Phishing emails have come a long way since the days of badly spelled Nigerian prince scams. Today’s attacks are often subtle, well-crafted and worryingly convincing - and that makes them dangerous.
Whether you run a business, manage client accounts or just have a lot riding on your inbox, phishing matters. It’s one of the most common causes of data breaches worldwide, and it only takes one click to put your data, clients or reputation at risk.
Here's how to spot a phishing attempt, avoid falling for one and respond quickly if something slips through.
How to spot a suspicious email
Not every phishing email looks like a scam. Some are so convincing they even fool experienced users. But most have subtle tells, and knowing what to look for can save you a lot of trouble.
Poor formatting or odd language
Spelling errors, unusual grammar or phrasing that feels “off” can be a giveaway - especially if the sender claims to be from a large company or institution. Is that email really coming from your credit card company? Does your boss regularly misspell their own name?
Urgency or scare tactics
Phishing emails often try to rush you into action: “Your account will be closed in 24 hours” or “Unusual activity detected - click now”. If it’s pressuring you, be cautious. It doesn’t matter how important it is to click on that link – you can take five minutes to check.
Generic greetings
Emails that start with “Dear customer” or “Hello user” instead of your name are often phishing attempts. Most legitimate senders personalise their messages. Even if you signed up with your name as “Spam Spamington”, legitimate senders will start with “Dear Spam”.
Suspicious links
Before clicking, hover over any link. Does the URL match the site it claims to be? If not, don’t touch it. This goes for misspellings, subdomains, and exotic characters. Is that “n” really an “n” or is it an “п”?
Unexpected attachments
Files you weren’t expecting - especially .exe files, zip archives, or macro-enabled documents - should raise red flags. Even if they appear to come from a known sender, double-check. That software they want you to download isn’t going to make your job easier – it’s just going to create more pain.
How to handle links and attachments
Phishing emails often rely on one of two things: getting you to click a link or download a file. Here's how to deal with both:
Hover to preview
Always check where a link actually goes. If it looks unrelated to the company, unfamiliar or just odd, leave it alone. Think about it. Would the company really use [company name].totallynotascam.com?
Avoid shortened links
URL shorteners like bit.ly or tinyurl can hide malicious destinations. Be extra cautious about clicking when you see them, especially in places they’re not commonly used. Social media, maybe. Emails? Never.
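As an added example (not code from the original article), here is a small Python helper that applies the link checks above to a hovered URL: does the registered domain match the site it claims to be, is the brand name buried in a subdomain ([company name].totallynotascam.com), are there exotic non-ASCII or punycode characters in the host, and is it a shortener? The organisation domain example.com, the shortener list and the sample URLs are assumptions constructed for the example.

```python
"""Triage a hovered link the way the article describes."""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed values for this example: the organisation's real domain and
# the two shorteners the article names.
EXPECTED_DOMAIN = "example.com"
SHORTENERS = {"bit.ly", "tinyurl.com"}


def registered_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'login.example.com' -> 'example.com'.
    Simplification: multi-part suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(url: str, expected: str = EXPECTED_DOMAIN) -> list[str]:
    """Return the red flags found in url; an empty list means none were found."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    findings = []
    if parts.scheme not in ("http", "https") or not host:
        return ["not a normal web link"]
    # Exotic characters: a Cyrillic 'п' or any other non-ASCII letter in the
    # host, or a punycode label (xn--), which is how such hosts travel in mail.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("non-ASCII or punycode characters in host name")
    domain = registered_domain(host)
    if domain in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    if domain != expected:
        # Brand used as a subdomain: example.com.totallynotascam.com
        if expected in host or expected.split(".")[0] in host.split("."):
            findings.append(f"'{expected}' appears only as a subdomain of {domain}")
        # Near miss on the registered domain itself: exarnple.com
        elif SequenceMatcher(None, domain, expected).ratio() >= 0.8:
            findings.append(f"{domain} is a lookalike of {expected}")
        else:
            findings.append(f"host {domain} does not match {expected}")
    return findings


if __name__ == "__main__":
    # Constructed sample links, one per check described in the article.
    for sample in ("https://login.example.com/reset",
                   "https://example.com.totallynotascam.com/login",
                   "https://exampпe.com/login",
                   "https://bit.ly/3abc"):
        print(sample, "->", link_findings(sample) or ["no red flags"])
```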
Don’t click unless you're sure
If something feels off, stop. Contact the sender another way and ask them about the email. For example, if it says your account’s about to be cancelled, open up a new browser window and log into your account directly. And then tell them about the email.
Use built-in reporting tools
Gmail and most major email services have built-in options to report phishing. Using these tools helps others stay safe too. Most phishing campaigns scattershot their messages across entire platforms, but they only need one bite to make it work.
Staying safe with passwords
Phishing attacks are often after your login credentials. The best defence is to make sure a stolen password won’t get an attacker very far.
Use a password manager
This makes it easier to create strong, unique passwords without having to remember them all. You can choose an online one that works via a browser extension, or an offline one you keep on your hard drive.
Never reuse passwords
If one account is compromised, reused credentials make it easy for attackers to access others. Make sure each site has its own unique password.
Enable two-factor authentication (2FA)
Even if your password is stolen, 2FA adds a second barrier before access is granted. Whether this is an authenticator app on your phone, a hardware security key you plug into your computer, or a code sent to your phone or email, it’s extra protection.
Invalidate old sessions
If you change your password, log out of all devices. This ends any sessions an attacker may already have open. You’ll have to log in again for anything you’re using elsewhere, but it’ll also save you plenty of trouble.
What to do if you’re not sure
Sometimes it’s genuinely hard to tell. Here’s what to do when an email seems suspicious, but not obviously fake:
Confirm with the sender through another method
Call them. Message them on Slack. Text them. Don’t reply directly to the email if you're unsure, as that’ll go straight to the scammer, who will, obviously, tell you that it’s perfectly safe.
Ask your team
Post a screenshot in your team’s security or IT channel. If it’s real, someone else will know. If it’s fake, you’ve just helped stop it spreading, and they can inform the rest of the company right away.
Don’t trust appearances
Some phishing emails spoof logos, names and signatures perfectly. If it asks for sensitive info, double-check before inputting anything.
If you think you’ve been compromised
Accidents happen, and fast action matters more than blame. If you’ve clicked something dodgy or entered details where you shouldn’t have:
Change your passwords immediately
Start with the affected account, then others if you’ve reused credentials. And stop reusing those credentials! You have been warned!
Tell your manager or IT contact
Early reporting helps stop an attack from spreading. The sooner the team knows, the faster they can respond, whether it’s blocking that sender, informing the rest of the company, or locking down sensitive information.
Write down what happened
Make sure the team have as much information as you can remember. What you clicked, when you did it, and what info you entered. This helps with investigation and damage control.
Watch for follow-up attacks
Monitor your accounts for anything unusual - login alerts, changed settings, strange messages. These can be signs an attacker is trying to move further in. If you don’t remember buying a large pink toy elephant, you need to check your Amazon account.
Final tips for staying vigilant
Phishing isn’t going away, but staying alert can make you much harder to fool.
Keep your software up to date
Make sure you’ve updated your browser, OS, antivirus and email clients - updates often include important security patches built to protect you from the latest problems.
Stick to official tools
Use your company’s file-sharing systems instead of external or personal services for sensitive work. It might seem easier to send files back and forth on your personal Dropbox, but it just takes one scammer and suddenly all your client details are out in the wild.
Trust your gut
If an email feels off, don’t be afraid to ask. A quick check now could save hours of cleanup later, not just for the security team, but for you as well.
Review your own habits
Phishing isn’t just a problem for big corporations. It targets individuals, small businesses and freelancers every day. The best way to protect yourself is to stay informed, stay cautious and build better habits around email and account security.
If you’ve read this far, take a minute to think: are you doing enough? Is everyone on your team? Now might be a good time to check.
About the author
Darren H
I'm Darren and I'm the Senior Copywriter at Krystal. Words are what I do. Aside from writing, I play guitar and sing in my band Machineries Of Joy, work on getting my 2nd Dan in Taekwondo and seek adventure with my wife and daughter.