Email Security

How to Identify and Avoid Phishing Emails

Learn how to spot phishing emails, understand modern AI-powered attack techniques, and protect yourself and your business from credential theft and business email compromise.

Protect Your Email

33%of SMB breaches start with stolen credentials

$2.9Blost to BEC attacks in the US (FBI)

81%of ransomware starts with phishing

AInow powers hyper-personalised phishing

The 7 Signs of a Phishing Email

Urgency and Pressure

Phishing emails create artificial urgency to make you act before thinking.

"Your account will be suspended in 24 hours"
"Immediate action required — security breach detected"
"This invoice is overdue — pay immediately to avoid legal action"

Real messages rarely threaten immediate consequences. Legitimate services give you days or weeks to respond.

Mismatched Sender Address

The display name might say one thing, but the actual email reveals the truth.

[email protected] (Legitimate)
[email protected] (Phishing)
[email protected] (Legitimate)
[email protected] (Phishing)

Always check the actual email address, not just the display name. On mobile, tap the sender name to reveal the full address.

Suspicious Links

Hover over any link (without clicking) to see where it actually goes.

Link text says microsoft.com but URL goes to microsoft-security-verify.com
Shortened URLs (bit.ly, tinyurl.com) that hide the destination
Misspelled domains: microsft.com, paypa1.com, arnazon.com

Golden rule: Never click a link in an email to log into a service. Type the website address directly in your browser.

Unexpected Attachments

Be suspicious of attachments you did not expect, especially:

.exe, .scr, .bat, .cmd — executable files (never open from email)
.zip, .rar, .7z — compressed archives (often contain malware)
.docm, .xlsm — Office files with macros (can run malicious code)
.html, .htm — web pages that open fake login forms

Generic Greeting

Mass phishing emails use generic greetings because the attacker does not know your name:

"Dear Customer" / "Dear User" / "Dear Account Holder"

Legitimate services that have your account usually address you by name.

Grammar and Formatting Issues

Unusual phrasing or awkward sentence structure
Inconsistent formatting (mixed fonts, sizes, or colours)
Blurry logos or missing footer text

AI-generated phishing in 2026 is often grammatically perfect. Do not rely on grammar alone — always verify sender address and link destinations.

Request for Sensitive Information

No legitimate company will ask you to:

Email your password
Send your credit card number via email

Share MFA codes via email or text
Download and run a file to verify your account

Modern Phishing Techniques (2026)

AI-Powered Phishing

Scrapes LinkedIn and social media to personalise messages
Mimics writing styles of specific people in your organisation
References real projects, meetings, or events
Generates convincing replies in email threads (conversation hijacking)

Business Email Compromise (BEC)

The attacker compromises or spoofs an executive's email, then sends urgent wire transfer requests to the finance team. No malware involved — just social engineering.

BEC caused $2.9 billion in losses in the US alone (FBI Internet Crime Report).

QR Code Phishing (Quishing)

Attackers embed QR codes in emails or printed materials that link to phishing sites. QR codes bypass link-scanning tools because the URL is not visible as text.

Multi-Channel Phishing

Teams or Slack messages impersonating IT support
Phone calls claiming to be from Microsoft or your bank
SMS messages with malicious links
Calendar invites with phishing links in the description

What to Do If You Receive a Suspicious Email

For Individuals

Do not click any links or open any attachments
Do not reply to the email
Report it: In Outlook, click Report > Report phishing
Delete it after reporting
If you already clicked, change your password immediately and enable MFA

For Businesses

Report it to your IT team or security provider
Do not forward the email to colleagues (this spreads the risk)
If someone clicked, initiate your incident response process
Check if other users received the same email using message trace
Block the sender domain in your email filtering

Technical Protections for Businesses

Email Authentication (Prevents Spoofing)

Protection	What It Does
SPF	Verifies the sender's server is authorised to send email for the domain
DKIM	Cryptographically signs emails to prove they have not been tampered with
DMARC	Blocks emails that fail SPF/DKIM checks — the final enforcement layer

Microsoft 365 Protections

Safe Links

Scans URLs at click time and blocks malicious destinations in real time.

Safe Attachments

Detonates attachments in a sandbox before delivery to detect malware.

Anti-Phishing Policies

Detects impersonation of executives and domains automatically.

Attack Simulation

Sends simulated phishing to test and train employee awareness.

MFA is your safety net. Even if a user enters their password on a phishing site, the attacker cannot access the account without the second factor. For the strongest protection, use phishing-resistant MFA (passkeys or FIDO2 security keys).

Phishing Response Checklist

If a user reports they clicked a phishing link and entered credentials, follow these steps immediately:

Reset their password immediately
Revoke all sessions to force re-authentication
Check for inbox rules — attackers create rules to hide their activity
Check for mail forwarding — attackers add external forwarding addresses
Check OAuth app consents — attackers register malicious apps
Review sign-in logs — look for logins from unfamiliar locations
Notify affected parties if the attacker sent emails from the compromised account

Key Takeaways

Never click links in emails to log into services — type the URL directly

Always check the sender address, not just the display name

Hover over links before clicking to see the real destination

Report suspicious emails — every report helps your filters improve

Enable MFA — your strongest defence even if a password is compromised

AI makes phishing harder to spot — verify through multiple indicators, not grammar alone

Protect Your Business From Phishing

CyberITEX provides enterprise-grade email security for small businesses — including SPF/DKIM/DMARC configuration, Microsoft Defender for Office 365 setup, phishing simulation training, and 24/7 incident response.

Email Security Services Free Email Security Assessment

Get Security Insights Delivered

One email per month with our best articles. No spam.