The 10 Phishing Red Flags Your Employees Need to Know (2024)

Here are the 10 major phishing red flags that your employees should already be aware of.



DID YOU KNOW? 57% of organizations experience phishing attempts on a weekly or daily basis.

And last year there was a 1265% increase in phishing attacks.

The good news is: Research shows that a well-trained workforce is able to cut the cost of phishing by 50%.

Employee training and behaviors are both the biggest cost amplifier and mitigator of breaches...

Which means employee cybersecurity skills are absolutely vital.

Cost of a data breach

The cost of missing a phishing attack

  • The average cost of a data breach due to phishing is $4.76 million.
  • Settlements can cost hundreds of millions: Equifax ($575 million), Amazon ($875 million), Didi ($1.19 billion).
  • Publicly traded companies lost 7.5% in their stock values after a data breach, coupled with a mean market cap loss of $5.4 billion.
  • 60% of organizations that have experienced data breaches have had to raise their product prices.

Regardless of the tech you may have in place, the humans in your business will ultimately be your first line of defense against phishing.

Recognizing the signs of a phishing attempt is crucial for protecting your organization.

Employees at all levels must be equipped with the knowledge to identify and respond to these threats.

Below, we'll lay out the 10 major phishing red flags that your employees should already be aware of 👇

Phishing red flags your employees need to know 🚩

1. Suspicious email addresses

Suspicious email addresses are one of the most common indicators of phishing attempts...

And also one of the easiest to spot!

Cybercriminals will often craft email addresses that look like legitimate ones, but there are a few giveaways to watch out for.

Misspelled domains: attackers may use domain names that are near-identical to legitimate ones - changing just a single letter or adding a number.

Unfamiliar sender: Phishing emails will often come from unknown or unfamiliar email addresses.

Mismatched sender and domain names: Display names will often look legitimate, but the sender's email address doesn't always match the company's domain name.

Generic domain extensions: Phishing emails may come from generic or public email domains rather than the organization's own corporate domain.

Fake forwarded email: Some phishing attempts mimic forwarded emails with fake email chains to make the communication seem legitimate.

🔒 Best practices for employees

Verify the sender: If an email appears to come from a known contact, employees can verify by reaching out to them using an established phone number or email address (just make sure it's not the one in the suspicious email).

Check the domain: Encourage employees to look closely at sender's email addresses for misspellings or inconsistencies in the domain name.
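The sender-address checks above (misspelled or lookalike domains, display names that don't match the address, public webmail domains) can be turned into a simple triage script. The following is an added example written for this article, not code from the original post or from Hoxhunt; the trusted-domain allow-list and the public webmail list are constructed assumptions you would replace with your own organization's values.

```python
"""Sender-address red-flag checks (added example, not from the original post).

Assumptions (constructed for illustration):
  - TRUSTED_DOMAINS is the organization's own allow-list of legitimate domains.
  - PUBLIC_WEBMAIL is a small list of free webmail providers.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = ("example.com", "example.net")          # constructed allow-list
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed list


def edit_distance(a, b):
    """Classic Levenshtein distance; small enough to keep the script offline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return a list of human-readable red flags for a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ["unparseable address"]

    flags = []

    # Red flag: generic / public webmail domain instead of a corporate one.
    if domain in PUBLIC_WEBMAIL:
        flags.append("public webmail domain")

    # Red flag: near-identical domain (one or two characters changed, e.g. "1" for "l").
    # A threshold of 2 also catches "rn" standing in for "m"; expect some false
    # positives on very short domains and tune for your own allow-list.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(domain, trusted) <= 2:
                flags.append(f"lookalike of {trusted}")

    # Red flag: display name claims a trusted brand but the address is elsewhere.
    lowered_name = name.lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in lowered_name and domain not in TRUSTED_DOMAINS:
            flags.append(f"display name mentions {brand} but address domain is {domain}")
            break

    # Red flag: display name is itself an email address at a different domain.
    if "@" in name:
        name_domain = name.rpartition("@")[2].strip('"<> ').lower()
        if name_domain and name_domain != domain:
            flags.append("display name email differs from actual address")

    return flags


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in ('"Example Support" <support@examp1e.com>',
                   '"support@example.com" <attacker@gmail.com>',
                   "support@example.com"):
        print(header, "->", check_sender(header) or ["no flags"])
```

Run the file directly to see the flags for the three constructed headers; in a mail pipeline you would call `check_sender()` on the raw `From:` value and surface the returned strings to the reviewer or to a SIEM rule.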

2. Urgent or unusual requests

Phishing attacks will often use a combination of urgency and unusual requests to trick recipients into taking action without thoroughly verifying the email's legitimacy.

Attackers might tell employees that their account is being locked or that it has (ironically) even been hacked.

The more panicked someone is, the more likely they are to miss anything suspicious.

Sense of panic: Attackers aim to create a sense of urgency to induce panic and cloud judgment. This'll make targets more likely to take immediate action without proper scrutiny.

Request to bypass normal procedures: Urgent requests often push recipients to go around standard verification procedures to increase the likelihood of success.

Exploiting authority: Emails claiming to be from high-level executives with urgent demands are used to pressure recipients into complying quickly.

Uncommon requests: Phishing emails will often deviate from normal business processes or involve sensitive actions (e.g. wire transfers, sharing confidential information).

Urgent request example

🔒 Best practices for employees

Pause and assess: Employees should always take a moment to assess the situation. Attackers rely on haste, so simply taking time to properly review unusual emails will significantly reduce the likelihood of a successful phishing attempt.

Check internal policies: If in doubt, employees can refer to your company’s policies regarding requests for sensitive actions to ensure the request aligns with standard procedures.

3. Suspicious links or attachments

Once an employee opens a malicious email, the attacker still needs them to take one more step in order to steal sensitive information or download malware onto their device.

This is often done via links.

Phishing emails will contain a link that either downloads malware or takes users to a website/form designed to capture certain information (personal details, bank details, login credentials etc).

Although these can sometimes be hard to spot if attackers have made the effort to disguise them, there are a few things that usually give suspicious links away.

Mismatch between displayed and actual URLs: The link text in the email may appear legitimate, but the actual URL (revealed when hovering over the link) might not match up.

Hyperlink without any additional contents: Always be suspicious of emails that only contain hyperlinks with no extra detail.

Misspellings: Malicious links will sometimes contain very minor variations or misspellings to look like legitimate sites (.com becomes .org or .info).

Shortened URLs: Some attackers will use short URL services to mask the real destination of their phishing link. Services like Bitly, TinyURL, Tinycc allow users to shorten any URL.

Non-secure websites: Links leading to websites that do not use HTTPS (no padlock symbol in the browser) can be a sign of phishing, as legitimate sites typically secure their connections. However, this is not always the case: 20% of phishing sites actually utilize HTTPS.

Uncommon attachments: Attachments with unusual file types (.iso, .js, .scr) instead of common ones like .pdf or .docx may be grounds for suspicion.

Suspicious link example

🔒 Best practices for employees

Avoid clicking suspicious links: Employees should not click on links if they're unsure of their legitimacy.

Hover over URLs: By just hovering their mouse over links, employees will be able to view the actual URL. If it looks off or doesn't match the supposed sender’s domain, it shouldn't be clicked on.
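The "hover to reveal the real URL" advice is something a mail gateway or a reporting add-in can do automatically for every link in a message. The script below is an added example written for this article, not code from the original post or from Hoxhunt. It parses the HTML body of a message, flags anchors whose visible text names one domain while the href points at another, anchors that use the URL-shortening services named above, and plain-HTTP targets, and separately screens attachment names for the unusual extensions mentioned in the section. The sample email, the shortener hostnames and the risky-extension list are constructed for illustration.

```python
"""Link and attachment red-flag checks (added example, not from the original post).

Constructed assumptions:
  - SHORTENERS: hostnames of the shortening services named in the article.
  - RISKY_EXTENSIONS: a small illustrative list of executable-style extensions.
  - SAMPLE_EMAIL: a constructed HTML body, not a real phishing message.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "tiny.cc"}
RISKY_EXTENSIONS = {".iso", ".js", ".scr", ".exe", ".vbs", ".lnk"}

# Visible link text that itself looks like a URL or bare domain.
_URL_LIKE = re.compile(r"^(https?://|www\.)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

SAMPLE_EMAIL = """
<p>Your account has been locked.
   <a href="https://login.examp1e.com/reset">www.example.com</a></p>
<p><a href="https://bit.ly/EXAMPLE">Verify now</a></p>
<p><a href="http://example.net/invoice">Invoice</a></p>
<p><a href="https://www.example.com/help">https://www.example.com/help</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL or bare domain, lower-cased, with a leading 'www.' dropped."""
    parsed = urlparse(url if "://" in url else "//" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_links(html_body):
    """Return (href, reason) pairs for every anchor that trips a red flag."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = _host(href)
        # Displayed URL and real target disagree: the classic hover-to-check mismatch.
        if _URL_LIKE.match(text) and _host(text) and _host(text) != host:
            findings.append((href, f"link text shows {_host(text)} but target is {host}"))
        # Shortened URL masks the destination.
        if host in SHORTENERS:
            findings.append((href, "URL shortener hides destination"))
        # Plain HTTP is only a weak signal: the article notes many phishing sites use HTTPS.
        if urlparse(href).scheme == "http":
            findings.append((href, "target does not use HTTPS"))
    return findings


def check_attachments(filenames):
    """Return attachment names whose final extension (even after a double extension) is risky."""
    return [name for name in filenames
            if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
    print("risky attachments:", check_attachments(["report.pdf", "invoice.pdf.js", "setup.iso"]))
```

The HTTP check is deliberately kept as a low-weight finding: as the section says, a padlock proves only that the connection is encrypted, not that the site is genuine, so the text-versus-target mismatch and shortener checks carry more weight when deciding whether to quarantine a message.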

4. Poor grammar and spelling

Legitimate businesses usually have standardized templates and proofreading processes that mean spelling and grammar errors are fairly rare.

Phishing attacks may be evolving in sophistication, but often still slip up with grammar mistakes and bad spelling.

This is most likely a result of hastily composed phishing emails designed to bypass spam filters and reach the recipient quickly.

Non-native language use: Many phishing emails originate from non-native speakers of the language they are written in, which means they're more likely to contain grammatical errors and awkward phrasing that make them easier to catch.

Intentional errors: Some emails intentionally include errors to target less vigilant recipients who might overlook these mistakes and fall for phishing scams.

Generic greetings: Legitimate companies and colleagues usually address you by your name or title. Phishing emails often use generic greetings like "Dear Customer," "Dear User," or "Hello," because the attackers do not have access to your personal details.

Poor grammar example

🔒 Best practices for employees

Verify with the sender: If an employee receives an email with suspicious mistakes, they can reach out to the person or organization directly using a known phone number to find out whether or not the email is legitimate.

Email template guidelines: Provide employees with guidelines and templates for professional email communication, making it easier to recognize deviations that might indicate phishing.

5. Requests for sensitive information

Legitimate organizations typically don't ask for sensitive information, like passwords, social security numbers, or credit card details - especially not through unsolicited emails.

These organizations will usually have any information you've submitted already and are unlikely to randomly reach out to request further details.

Urgency and pressure: Phishing emails often rely on creating urgency so that recipients feel pressured to provide sensitive information that they'd usually think twice about.

Odd time stamps: Emails sent at unusual times (e.g., late night or very early morning) could indicate an attempt to bypass standard business hours when vigilance might be lower.

Impersonation: Most people are unlikely to pass their details over to a random person. So, attackers will impersonate trusted entities, such as banks, colleagues, or government agencies, to trick recipients into divulging confidential information.

Unsecure channels: Legitimate organizations use secure methods (e.g. secure websites, encrypted communication) to request sensitive information. Email is generally not a secure method for sharing this kind of information.

🔒 Best practices for employees

Do not respond: Employees should never provide sensitive information via email before verifying that the sender and their request are legitimate.

Be wary of sending information via email: Since most organizations won't ask you to disclose sensitive information via email, employees should always be wary of these requests and report them immediately - they're unlikely to be the only ones who received an email.

6. Unexpected invoice or payment requests

Unexpected invoice or payment requests are often used in phishing attacks to trick recipients into transferring money or giving away financial information.

Phishing emails posing as invoices issued by one company to another can be particularly tricky to spot.

They tend to use tactics like exploiting compromised email addresses to fly under the radar.

Lack of context: Genuine companies usually provide notice or context for invoices and payment requests. So, employees should be suspicious of any unsolicited requests.

Urgency and pressure: Legitimate requests generally won't create a sense of urgency or try to pressure recipients to make payments.

Unusual payment methods: Requests for payment via unconventional methods, such as wire transfers to unknown accounts, cryptocurrency, or gift cards.

Suspicious or unfamiliar details: The invoice may contain phishing red flags such as unfamiliar company names, incorrect details, or unusual formatting.

Payment request example

🔒 Best practices for employees

Review previous correspondence: Employees should check for previous correspondence or agreements related to the invoice or payment request.

Do not click links or open attachments: Make sure employees know not to click on any links or open attachments in the email - this could lead to malware or phishing sites.

7. Unusual or 'off-looking' design

Phishing emails often have design elements that can appear unusual or "off-looking" compared to legitimate communications.

Poor formatting: Legitimate emails from reputable organizations usually have consistent and professional formatting. Poor layout, inconsistent font styles, sizes, and colors can indicate a phishing attempt.

Low-quality images and logos: Phishing messages may contain low-resolution images or logos that look distorted or pixelated. Authentic emails generally use high-quality images.

Mismatched branding: Official emails adhere to a company’s branding guidelines. If the email design deviates from what you usually see (e.g., different colors, logos, or font styles), it might be a phishing attempt.

Inconsistent contact information: Contact details that differ from the official channels you know or look odd (e.g., personal email addresses or phone numbers not associated with the organization).

Unusual email design example
Source: CheckPoint

🔒 Best practices for employees

Compare with previous emails: Employees can compare the design and layout with previous emails from the same sender - looking for inconsistencies or deviations from the norm.

Contact the sender: Encourage employees to use established contact information to confirm whether or not the email is genuine.

8. Activity alerts

You're probably used to seeing phishing emails attempting to steal your personal information...

But in this rather ironic twist, attackers are now sending emails warning you about phishing attacks.

This method works for attackers because it's so simple.

These fraudulent messages appear to be a friendly warning from a trusted source.

Some of these campaigns are actually clone phishing attacks - they use duplicates of legitimate emails from legitimate companies to increase credibility.

Account compromise notifications: Fraudulent emails often claim there has been suspicious activity on your account and request you to click a link to verify or reset your credentials.

Request for immediate action: These emails usually include a call to action, such as clicking a link, providing login credentials, or verifying account details to resolve the supposed issue.

Urgency and panic: Unusual activity alerts aim to cause panic so that recipients click on links quickly without thinking.

Activity alert example

🔒 Best practices for employees

Review account activity: Employees can always log in to their account directly through the official website or app to check for any unusual activity.

Pay close attention to the sender's email address: Employees may be able to spot small anomalies in the sender's address. When it comes to phishing, the devil's often in the detail.

Do a little detective work before clicking: Employees should hover their mouse over the link to reveal the real URL it leads to (just make sure they don't actually click).

9. Requests from high-level executives

Emails that appear to come from high-level executives (often referred to as whaling phishing attacks) exploit the authority and urgency associated with executive requests.

Whaling phishing attacks are costing enterprises around $1.8 billion each year.

Attackers use sophisticated social engineering tactics and reconnaissance to create convincing, personalized messages that make these attacks particularly hard to spot.

Authority and urgency: Emails may use the name and email address of high-level executives (e.g., CEO, CFO) to create a sense of urgency and importance.

Generic or slightly off email addresses: The sender’s email address may look legitimate at first glance but might contain slight variations or misspellings that are easy to overlook.

Lack of context: Legitimate executive requests typically include context or background information. Phishing emails often lack this context or provide vague details.

Unusual time frames: Requests sent outside of normal business hours are a common phishing red flag.

Whaling example

🔒 Best practices for employees

Contact the executive directly: Employees should use a known contact method (e.g. phone call, official internal messaging system) to confirm the request with the executive.

Consult security team or IT department: If employees are unsure about the email’s authenticity, they should seek guidance from the IT/security team.

10. Unexpected calls

Phishing attempts are not limited to emails and can occur over the phone, often referred to as "vishing".

Vishing is a phone call where someone calls you and pretends to be an authority.

Attackers will use vishing to steal sensitive information, such as a verification code to gain access to your company's bank account.

Unsolicited nature: Unexpected calls from unknown or blocked numbers claiming to be from reputable organizations, such as banks or government agencies should generally be considered suspicious.

Requests for sensitive information: Phishing calls often involve requests for sensitive information, such as Social Security numbers, bank details, login credentials, or personal data.

Urgent or threatening tone: The caller may use urgency or threats to pressure you into providing information or taking action.

🔒 Best practices for employees

Never give away sensitive information in phone calls: If employees are unsure whether the request is legitimate, they should end the call and look up the organization's customer service number to verify whether the call was genuine.

Ask for contact details: Request the caller's name, department, and contact information. Do not use the contact details provided by the caller to verify their identity.

Preventing phishing attacks: best practices for businesses

Implement multi-factor authentication (MFA)

Although MFA won’t completely stop attacks, it significantly enhances security by requiring multiple forms of verification before granting access.

Use email security tools

Utilizing advanced email security tools is another crucial measure.

These solutions are designed to detect and block phishing emails before they even reach employees’ inboxes.

By filtering out potentially harmful messages, these tools reduce the risk of phishing attempts significantly, ensuring a safer communication environment.

Establish clear reporting channels

Clear reporting channels are vital for effective defense against phishing.

Establishing clear procedures for reporting suspicious emails and ensuring all employees are aware of these protocols is absolutely essential.

This ensures that any potential threats are quickly identified and addressed, preventing further damage.

Regularly update and patch software

Updates to software, systems, and antivirus programs often contain fixes that protect you against known vulnerabilities.

So, keeping everything updated ensures that the latest security measures are in place.

Make sure employees are marking suspicious emails

Marking emails as suspicious using your email client’s features helps to improve the organization’s email security filters.

This proactive approach not only protects the individual employee but also enhances the overall security of the business by refining the detection systems against future attacks.

Invest in employee training

Traditional security training often falls short when it comes to changing employee behavior.

Habits aren't built on cookie-cutter training content and punishing those who fail simulations.

When assessing vendors, look for solutions that offer personalized learning paths.

This essentially just means tailoring your training to employees' individual role, location and skill level.

If someone has failed a few simulations, you'll be able to send them easier ones to build up their expertise and confidence before increasing the difficulty.

This is how organizations using Hoxhunt tend to see:

  • 20x lower failure rates
  • 90%+ engagement rates
  • 75%+ detect rates

Here's why effective phishing training matters

No matter what tools or software you put in place, humans will always be your biggest security risk.

Human error is responsible for anywhere between 70% and 100% of incidents.

To reduce this human risk, you'll need to make sure your training is actually effective.

Here are the key ingredients of training that works:

  • Frequent training
  • Short and digestible training (ideally 5-7 mins each time)
  • Personalized content
  • Simulations up to date with latest cyber threats
  • Rewards-based and engaging

This is why here at Hoxhunt, we built a security awareness and phishing training solution that measurably changes behavior...

And engages your employees with personalized, rewarding micro-trainings that they genuinely enjoy.

  • Automate your workload: Let Hoxhunt's AI do the heavy lifting, or operate your training program on your own.
  • Training library up-to-date with latest threats: Stay at the cutting edge of the constantly evolving threat landscape as our global threat intel team turns real phish into powerful phishing simulations.
  • Create a strong security culture: Build a resilient culture on secure habits and measurable behaviors by rewarding employees for reporting phishing attacks - with powerful dashboards to identify elevated risk areas.