Skip to main content

How-To · Security Awareness

How to spot a phishing email

Phishing is still how most breaches start at law firms, medical practices, and financial offices. Here are the seven warning signs your team can check in under a minute, and exactly what to do if someone already clicked.

Updated

More than 90% of successful cyberattacks begin with a phishing email, a message engineered to look legitimate so you'll click a link, open an attachment, hand over a password, or approve a payment. For an Orange County law firm, medical practice, or financial office, a single click can mean exposed client records, a HIPAA or PCI incident, or a fraudulent wire transfer.

The good news: almost every phishing email leaves fingerprints. Train your team to pause and run through the seven checks below, and you'll catch the overwhelming majority before any damage is done.

7 warning signs of a phishing email

Walk through these in order. If a message trips even one or two of these, treat it as suspicious and verify before you act.

  1. Check the sender's real email address

    The display name is easy to fake. Click or hover on the sender to reveal the actual address. Watch for lookalike domains (micros0ft.com, ocmsp-support.net), public domains posing as a company ([email protected]), or a name that doesn't match the address. When it claims to be someone internal, compare it letter-for-letter against a known-good email.

  2. Watch for urgency, threats, and pressure

    Phishing relies on panic so you act before you think. "Your account will be suspended in 24 hours," "unpaid invoice, final notice," or "the partner needs this wire sent now" are classic pressure tactics. Legitimate organizations rarely demand immediate action through email alone.

  3. Hover over links before you click

    Hover your cursor over any link (on mobile, press and hold) to preview the real destination. If the visible text says one thing but the URL points somewhere else, or to a misspelled or unfamiliar domain, don't click. Be especially wary of shortened links and login pages reached from an email.

  4. Be suspicious of unexpected attachments

    Never open an attachment you weren't expecting, especially .zip, .html, .iso, or files that ask you to "enable macros" or "enable editing." Attackers disguise malware as invoices, faxes, voicemails, and shipping notices. When in doubt, confirm with the sender through a separate channel first.

  5. Look for generic greetings and off-brand details

    "Dear valued customer" or "Dear user" instead of your name is a red flag. So are odd grammar, awkward phrasing, mismatched logos, and formatting that's slightly off from the brand you know. Modern phishing can look polished, so treat sloppy details as a strong signal but never rely on their absence alone.

  6. Scrutinize any request for credentials, payment, or a change of details

    Be highly skeptical of emails asking you to log in, "verify" your account, reset a password, pay an invoice, or change bank/wire details. Requests to change payment or direct-deposit information are a top target for business email compromise, always verify these by phone using a number you already have, not one in the email.

  7. Verify through a separate, trusted channel

    When anything feels off, confirm through a channel you control: call the person or vendor on a known number, walk to their office, or start a new message thread, do not reply to the suspicious email. Thirty seconds of verification is far cheaper than a breach.

Quick phishing red-flag checklist

Save or print this and keep it by every workstation. If a message hits any of these, stop and verify.

  • The sender's real address doesn't match the display name, or uses a lookalike domain.
  • The message creates urgency, fear, or pressure to act immediately.
  • A link's real destination (on hover) doesn't match the visible text or the expected site.
  • There's an unexpected attachment, or a prompt to enable macros/editing.
  • It uses a generic greeting, has odd grammar, or the branding looks slightly off.
  • It asks you to log in, verify credentials, pay, or change bank/wire details.
  • You can't confirm it through a trusted, separate channel.

FAQ

Phishing FAQs

What should I do if I clicked a phishing link or entered my password?

Act fast: disconnect the device from the network, change the affected password (and anywhere you reused it) from a different device, and enable multi-factor authentication. Then report it to your IT or security team immediately so they can check for account access, forwarding rules, and malware. If you entered banking or payment details, contact your bank right away. OCMSP clients can call our helpdesk and we'll contain it and investigate.

What's the difference between phishing and spear phishing?

Phishing is a mass, generic attack sent to many people. Spear phishing is targeted, the attacker researches you or your firm and personalizes the message (using real names, cases, clients, or vendors) to be far more convincing. Executives and finance staff are common spear-phishing targets, which is why verifying payment and wire requests by phone matters so much.

Does antivirus or spam filtering stop phishing?

It helps, but it isn't enough on its own. Filters catch a lot, yet well-crafted phishing and business email compromise routinely slip through because they contain no malware, just a convincing request. Layered defenses (advanced email filtering, MFA, endpoint protection, and ongoing staff training) are what actually reduce risk.

How can my firm reduce phishing risk beyond training?

Combine regular security-awareness training and simulated phishing tests with technical controls: multi-factor authentication on every account, advanced email filtering, endpoint detection and response, strict payment-change verification procedures, and a clear, blame-free way for staff to report suspicious messages. OCMSP builds and manages this full stack for Orange County practices.

Are phishing emails illegal?

Yes. Phishing typically involves fraud, identity theft, and unauthorized access, all of which are crimes under federal and California law. Reporting attempts to your IT team (and, for losses, to the FBI's IC3 and the FTC) supports enforcement and helps protect others.

Reduce your firm's phishing risk

Turn your team into a human firewall

OCMSP combines security-awareness training, simulated phishing tests, MFA, and advanced email filtering into one managed program for Orange County law firms, medical practices, and financial offices. Start with a free assessment and we'll flag your gaps.