If you’re imagining phishing emails as poorly spelled “Nigerian prince” messages, you’re a few years out of date. Modern phishing is sharp: clean writing, legitimate-looking branding, references to your real accounts, and just enough urgency to make you click before you think.
Here’s how to recognize them.
The structure of a modern phish
Most phishing emails today share four traits:
- A trusted sender name — “Apple,” “DocuSign,” “Microsoft 365,” “FedEx,” “Bank of America,” your CEO, your bookkeeper.
- An urgent reason to act — expired payment, suspicious login, package delivery, signature request, locked account.
- A button or link that takes you somewhere to “verify” or “review” something.
- A page that looks legitimate — logos, colors, layout that match the real company.
The link goes to a site that captures your password, then immediately uses it on the real site. Sometimes you don’t notice anything is wrong until you’re locked out the next day.
Five quick checks before you click
1. Hover over the link
On a desktop, hover your mouse over any link without clicking. The real destination URL appears in the bottom corner of the browser or mail window, and that is the address that counts, not the text of the button. “Apple” emails should link to apple.com — not “apple-secure-login.com” or “verify.account-id-7453.net”. On phones, long-press the link to see the real destination.
2. Check the sender’s email address, not the name
The sender NAME can say anything. The email ADDRESS is what matters. “Apple Support” might be coming from “apple.support@randomdomain.com.” Click the sender’s name to see the actual address.
3. Watch for urgency you didn’t expect
“Act now or your account will be closed.” “Sign within 24 hours.” “Suspicious activity detected.” Real companies rarely create artificial deadlines for routine actions. Urgency is a manipulation tactic, not a sign of legitimacy.
4. Don’t trust attachments you didn’t expect
Even from people you know. If your accountant suddenly sends a “voice mail.html” attachment or a Dropbox link to a “shared document” you weren’t expecting, call them and ask before opening it.
5. When in doubt, go direct
If you get an email from your bank, your boss, or any service you use, don’t click the link in the email. Open a new browser tab, type the company’s real URL yourself (bankofamerica.com, microsoft.com, your company’s domain), and log in directly. If there’s really an issue, you’ll see it there.
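Checks 1 and 2 above (where a link really goes, and the sender’s address rather than the display name) can be turned into a small automated screen. The script below is an added example, not code from the original post or from our IT service. It assumes a hand-built map of brands to the domains they really use (REAL_DOMAINS) and simplifies “registered domain” to the last two labels of a hostname; the message it scans is constructed to mirror the post’s own examples.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands named in the post and the domains they really send from (assumed mapping for this example).
REAL_DOMAINS = {"apple": "apple.com", "microsoft": "microsoft.com",
                "docusign": "docusign.com", "fedex": "fedex.com"}

def registered_domain(host):  # last two labels; a real tool would use the public-suffix list
    return ".".join(host.lower().rstrip(".").split(".")[-2:])
def claimed_brand(text):  # the brand a sender name or link text name-drops, if any
    return next((b for b in REAL_DOMAINS if b in text.lower()), None)

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phish_indicators(raw_message):
    """Check 2: sender name vs. real address; check 1: link text vs. real destination."""
    msg, findings = email.message_from_string(raw_message), []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1])
    if (brand := claimed_brand(name)) and sender_domain != REAL_DOMAINS[brand]:
        findings.append(f"sender name claims {brand} but address is @{sender_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload(decode=True).decode(errors="replace"))
    for href, text in collector.links:  # what the button says vs. where a hover would point
        target = registered_domain(urlparse(href).hostname or "")
        if (brand := claimed_brand(text)) and target != REAL_DOMAINS[brand]:
            findings.append(f"link '{text}' really goes to {target}")
    return findings
# Constructed sample (not a real message) mirroring the post's own examples.
SAMPLE = """From: "Apple Support" <apple.support@randomdomain.com>
Content-Type: text/html

<p>Suspicious activity detected. <a href="http://apple-secure-login.com/verify">Verify your Apple ID</a></p>
<p>Or visit <a href="http://verify.account-id-7453.net/">https://appleid.apple.com</a></p>
"""
```

Running phish_indicators(SAMPLE) reports the mismatched sender and both links; a message from @email.apple.com whose links go to apple.com reports nothing.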
If you already clicked
Don’t panic, but act fast:
- Change your password on the real site immediately
- Turn on two-factor authentication if you haven’t already
- Check recent activity / login history on the account
- If it’s a banking or business account, call the company directly
- If you can’t tell what damage was done, give us a call — we’ll help you check
For business: train the team
The weakest link in any business’s security is the person clicking the link. Brief, occasional reminders — “what does a phishing email look like?” — do more for security than expensive software. Our managed IT service includes basic phishing awareness for client teams.
If you ever get an email and you’re not sure: send it to us. We’ll tell you in five minutes. (732) 637-9640.