How to spot a phishing email: a 60-second checklist

Phishing remains the most common way attackers get into small businesses — not because it's sophisticated, but because it works on busy people. A convincing email arrives at 4:50 PM, it looks like it's from your bank or your boss, and it asks for one small click.
The good news: most phishing falls apart under sixty seconds of scrutiny. Here's the checklist we teach every client's team.
The 60-second checklist
- Check the real sender address — not the display name. "Microsoft Support" can be typed by anyone; hover (or tap-and-hold) to reveal the actual address.
support@micros0ft-billing.netis not Microsoft. - Hover every link before clicking. Does the destination match who the email claims to be? A "review your invoice" button that points to a random domain is your answer.
- Watch for manufactured urgency. "Your account will be suspended in 24 hours." "Wire the payment today." Urgency is the attacker's best tool — real institutions almost never operate this way.
- Be suspicious of unexpected attachments. Especially invoices, voicemails, or "shared documents" you weren't expecting. Confirm with the sender through a channel you already trust — a phone call beats a reply.
- Never enter credentials from an email link. If "your bank" needs you to log in, type the bank's address yourself or use your bookmark. Same for Microsoft 365, payroll, and anything with money or passwords behind it.
If someone already clicked
Don't shame them — speed matters more than blame. Disconnect the machine from the network, change the affected passwords from a different device, turn on MFA if it wasn't on, and call your IT partner. The first hour makes the difference.
Make it a habit, not a memo
A checklist on the wall doesn't change behavior; practice does. Periodic phishing simulations — fake-but-safe emails sent to your own team — turn this checklist into a reflex, and they're one of the highest-value, lowest-cost security measures a small business can take.
Want us to run one for your team? Get in touch — or learn more about our cybersecurity services.
