How to Tell If an Email Is a Phishing Scam (With Real Examples)
Phishing is the #1 way small businesses get hacked. Not sophisticated zero-day exploits — just a convincing fake email and one bad click.
In 2025, 36% of all data breaches involved phishing. And small businesses are targeted more than large enterprises because attackers know you don't have a dedicated security team reviewing every email.
Here's how to spot them every time.
The 7 Red Flags of a Phishing Email
1. Urgency and Fear Tactics
Phishing emails almost always create panic:
- "Your account will be suspended in 24 hours"
- "Unusual sign-in activity detected"
- "Payment failed — update your billing now"
2. The Sender Address Doesn't Match
The "From" name might say "Microsoft Support" but the actual email address is something like `support@microsoft-secure-verify.com`.
How to check: Hover over or click the sender name to see the full email address, then look at the domain, the part after the @ sign. If it isn't exactly the company's real domain (microsoft.com, not microsoft-support.com), the email is fake.
Common tricks:
- `paypal@secure-paypal-verify.com` (not paypal.com)
- `support@amaz0n.com` (zero instead of "o")
- `billing@apple.com.scam-domain.com` (the real domain is scam-domain.com; apple.com is just a subdomain of it)
3. Generic Greetings
"Dear Customer" or "Dear User" instead of your actual name. Legitimate services that have your account know your name and use it.
4. Suspicious Links
Never click a link without checking where it goes. Hover your mouse over any link — your email client will show the actual URL at the bottom of the screen or in a tooltip.
Red flags:
- The link text says "microsoft.com" but the actual URL goes somewhere else
- Shortened URLs (bit.ly, tinyurl) in business emails
- URLs with random strings of numbers and characters
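A small heuristic checker for the sender-address tricks listed under red flag 2 and the link mismatches under red flag 4. This is an added example, not code from the original article; the TRUSTED allow-list, the two-label domain rule and the digit-swap table are simplifying assumptions, and the sample addresses are constructed from the article's examples.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list (not from the article): brand name -> its one legitimate domain.
TRUSTED = {"microsoft": "microsoft.com", "paypal": "paypal.com",
           "amazon": "amazon.com", "apple": "apple.com"}
SHORTENERS = {"bit.ly", "tinyurl.com"}  # the shorteners the article names


def registrable_domain(host):
    """Keep the last two labels: apple.com.scam-domain.com -> scam-domain.com.
    Sufficient for the .com cases here; production code uses the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(label):
    """Undo common digit-for-letter swaps so amaz0n compares equal to amazon."""
    return label.translate(str.maketrans("0135", "oles"))


def check_sender(display_name, address):
    """Return red flags for one From header; an empty list means no trick detected."""
    flags = []
    host = address.rsplit("@", 1)[-1].lower()
    reg = registrable_domain(host)
    for brand, legit in TRUSTED.items():
        if reg == legit:
            continue  # mail really comes from the brand's own domain
        if brand in display_name.lower():
            flags.append(f"display name claims {brand} but the domain is {reg}")
        if f".{legit}." in f".{host}.":
            flags.append(f"{legit} is only a subdomain of {reg}")
        if brand in normalize(reg.split(".")[0]):
            flags.append(f"lookalike domain {reg} imitates {legit}")
    return flags


def check_link(text, href):
    """Flag link text naming a domain other than the real target, and URL shorteners."""
    flags = []
    target = registrable_domain(urlparse(href).hostname or "")
    named = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if named and registrable_domain(named.group(0)) != target:
        flags.append(f"text says {named.group(0)} but the link goes to {target}")
    if target in SHORTENERS:
        flags.append(f"shortened URL via {target}")
    return flags
```

Feeding `check_sender("Apple Billing", "billing@apple.com.scam-domain.com")` reports both the display-name mismatch and the subdomain trick, while a genuine `noreply@microsoft.com` returns no flags.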
5. Unexpected Attachments
You didn't ask for an invoice, a "document for review," or a shipping notification? Don't open it.
Dangerous file types: .exe, .zip, .scr, .js, .bat. But even .pdf and .docx files can carry malware, so never enable macros or "content" when a document you didn't expect asks you to.
6. Grammar and Spelling Errors
Legitimate companies proofread their emails. Random capitalization, awkward phrasing, and obvious spelling errors are red flags.
Note: AI has made phishing emails much better at grammar. Don't rely on this as your only check — but combined with other red flags, it's a strong signal.
7. Requests for Sensitive Information
No legitimate company will ask you to:
- Send your password by email
- Provide your Social Security number
- Wire money or buy gift cards
- Share credit card details via email
What to Do When You Spot a Phishing Email
- Don't click anything — no links, no attachments, no images
- Report it — use your email's "Report Phishing" button
- Delete it — after reporting, remove it from your inbox
- If you already clicked: change your password immediately, enable MFA, and run a malware scan
Real Phishing Examples
The Microsoft 365 "Password Expiring" Email: You get an email saying your Microsoft password expires in 24 hours with a "Keep Current Password" button. Microsoft doesn't send these. Your admin controls password policies, and Microsoft itself will never ask you to click a link to keep your password.
The Invoice Scam: An email with a PDF attachment titled "Invoice #48291." You don't recognize the sender, but you open it anyway because you're worried you forgot a bill. The PDF contains a link that installs malware.
The CEO Fraud: An email that appears to be from your boss asking you to wire money, buy gift cards, or share sensitive information urgently. The email address is slightly off, or it's from a personal email "because my work email is down."
Train Your Team
If you have employees, they need to know this too. One person clicking a phishing link can compromise your entire business.
Quick training plan:
- Share this article with your team
- Pick 3 recent spam emails from your junk folder and walk through the red flags
- Establish a rule: when in doubt, verify through a different channel (call the person, visit the website directly)
How AI IT Guy Helps
We monitor your email security, train you and your team to spot threats, and help you recover if something gets through.
Need IT Help Right Now?
AI IT Guy gives you unlimited IT support starting at $29/month. No contracts, no jargon.
Get Started — $29/month