How to recognise phishing: a practical guide
Recognising phishing is a skill anyone can learn. This guide uses real examples to show which signals reveal that an email, SMS or phone call is fraudulent. No theory - concrete warning signs that every employee can apply immediately.
Step 1: check the sender
The sender name in your email client is easy to fake. The criminal can display "Microsoft Support" or "Director John Smith" while the actual email address is completely different. Always click the name to see the full address.
Real examples of fake addresses:
- noreply@microsoft-support.net - Microsoft always uses @microsoft.com
- invoicing@barclays-bank.com - Your bank has its own official domain
- ceo@yourcompanyname.org - Your CEO uses @yourcompanyname.com
- info@royaI-mail.co.uk - Capital "I" instead of lowercase "l"
Step 2: recognise urgency language
Phishing emails create artificial urgency to make you act without thinking. It is one of the most used and effective phishing techniques.
Recognisable urgency phrases:
- "Your account will be suspended unless you respond within 24 hours"
- "Urgent action required: verify your details now"
- "Final warning: your payment has failed"
- "Your parcel will be returned if you don't pay the delivery fee"
- "Reply asap, this is confidential" (from a supposed manager)
The golden rule: the more urgent a request, the more reason to pause and verify through a different channel. Call the organisation's official number, or walk over to your colleague rather than replying by email.
Step 3: check the links
Never click a link in an email without checking it first. Hover over the link (without clicking) and look at the URL that appears. The displayed text and the actual URL can be completely different.
Warning signs in links:
- URL does not start with https:// (though https alone is no longer a guarantee)
- Domain name differs from what is expected: bit.ly/xyz, or microsoft-login.ru
- Subdomain abuse: login.your-bank.malicious-domain.com - always look at the main domain
- Unexpected characters or numbers: paypàl.com (accented character), arnazon.com
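The sender and link checks from Step 1 and Step 3 can be turned into a small screening helper, shown here as an added example that is not part of this guide: it isolates the main (registrable) domain, flags accented or confusable characters, and reports brand names that only appear in a subdomain. The two-part suffix list and the confusable table are deliberately short assumptions, not a complete public-suffix list or homoglyph database.

```python
import unicodedata
from urllib.parse import urlsplit

# Simplified public-suffix handling so "royal-mail.co.uk" counts as one domain
# (assumption: a short list, not the full public suffix list).
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}
# Character sequences routinely used to imitate another letter (illustrative).
LOOKALIKES = {"rn": "m", "vv": "w", "I": "l", "1": "l", "0": "o"}

def registrable_domain(host: str) -> str:
    """Main domain of a host name: the part the guide tells you to look at."""
    labels = host.rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]).lower() in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-keep:])

def normalise(name: str) -> str:
    """Strip accents (paypàl -> paypal) and swap known confusables (arnazon -> amazon)."""
    decomposed = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in decomposed if not unicodedata.combining(c))
    for fake, real in LOOKALIKES.items():
        name = name.replace(fake, real)
    return name.lower()

def check_domain(host: str, expected: str) -> list[str]:
    """Return warnings for host against the genuine domain; an empty list means it matches."""
    actual = registrable_domain(host)
    if actual.lower() == expected.lower():
        return []
    findings = []
    brand = expected.split(".")[0]
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII character in domain")
    if normalise(actual) == normalise(expected):
        findings.append(f"lookalike of {expected}: {actual}")
    elif brand in actual.lower():
        findings.append(f"brand name reused in an unrelated domain: {actual}")
    elif brand in host.lower():
        findings.append(f"brand name only in a subdomain; real domain is {actual}")
    else:
        findings.append(f"domain {actual} is not {expected}")
    return findings

def check(value: str, expected: str) -> list[str]:
    """Judge an email address (Step 1) or a hovered URL (Step 3) against the genuine domain."""
    if "@" in value and "://" not in value:
        return check_domain(value.rsplit("@", 1)[1], expected)
    parts = urlsplit(value if "://" in value else "https://" + value)
    host = parts.netloc.rsplit("@", 1)[-1].split(":")[0]  # keep case; hostname would lowercase it
    findings = [] if parts.scheme == "https" else ["link is not https"]
    return findings + check_domain(host, expected)
```

Run it against the fake addresses and link patterns listed above to see each warning sign reported by name; a plain https link is only reported clean when its main domain is the genuine one.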
Step 4: watch for suspicious attachments
Attachments are a common way to install malware. Not only executable files (.exe) are dangerous - Word, Excel, PDF and ZIP files can also contain harmful code.
Suspicious file types and situations:
- Executable files: .exe, .bat, .cmd, .vbs, .js
- Office files that ask to enable macros on opening
- ZIP files from unknown senders with enticing names ("invoice_2026.zip")
- Unexpected attachments - even from known senders (their account may be hacked)
Step 5: recognise smishing and vishing
Phishing is not limited to email. SMS (smishing) and phone calls (vishing) are increasingly used.
Recognising smishing:
- Unexpected message from your bank, a delivery service or government body with a link
- Request for PIN, password or payment via SMS
- WhatsApp message from an unknown number claiming to be a family member in distress
Recognising vishing:
- Caller asks for login credentials, a one-time code or remote access via TeamViewer
- Caller claims to be from Microsoft, your bank or a government body and calls unexpectedly
- There is time pressure: "your account is being hacked right now"
Legitimate organisations never ask for your password, PIN or full payment details over the phone or via SMS. When in doubt: hang up and call back on the official number.
The STOP-THINK-REPORT rule
Employees don't need to be IT experts to recognise phishing. Teach them one simple rule:
- STOP - Don't click. Let the urgency settle.
- THINK - Does the sender check out? Is the link trustworthy? Was I expecting this?
- REPORT - Forward it to IT or the designated contact. Even if you're not sure.