Learn to spot the warning signs of phishing emails before clicking any links or opening attachments.
Recognising Phishing Emails
Phishing is the most common entry point for cyberattacks worldwide. It uses deceptive emails to trick you into revealing credentials, clicking malicious links, or opening dangerous attachments.
How a Phishing Attack Works
Anatomy of a Phishing Email
The best way to protect yourself is to know what red flags to look for. Here is a real-world example broken down:
⛔ Important
Never click links or open attachments in unexpected emails — even if the sender appears legitimate. Attackers can spoof display names perfectly. The domain in the email address is the only reliable indicator, and even that can be faked with lookalike characters.
Red Flags Checklist
| Red Flag | What to Look For |
|---|---|
| Sender domain | Does the domain after @ match the real company exactly? |
| Urgency / threats | “Act now or lose access” — legitimate companies don’t demand this |
| Unexpected attachment | Were you expecting this file? .zip, .exe, .doc with macros are high risk |
| Hover URL | Hover over links — does the real URL match the display text? |
| Generic greeting | “Dear Customer” instead of your name suggests a mass phishing blast |
| Request for credentials | No legitimate service will ever ask for your password via email |
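The "Sender domain" and "Hover URL" rows of the checklist can also be checked mechanically, for example by a mail administrator triaging a reported message. The sketch below is an added example, not part of the original article; the function names, the expected domain `bank.example` and the sample message are constructed for illustration.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

def sender_flags(from_header, expected_domain):
    """Checklist row 'Sender domain': exact match and no lookalike characters."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    flags = []
    if not domain.isascii() or any(p.startswith("xn--") for p in domain.split(".")):
        flags.append("lookalike characters in sender domain")
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        flags.append("sender domain does not match " + expected_domain)
    return flags

class _Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").removeprefix("www.")

def link_flags(html_body):
    """Checklist row 'Hover URL': display text names one host, href opens another."""
    parser = _Links()
    parser.feed(html_body)
    flags = []
    for href, text in parser.links:
        # Only compare when the visible text itself looks like a URL or domain.
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != _host(href):
            flags.append(f"link shows {shown} but opens {_host(href)}")
    return flags

# Constructed sample (not from a real campaign); \u0430 is Cyrillic "а", not Latin "a".
SAMPLE_FROM = "Example Bank <security@b\u0430nk.example>"
SAMPLE_HTML = '<p>Dear Customer, <a href="http://login.example.net/verify">www.bank.example</a> <a href="https://bank.example/help">Help</a></p>'

if __name__ == "__main__":
    print("\n".join(sender_flags(SAMPLE_FROM, "bank.example") + link_flags(SAMPLE_HTML)))
```

A clean result from these two checks does not make a message safe; the other rows of the checklist still apply.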
Spear Phishing vs Mass Phishing
- Mass phishing — sent to millions, generic content, relies on volume
- Spear phishing — targeted at a specific person, uses your name, employer, role, or recent activity scraped from LinkedIn. Far more convincing and dangerous.
⚠ Warning
Modern spear phishing emails are written using AI and personalised with information scraped from LinkedIn, company websites, and social media. They contain no spelling mistakes, use your real name, and reference your actual employer. Appearance alone is no longer a reliable trust signal.
What To Do With a Suspicious Email
- Don’t click any links or open attachments
- Report it to IT using your organisation’s reporting method (e.g., the “Report Phishing” button in Outlook)
- Delete it after reporting
- If you accidentally clicked — tell IT immediately. The sooner they know, the faster they can contain any damage.
✓ Key Point
When in doubt, go directly to the website by typing the address in your browser — never via the link in the email. If the email claims to be from your bank, open a new tab and navigate to the bank’s website yourself.
Would your team click it?
One convincing phishing email is all it takes to hand an attacker your inbox — or your whole business. Mobile Techs IT Service helps Gold Coast businesses stay off the hook: email security and spam filtering, correctly configured SPF, DKIM and DMARC, phishing-awareness training for staff, and rapid response if someone has already clicked. Home users welcome too — on-site or remote, anywhere in Australia.

