How to spot a phishing email before it costs you
Learn how to spot a phishing email before it costs your small business. Simple, plain-English warning signs and what to do when one lands.
Most online trouble for a small business does not start with a hacker breaking down a digital door. It starts with one ordinary-looking email and one busy person clicking before they think. Phishing is the polite name for those messages, the ones pretending to be your bank, a vendor, Microsoft, or even your own boss. The good news is that most of them give themselves away if you know where to look.
Here is how we coach our clients in South Orange County to slow down and catch them.
What phishing actually is
Phishing is a message designed to trick you into doing something you would not normally do. Usually that means clicking a link, opening an attachment, typing your password into a fake login page, or paying an invoice that was never real. The sender is impersonating someone you trust so you will lower your guard.
It works because it relies on emotion and speed, not technical wizardry. Once you understand the playbook, the spell mostly breaks.
The warning signs to watch for
No single clue proves an email is fake, but when a few of these show up together, treat the message as suspicious.
- A sense of urgency or fear. “Your account will be closed today.” “Payment failed, act now.” Real companies rarely rush you like this.
- The sender address is slightly off. The display name might say “Microsoft,” but the actual address is a string of random letters or a domain that is almost right but not quite: an extra word, a swapped letter, or a different ending. Click or tap the name to see the real address. The reverse is not a guarantee, though. Sender addresses can be forged, so a correct-looking address on its own does not make a message safe.
- Links that do not match. Hover your mouse over a link before clicking, and check the little preview of where it really goes. On a phone, press and hold. If the text says one thing and the destination says another, stop. Shortened or redirecting links hide the real destination, so treat those as unknown rather than safe.
- Generic greetings. “Dear Customer” or “Dear User” from a company that knows your name is a small but real tell.
- Unexpected attachments. Invoices, shipping labels, or voicemail files you were not expecting are a classic delivery method for trouble.
- Requests for passwords, codes, or payment. Legitimate companies do not email you asking for your password or a one-time security code.
- Odd wording or formatting. Strange grammar, mismatched logos, or a tone that feels off can all be signs.
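Several of the warning signs above can be checked mechanically on a saved message before anyone opens it. The script below is an added example for readers of this article, not code from the original page or from Coastal Growth Co. It uses only the Python standard library. The BRAND_DOMAINS table, the URGENCY_PHRASES list, and the sample message are constructed assumptions for the example, and the “last two labels” domain rule is a simplification that misreads endings such as co.uk. A clean report from it is not proof of safety; it only surfaces the tells the article describes.

```python
# Added example: automate the warning-sign checks from the article on a raw
# email file. Standard library only; tables below are assumptions for the demo.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand -> legitimate domain table (assumption for this example).
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "office.com"},
                 "paypal": {"paypal.com"}}
# Pressure phrases of the "act now / account will be closed" kind.
URGENCY_PHRASES = ("act now", "immediately", "within 24 hours", "payment failed",
                   "will be closed", "will be suspended", "verify your account")
# Anchor text that itself looks like a URL or host name.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs plus all visible text from HTML."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(url):
    """Host name of a URL; a bare host name is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude last-two-labels rule: login.microsoft.com -> microsoft.com."""
    return ".".join(host.split(".")[-2:])


def analyze(raw_bytes):
    """Return a list of (finding, detail) tuples for one raw email message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    # 1. Display name claims one brand, real address sits on another domain.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registered_domain(addr.rpartition("@")[2].lower())
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            findings.append(("display_name_mismatch", f"{display_name!r} from {addr}"))

    # 2. Link text shows one host, the href goes somewhere else.
    collector = _LinkCollector()
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector.feed(body.get_content())
    for href, text in collector.links:
        if href and URL_LIKE.fullmatch(text) and \
                registered_domain(host_of(text)) != registered_domain(host_of(href)):
            findings.append(("link_mismatch", f"{text} really goes to {host_of(href)}"))

    # 3. Urgency wording and generic greetings in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + " ".join(collector.text)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    if re.search(r"\bdear (customer|user|client)\b", haystack):
        findings.append(("generic_greeting", "no name used"))

    # 4. Attachments riding along with the message.
    for part in msg.iter_attachments():
        findings.append(("attachment", part.get_filename() or part.get_content_type()))
    return findings


# Constructed sample message for the demo; the domains are not real.
SAMPLE = b"""From: "Microsoft 365" <billing@m1crosoft-secure.example>
To: owner@smallbiz.example
Subject: Payment failed - act now or your account will be closed today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your payment failed. Sign in at
<a href="http://login.m1crosoft-secure.example/auth">https://login.microsoft.com</a>
within 24 hours or your account will be closed.</p></body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for finding, detail in analyze(SAMPLE):
        print(f"{finding:22} {detail}")
```

Run it against a message saved as an .eml file by reading the file in binary mode and passing the bytes to analyze(). On the constructed sample it reports all five tells; a routine statement from the genuine domain with a matching link and a personal greeting reports nothing, which is exactly when the “was I expecting this?” question in the next section still has to be asked.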
The ones that look perfect
It is worth saying plainly that some phishing emails are very polished. They copy real logos, real wording, and real signatures. We are also seeing more messages that read smoothly because they were written with help from AI.
So do not rely only on “it looks professional.” The deeper question is always: was I expecting this, and does the request make sense? A wire transfer you never discussed, a login page that arrived out of nowhere, a vendor suddenly changing their bank details: those deserve a second look no matter how clean the email appears.
What to do when one lands
When something feels off, follow a simple routine:
- Pause. Urgency is the trap. Give yourself a minute.
- Verify through a separate channel. If your bank, a vendor, or a coworker seems to be asking for money or access, call them on a number you already know. Do not reply to the email or call a number it provides.
- Do not click, do not download, do not enter your password.
- Report and delete. Most email systems have a “Report phishing” button. Use it, then delete the message.
- If you already clicked or typed your password, change that password right away from a device you trust, change it anywhere else you reused it, turn on multi-factor authentication if it is not already on, and tell whoever handles your IT even if nothing seems wrong. If you typed in a one-time code or approved a sign-in prompt, say so: the attacker may already be logged in, and that session needs to be cut off, not just the password changed.
Building a habit, not just a one-time check
The businesses that stay safe are not the ones with the most expensive software. They are the ones where everyone has quietly agreed to slow down on anything involving money, passwords, or surprise attachments. A short, shared habit across your team beats any single tool.
A few simple protections help too: multi-factor authentication on email and banking, regular backups, and a clear “when in doubt, ask” rule so nobody feels silly double-checking. We cover more of these everyday questions on our FAQ, and the broader work of locking down email and Microsoft 365 is a big part of what we do day to day.
If you would like a calm, no-pressure set of eyes on your email setup and your team’s habits, we are happy to help. Get a free assessment and we will walk through where you stand and what, if anything, is worth tightening up.
- phishing
- email security
- training
Need a hand with this?
Coastal Growth Co. is your local IT department in South Orange County. Get a free assessment and a clear plan, no pressure.