How do I know if an email is a phishing attempt?

The heading of this blog is one  of the questions I am asked quite frequently in my security and password sessions. Specifically, how I tell personally,  if an email is a phishing attempt- and what advice I give for managers to take back to their teams and any future staff around dealing with phishing attempts. Phishing and preventing people from being taken in by scammers is something of a focus for us – we’ve even previously written about phishing on this blog specifically from a small business perspective Phishing: The Small Business Lowdown. So we’ve put together our Phishing Check List for business teams.

Whilst not exhaustive by any means, this list has served me, and my team well.

Here’s my check list –  if something doesn’t look right to me, in my inbox , this is usually how I evaluate and deal with it. Admittedly, the items have become second nature – so I don’t necessarily need a physical check list – but in case you, or your staff do – there’s a downloadable printable PDF at the end of this article.

There are 7 points – the detailed explanations follow.

Check List

  1. Are you expecting this email?
  2. Does the “From” email address look legit?
  3. Is there a misplaced sense of urgency in the email ?
  4. Google Search is your friend. Use it.
  5. Are there multiple typos, and massive grammar inconsistences in the email?
  6. When you hover over the link (or links) what does the preview show you for the address?
  7. If all else fails – check with the company that appears to have sent the email.

The Detailed explanations

  1. Are you expecting this email ?

Email is used to validate identity when new accounts or profiles are created , so often you may be sent an email with a “validation” link in it to confirm your email address and thus if you have just signed up for a new profile or online shopping account – then, yes, the email may be expected. And it’s highly unlikely to be a phishing attempt. Don’t overthink this one. If you’re not expecting a validation email, or a confirmation of identity for anything, then move on.

  1. Does the From email , in all its variations look legit ?

Most email clients (the programs we use to read and work with emails , rather than the actual email exchange ) have tools where you can look at the details of the sender – it can be confusing as sometimes there is a “via” or the reply-to email looks different . Generally what you want to see here is that the email address you see in the name, has the same domain as the company or the sender, and that the reply to address isn’t necessarily completely different. Also if there is a “via” displayed that makes sense.

It’s not always a problem if the email has come via another channel – for example Bank of Melbourne emails are sent to their clients via the St George email servers, so they all arrive with “via” in the from address. Again – it’s not a problem if it makes sense, and you know that the company details are correct.


Phishing emails sometimes come via a channel that they do not belong to- it’s a warning flag if you see a “via” in the From address that doesn’t make sense and doesn’t look legit.


3. Is there a sense of urgency, related to a deadline or time limit that feels wrong.

Assuming that this is not a validation email of some kind ( see 1. ) that you are expecting , another red flag is when an email purportedly from a bank or another financial institution arrives, demanding a login, for security purposes – and there is a limit or a deadline associated with this login.

Creating a false sense of urgency by threatening to cut off access is a very big warning flag. Assuming that you have not been ignoring notices for weeks from the company in question (don’t laugh, people don’t read anything that comes from a Corporate, even the legit stuff)

  1. Google Search is your friend. Use It.

When in doubt about the sender, the reply-to or the via – use Google Search to find out info about the company and the details shown.

As an example – if you did not know that Bank of Melbourne emails are sent via St George – go to google search and type in “ Connection between St George and Bank of Melbourne” – the search results should verify that

a) yes there is a connection between the banks and

b) in fact Bank of Melbourne is simply a rebranded St George …

which means that – we can safely assume the via is not a problem

  1. Is the email badly written ?

Emails and communications go through several layers of checks and several different team members and managers before being signed off, and then sent. This is particularly true in larger corporates.

Spelling errors, and incredibly bad grammar are almost guaranteed not to happen.

It’s a massive warning red flag when there are a large number of typos, spelling errors and bad grammar in an email that’s meant to be coming from a corporate.

  1. What does the link Preview tell you?

Most browsers will show you a preview of the link if you hover your mouse over the link or button – it looks like this –

Screenshot of Learn More link from an email with the URL displayed by the mouse hover

Occasionally you can’t do this as  the links are shortened by services such as or – however, if they are not shortened then, you can see where you’re going before you click.

  1. Check on the website for the vendor, or call your contact

After all of that – if you’re still not sure – either go directly to the website, login and check for any notifications , or pick up the phone and call whomever you normally speak to.

If the email is from a bank, or larger company – call up their call centre – and ask about the email. If it’s legit, they’ll be able to help you with the details.

Phishing Check List

There you have it – the list , plus explanations of the steps we follow to assess a suspicious email.

Opt in below ( to be notified about our corporate and business team training and workshops ) – and we’ll send you a printable copy of this checklist ( 4 copies per A4 Page).

Phishing : the Small Business Lowdown

So, you got this email the other day from AGL , or perhaps one of the big banks , Westpac maybe. And the strangest thing happened when you went to login and verify your account because there was apparently an issue , and you needed to confirm some details for them.

You seemed to be creating everything from scratch - so strange - and then something just felt wrong , as you were about to click on that submit button.

So you glance up at the URL - and HOLEY MOLEY - you're not on the AGL/Westpac/Banking website anymore !

Come to think of it , the logo does look very second hand , a bit blurry maybe .

So you close the browser - and thank your lucky stars that you stopped in time.

And that, is the story you tell at the BBQ about how you came *this close* to being caught in a phishing scam. Your identity nearly compromised.

And that email was so good - you could barely tell it wasn't real.

Here are some Rocking Tips for avoiding being caught up in a Phishing scam, as best you can.

  1. Always go directly to the website in a new browser to access and check your account when you get an email about your account that looks suspicious.
  2. Never click on the links in emails from Banks , or other large companies - there are very very few instances where you will need to do this ( see 4)
  3. The only time you click on links is when you are expecting the email - for example when you first open an online account, you will sometimes be sent a verification email to confirm that own the email address - in this instance , you will click on the link , because you are expecting that email ( and its highly unlikely that you are being targeted by a phishing attack within minutes of signing up for something new.
  4. Check the email address where the email came from -- don't just look at the display , open up and inspect the details of the Sender to ascertain if the email is correct for the company represented

Definition of Phishing with steph n the background reading something on her phone at a coffee shop

Being the bottleneck


Those thin long bits at the top of your wine bottle that allow a smooth pouring of your 5pm pickup. The point of them is to make sure your wine/ beverage of choice doesn't rush out and spill. Heaven forbid you waste any Happy Juice. *smiley wink emoji*
More figuratively alluding to a place in your business where things are squeezed and tightened and slowed down. In the literal sense, they are necessary and good ( not spilling wine) , in the figurative sense, they are not good. They prevent good people from getting on and doing the business at hand.
We talk of 'reducing', 'removing', 'alleviating' bottlenecks. But we never really talk of how we do that, or why the bottleneck exists in the first place.
The most common bottleneck in a small to medium sized business, sadly, is the owner, owner-manager, or hired gun that runs the place. Because your baby is exactly that, your baby, and usually you are unwilling, or unable to fully trust your staff, or outsourced vendors (even just a little bit, admit it). You want to be sure every moment of the experience is on brand, and just perfect for your clients. And at some point, that obsession with being in control of the experience overrides your common sense, and your clients start having bad experiences. Delays in getting their emails responded to. Delays in getting the answers about their projects. Just so many long delays.
And if you're a complete control freak, perfectionist, with trust issues, such as myself, then well, you likely are the biggest and worst bottleneck. As I am, very often.
Now, I know the answer to this, and I also know , as anyone who identifies with my predicament, that resolving it is so much easier said, than done.
The answer is a 3 pronged attack
1) Answer emails promptly. (responsiveness)
2) Pass on the work to others promptly (delegation)
3) Encourage clients to go directly to the relevant staff. (creating autonomy)
I am managing 3 fairly well I reckon, and I try very hard not to get in the way of my super stars too much. They are exceptional at what they do for our clients, and I really don't want to get in the way of that.
I manage to do number 2 about 50% of the time. Mostly because I just barely manage number 1. I have tried everything imaginable to get on top of the 200 odd emails from real people, clients, suppliers , vendors , partners , networking contacts , that I get daily.
I've tried doing my emails in 'blocks' at a specific time of day -  and on that day , 3 clients had severe hardware failures which they emailed me because my email address was the only one they could remember. Yeah, that went well.
I also tried the block-time method 2-3 times per day - slightly better - except clients started ringing my mobile to find out if I had received the email, and then we ended up discussing the email , while I was trying to pay salaries sort out wages and resolve issues with 2 bookkeepers across 2 continents. Yup - that went smashingly well too.
Lately I kind of settle for a 'thinning of the herd' approach. I first scan for emails that can be passed onto my staff and I try do so as quickly as a I can. Then I scan for emails where I can reply immediately with info or an answer,  and finally , I add the emails that require some work effort or input from me beyond a 'read-reply' to my task list, and work my way down.
It doesn't always work as well as I'd like to be honest, traveling to visit distant clients usually leads to a bigger backlog for a while.
It has also been suggested that I should clone myself by several clients and friends. I am not so sure the world is ready for 2 of me.
Advice welcome from any other lady Bosses our there grappling with the issue of being a bottleneck.