
How to Spot a Phishing Email Before It's Too Late

Staff are the biggest cybersecurity risk — not because they don't care, but because phishing is designed to trick good people. Here's how to recognise it, verify requests safely, and train your team to respond the right way.

Published: March 2026 · 7 min read

Why phishing works (and why it keeps getting worse)

Phishing is a type of social engineering: criminals send messages that look legitimate so someone will click a link, open an attachment, or share sensitive information. It works because it targets normal human behaviour — trust, urgency, curiosity, and the desire to be helpful.

The good news: you don't need to be technical to spot most phishing attempts. You just need a consistent routine.

The core idea

Phishing is rarely about “hacking the computer”. It's about persuading a person to do something unsafe. That's why staff awareness training is one of the highest-impact security investments a business can make.

The 10 red flags to teach every staff member

If your team can recognise these red flags, they will catch most phishing attempts before any harm is done.

  1. Unexpected urgency: “Payment needed today”, “Account will be suspended”, “Final warning”.
  2. Pressure to bypass normal process: “Don't tell anyone”, “Use this new bank account”, “I'm in a meeting — just do it”.
  3. Sender looks right at a glance, but not on inspection: the display name says “Microsoft” but the actual address is on an unrelated domain, or on a lookalike domain that differs by a letter or two.
  4. Links that don't match the text: hover over the link (or long-press on mobile) and check the real destination. A shortened link hides the destination completely, so treat it as unknown.
  5. Attachments you weren't expecting: especially “invoice”, “payment advice” or “scanned document” files.
  6. Requests for passwords or MFA codes: legitimate support teams never need your password, and nobody should ask you to read out a one-time code or approve a sign-in prompt you didn't start.
  7. Spelling, grammar, or odd formatting: many phishing emails are now well written, so the absence of mistakes proves nothing, but sloppy wording is still a common clue.
  8. Too good to be true: unexpected refunds, prizes, or “you've won” messages.
  9. Login pages that feel slightly off: wrong branding, unusual prompts, or an address in the browser bar that isn't the real service.
  10. Anything that creates a “panic click”: fear is a feature of phishing, not a side effect.

The safe verification routine (what to do instead of clicking)

The simplest rule for staff: never use the contact details provided in a suspicious message. If an email asks you to log in, pay, or change details, verify using a known-good method: an address you typed or bookmarked yourself, or a phone number you already had before the email arrived.

Do this

  • Type the website address yourself (or use a saved bookmark)
  • Phone the person using a number you already have
  • Confirm bank detail changes verbally
  • Ask IT to verify the message before acting

Not this

  • Clicking the link “just to check” (even a quick look confirms your address is live and can start a download)
  • Replying to ask if it's real (the reply goes straight back to the sender, genuine or not)
  • Calling the number in the email (the attacker is the one who answers)
  • Forwarding it to colleagues as a warning (without telling IT)

How to train staff (a simple programme that actually sticks)

Training isn't a one-off slideshow. The goal is to build a reflex: pause, verify, report. Here's a lightweight approach that works well for small and mid-sized teams.

  1. Set one clear rule: if an email creates urgency around money, passwords, or login, verify out-of-band.
  2. Teach the red flags: use the checklist below as a common language.
  3. Make reporting easy: staff should know exactly how to report suspicious messages (and feel safe doing it).
  4. Run short refreshers: 5 minutes monthly beats 1 hour annually.
  5. Reward the right behaviour: praise reporting, even when it turns out to be a false alarm.

Want help rolling this out?

We can help you tighten email security, set up safe reporting, and train staff in plain English.

The “Pause, Verify, Report” checklist

Print this, pin it near finance/admin desks, and use it as the shared language for your team.

  1. Stop and breathe: phishing relies on urgency. A 10-second pause is enough to work through the rest of this list.
  2. Check the sender properly: don't trust the display name. Look at the full email address and the domain after the @.
  3. Look for urgency + consequence: “Final warning”, “account will be locked”, “payment needed today” are classic pressure tactics.
  4. Hover (or long-press) links: if the link destination looks odd, don't click. Type the site address yourself instead.
  5. Be suspicious of attachments: unexpected invoices, payment advice, or “scanned documents” are common malware delivery methods.
  6. Never share passwords or MFA codes: no legitimate company should ask for your password or one-time code.
  7. Verify out-of-band: if money, bank details, or access is involved, verify by calling a known number (not the one in the email).
  8. Report it (don't forward it around): report to IT/security so they can block it for everyone. Forwarding to colleagues spreads the risk.
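For the IT or security person who receives a reported message, the sender and link checks above (red flags 3 and 4, checklist steps 2 and 4) can be run from the raw message itself rather than by eye. The script below is an added example written for this page; it is not StormDotCom's tooling and not part of the original guide. Both sample messages are constructed for illustration: the sender addresses and domains in them are made up, and the link text in the phishing sample deliberately imitates a real Microsoft sign-in address, which is the trick the “password expires today” scenario later on this page relies on.

```python
"""Triage a reported email for the sender and link red flags on this page.
Added example for the IT/security side, not StormDotCom's tooling. Both
samples are constructed; attacker-side addresses and domains are made up."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: display name says "Microsoft", everything else
# points at unrelated domains, and the link text does not match its href.
PHISHING_EML = """\
From: "Microsoft Account Team" <alerts@example-notify.net>
Reply-To: support@example-helpdesk.org
To: finance@example.com
Subject: Final warning: your password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-notify.net; dkim=none; dmarc=fail header.from=example-notify.net
Content-Type: text/html; charset="utf-8"

<html><body><p>Your Microsoft 365 password expires today. Click
<a href="https://login.example-notify.net/reset">https://login.microsoftonline.com</a>
to keep access.</p></body></html>
"""

# Constructed benign sample: name matches the domain and authentication passes.
BENIGN_EML = """\
From: "Acme Payroll" <payroll@acme-example.com>
To: finance@example.com
Subject: April payslips are available
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-example.com; dkim=pass header.d=acme-example.com; dmarc=pass header.from=acme-example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Payslips are on
<a href="https://portal.acme-example.com/payslips">the payroll portal</a>.</p></body></html>
"""

URGENCY_PHRASES = ("final warning", "expires today", "payment needed today",
                   "account will be suspended", "account will be locked")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _host(url):
    return (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()

def triage(raw_message):
    """Return the automated red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(address)
    findings = {}
    # Red flag 3 / checklist step 2: does the brand in the display name appear in
    # the real sending domain? A personal name trips this too: a prompt, not a verdict.
    words = [w for w in re.findall(r"[a-z0-9]+", display_name.lower()) if len(w) > 3]
    findings["brand_mismatch"] = bool(words) and not any(w in from_domain for w in words)
    # A Reply-To on another domain routes the victim's answer to the attacker.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    findings["reply_to_mismatch"] = bool(reply_to) and _domain(reply_to) != from_domain
    # SPF/DKIM/DMARC verdicts as stamped by the receiving mail server.
    auth = str(msg.get("Authentication-Results", ""))
    findings["auth_failures"] = {m: r for m, r in re.findall(r"(spf|dkim|dmarc)=(\w+)", auth) if r != "pass"}
    # Red flag 4 / checklist step 4: link text that reads like an address but
    # whose href points at a different host (what hovering would reveal).
    findings["link_mismatches"] = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if URL_LIKE.fullmatch(text) and _host(text) != _host(href):
                findings["link_mismatches"].append((text, href))
    # Red flags 1 and 10: pressure wording in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    findings["urgency"] = [p for p in URGENCY_PHRASES if p in subject]
    return findings

if __name__ == "__main__":
    for label, raw in (("phishing sample", PHISHING_EML), ("benign sample", BENIGN_EML)):
        print(label, triage(raw))
```

These checks are prompts, not verdicts: a personal display name will trip the brand check, and a message can pass SPF and DKIM when the attacker owns the lookalike domain it was sent from, so a clean result does not replace the out-of-band verification step above.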

Quick scenarios to practise in a team meeting

Scenario: “I'm in a meeting. Please pay this invoice now and send proof.”
Best response: Treat as suspicious. Verify with a known contact method and follow your normal payment approval process, however senior the apparent sender.

Scenario: “Your Microsoft password expires today. Click here to keep access.”
Best response: Don't click. Go directly to Microsoft 365 from a bookmark or by typing the address (or ask IT) and check account status from the trusted portal.

Scenario: “We've updated our banking details. Use this new account from now on.”
Best response: Never accept bank changes by email alone. Confirm verbally on a number you already hold for the supplier (not one in the email) and update supplier records securely.

Want to reduce phishing risk fast?

Book a free security assessment. We'll review your email security, MFA, and staff awareness — and give you a clear, prioritised action plan.
