Five Phishing Email Red Flags Every Employee Should Catch
Most phishing emails do not require expert analysis to spot. They share a small handful of structural tells, and an employee who has internalized five of them - yes, only five - will catch the overwhelming majority of phishing attempts that hit their inbox. This post is designed to be shared. Forward it to your team, paste the five flags into your onboarding deck, print it for the breakroom. The goal is for these five cues to become reflex.
The list is intentionally structural rather than surface-level. "Look for typos" was useful advice five years ago and is increasingly useless against AI-polished phishing. The five red flags below hold up because they target the underlying social engineering, not the cosmetic surface.
Red flag #1: Urgency or scarcity language
If the email is pushing you to act right now, slow down. Real systems and real coworkers occasionally have urgent requests, but the combination of urgency plus a request for credentials, money or sensitive information is the single most reliable phishing tell.
Concrete examples:
- "Your password expires in 24 hours - verify now."
- "Final notice: account suspension imminent."
- "Wire must clear before close of business - flying in five minutes."
- "Limited-time bonus - claim before midnight."
What to do instead: the cure for urgency is verification. Treat any urgent ask as the moment to use the slowest, most careful inspection - not the moment to skip it. The pressure is the manipulation.
Red flag #2: Sender domain mismatch
The "From" display name and the actual sending domain rarely match in a phishing email. The display name might say "Microsoft 365 Support" while the underlying address is support@m1crosoft-secure.example. The visible name is whatever the attacker typed. The domain is what to read: sending mail that passes as a brand's real domain is much harder once that brand enforces SPF, DKIM and DMARC, so attackers fall back on lookalike domains, and a lookalike is visible to anyone who looks.
Concrete examples:
- A "Microsoft" email from microsft-secure.example.
- A "DocuSign" notice from anything other than @docusign.net (or a regional @docusign.com).
- A "from your CEO" email where the reply-to is a Gmail or other free-mail address.
- A vendor invoice from a domain one character different from the vendor's real domain.
What to do instead: on desktop, hover over the sender name to reveal the underlying address. On mobile, tap the sender name. If the domain doesn't match the brand or the company you'd expect, treat the email as suspect regardless of how legitimate the body looks.
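The hover check above is something a script can do as well. The following Python checker is an added example, not code from the post or from Bait & Phish: it reads the domain behind the display name of a From: header, compares any brand the display name claims against the domains that brand really mails from, catches one-character and digit-for-letter lookalikes with a small edit-distance check, and flags a Reply-To that routes answers to a free-mail provider or to a different domain than the apparent sender. The brand table, the free-mail list and the sample headers are assumptions made for the example; similar checks are part of what a secure email gateway does on every inbound message.

```python
"""Sender-domain mismatch checker: an added example, not code from the post.

Reads the From: and Reply-To: headers, extracts the registrable domain, and
reports the three tells from red flag #2: a display name that claims a brand
the domain does not belong to, a domain that is a near-miss lookalike of a
brand domain, and a Reply-To that lands in a free-mail provider or elsewhere.
The brand table, free-mail list and sample headers are constructed for the
example; an organization would maintain its own, including its real vendors.
"""
from email.utils import parseaddr

# Brand keyword -> domains that brand genuinely mails from (assumed, illustrative).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "docusign": {"docusign.net", "docusign.com"},
    "paypal": {"paypal.com"},
}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "proton.me"}
# Substitutions attackers use to fake a letter with a look-alike character.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def registrable_domain(address: str) -> str:
    """Last two labels of the address's domain, lower-cased.

    Adequate for .com/.net/.org brands; a production checker would consult the
    Public Suffix List so that names like example.co.uk are handled correctly.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    labels = [label for label in domain.split(".") if label]
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Undo common homoglyph swaps so 'm1crosoft' compares as 'mlcrosoft'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is the typical typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(from_domain: str) -> list[str]:
    """Brand domains that from_domain imitates (a brand's own domains never match)."""
    hits = []
    tokens = from_domain.split(".")[0].split("-")
    for domains in BRAND_DOMAINS.values():
        if from_domain in domains:
            continue
        for real in domains:
            real_label = real.split(".")[0]
            if any(edit_distance(normalize(t), real_label) <= 1 for t in tokens):
                hits.append(real)
                break
    return hits


def check_sender(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return the red-flag reasons for these headers; an empty list is clean."""
    display_name, from_addr = parseaddr(from_header)
    if "@" not in from_addr:
        return ["From header carries no usable address"]
    from_domain = registrable_domain(from_addr)
    flags = []

    # 1. The visible name claims a brand the domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in domains:
            flags.append(f"display name claims {brand!r} but domain is {from_domain}")

    # 2. The domain is one homoglyph swap or one edit away from a brand domain.
    for real in lookalikes(from_domain):
        flags.append(f"domain {from_domain} imitates {real}")

    # 3. Replies are routed somewhere other than the apparent sender.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = registrable_domain(reply_addr)
        if reply_domain in FREE_MAIL:
            flags.append(f"Reply-To goes to free-mail domain {reply_domain}")
        elif reply_domain != from_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return flags


if __name__ == "__main__":
    for hdr in ("Microsoft 365 Support <support@m1crosoft-secure.example>",
                "DocuSign <dse@docusign.net>"):
        print(hdr, "->", check_sender(hdr) or "clean")
```

The edit-distance budget of one catches the "one character different" vendor domain from the last bullet only when the vendor's real domain is in the table, which is why the table should hold your actual vendors and not just household-name brands.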
Red flag #3: Generic greeting where personalization should exist
Real banks, real employers, real vendors and real shipping carriers know your name. They use it in transactional email. A "Dear Customer," "Dear User," "Dear Account Holder," or no greeting at all on an email purporting to be a personalized account notification is a sign the sender doesn't actually know who you are - because they don't.
Concrete examples:
- "Dear PayPal User, your account has been limited."
- "Dear Customer, please verify your recent transaction."
- An "internal HR notice" addressed to "Team Member" rather than your name.
- A bank fraud alert without your name or last-four card digits.
What to do instead: when you see a generic greeting on what should be a personal message, default to skepticism. Real institutions personalize. Bulk-spammed phishing rarely does.
Red flag #4: Link or attachment that doesn't match the action requested
The body of the email tells you to do one thing. The link or attachment goes somewhere else, or asks for something out of proportion to the stated action. This mismatch is one of the cleanest signals because it doesn't depend on grammar, branding or tone - it depends on simple consistency.
Concrete examples:
- An email saying "view your invoice" with a link that downloads a .ZIP or .HTML file.
- A "view shared document" that drops you on a Microsoft 365 login page asking for credentials.
- A "track your package" link that hovers as a long, randomized URL with no recognizable carrier domain.
- A plain, internal-looking email carrying an attachment you had no reason to expect.
What to do instead: hover before you click. Read the destination URL. Ask yourself whether the destination matches what the email said it would do. If the answer is no, the email is the problem.
Red flag #5: Unusual request from a known contact (BEC)
The hardest red flag to teach, because the email might pass every other test - a clean-looking domain (a convincing lookalike, or the real mailbox if it has been compromised), a personalized greeting, no urgency cues - and still be phishing. It's also the most expensive to miss. This is Business Email Compromise (BEC), and it's where the seven-figure losses live. The cue is behavioral: this person, on this topic, in this tone, would not normally do this.
Concrete examples:
- The CFO emailing the controller asking for an urgent wire transfer to a new account, when the CFO has never done this before.
- A vendor's accounts-receivable contact emailing the new bank account details "for our recent banking transition."
- A board member emailing the CEO's executive assistant asking for the CEO's personal cell number "for a confidential matter."
- An IT staffer asking for someone's password "to push the update through."
What to do instead: use a separate channel to verify. Call the person at a known number. Message them on the corporate chat. Walk to their desk. The single most effective control against BEC is out-of-band verification, and it costs nothing. The FBI IC3 annual Internet Crime Report has put BEC losses in the billions of dollars every year for several years running, and the Verizon DBIR and CISA describe the same pattern - and the same out-of-band check defeats the large majority of these attempts.
Putting it together: the 10-second inspection
Five flags is too many to consciously check on every email. The goal is reflex inspection on the right subset of email - anything asking for credentials, money, sensitive data or a behavior change. For those emails, the 10-second pass:
- Read the sender domain (not the display name).
- Notice if the greeting is personal or generic.
- Hover the link before clicking.
- Notice if there's urgency pressure.
- Ask: is this request normal for this sender?
Any one cue triggering is enough to pause. Two or more cues together make a phishing attempt very likely.
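The 10-second pass, together with the link-versus-action check from red flag #4, can be written down as code. The following Python script is an added example, not code from the post or from Bait & Phish: it parses a constructed sample lure with the standard library's email package and reports each cue that fires - a display name claiming a brand the sending domain does not belong to, a generic greeting, a link whose visible text names a different host than its real href (or that points straight at a file download), urgency phrasing, and any attachment. The fifth cue, whether the request is normal for this sender, is a judgement call and is deliberately not automated. The brand list, the phrase lists and the sample message are assumptions made for the example.

```python
"""Ten-second inspection over a raw message: an added example, not code from the
post or from Bait & Phish. Parses a constructed .eml text with the standard
email package and reports the checklist cues a machine can read; the fifth cue,
whether the request is normal for this sender, is left to the human. The brand
list, phrase lists and sample message are constructed for the example."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRANDS = ("microsoft", "docusign", "paypal", "fedex", "dhl")  # assumed list
URGENCY = re.compile(
    r"\b(immediately|right now|final notice|within \d+ hours|in \d+ hours|"
    r"suspend(ed|sion)?|expir(es|ed|ing)|before (midnight|close of business))\b", re.I)
GENERIC_GREETING = re.compile(
    r"\b(dear|hi|hello)\s+(customer|user|account holder|team member|valued \w+)\b", re.I)
DOWNLOAD_EXT = (".zip", ".html", ".htm", ".iso", ".js", ".exe", ".lnk")


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating bare 'login.example.com/path' link text."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def inspect(raw: str) -> dict:
    """Return {'cues': [...], 'verdict': ...} for one RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    cues = []
    # 1. Read the sender domain, not the display name.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand in BRANDS:
        if brand in name.lower() and brand not in domain:
            cues.append(f"display name claims {brand} but domain is {domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # Tag-stripped text with the subject prepended, for the phrase checks.
    plain = str(msg.get("Subject", "")) + "\n" + re.sub(r"<[^>]+>", " ", html)

    # 2. Personal or generic greeting?
    if m := GENERIC_GREETING.search(plain):
        cues.append(f"generic greeting: '{m.group(0)}'")

    # 3. Hover before you click: does the shown destination match the real one?
    collector = LinkCollector()
    collector.feed(html)
    for visible, href in collector.links:
        real_host = host_of(href)
        shown_host = host_of(visible) if re.fullmatch(r"\S*\w\.\w\S*", visible) else ""
        if shown_host and shown_host != real_host:
            cues.append(f"link text shows {shown_host} but goes to {real_host}")
        if urlparse(href).path.lower().endswith(DOWNLOAD_EXT):
            cues.append(f"'{visible}' is a direct file download: {href}")

    # 4. Urgency pressure.
    if m := URGENCY.search(plain):
        cues.append(f"urgency language: '{m.group(0)}'")

    # Attachments the message gave you no reason to expect.
    for part in msg.iter_attachments():
        cues.append(f"unannounced attachment: {part.get_filename()}")
    return {"cues": cues, "verdict": "pause and verify" if cues else "no mechanical cue fired"}


# Constructed sample lure modelled on the post's own examples.
SAMPLE_LURE = """\
From: Microsoft 365 Support <support@m1crosoft-secure.example>
Subject: Action required: password expires in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear User,</p>
<p>Your password expires in 24 hours. Please verify at
<a href="https://login.m1crosoft-secure.example/?u=alice">https://login.microsoftonline.com/</a></p>
</body></html>
"""
```

Running inspect(SAMPLE_LURE) reports four independent cues on one short message, which is the "two or more" case from the checklist; an ordinary internal note with a personal greeting, no links and no deadline language reports none.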
What to do when you spot a red flag
Three steps, in order:
- Don't click anything. No link, no attachment, no "click here to unsubscribe." An unsubscribe link in a phishing email is still an attacker-controlled link: at minimum it confirms your address is live, and it can land you on the same credential page as the main lure.
- Report through the corporate channel. Most organizations have a one-button "Report Phishing" add-in in Outlook or Gmail. If yours doesn't, forward to a designated security mailbox.
- Verify out-of-band if needed. If the email appeared to come from a real person, contact them through a separate channel to confirm.
Reporting matters more than people realize. The first user to report a phishing email is doing the security team a real favor - it lets them block the lure across the entire organization before more users click. Reporting is the single most under-credited employee security behavior.
Edge cases the five flags don't cover (and what to do)
The five flags catch the overwhelming majority of phishing emails, but a few patterns slip through and deserve specific mention:
- Reply-chain hijacks. An attacker has compromised one mailbox and replies to a real, ongoing email thread you're part of. Sender domain matches because it really is the legitimate domain. Greeting is personal because it's a continuation. The cue is the request itself: a sudden change of subject toward credentials, money or a new bank account, mid-thread, where it doesn't fit the prior conversation.
- Compromised vendor mailboxes. Same pattern, external. The vendor's real mailbox sends the lure. The cue is the unusual request - bank account change, urgent invoice - that doesn't match the vendor's prior pattern. Out-of-band callback is the only reliable defense.
- Zero-text image phishing. The entire email body is an image (no text), so URL filtering and content scanning have nothing to work with. The cue is the absence of selectable text where you'd expect text - try to highlight a sentence and notice it doesn't behave like text.
- Calendar-invite phishing. The lure shows up on your calendar even if you never opened the email. The cue is an unfamiliar sender on the invite or a link in the location field that goes somewhere unexpected. Don't accept invites from unknown senders.
Building this into your awareness program
The reason this post is structured as a printable, scannable list is so it can sit on the wall of a breakroom, in an onboarding deck, in a quarterly newsletter, in a phishing-report success email to the user who flagged the latest real attempt. Repetition matters more than depth. An employee who sees these five flags reinforced six times in a year recalls them under pressure; an employee who sees them once in an annual training session does not.
How phishing simulations build the reflex
Reading about red flags is useful. Practicing them in safe conditions is what makes them stick. Simulated phishing campaigns give employees real, low-stakes exposure to lures designed to test exactly the cues above. When a user clicks, auto-assigned remediation training walks them through the specific red flag they missed, while it's still fresh. Repetition is what turns a checklist into a reflex.
Where Bait & Phish fits
Bait & Phish is built for exactly this - running continuous simulated phishing campaigns and pairing them with auto-assigned, role-appropriate training that maps to the red flags above. Start a 25-user free trial with no credit card and run your first campaign this week, or browse pricing for full-organization rollouts. Contact us if you want help building a 90-day awareness plan around the five red flags. About us covers our methodology in more depth, and the cyber insurer phishing questions guide explains why awareness programs increasingly drive insurance premium decisions.
External authoritative references for further reading: the Verizon DBIR, the FBI Internet Crime Complaint Center (IC3) annual Internet Crime Report, CISA phishing advisories, the Anti-Phishing Working Group (APWG) trend reports, NIST SP 800-50, and ongoing security press coverage at Krebs on Security. All of them consistently rank phishing among the leading initial-access vectors for enterprise breaches, and the human layer is where it succeeds or fails.
See also: Phishing Trends 2026 - annual roundup covering AiTM commoditization, AI-generated lure quality, collaboration-tool phishing, ransomware dwell-time compression and other patterns that defined the year.