7 Phishing Red Flags Every SMB Employee Should Know

Your inbox is a battlefield. Every day, attackers launch thousands of phishing campaigns — and most land in the same inboxes your team checks before their first coffee. For small and medium businesses, a single successful phish can mean stolen credentials, emptied bank accounts, or a ransomware infection that halts operations for weeks.

SMBs are particularly attractive targets: most don't have a dedicated security team, and the average cost of a phishing-related breach for small businesses now exceeds $200,000. Attackers know this — they automate campaigns at scale, sending millions of emails hoping a handful slip through.

The good news: phishing has a pattern. These emails almost always leave fingerprints. This guide breaks down the 7 most common red flags so your team can spot them before clicking.

1. Urgency That Demands Immediate Action

Phishing emails create panic. They need you to act fast — before you think.

Common urgency hooks:

• "Your account will be suspended in 24 hours"
• "Immediate action required to verify your identity"
• "Unusual sign-in attempt — verify now or lose access"

Real businesses send reminders. They do not threaten account suspension via email without prior notice. If an email is pushing you to act right now, slow down. Open a new tab and log into the service directly — don't click the link.

Real phishing subject line examples:

• "⚠️ Action Required: Your Microsoft 365 account has been compromised"
• "Urgent: Invoice Overdue — Pay within 24hrs or face legal action"

2. Mismatched or Suspicious Sender Domains

The visible name in your email client might say "support@amazon.com" — but the actual address behind it could be support-amazon@cmail22.xyz.

What to check:

• Hover over the sender name (don't click) to see the actual email address
• Look for extra letters, numbers, or unusual domains (e.g., amazon-security.com, amaz0n.com, amazon.support)
• Legitimate companies use their own domains: support@aws.amazon.com, not support@aws-help-desk.xyz

Red flags:

• Free email providers for "business" communications (gmail.com, yahoo.com claiming to be Microsoft support)
• Hyphens, numbers, or odd word combinations in the domain
• Subdomains that look real: secure.bank-name.com.malicious-domain.com

3. Hyperlinks That Point Somewhere Unexpected

You can disguise a hyperlink. The text says "https://www.paypal.com/signin" but the actual link goes somewhere completely different.

How to check it:

• On desktop: hover your mouse over the link (don't click). The actual URL appears at the bottom of your browser.
• On mobile: tap and hold the link to see the real destination.

What to look for:

• Misspelled brand names in URLs: paypa1.com, paypal-login.net, paypal-support.xyz
• Long strings of random characters after the brand name
• Domains that look similar to real ones but have extra words or letters

Example real phish URL pattern:
https://paypal.com.secure-login.accounts-update.com/login — The real domain here is accounts-update.com, not PayPal.

4. Unexpected Attachments, Especially from Unknown Senders

Never open unexpected attachments — even from known contacts — if the email feels off. Attackers compromise real email accounts and send malicious files to entire contact lists.

High-risk attachment types:

• .exe files — almost never sent legitimately
• .zip or .rar files — often contain malware
• .js files — common malware delivery mechanism
• .docm, .xlsm, .pptm — macro-enabled documents are a top infection vector

Why macro-enabled Office documents are especially dangerous: Modern Office apps block macros by default — but attackers package malicious macros inside documents and add instructions like "Enable content to view." The victim sees a legitimate-looking document and clicks "Enable," unknowingly running the attacker's code. This is one of the most common ransomware delivery methods for SMBs.

Safer approach: If you're unsure, open a new message and reply directly to the sender asking "Did you send this?" Don't hit reply on the suspicious email — attackers sometimes set reply-to to a different address.

5. Generic Greetings and Vague Language

"Dear Customer." "Dear User." "Dear Sir/Madam." Real businesses with your account information don't use these.

What legitimate emails typically include:

• Your actual name
• Partial account number or last 4 digits of a card on file
• Specific details about a real transaction or order

Phishing emails use vague language to cast a wide net:

• "We noticed unusual activity on your account"
• "Your package could not be delivered"
• "You have received an invoice"

The vagueness is intentional — they don't know who you are, so they write to everyone.

6. Requests for Sensitive Information via Email

Your bank, the IRS, Microsoft, Google — none of these organizations will ask you to send passwords, credit card numbers, or Social Security numbers over email.

What attackers ask for:

• Login credentials (usernames and passwords)
• Credit card or bank account numbers
• Employee ID or payroll information
• MFA codes or one-time passwords

The right response: If an email asks you to verify, log in, or confirm personal information — do not use the link in the email. Open your browser, type the company's URL directly, and log in from there.

7. Tone and Design That Feel "Off"

Bad actors often make small errors that a trained eye can catch:

Visual red flags:

• Low-res logos or images that look stretched/blurry
• Multiple font styles in the same message
• Spelling mistakes or awkward grammar
• Emails that look dramatically different from what you'd expect from that brand

Tone red flags:

• Unusual formality: "Dear Sir/Ma'am" from a casual tech company
• Threatening language: legal action, arrest, immediate account closure
• Overly friendly or "we're in this together" tone from a cold email

Trust your gut. If something feels wrong, it probably is.

What to Do If You Spot a Phishing Email

1. Don't click any links or download any attachments
2. Report it to your IT team or email provider (most email services have a "Report phishing" button)
3. Forward the email as an attachment (not inline) to your security contact — this preserves the full email headers
4. If you already clicked: disconnect from the network, notify IT immediately, and change the password on a different device before the attacker can use the session

What a Phishing-Resistant Culture Looks Like

Spotting individual emails is helpful — but the real defense is a culture where employees feel comfortable reporting suspicious messages without fear of blame.

• Create a "report" button in your email client
• Celebrate when employees catch phishes (public recognition works)
• Never punish someone for reporting a false positive
• Run quarterly phishing simulations to keep skills sharp

The goal isn't perfect detection. It's fast reporting — because the sooner your IT team knows about a campaign, the sooner they can block it.

Ready to make your whole team harder to phish? SecurEveryone runs live, interactive training sessions built around the threats SMBs actually face. No pre-recorded videos. Real scenarios, real responses.

Explore team training →

Get your free pocket guide

Enter your work email and we'll send the SMB Phishing Defense Pocket Guide — 6 red flags + 5-step incident response playbook.

Send me the pocket guide →

✓

Check your inbox!

Your pocket guide is on its way.

No spam. Unsubscribe anytime. Unsubscribe