Phishing emails don’t look like obvious scams anymore. Here’s what to watch for — and what to do when something feels off.
Phishing remains the single most common way cybercriminals get into small business or church systems. And today’s phishing emails have come a long way from poorly written messages promising lottery winnings. Modern phishing attempts often look like invoices, shipping notifications, password reset requests, or even messages from a coworker or your boss.
The good news is that most phishing attempts share common warning signs — once your team and volunteers know what to look for, spotting them becomes second nature. Here are the seven red flags worth printing out and sharing with everyone on your team — staff and volunteers alike.
1. A Sense of Urgency Threat
“Your account will be suspended in 24 hours.” “Immediate action required to avoid late fees.” “Unusual sign-in detected — verify now.” Urgency is one of the most reliable tools in a scammer’s playbook, because it pushes people to act before they think.
When you feel that flash of panic while reading an email, treat it as a cue to slow down — not speed up. Legitimate organizations rarely demand split-second action over email.
2. A Sender Address That Doesn’t Quite Match
The display name might say “Microsoft Support” or “Your Bank,” but the actual email address behind it tells a different story — often a string of random characters, a slightly misspelled domain (like “arnaz0n.com”), or a free email service that a real company would never use for official communication.
Always check the full sender address, not just the display name. On most devices, tapping or hovering over the sender’s name reveals the real address.
3. Genereic Greetings
“Dear Customer,” “Dear User,” or no greeting at all — from a company you actually do business with — is a signal worth noticing. Legitimate businesses you have an account with typically use your name. Scammers sending mass emails often can’t (or don’t bother to).
4. Links That Don”t Go Where They Claim
A button that says “View Invoice” might lead somewhere completely different from what it claims. Before clicking any link in an email — especially one asking you to log in or enter information — hover over it (on desktop) or press and hold (on mobile) to preview the actual destination.
If the link address looks unfamiliar, misspelled, or unrelated to the company it claims to be from, don’t click it. When in doubt, go directly to the company’s website by typing the address yourself.
5. Unexpected Attachment
An invoice you weren’t expecting, a “shipping label” for something you didn’t order, or a “resume” for a job you didn’t post — unexpected attachments are a common way to deliver malware. If you weren’t expecting a file from someone, verify with the sender through a different channel before opening it.
6. Requests to Change Payment or Account Details
One of the costliest scams involves a message — sometimes appearing to come from a real vendor or even your own CEO — asking to update bank details for an upcoming payment, or requesting an urgent wire transfer or gift card purchase.
Churches see a frequent variant of this scam: an email that looks like it’s from the pastor or a ministry leader, urgently asking a staff member or volunteer to buy gift cards, wire money, or redirect a donation. The same rule applies — pause and verify.
Any request to change payment information or move money should be verified by phone, using a number you already have on file — never a number provided in the email itself.
7. Offers That Are Too Good to Be True
Unexpected refunds, free prizes, exclusive deals that require “quick action” — if an offer seems unusually generous for an email you weren’t expecting, it almost certainly is. These messages are designed to create excitement that overrides caution.
What To Do When You Spot a Phishing Attempt
Spotting a red flag is only half the battle — what you do next matters just as much:
- Don’t click any links or open any attachments.
- Don’t reply — even to “unsubscribe,” which can confirm your email is active.
- Verify independently by contacting the company or person through a known phone number or website.
- Report it to your IT provider or designated point person.
- Delete it once it’s been reported and addressed.
Phishing works because it exploits trust and habit, not technical weaknesses. The best defense is a team that pauses, checks, and asks questions — and feels comfortable doing so without fear of looking foolish. A culture where “let me double-check that” is normal can stop an attack before it ever starts.