The email looks right. The logo checks out. The sender's name is someone you recognize, and the message is asking you to click a link or approve a payment — right now, before something bad happens.
That combination — familiar branding, a reasonable-sounding request, manufactured urgency — is the standard phishing formula. It works often enough that email remains the most common entry point for attackers targeting small businesses.
Most phishing emails share the same handful of tells: a sender address that doesn't match the organization it claims to be from, a link pointing somewhere unexpected, a request for money or credentials, and language designed to make you act before you think. Running five quick checks before clicking takes about 10 seconds and stops most attacks before they cause damage. No technical background is required.
Forward this to your team. Post it near the printer if that helps. The goal is to make these checks automatic.
The 10-second checklist
Run through these before you click any link, open any attachment, or act on any request an email puts in front of you.
1. Check the actual email address, not just the sender name
The display name — what appears as the sender — can say anything. "Chase Bank," "Your Payroll Team," or "Office Manager" costs an attacker nothing to fake. Click or tap on the sender's name to reveal the full email address behind it.
Ask: Does the domain after the @ match the organization's real website? An address ending in anything other than "@chase.com" is not Chase, no matter how official the part before the @ looks.
2. Read the domain one character at a time
Attackers register domains designed to look almost right: the letter "l" replaced with the number "1," words like "billing" or "accounts" inserted, or the suffix swapped (".net" instead of ".com").
Ask: Does every character in the domain match exactly what you would expect from that company?
3. Hover over links before you click
On a desktop, hovering your cursor over a link — without clicking — reveals the actual destination URL in the status bar at the bottom of the browser or mail window. That address is what matters, not the linked text.
Ask: Does the URL match the company the email claims to be from? An unfamiliar domain or a string of random characters means stop. On a phone, press and hold the link to preview the destination URL before tapping.
4. Notice urgency and pressure
"Your account will be closed in 24 hours." "Immediate action required." "Payment overdue — respond now." These phrases are pressure tactics designed to make you skip every other check on this list. Legitimate organizations give you time to respond.
Ask: Is this email pushing you to act before you think? That is exactly when the checklist matters most.
5. Treat any request for money or credentials as automatically suspicious
No bank, payroll platform, software vendor, or IT team will ask you to confirm a password, enter banking details, or approve a wire transfer in an unsolicited email. Gift card purchase requests are also a common scam pattern.
Ask: Is this email requesting a password, account number, payment approval, or gift cards? If yes, stop — and call the sender directly using a number you already have on file, not one listed in the email.
6. Think before opening attachments
An unexpected invoice, a contract from an unfamiliar contact, a voicemail delivered as an audio file — these are standard methods for delivering malware. A real person sending you a file will usually explain why in the body of the email.
Ask: Were you expecting this attachment? Is there a clear, specific reason it was sent?
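Checks 1 to 3 can be automated for anyone who triages reported mail. The script below is an added example, not part of the original checklist; it assumes a constructed list of trusted domains (TRUSTED_DOMAINS) and illustrative lookalike addresses, and it recognises the same three tells the checklist describes: the real address behind a display name, digit-for-letter and inserted-word lookalikes, and link text that names one domain while pointing at another.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed allow-list: the domains your organisation actually deals with (assumption).
TRUSTED_DOMAINS = {"chase.com", "yourcompany.com"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})  # undo "l" vs "1" swaps (check 2)
FILLER = re.compile(r"billing|accounts?|secure|support|verify|login|-")  # bolted-on words ("chase-billing")

def sender_domain(from_header):
    """Domain of the real address behind From:, ignoring the display name (check 1)."""
    addr = parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def registrable_name(domain):  # assumption: one-label suffixes only (co.uk is not handled)
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain

def lookalike_reason(domain, trusted=TRUSTED_DOMAINS):
    """Why `domain` resembles a trusted one (check 2); None for an exact match or no resemblance."""
    if domain in trusted:
        return None
    name = registrable_name(domain)
    norm = name.translate(HOMOGLYPHS)
    for t in trusted:
        tname = registrable_name(t)
        if name == tname:
            return f"suffix swapped, mimicking {t}"
        if norm == tname:
            return f"digit-for-letter substitution, mimicking {t}"
        if FILLER.sub("", norm) == FILLER.sub("", tname):
            return f"extra words inserted, mimicking {t}"
    return None

def link_mismatch(link_text, href):
    """True when the visible link text names a domain other than the real destination (check 3)."""
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", link_text.lower())
    if not shown:
        return False  # "Click here" shows no domain to compare; hovering is still required
    host = (urlparse(href).hostname or "").lower()
    return not (host == shown.group(0) or host.endswith("." + shown.group(0)))

def triage(from_header, links, trusted=TRUSTED_DOMAINS):
    """Run checks 1-3 over one message; returns human-readable flags (empty list = nothing found)."""
    dom = sender_domain(from_header)
    reason = lookalike_reason(dom, trusted) if dom else "no real address behind the display name"
    flags = [f"sender domain '{dom}': {reason}"] if reason else []
    for text, href in links:
        if link_mismatch(text, href):
            flags.append(f"link text '{text}' actually goes to {urlparse(href).hostname}")
    return flags
```

An empty result means only that these three mechanical tells were absent; the urgency, money and attachment checks still need a human.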
What to do when something looks wrong
Stop. Do not click, download, forward, or reply.
If your email client has a "Report Phishing" button — available in both Outlook and Gmail — use it. Otherwise, forward the message to whoever manages your IT before you take any further action.
If you already clicked something: say so immediately. The sooner your IT team knows, the faster they can respond. Waiting does not help.