How to Spot a Phishing Email
Why phishing still works
Phishing emails are designed to make a normal person act quickly before they think. They often pretend to be from a bank, Microsoft 365, a courier, the ATO, a supplier, or even someone inside your own business.
The goal is usually one of three things:
- Steal your password
- Trick you into paying a fake invoice
- Get you to open malware or a remote-access tool
Common warning signs
Check for these before clicking a link or opening an attachment:
| Warning sign | What to look for |
|---|---|
| Urgency | "Your account will be closed today" or "payment failed" |
| Unusual sender | The display name looks right, but the address behind it is wrong, or the Reply-To points somewhere else |
| Strange links | The real destination (shown on hover) is a domain that does not match the company, or is a shortened link that hides where it goes |
| Unexpected files | ZIP, HTML, OneNote, or macro-enabled Office attachments |
| Payment changes | New bank details, gift cards, or urgent transfer requests |
| Poor fit | The message does not match how that company normally contacts you |
How to check links safely
Hover over a link before clicking and read the address that appears, not the words of the link itself. On mobile, long-press the link to preview the address. Read the address from the right: the registered name is the last part (microsoft.com, ato.gov.au), and everything to the left of it is chosen by whoever owns that name, so login.microsoft.com.verify-account.example belongs to verify-account.example, not to Microsoft. If the address is shortened, misspelled, or unrelated to the sender, do not open it.
For Microsoft 365 sign-in pages, the address bar should show login.microsoftonline.com (login.live.com for personal accounts) before you enter credentials. Attackers often copy the Microsoft login screen exactly, so the look of the page proves nothing; only the address does.
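The checks above, written out as an added Python example (not code from the original article): it reduces a link's host to the registered name, compares it with the domain the email claims to be from, and flags the common tricks (subdomain lookalikes, an `@` hiding the real host, bare IP addresses, punycode names, link shorteners). The suffix list is a small constructed subset of the Public Suffix List, and every sample URL is constructed; the two Microsoft sign-in hosts listed are real.

```python
"""Lookalike-link checker (added example; not code from the original article).

Assumptions: MULTI_LABEL_SUFFIXES is a constructed subset of the Public Suffix
List, and every URL in SAMPLES is constructed. MICROSOFT_LOGIN_HOSTS are the real
sign-in hosts for work/school and personal Microsoft accounts.
"""
from urllib.parse import urlsplit

# Constructed subset; real tooling should use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk"}

# Real Microsoft sign-in hosts: work/school accounts and personal accounts.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Link shorteners hide the destination; expand them before judging.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part somebody actually registered.

    login.microsoftonline.com.evil.example -> evil.example
    www.ato.gov.au                         -> ato.gov.au
    Everything left of that is a subdomain the owner can set freely,
    which is exactly what lookalike links abuse.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    return ":" in host or host.replace(".", "").isdigit()


def check_link(url: str, expected_domain: str) -> dict:
    """Return the host, its registered name, and the reasons not to click."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # http://bank.example@evil.example/ : browsers go to evil.example
        reasons.append("'@' in the URL; the real host is the part after it")
    if not host:
        reasons.append("no host in URL")
    elif is_ip_literal(host):
        reasons.append(f"bare IP address {host} instead of a company domain")
    elif host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host; may be a look-alike of a real name")

    reg = "" if not host or is_ip_literal(host) else registrable_domain(host)
    if reg in SHORTENERS:
        reasons.append(f"shortened link via {reg}; destination is hidden")
    elif reg and reg != expected_domain.lower():
        reasons.append(f"host {host} is owned by {reg}, not {expected_domain}")

    return {"host": host, "registrable_domain": reg,
            "reasons": reasons, "safe_to_click": not reasons}


def is_microsoft_sign_in(url: str) -> bool:
    """True only for an HTTPS page on a real Microsoft sign-in host.

    A pixel-perfect copy of the sign-in form on any other host is a phish.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "") in MICROSOFT_LOGIN_HOSTS


# Constructed sample links of the kinds seen in phishing email.
SAMPLES = [
    ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize", "microsoftonline.com"),
    ("https://login.microsoftonline.com.account-verify.example/", "microsoftonline.com"),
    ("http://microsoftonline.com@198.51.100.7/login", "microsoftonline.com"),
    ("https://bit.ly/3abcXYZ", "microsoftonline.com"),
    ("https://www.ato.gov.au/", "ato.gov.au"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        result = check_link(url, expected)
        status = "OK  " if result["safe_to_click"] else "STOP"
        print(f"{status} {url}")
        for reason in result["reasons"]:
            print(f"       - {reason}")
```

Only the ATO link and the first Microsoft link pass; the others are stopped for the specific reason printed, which is the same reasoning a person should apply when reading the hovered address by hand.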
What to do if you are unsure
Do not reply to the suspicious email. Contact the company using a known phone number or website, not the details inside the email.
If the email claims to be from a colleague or supplier asking for payment changes, verify it by phone before paying.
If you already clicked
Act quickly:
- Change the affected password from a trusted device.
- Enable multi-factor authentication if it is not already enabled.
- Sign out of all sessions for that account.
- Run a malware scan if you downloaded or opened a file.
- Tell your IT support provider so they can check for new inbox rules, mail forwarding, unfamiliar sign-ins, and any apps or devices recently granted access to the account.
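What that IT check looks like in practice, as an added Python example (not code from the original article): it reviews inbox rules for the patterns attackers create to hide their activity (near-empty names, forwarding outside the organisation, deleting mail, parking finance-related mail in folders nobody reads) and compares sign-ins after the click with the countries the user normally signs in from. The organisation domain, the rule records and the sign-in records are constructed, and the field names are simplified rather than any product's exact export format.

```python
"""Post-click mailbox triage (added example; not code from the original article).

Assumptions: ORG_DOMAIN, INBOX_RULES, SIGN_INS and CLICK_TIME are constructed
for the example; the record fields are simplified, not a real export schema.
"""
from datetime import datetime

ORG_DOMAIN = "example.com.au"  # constructed: the business's own mail domain

# Folders attackers use to park mail the victim will not look at.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "deleted items", "junk email"}
# Subject filters typical of business-email-compromise rules.
BEC_WORDS = {"invoice", "payment", "bank", "remittance", "password",
             "phish", "phishing", "suspicious", "hacked"}

# Constructed inbox rules. The second and third are the kind an attacker adds.
INBOX_RULES = [
    {"name": "Client newsletters", "enabled": True,
     "subject_contains": ["newsletter"], "move_to_folder": "Newsletters",
     "forward_to": [], "delete": False},
    {"name": ".", "enabled": True,
     "subject_contains": ["invoice", "payment", "bank"],
     "move_to_folder": "RSS Feeds", "forward_to": [], "delete": False},
    {"name": "Backup", "enabled": True, "subject_contains": [],
     "move_to_folder": None,
     "forward_to": ["mailbox.backup@archive-sync.example"], "delete": True},
]

# Constructed sign-in records (timestamp, source, outcome).
SIGN_INS = [
    {"time": "2024-05-01T08:02:00Z", "ip": "203.0.113.10", "country": "AU", "result": "success", "app": "Outlook"},
    {"time": "2024-05-03T09:15:00Z", "ip": "203.0.113.10", "country": "AU", "result": "success", "app": "Outlook"},
    {"time": "2024-05-03T09:41:00Z", "ip": "198.51.100.77", "country": "NG", "result": "success", "app": "Exchange Online"},
    {"time": "2024-05-03T09:45:00Z", "ip": "198.51.100.77", "country": "NG", "result": "failure", "app": "Exchange Online"},
]
CLICK_TIME = "2024-05-03T09:30:00Z"  # when the user says they entered the password


def review_inbox_rule(rule: dict) -> list:
    """Return the reasons a rule looks attacker-made (empty list = nothing odd)."""
    reasons = []
    if not rule["enabled"]:
        return reasons
    if len(rule["name"].strip()) <= 2:
        reasons.append("near-empty rule name (common in attacker-created rules)")
    for addr in rule["forward_to"]:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != ORG_DOMAIN:
            reasons.append(f"forwards mail outside the organisation to {addr}")
    if rule["delete"]:
        reasons.append("deletes messages")
    folder = (rule["move_to_folder"] or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to {rule['move_to_folder']!r}, where it will not be seen")
    hits = {w.lower() for w in rule["subject_contains"]} & BEC_WORDS
    if hits:
        reasons.append(f"filters on finance/security words: {sorted(hits)}")
    return reasons


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_sign_ins(sign_ins: list, click_time: str) -> list:
    """Successful sign-ins at or after the click from a country not seen before it."""
    click = _ts(click_time)
    usual = {s["country"] for s in sign_ins
             if s["result"] == "success" and _ts(s["time"]) < click}
    return [s for s in sign_ins
            if s["result"] == "success" and _ts(s["time"]) >= click
            and s["country"] not in usual]


if __name__ == "__main__":
    for rule in INBOX_RULES:
        for reason in review_inbox_rule(rule):
            print(f"rule {rule['name']!r}: {reason}")
    for s in suspicious_sign_ins(SIGN_INS, CLICK_TIME):
        print(f"sign-in {s['time']} from {s['ip']} ({s['country']}) via {s['app']}")
```

A rule that matches several reasons at once (a one-character name, finance keywords, a hiding folder) is the classic sign that the attacker is already reading the mailbox and preparing an invoice fraud; removing the rule, resetting the password and revoking sessions should happen in the same sitting.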
Best prevention steps
- Enable multi-factor authentication on email and finance systems.
- Use a password manager. It only offers to fill a saved password on the site it was saved for, so a login page it refuses to fill is a warning sign.
- Keep Windows, browsers, and Office apps updated.
- Train staff to verify payment changes outside email.
- Use mail filtering, and publish SPF, DKIM, and DMARC records for your domain so that other mail systems reject messages that forge your address. These protect your own domain only; they do nothing against a lookalike domain the attacker has registered.
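What "weak" and "corrected" look like for SPF and DMARC, as an added Python example (not code from the original article): it parses the TXT records a domain publishes and reports the settings that still let spoofed mail through, with a soft configuration beside a strict one. The domain example.com.au and both record sets are constructed; spf.protection.outlook.com is the real SPF include for Microsoft 365 mail. DKIM is left out because its records are per-selector and only mean something when checked against a live signature.

```python
"""SPF and DMARC record check (added example; not code from the original article).

Assumptions: example.com.au and the WEAK / HARDENED record sets are constructed.
spf.protection.outlook.com is the real include for Microsoft 365 outbound mail.
"""

# Constructed DNS TXT records: name -> list of TXT strings.
WEAK = {
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"],
}
HARDENED = {
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com.au": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; adkim=s; aspf=s"
    ],
}


def parse_dmarc(txt: str) -> dict:
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(records: dict, domain: str) -> list:
    """Return a list of weaknesses; an empty list means SPF and DMARC are strict."""
    issues = []

    spf = [t for t in records.get(domain, []) if t.lower().startswith("v=spf1")]
    if not spf:
        issues.append("no SPF record: any server may claim to send for this domain")
    elif len(spf) > 1:
        issues.append("more than one SPF record: receivers treat this as a permanent error")
    else:
        all_terms = [t for t in spf[0].split() if t.lstrip("+-~?").lower() == "all"]
        if not all_terms:
            issues.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
        else:
            q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
            if q == "+":
                issues.append("SPF ends in '+all': every sender passes")
            elif q == "?":
                issues.append("SPF ends in '?all': unlisted senders are treated as neutral")
            elif q == "~":
                issues.append("SPF ends in '~all' (softfail); many receivers still deliver "
                              "softfail mail unless DMARC says to reject it")

    dmarc = [t for t in records.get(f"_dmarc.{domain}", []) if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        issues.append("no DMARC record: receivers have no policy for spoofed mail")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            issues.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif policy == "quarantine":
            issues.append("DMARC p=quarantine: spoofed mail goes to junk instead of being rejected")
        elif policy != "reject":
            issues.append(f"DMARC policy {policy!r} is not valid")
        pct = tags.get("pct", "100")
        if pct != "100":
            issues.append(f"DMARC pct={pct}: the policy applies to only part of the mail")
        if "rua" not in tags:
            issues.append("DMARC has no rua= address: no aggregate reports to spot abuse")
    return issues


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        found = assess(records, "example.com.au")
        print(f"{label}: {'no issues' if not found else ''}")
        for issue in found:
            print(f"  - {issue}")
```

To run the same check against a live domain, fetch the two records with `dig +short TXT example.com.au` and `dig +short TXT _dmarc.example.com.au` and pass the returned strings in the same dictionary shape. Moving from p=none to p=reject is normally done in stages, watching the rua reports to make sure legitimate senders (the accounting system, the website contact form) are all covered by SPF or DKIM first.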
Phishing is not just a technical problem. The best defence is a combination of secure accounts, clear payment procedures, and staff who know when to pause.