How to Spot a Phishing Email Before Your Team Clicks It
Phishing emails are getting scarily good. Gone are the days of obvious Nigerian prince scams — today's phishing emails look like they're from Revenue, from your bank, from Microsoft, even from your own boss.
I've seen Irish businesses lose thousands because one employee clicked a link in a convincing email. Here's how to make sure your team doesn't fall for it.
Check the sender address carefully. The display name might say "Revenue.ie" but the actual email address could be revenue-notices@randomdomain.com. Hover over the sender name to see the real address. If it doesn't match the organisation, it's fake.
Look for urgency and threats. "Your account will be suspended in 24 hours." "Immediate action required." "You have an outstanding fine." Legitimate organisations rarely email you with panic-inducing deadlines. Revenue will send you a letter, not a threatening email.
Hover before you click. Before clicking any link, hover over it. Does the URL match where it claims to go? If a "Microsoft" email links to microsoft-login-secure.dodgysite.com, that's a phishing attempt.
Watch for poor grammar and odd formatting. While phishing emails are getting better, many still have subtle errors — unusual spacing, slightly wrong logos, or language that doesn't quite sound right.
Be suspicious of unexpected attachments. If you weren't expecting a document from someone, don't open it. Call them directly to verify.
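The sender-address and hover checks above can also be automated in a mail triage script. This is an added example, not part of the original article: it runs Python's standard library over a constructed message built from the article's example addresses, and the function names and the simple two-label domain comparison are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the domains are the article's own examples.
SAMPLE = '''From: "Revenue.ie" <revenue-notices@randomdomain.com>

<a href="http://microsoft-login-secure.dodgysite.com/">https://login.microsoft.com</a>
<a href="https://www.revenue.ie/">Revenue home page</a>
'''
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def base_domain(host):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def claimed_vs_real(shown_text, real_host):
    """(claimed, real) if the text names a domain other than the real host, else None."""
    m, real = DOMAIN_RE.search(shown_text), base_domain(real_host)
    claimed = base_domain(m.group()) if m else real
    return (claimed, real) if claimed != real else None

def sender_mismatch(msg):
    name, addr = parseaddr(msg.get("From", ""))  # display name vs actual address
    return claimed_vs_real(name, addr.rpartition("@")[2])

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.links[-1][1] += data  # visible link text, i.e. what the reader sees
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def link_mismatches(html):
    parser = LinkCollector()
    parser.feed(html)
    hits = (claimed_vs_real(text, urlparse(href).hostname or "") for href, text in parser.links)
    return [h for h in hits if h]

msg = message_from_string(SAMPLE)
print(sender_mismatch(msg), link_mismatches(msg.get_payload()))
```

A hit here means the message deserves a closer look, not that it is proven malicious; links whose visible text names no domain, such as the second one in the sample, are not flagged.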
The best defence is a cautious team. I run security awareness sessions for Irish businesses — practical, no-jargon training that teaches your staff what to look for. One hour could save your business from a very expensive mistake.
If you've received a suspicious email and aren't sure, forward it to me. I'll tell you in seconds whether it's legitimate or not.