Phishing emails are getting harder to spot. The days of "Your account has been suspended click here URGENT!!!" in broken English are mostly gone. Modern phishing attempts can look like a message from your bank, your hosting provider, a courier company, or a known contact whose account has been compromised. The goal is always the same — get you to click a link or open an attachment that gives the attacker access to something valuable.

Knowing what to do in the moment is a skill. Here's the playbook.

Step 1: Don't click anything yet

The moment you feel uncertain about an email, your instinct should be to stop. Don't click links, don't open attachments, don't reply. That initial hesitation is your most important defence.

Attackers use urgency to override that instinct — "Your account will be suspended in 24 hours," "Immediate action required," "Your package is waiting." Urgency is a manipulation technique. Legitimate organisations give you time to respond.

Step 2: Check the actual sender address

The display name in an email can say anything. "PayPal Support" can be the display name for an email actually sent from a completely unrelated domain. Click on or hover over the sender name to reveal the actual email address. Look at it carefully:

If anything looks off, trust that instinct.
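To make the "display name versus actual address" check concrete, here is a small added example (not code from the original post) that splits a `From:` header into its display name and real address and flags a mismatch when the name mentions a brand but the address domain does not belong to it. The sample headers and the `KNOWN_BRAND_DOMAINS` table are constructed for illustration; in practice you would compare the address against what you already know about that organisation.

```python
from email.utils import parseaddr

# Constructed sample From: headers (illustrative only, not taken from any real message).
SAMPLE_HEADERS = [
    'PayPal Support <service@paypal.com>',
    'PayPal Support <support@paypa1-billing-center.net>',
    '"Your Bank" <alerts@mail.yourbank.example>',
]

# Hypothetical lookup: brand name as it might appear in a display name -> domains
# that brand genuinely sends from. Populate this from your own knowledge of the sender.
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
}


def split_sender(header_value):
    """Return (display_name, address, address_domain) for a From: header value.

    The display name is free text and can say anything; only the address after
    the '@' tells you which mail domain the message actually came from.
    """
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def sender_looks_suspicious(header_value):
    """Flag a header whose display name claims a brand the address domain does not match."""
    name, addr, domain = split_sender(header_value)
    if not domain:
        return True, "no usable sender address"
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in name.lower():
            # Accept the brand's own domain or a subdomain of it, nothing else.
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                return True, f"display name mentions '{brand}' but address domain is '{domain}'"
    return False, "display name and address domain are consistent"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        flagged, reason = sender_looks_suspicious(header)
        print(f"{'SUSPICIOUS' if flagged else 'ok        '}  {header}  ({reason})")
```

The second sample is the case the post describes: a convincing display name attached to an address on an unrelated domain. The third is not flagged only because no brand entry exists for it, which is the point of the check: it can confirm a mismatch, but it cannot prove a sender is genuine.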

Step 3: Don't use the links in the email — go directly

If an email claims your bank account needs attention, don't click the link in the email. Open a new browser tab and go to your bank's website directly. Log in there. If there's a genuine issue, it'll be waiting for you. If there isn't, you've just avoided a phishing attack.

This one habit eliminates the vast majority of phishing risk. The link in the email is the attack vector. Remove it from the equation.

Go direct, always. If an email prompts you to take action on an account — banking, hosting, email, domain registrar — open a new tab, go to that service directly, and handle it from there. Never through a link in an email you're uncertain about.

Step 4: Check the link without clicking it

If you do need to evaluate a link, hover over it without clicking. Your browser will show you the actual destination URL in the status bar at the bottom of the window. Look at the host name — the part after `https://` and before the next forward slash. That's the site you'd actually be visiting, whatever the text of the link says. If it doesn't match what you'd expect, don't go there.
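The same rule, written as an added example (not part of the original post) so you can see exactly which part of a URL decides where you end up. It uses Python's standard `urllib.parse` to pull out the host, then checks whether that host is the expected site or a subdomain of it. The sample links and the expected domain `paypal.com` are constructed for illustration; the `registrable_domain` helper is a deliberate simplification that takes the last two labels and does not handle suffixes such as `co.uk`.

```python
from urllib.parse import urlsplit

# Constructed sample links (illustrative only). Each one either genuinely points at
# the expected site or uses a common trick to make a different host look like it.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "https://www.paypal.com.account-verify.example/signin",  # brand as a subdomain of another site
    "https://paypal.com@account-verify.example/login",        # brand in the user-info part before '@'
    "https://account-verify.example/paypal.com/login",        # brand in the path, after the first slash
    "http://192.0.2.10/paypal",                               # bare IP address, no brand host at all
]


def link_host(url):
    """Return the host the browser would actually connect to, lower-cased."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """Naive 'site' name: the last two labels of the host.

    Simplification for illustration; real code should use the Public Suffix List.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_matches_expected(url, expected_domain):
    """True only if the host is expected_domain itself or a subdomain of it."""
    host = link_host(url)
    if not host:
        return False
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        host = link_host(link)
        ok = link_matches_expected(link, "paypal.com")
        print(f"{'ok        ' if ok else 'MISMATCH  '}  host={host!r:45} site={registrable_domain(host)!r:25} {link}")
```

Only the first link actually goes to `paypal.com`. The other four all contain the brand name somewhere visible, but the host that decides the destination is something else, which is why the post tells you to read the part between `https://` and the next slash rather than scanning the URL for a familiar name.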

Step 5: Report it — don't just delete it

If you've confirmed the email is a phishing attempt, report it before deleting:

If the email is impersonating a real company, report it to that organisation as well. They track these campaigns and can warn other customers.

Step 6: If you clicked something, act immediately

If you've already clicked a link or opened an attachment, don't panic — but do act fast:

  1. Disconnect from the internet if you think malware may have been downloaded
  2. Change the password for any account that may have been targeted — from a different device if possible
  3. Enable multi-factor authentication on that account immediately
  4. Check your account activity for anything unfamiliar
  5. Run a malware scan (Malwarebytes free edition is a solid starting point)
  6. Tell your IT contact immediately if this is a business device

The one question that cuts through uncertainty

When in doubt, ask yourself: "Did I initiate this?" If you didn't log in, request a password reset, or contact this company recently — and now they're emailing you with urgent instructions — treat it as suspicious until proven otherwise.

Concerned about your team's exposure to phishing? Book a free call and tell us where you're at — we'll point you in the right direction on training and security posture.