Phishing Emails
Phishing is a fake message — usually email — designed to trick you into clicking a bad link, opening a harmful attachment, entering your password, or paying or sending something. It is the most common way attackers get into companies. The good news: once you know the warning signs, most phishing is easy to spot. When you are unsure, you can always check.
Phishing works by pressure and disguise. The message pretends to be someone you trust — a bank, a supplier, IT, a delivery company, even your own CEO — and pushes you to act fast before you think: "your account will be closed", "urgent invoice", "the boss needs this now". The aim is to get you to click, log in on a fake page, or send money or data.
You don't have to be certain a message is fake to be safe — you only have to slow down and verify. Check the real sender address, hover over links before clicking, and if anything is off, report it. A genuine sender will never mind you taking a moment to confirm.
Spot the signs
- Do: Be suspicious of urgency, threats, or pressure to act immediately — it's the most common trick to stop you thinking.
- Do: Check the real sender address, not just the display name — hover or tap to reveal it, and look for odd or look-alike domains.
- Do: Hover over a link to see where it really goes before clicking; if the address looks unrelated or strange, don't click.
- Do: Be wary of unexpected attachments, requests for passwords or codes, requests to pay or change bank details, and messages that don't quite sound right.
- Always: Verify any request to pay money, change payment details, or share sensitive data through a separate, trusted channel — phone the person on a known number — before acting.
From: IT Support
Subject: [URGENT] Your mailbox will be deactivated today
Dear user,
We detected a problem with your account. You must verify
your password within 2 hours or lose access permanently.
>> Verify now: http://finperiti-account-check.info/login
IT Support
The tells: a misspelled look-alike sender domain (f1nperiti-secure.com, with a double 'o' in support), pressure and a deadline, a link to an unrelated address, and a request to "verify your password". Real IT will never ask for your password. Do not click — report it.
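The same tells can be checked mechanically, which is what a mail gateway or a reporting tool does before a human looks at the message. The script below is an added example and is not part of the original page or any product it describes: it parses a message, compares the real sender address with an assumed organisation domain (the placeholder `TRUSTED_DOMAIN`), flags look-alike domains by edit distance to the brand name (so `f1nperiti` is caught), lists links that go somewhere unrelated, and looks for pressure and password-request wording. The sample message is constructed from the page's example; its From: address is an assumption built from the page's description of the look-alike domain with a doubled 'o' in "support", and the benign message is constructed for contrast.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's genuine domain (placeholder, not from the page).
TRUSTED_DOMAIN = "finperiti.com"
BRAND = TRUSTED_DOMAIN.split(".")[0]  # "finperiti"

# Wording that pushes the reader to act before thinking, and wording that asks for secrets.
URGENCY_PHRASES = ("urgent", "immediately", "within 2 hours", "today",
                   "permanently", "deactivated", "lose access")
CREDENTIAL_PHRASES = ("verify your password", "enter your password",
                      "confirm your password", "mfa code", "verification code")

# Constructed sample based on the page's example. The From: address is an assumption
# built from the page's description (look-alike domain, double 'o' in "support").
SAMPLE_EMAIL = """From: IT Support <it-suppoort@f1nperiti-secure.com>
To: someone@finperiti.com
Subject: [URGENT] Your mailbox will be deactivated today

Dear user,
We detected a problem with your account. You must verify
your password within 2 hours or lose access permanently.
>> Verify now: http://finperiti-account-check.info/login
IT Support
"""

# Constructed benign message for contrast: genuine domain, no pressure, no links.
BENIGN_EMAIL = """From: Helpdesk <helpdesk@finperiti.com>
To: someone@finperiti.com
Subject: Planned maintenance on Saturday

Hi all, the file server will be offline on Saturday from 09:00 to 11:00.
No action is needed.
Helpdesk
"""


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host):
    """True for the organisation's domain or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def looks_like_brand(host):
    """True when any label of the host is within one edit of the brand name but the
    host is not actually under TRUSTED_DOMAIN (e.g. f1nperiti-secure.com).
    A distance of 1 suits brand names of several characters; tune for short brands."""
    if not host or is_trusted(host):
        return False
    labels = re.split(r"[.\-]", host.lower())
    return any(edit_distance(label, BRAND) <= 1 for label in labels)


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    findings = []

    # 1. Real sender address, not the display name.
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if sender_host and not is_trusted(sender_host):
        findings.append(f"sender address is outside {TRUSTED_DOMAIN}: {addr} "
                        f"(display name '{display}')")
    if looks_like_brand(sender_host):
        findings.append(f"sender domain imitates {BRAND}: {sender_host}")

    # 2. Pressure and password requests in subject + body (whitespace collapsed
    #    so phrases split across a line break still match).
    body = msg.get_content()
    text = " ".join(f"{msg.get('Subject', '')}\n{body}".lower().split())
    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        findings.append("pressure/urgency language: " + ", ".join(urgent))
    creds = [p for p in CREDENTIAL_PHRASES if p in text]
    if creds:
        findings.append("asks for credentials: " + ", ".join(creds))

    # 3. Where the links really go.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if not is_trusted(host):
            tag = "look-alike" if looks_like_brand(host) else "unrelated"
            findings.append(f"link to {tag} domain: {url}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(f"{name}: {len(analyse(raw))} finding(s)")
        for line in analyse(raw):
            print("  -", line)
```

Each finding maps to one item in "Spot the signs": the sender check, the look-alike domain, the link destination, and the pressure and password wording. The benign message produces no findings, which is the useful baseline: a tool like this is meant to surface the suspicious minority for a human decision, not to replace the verification step the page describes.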
When you get one
- Do: Report suspected phishing using the report button / to security — even if you're not sure, and even if you already clicked.
- Do: If you clicked or entered your password, change it immediately and tell security straight away — fast reporting limits the damage (see Report It).
- Do not: Reply to the message, click "unsubscribe" on a suspect email, or forward it to colleagues to ask — report it instead.
- Never: Enter your password or an MFA code on a page you reached by clicking a link in an unexpected message.
- Never: Act on an email asking you to move money or change bank/payment details without verifying it by phone on a number you already trust.
Ask yourself
- Ask: Am I being rushed, threatened, or pressured to act fast?
- Ask: Is the real sender address genuine, and does the link go where it claims?
- Ask: Is it asking for a password, a code, money, or a change to payment details? Then verify another way first.