Security awareness
What a phishing email actually looks like.
A field guide to the red flags scammers reuse — the forged sender, the manufactured deadline, the link that isn't what it says, the “urgent, confidential” wire. Every example below is a synthetic illustration, never a real message.
Every example here is fabricated. All names are invented and all addresses use reserved documentation domains (example.com, *.test). Nothing on this page references a real brand, person, or live domain.
Sender & identity
The 'From' line and display name are trivially forged. These tells live in the address itself, not the friendly name.
Almost-right sender domain
High-confidence tell
The address looks legitimate at a glance but the domain is subtly wrong, or a real company name sits in front of an unrelated domain.
What to look for
- Extra words, hyphens, or swapped letters bolted onto a familiar name.
- A trusted brand in the display name, but the real address is some unrelated domain.
- A public webmail address claiming to be an official corporate sender.
From: "Acme Billing Team" <billing@acme-support-secure.test>
Reply-To: acme.billing.dept@example.net
What to do
Read the full address, not the display name. If the domain isn't exactly the organisation's real one, treat it as hostile and verify through a channel you already trust.
Real name, wrong address
High-confidence tell
The display name impersonates a colleague or executive, but the underlying email address belongs to someone else entirely.
What to look for
- A coworker's or boss's name paired with an external or personal address.
- Replies silently route to a different address than the one shown.
- The 'sent from my phone' excuse for why it looks off.
From: "Dana Cole (CEO)" <dana.cole.exec@example.org>
"Hi — I'm in a meeting, are you at your desk? Need a quick favour."
What to do
Confirm any unusual request from a named person using their known number or a fresh message you compose yourself — never by replying to the suspicious email.
Reply-To points somewhere else
Worth a second look
The message appears to come from one address, but answers are quietly redirected to an attacker-controlled inbox.
What to look for
- A Reply-To header that doesn't match the From domain.
- Hitting reply auto-fills an address you didn't expect.
From: notifications@example.com
Reply-To: accounts.review@mailbox-team.test
What to do
Before replying with anything sensitive, check the address your client is actually about to send to. If it differs from the sender, stop.
Urgency & pressure
Scams work by rushing you past your judgement. Manufactured deadlines, threats, and secrecy are the lever.
Act now or else
High-confidence tell
A manufactured deadline or threat of loss pressures you to act before you can think it through.
What to look for
- 'Within 24 hours', 'immediately', or 'final notice' framing.
- Threats of account closure, fees, or legal action.
- Pressure not to check with anyone first.
Subject: FINAL NOTICE — account suspension in 24 hours
"Your access will be permanently disabled unless you confirm your details today."
What to do
Treat urgency itself as the warning sign. Slow down and verify through the organisation's official site or phone number, never via the message's links.
Keep this between us
High-confidence tell
The message insists on confidentiality so you won't do the one thing that would expose the scam — ask a colleague.
What to look for
- 'Don't tell anyone', 'this is confidential', 'handle it discreetly'.
- A request that deliberately bypasses your normal process.
- Pressure to use personal email or text instead of work channels.
"Please keep this confidential for now — I'm finalising an acquisition and need you to handle a payment quietly before the announcement."
What to do
Legitimate leaders expect you to follow controls. Verify out-of-band and loop in a second person — secrecy plus money is a classic fraud signature.
Too good to be true
Worth a second look
An unexpected refund, prize, or bonus dangles a reward to lower your guard and rush you into clicking.
What to look for
- A refund or payout you never requested.
- 'You've been selected' or 'claim before it expires'.
- A small action now for a disproportionate reward.
Subject: Your refund of $480.00 is ready
"Confirm your details within 48 hours to release your payment."
What to do
If you didn't initiate it, assume it's bait. Log in to the real service directly to check for any genuine refund or notice.
Links & web addresses
The visible text of a link and its real destination are two different things. Hover before you trust.
Link text hides the real address
High-confidence tell
The clickable text says one thing while the underlying destination goes somewhere completely different.
What to look for
- Hovering shows a destination that doesn't match the link text.
- A button labelled with a brand name pointing at an unrelated domain.
- Long, random-looking paths after an unfamiliar host.
Displayed: "Verify your account at portal.example.com"
Actual link target: https://account-verify.test/login?id=8841
What to do
Hover (or long-press on mobile) to preview the real destination before clicking. If it doesn't match, don't click — navigate to the site yourself.
Shortened or cloaked link
Worth a second look
A URL shortener or redirect hides where a link actually leads, so you can't judge it before clicking.
What to look for
- A short redirect link in an unexpected message.
- No way to see the final destination before you click.
- A QR code standing in for a link you can't read.
"Scan the code or open lnk.test/x7Qz to review the secure document."
What to do
Don't follow shortened links or QR codes from unsolicited messages. Go to the organisation's known website and find the item there instead.
Login page on the wrong host
High-confidence tell
A link leads to a convincing sign-in page hosted on a domain that has nothing to do with the real service.
What to look for
- The login page's address bar shows an unfamiliar domain.
- A subdomain dressed up to look like a brand name.
- The page asks for your password immediately, out of context.
Login page served from: https://secure-signin.example.test/auth
What to do
Check the domain in the address bar before typing anything. When in doubt, open the service from your own bookmark and sign in there.
Attachments & files
An unexpected attachment is a delivery mechanism. The file type and the story around it are the tells.
Attachment you didn't expect
High-confidence tell
An out-of-the-blue file — invoice, receipt, or 'document' — arrives from someone you weren't corresponding with.
What to look for
- A file you never asked for, with a vague 'see attached' note.
- An invoice or receipt for something you didn't buy.
- Pressure to open it quickly to 'resolve an issue'.
Subject: Outstanding invoice
"Please see the attached statement — Invoice_4821.html — and confirm payment."
What to do
Don't open unexpected attachments. Verify with the supposed sender through a known contact method before touching the file.
File that demands you 'enable' something
High-confidence tell
An attachment opens to a near-blank page instructing you to enable content or editing to reveal the 'real' document.
What to look for
- 'Enable content / enable editing to view this document.'
- Claims the document is 'protected' or 'encrypted' until you act.
- A document whose only content is instructions to click.
"This document is protected. Click Enable Content to view your secure file."
What to do
Never enable content or macros to read an unexpected file. Close it and confirm with the sender first — that prompt is how the payload runs.
Disguised file type
Worth a second look
A file is dressed to look like a harmless document but its real extension makes it a program or script.
What to look for
- A name like 'report.pdf.exe' where the real ending is executable.
- An icon that doesn't match the claimed file type.
- An archive (.zip) that expands to an unexpected program.
Attachment: Quarterly_Report.pdf.exe
What to do
Show full file extensions and be wary of executables arriving by email. If the real ending isn't a plain document, delete it and report it.
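Three of the tells above can be checked mechanically by a mail filter or a triage script. The Python below is an added example, not part of this guide: it applies the Reply-To domain mismatch (Sender & identity), the link text versus real destination mismatch (Links & web addresses), and the double-extension attachment (Attachments & files) to one constructed sample message. The message, its domains, and the label names are all invented for this illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (documentation domains only) stitched from the cards above:
# mismatched Reply-To, a deceptive link, and a double-extension attachment.
RAW_MESSAGE = """\
From: "Acme Billing Team" <billing@acme-support-secure.test>
Reply-To: acme.billing.dept@example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Verify your account at <a href="https://account-verify.test/login?id=8841">portal.example.com</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Quarterly_Report.pdf.exe"

XX
--b1--
"""
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta"}
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def domain_of(header_value: str) -> str:
    """Domain of the first address in a From/Reply-To header, lowercased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def find_tells(raw: str) -> list[str]:
    """Return the red-flag labels found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    tells = []
    # Sender & identity: replies silently routed to a different domain.
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != domain_of(msg["From"]):
        tells.append("reply-to-mismatch")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for href, text in ANCHOR_RE.findall(part.get_content()):
                shown, real = text.strip().lower(), urlparse(href).hostname or ""
                # Links: visible text names a host the real target does not use.
                if re.fullmatch(r"[\w.-]+\.\w+", shown) and shown != real:
                    tells.append("link-text-mismatch")
        stem, _, ext = (part.get_filename() or "").lower().rpartition(".")
        # Attachments: a document-looking name whose real ending is executable.
        if ext in EXECUTABLE_EXTS and "." in stem:
            tells.append("disguised-executable-attachment")
    return tells
```

Each label maps back to a card on this page, so a hit can be shown to the recipient with the matching "What to do" advice.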
Payment & money movement
Business email compromise (BEC) targets the money directly — changed bank details, gift cards, and 'urgent, confidential' wires.
Sudden change of bank details
High-confidence tell
A supplier or colleague emails to say their payment account has changed — right before an invoice is due.
What to look for
- New bank or routing details 'for all future payments'.
- Timing that lines up suspiciously with a real invoice.
- A request to update records without a phone confirmation.
"Please note our banking details have changed. Remit the outstanding balance to the new account on the attached form."
What to do
Always confirm changed payment details by calling a number you already have on file — never the number in the email — before moving any money.
Pay us in gift cards
High-confidence tell
A request to buy gift cards and send the codes — a hallmark of fraud, because gift cards are untraceable and irreversible.
What to look for
- Any ask to purchase gift cards 'for a client / reward / emergency'.
- A request to scratch off and send the codes by reply or text.
- Urgency plus secrecy attached to the request.
"Can you grab five $100 gift cards for a client gift and send me the codes? I'll reimburse you. It's time-sensitive."
What to do
No legitimate business pays vendors or 'reimburses' staff in gift-card codes. Treat this as fraud and report it; do not buy anything.
Credential & login capture
The goal of most phishing is your password or one-time code. Any unexpected login or code request deserves suspicion.
Reset you didn't request
High-confidence tell
A password-reset or 'verify your account' prompt arrives even though you never started one.
What to look for
- A reset link for an account you didn't try to access.
- 'Unusual sign-in detected — confirm your password to continue.'
- A login form embedded directly in the email body.
Subject: Confirm your password
"We noticed a new sign-in. Re-enter your password here to keep your account active."
What to do
Ignore reset prompts you didn't trigger. If you're unsure, go to the service directly and reset from there — never through the email's link or form.
Someone asking for your one-time code
High-confidence tell
A message or call asks you to share the verification code you just received — the last barrier an attacker needs.
What to look for
- Anyone asking you to read back a code sent to your phone.
- A prompt to approve a login or push you didn't start.
- 'Support' walking you through 'verifying' by reading a code.
"For security we've sent a 6-digit code to your phone. Reply with the code to confirm it's really you."
What to do
Never share a one-time code with anyone — no real service or support team will ask. If you didn't start the login, deny it and change your password.
Generic giveaways
The little inconsistencies — odd greetings, off tone, mismatched branding — that don't fit any one bucket but add up.
Generic greeting & off wording
Subtle tell
Impersonal greetings and stilted or error-laden wording betray a message that wasn't really written by the organisation it claims to be.
What to look for
- 'Dear Customer' / 'Dear User' instead of your name.
- Awkward phrasing, odd capitalisation, or obvious errors.
- Tone or formatting that doesn't match the real sender.
"Dear Valued Customer, We detect a problem on you account. Kindly to confirm your informations immediately."
What to do
Treat a generic greeting plus off wording as a prompt to slow down and verify — even a polished message can be fake, but these tells rarely are.
Knowing the tells is step one. Build the reflex.
Run a phishing simulation so your team practices spotting these in a real inbox, brush up the basics in the help center, and make sure your domain's email defenses make spoofing harder in the first place.