Phishing emails have become harder to spot. Attackers mimic your suppliers, your team, or even Microsoft. The red flags are still there—but they’re buried under fake branding, tone-matching subject lines, and rushed morning inboxes.
This guide walks through the most common email phishing red flags, and what you can do to protect your business. It’s for SME owners and managers, not IT specialists.
Why Email Is the Favourite Route for Attackers
Email is cheap. You don’t need to hack anything. You just need one click.
Cybercriminals often use phishing—emails designed to trick you into giving away login details, money, or data. It’s still the most common cause of business breaches.
10 Email Phishing Red Flags That Get Missed
These red flags don’t require technical knowledge—just a habit of checking before acting:
Strange sender email addresses
Often one letter off or using odd domains, like micros0ft-support.com. Always check the full email address.
Urgency or pressure tactics
Messages saying “Your account will be locked in 1 hour” are designed to panic you. Pause before responding.
Unexpected attachments or links
A file you weren’t expecting or a link to a “secure document” is often bait. Don’t open or click unless you’re sure.
Requests for login info
No real company asks you to confirm your password or login by email. This is a common phishing tactic.
Generic greetings and poor grammar
Emails starting with “Dear customer” or containing basic errors signal a rushed or fake message.
Branding that looks almost right
Logos and signatures copied from real businesses can still be fake. Don’t trust visuals alone.
Mismatch between display name and email address
It might say “Finance Team,” but the email is from a random domain. Always check beyond the name.
Odd or unexpected timing
A finance request at 3am or on a UK bank holiday should raise questions.
Unfamiliar invoices or payment demands
Fake supplier emails often include realistic-looking invoices. Contact the real supplier before taking action.
Too-good-to-be-true offers
Surprise refunds, gift cards, or offers with no context often lead to scams. Delete them.
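For whoever looks after your email, two of these checks (strange sender addresses, and a display name that doesn't match the address) can be automated. The script below is an added example, not part of the original guide or any Microsoft tool; the trusted domains, protected display names and sample senders are constructed assumptions you would replace with your own.

```python
from email.utils import parseaddr

# Assumptions (constructed for this example): domains you really deal with,
# and display names that should only ever arrive from those domains.
TRUSTED_DOMAINS = ("microsoft.com", "supplier.example")
PROTECTED_NAMES = ("finance team", "microsoft")

# Digits commonly swapped for letters in look-alike domains.
LOOKALIKE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return a list of red flags found in one From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return []
    flags = []
    normalised = domain.translate(LOOKALIKE_CHARS)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand name embedded in another domain, or a near-miss spelling.
        if brand in normalised or edit_distance(normalised, trusted) <= 2:
            flags.append(f"look-alike of {trusted}: {domain}")
    if any(p in name.lower() for p in PROTECTED_NAMES):
        flags.append(f"display name '{name}' sent from untrusted domain {domain}")
    return flags


if __name__ == "__main__":
    for header in ("Microsoft Support <help@micros0ft-support.com>",  # constructed
                   "Finance Team <jane@randommail.example>",          # constructed
                   "Accounts <accounts@supplier.example>"):           # constructed
        print(header, "->", check_sender(header) or "no flags")
```

Trusted domains are matched exactly, so a genuine subdomain of a trusted sender needs its own entry in the list or it will be flagged.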
Microsoft, Gmail, or Anything Else—Scammers Don’t Care
If your business uses Microsoft 365, scammers target it. It’s widely used and holds valuable access to business systems. But they send these attacks to all platforms—Google, Yahoo, private mail servers—using automated tools.
AI now helps scammers get more convincing. They scrape your website or LinkedIn and adjust tone, names, and timing to increase the chance of success.
No email system is immune.
Even Microsoft Defender or Google’s filters can’t catch every well-crafted phishing attempt. They’re useful. But you need user awareness too.
What You Can Do Right Now
Start by encouraging your team to pause before clicking. Most phishing emails rely on urgency—training people to stop and check is one of the simplest ways to reduce risk. You can also add a banner to emails that come from outside your organisation, which is easy to do in Microsoft 365. This gives staff a clear visual cue when something might need a second look.
Make it straightforward for people to report suspicious messages. A shared inbox or even a WhatsApp group for questionable emails can work. If you’re not already using multi-factor authentication (MFA), it’s worth adding—especially to accounts with admin access. MFA adds a layer of protection if login details are stolen. Check your existing email security settings too. Microsoft 365 includes anti-phishing policies that aren’t always turned on by default.
Finally, instead of long training sessions, send short reminders or examples each month. These are quicker for staff to digest and easier to stick with.
What We Do
We work with SMEs around Wiltshire to reduce email risks before they cause damage. That means setting up filters and banners that catch the most common scam tactics, tuning Microsoft 365 settings properly, and helping teams build better habits through plain-English guidance. If your team gets a suspicious message, we can take a look and confirm whether it’s safe. And if you’ve never reviewed your email security setup, we’ll walk you through what you need—and what’s missing—without trying to sell you tools you don’t need.
Could You Spot It?
You’ve probably had one of these emails this month. Could your team spot it? Would you?
If you’d like us to check your current setup, send us a message. We’ll take a look at your Microsoft 365 email settings and point out what’s missing—or fix it for you.
Got a dodgy email right now? Forward it to us. We’ll tell you if it’s fake.
Further reading: Multifactor authentication