How to Spot a Phishing Email Before It Hooks You
Let’s face it: email is still the Wild West. No matter how experienced you are, all it takes is one convincing message at the wrong moment to catch even the most seasoned professional off guard.
And phishing emails? They’re not just sloppy scams written in broken English anymore. These days they’re polished, well-branded, and designed to look like they came from someone you trust. Sometimes they do come from someone you trust — if their account’s been compromised.
Hackers try to trick you into clicking a link that takes you to a login page dressed up to look like your bank, Microsoft account, or cloud storage provider — but it’s not. It’s a fake site designed to steal your username and password.
But you don’t need a computer science degree to spot the red flags. Here are a few things to check before you click.
Check the sender’s email address, not just the name
It’s easy to make an email look like it came from “Microsoft Support” or “HR Department.” But the real sender is often hiding in plain sight.
Hover over the sender’s name and look at the full email address. If it’s something like [email protected] or [email protected], you’re staring at a red flag. Big companies don’t send email from strange or misspelled domains.
Hover over links before you click
This is one of the easiest ways to avoid getting hooked. Just hover (don’t click it yet!) and check the web address that pops up — usually in the bottom-left of your screen.
If the email says “Click here to log in to your bank,” but the link points to something like http://weirdsite.ru/login, you know it’s bad news.
But here’s the sneaky part: even if the text of the link says www.yourbank.com, that doesn’t mean that’s where it actually goes. Hackers can disguise the visible link while sending you somewhere malicious. The hover preview shows you the real destination. Always go by that, not what the link says.
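The two checks above (the real sender address behind a friendly display name, and the real link destination behind the visible link text) are exactly what a mail filter or a help-desk triage script automates. The script below is an added example written for this page, not code from the newsletter: it parses a raw email, compares the From display name against the address domain using a small brand-to-domain allow-list, and compares each link’s visible text against its actual href host. The brand list, the sample message and every domain in it are constructed for illustration.

```python
"""Flag the two phishing tells above in a raw email message: a display name
that name-drops a brand the sender's domain does not back up, and links whose
visible text names one site while the href goes to another.
Added example; allow-list, sample message and domains are constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands we only expect to hear from via these domains (constructed
# allow-list; a real deployment maintains its own).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "yourbank": {"yourbank.com"},
}


def sender_findings(from_header):
    """Compare the display name with the domain of the real address."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in name.lower():
            continue
        # exact match or a true subdomain; "brand.com.evil.example" fails
        if not any(domain == d or domain.endswith("." + d) for d in allowed):
            findings.append(
                f"display name mentions '{brand}' but address domain is '{domain}'")
    return findings


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Hostname if text is a URL or bare domain (www.x.com), else None."""
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host and "." in host else None


def link_findings(html_body):
    """Flag anchors whose visible text names a different host than the href."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append(f"link text shows '{shown}' but goes to '{real}'")
    return findings


def check_message(raw):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = sender_findings(msg["From"] or "")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += link_findings(body.get_content())
    return findings


# Constructed sample: a "Microsoft" display name on an unrelated domain, and a
# link that reads www.yourbank.com but points elsewhere.
SAMPLE = """From: "Microsoft Support" <alerts@account-verify.example>
To: you@example.com
Subject: Your account will be locked in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Click <a href="http://weirdsite.example/login">www.yourbank.com</a> to restore access.</p>
<p>Questions? See <a href="https://www.yourbank.com/help">our help page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("FLAG:", finding)
```

Run it as-is and it prints one flag per tell in the constructed sample. Plain-text links (“Click here”) produce no finding, because only anchor text that itself looks like a domain can contradict the href; that is the case the hover tip is about.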
Watch for urgent or threatening language
Phishing emails love drama. “Your account will be locked in 24 hours!” or “URGENT: Payroll issue—action required immediately.”
When a message tries to rush you, that’s your cue to slow down. Real companies don’t use threats or panic tactics. If something seems urgent, skip the link and go directly to the company’s official website to check for alerts.
Does it look too perfect? Or oddly off?
Sometimes everything looks almost right, but not quite perfect. The logo’s blurry. The formatting’s weird. There’s a “Dear Joesplumbing” instead of “Dear Customer.”
Or maybe it’s an email from “Joesplumbing IT Support” when you normally just talk to Jake down the hall. Phishers often recycle real content, but the details are usually just a bit off. If it feels weird, it probably is.
Think twice before entering your password
Even if you do click a link, don’t immediately enter your login. These fake pages can be incredibly convincing.
The safest move? Close the email, type the company’s URL directly into your browser, and log in that way. If it’s legit, you’ll see the alert once you're in. If it’s not—crisis averted.
Never. Open. The. Attachments.
Attachments are a classic phishing tool and they’re still wildly effective. That unexpected PDF from a coworker could contain malware. That “invoice” or “resume” from a stranger? Also malware.
Unless you’re expecting a file — and you know exactly who it’s from — don’t open it. And never enable macros in a downloaded document unless you enjoy turning your computer into a malware fountain. (Spoiler: you don’t.)
Even if it’s from someone you know, stay alert
Some of the most convincing phishing emails come from real people you know — a vendor, a coworker, even your boss. But just because the name and email address check out doesn’t mean the message is legit.
Hackers often gain access to real accounts (usually through phishing) and use them to send perfectly normal-looking messages, asking you to download a file, approve a wire transfer, or use a new ACH account for an invoice payment.
If anything feels even slightly off—especially when it involves money, login credentials, or urgency—pause and investigate. Maybe it came in at 2:15 a.m. Maybe the bright and bubbly coworker now sounds cold and direct.
And no, your boss is not asking you to run to Target and buy a stack of gift cards for “urgent team rewards.” But that’s a surprisingly common scam that still works.
When in doubt, don’t reply. Pick up the phone. A 60-second call can prevent a five-figure mistake and hours of cleanup.
When in doubt, don’t click
Phishing thrives on speed, emotion, and distraction. You're busy, your inbox is full, and you're just trying to get through it all. But a little pause goes a long way.
And if you do spot a phishing email — don’t just delete it. Report it. Most organizations have an internal way to flag suspicious messages (like forwarding it to your IT team or a button on your company email app). If it’s a personal account, you can report phishing directly to your email provider. Reporting helps protect others, shuts down bad actors faster, and improves spam filters across the board.
Take a breath. Check the sender. Hover over links. Trust your instincts.
Phishing Defense in 5 Steps
Check the sender: Hover over the name and inspect the full email address.
Hover over links: Look where they really go. Don’t trust the text.
When in doubt, go direct: Open a new tab and type the official site URL yourself.
Don’t open random attachments: Especially if you weren’t expecting them.
If it feels weird, pick up the phone: Call the sender and double-check. They would rather tell you they didn’t send that email than hear you got hacked.
CybersecuriTea is a free, plain-English guide to digital safety, designed for families, friends, and the folks you love. Subscribe today and get weekly tips to help keep your digital life secure.
Issue #12