear as invoices or tax documents. In March 2025, an IRS-themed scam used ZIP files with embedded malware.

If you weren’t expecting a file, don’t open it. And definitely don’t enable macros unless you’ve confirmed the source.
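The link and attachment checks in this section (anchor text that names one domain while the href points to another, vague “click here” buttons, links to a bare IP address, and file types that commonly carry malware) can be applied to a message before anyone opens it. The Python below is an added example written for this article, not code from IT Governance or any vendor; the risky-extension list, the call-to-action phrases and the sample message are constructed assumptions, and the registrable-domain helper again uses the last two labels as a simplification.

```python
"""Link and attachment red flags in an email: anchor text that names one
domain while the href points to another, vague calls to action, bare-IP
links, and attachment types that commonly carry malware.
Added example for this article; the sample message is constructed."""
import os
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should prompt verification before opening (assumed list)
RISKY_EXTENSIONS = {".zip", ".exe", ".js", ".vbs", ".iso", ".lnk", ".docm", ".xlsm", ".html"}
VAGUE_CTA = {"click here", "log in now", "verify now"}
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_in_text(text):
    """First domain-looking token in the visible link text, or '' if there is none."""
    match = DOMAIN_RE.search(text)
    return match.group(1).lower() if match else ""


def registrable(host):
    """Last two labels (simplification: a public suffix list is needed for co.uk etc.)."""
    return ".".join(host.split(".")[-2:])


def check_links(html):
    """Red flags for the links in an HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        shown = domain_in_text(text)
        if shown and target and registrable(shown) != registrable(target):
            flags.append(f"link text shows {shown} but points to {target}")
        elif not shown and text.lower() in VAGUE_CTA:
            flags.append(f"vague call to action '{text}' pointing to {target}")
        if IP_RE.fullmatch(target):
            flags.append(f"link points to a bare IP address {target}")
    return flags


def check_attachments(msg):
    """Red flags for attachment names on an EmailMessage."""
    flags = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            flags.append(f"risky attachment {name}")
    return flags


def analyse(msg):
    """Combine link and attachment checks for one parsed message."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return check_links(html) + check_attachments(msg)


def build_sample():
    """A constructed message modelled on the patterns described above (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "Chase Alerts <alerts@chase-secure-login.com>"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Please verify your account.")
    msg.add_alternative(
        '<p>Please visit <a href="https://chase-secure-login.com/verify">www.chase.com</a>\n'
        'to verify, or <a href="http://198.51.100.7/x">click here</a>.</p>',
        subtype="html")
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="Tax_Document_2025.zip")
    return msg


if __name__ == "__main__":
    for flag in analyse(build_sample()):
        print(flag)
```

To run it against real mail, replace build_sample() with email.message_from_bytes(raw, policy=email.policy.default) on a saved .eml file; the checks only read headers, body and attachment names, so nothing is opened or executed.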

5. The message creates urgency or fear

Scammers play on panic. The longer you think about something, the more likely you are to notice things that don’t seem right. That’s why so many scams request that you act now, or else it will be too late.

Criminals know that we’re likely to drop everything if there’s apparently a problem with a critical service or if our boss emails us with a vital request – especially when other senior colleagues are supposedly waiting for us.

Some examples seen in recent months:

  • “Your Google Ads will be paused in 15 minutes – confirm billing now.”
  • “Internal policy breach – click here to resolve before HR escalates.”
  • “Your parcel is being returned – reschedule delivery within 30 minutes.”

This tactic pushes people to act before thinking critically.

Train your team to spot the threats

According to IBM’s Cost of a Data Breach Report 2024, phishing-related breaches now cost organisations $5.1 million (£3.8 million) on average – the highest among all attack vectors.

The best defence is continuous education. Phishing awareness training helps your team recognise subtle red flags before it’s too late.

Regular staff awareness training will ensure that employees know how to spot a phishing email, even as fraudsters’ techniques become increasingly advanced.

It’s only by reinforcing advice on avoiding scams that your team can develop good habits and detect signs of a phishing email as second nature.

With our Phishing Staff Awareness Training Programme, these lessons are straightforward.

The online subscription course explains everything you need to know about phishing and is updated each month to cover the latest scams.


A version of this blog was originally published on 16 March 2018.

The post How to Spot a Phishing Email in 2025 – with Real Examples and Red Flags appeared first on IT Governance Blog.
