
How to Identify Phishing Emails: 2026 Guide For Small Business

The internet is a bit like the wild west, except instead of train and bank robbers we now have attackers who try to steal your information. Their most common way into your systems and your company’s data is a technique called “phishing”: emails designed to trick the reader into sending money, downloading a file, visiting a website, or handing over a password. Today we give you tips on how to identify phishing emails. Review this post with your entire team; everyone needs cyber security awareness training.

How AI Changed Phishing (2024-2025 Update)

When this guide was first published in 2018, poor grammar and unprofessional formatting reliably identified phishing attempts.

AI tools like ChatGPT have eliminated those red flags. Today, modern phishing emails use perfect grammar, professional layouts, and convincing writing that matches legitimate corporate communications. This makes the technical red flags in this guide (mismatched URLs, misleading domains, unsolicited requests) MORE important than ever, not less.

The fundamentals haven’t changed: verify before you trust, regardless of how professional an email appears.

For more on current phishing tactics, see our guide on AI-powered phishing attacks.

Recognizing Phishing: The Fundamentals

First, the most important thing to remember when trying to spot a phishing attack: no legitimate company will ask you for your password through an e-mail, and it will only send you account-related requests in response to something you did first (such as a password reset you asked for).

A common phishing e-mail may look something like the image below. 

Note: The link in the body may appear as a word –  simply hover your mouse over it to see the URL.

There may be more images in the e-mail, and a lot of them will look professional, but they are not real.

Can you spot the red flags in this sample phishing email?

sample phishing email

Red flags in this sample phishing e-mail include:

  • The domain is micros0ft.com while the official domain is Microsoft.com – the o in soft is a zero in the fake domain
  • Microsoft and any other company will never ask you for your personal information via email
  • The link does not go to Microsoft.com, it leads to the fake address where they steal your password – (visible in the training PDF version of this file)

6 Tips to Recognize a Phishing Email

1: The message contains a mismatched URL

One of the first things to check in a suspicious email is the integrity of any embedded URLs. The link text in a phishing message will often look perfectly valid. Hover your mouse over the link (don’t click) and your email client, Outlook included, shows the real destination address in a tooltip or the status bar. If that address differs from the one displayed, the message is probably fraudulent or malicious. On a phone, press and hold the link to preview it instead.

2: URLs contain a misleading domain name

People who launch phishing scams often depend on their victims not knowing how DNS domain names are structured. The last part of a domain name (the right-hand side) is the part that matters. For example, help.tucu.ca is a child domain of tucu.ca because tucu.ca appears at the end of the full name. Conversely, tucu.ca.maliciouslink.com did not originate from tucu.ca: here tucu.ca sits on the left, and the real owner is maliciouslink.com. Watch for look-alike spellings too, such as the micros0ft.com in the sample above.
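The two link checks above (tip 1, mismatched URL; tip 2, misleading domain) can be automated. What follows is an added example, not TUCU’s own tooling: it pulls every hyperlink out of an HTML email body, compares the visible link text with the real href, and applies the right-hand-side rule against a short allowlist of trusted domains. The TRUSTED list and the two sample email bodies are constructed for the example.

```python
"""Link triage for the two URL red flags above (tips 1 and 2).

Added example, not TUCU's own tooling: it pulls every hyperlink out of an
HTML email body and flags (1) visible link text that names one address while
the real href goes elsewhere, and (2) destinations that are not genuinely
under a trusted domain, i.e. the trusted name is not on the right-hand side.
TRUSTED and the sample email bodies are constructed for the example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains this mailbox legitimately receives links from.
TRUSTED = ("microsoft.com", "tucu.ca")

# Visible link text that itself looks like an address, e.g. "help.tucu.ca".
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def host_of(url):
    """Lowercase hostname of a URL ('' if none); bare 'tucu.ca/x' is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_under(host, domain):
    """Right-hand-side rule: host is the domain itself or a child label of it."""
    return host == domain or host.endswith("." + domain)


def lookalike_of(host):
    """Undo common digit-for-letter swaps (micros0ft -> microsoft) for comparison."""
    return host.translate(str.maketrans("01", "ol"))


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the red flags for one hyperlink; an empty list means none found."""
    flags = []
    host = host_of(href)
    # Tip 1: the text shows an address, but the real destination is elsewhere.
    if URL_LIKE.fullmatch(text):
        shown = host_of(text)
        if not (is_under(host, shown) or is_under(shown, host)):
            flags.append(f"mismatched URL: shows {shown} but goes to {host}")
    if any(is_under(host, d) for d in TRUSTED):
        return flags  # genuinely under a trusted domain; nothing else to flag
    for domain in TRUSTED:
        # Tip 2: trusted name present but on the left (tucu.ca.maliciouslink.com).
        if domain in host:
            flags.append(f"misleading domain: {host} is not under {domain}")
        # Look-alike spelling of a trusted domain (micros0ft.com).
        elif is_under(lookalike_of(host), domain):
            flags.append(f"look-alike domain: {host} imitates {domain}")
    flags.append(f"destination {host} is not a trusted domain")
    return flags


def scan_html(body):
    """Run check_link over every hyperlink in an HTML email body."""
    parser = LinkExtractor()
    parser.feed(body)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample bodies, modelled on the fake-Microsoft email above.
SAMPLE_PHISH = """<p>Dear valued customer,</p>
<p>Unusual sign-in activity was detected. Please
<a href="https://micros0ft.com/login">verify your account</a> within 24 hours.</p>
<p>Need help? Visit <a href="https://tucu.ca.maliciouslink.com/help">tucu.ca</a></p>"""

SAMPLE_LEGIT = '<a href="https://help.tucu.ca/reset">help.tucu.ca</a>'

if __name__ == "__main__":
    for href, text, flags in scan_html(SAMPLE_PHISH) + scan_html(SAMPLE_LEGIT):
        print(f"{text!r} -> {href}")
        for flag in flags:
            print("   !", flag)
```

The allowlist is deliberate: deciding “what is the real domain” from the right-hand labels alone fails on registry suffixes such as co.uk, so instead of guessing, the check asks whether the host is the trusted name or a child of it. That same rule accepts help.tucu.ca and rejects tucu.ca.maliciouslink.com, and the digit-swap normalisation catches micros0ft.com. A link that fails every check is reported as untrusted rather than malicious; a human still decides.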

3: The message contains poor spelling and grammar (LESS RELIABLE IN 2025)

Historical context: Poor spelling and grammar used to reliably identify phishing attempts from non-English-speaking attackers.

2026 reality: AI tools now generate grammatically perfect phishing emails that read like legitimate corporate communications. Attackers can create flawless English regardless of their own language skills.

What to do: Don’t rely on grammar checks alone. Professional-looking emails with perfect spelling can still be phishing attempts. Focus on technical verification (Tips #1, #2, #4, #5) rather than appearance.

Still suspicious: Unusual phrasing, awkward word choices, or generic greetings (“Dear valued customer” instead of your name) can indicate a mass-mailed or machine-generated message, but these aren’t reliable indicators on their own.

4: The message asks for personal information

No matter how official an email message might look, it’s always a bad sign if the message asks for personal information. Your bank doesn’t need you to send it your account number. It already knows what that is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.

5: You didn’t initiate the action

Many phishing attempts claim you need to reset your password, confirm your account, or pay an invoice you never expected. If you didn’t request the reset, place the order, or ask for the document, treat the message as suspicious. Reputable companies never ask for your password by email, and a legitimate reset only follows a request you made. When in doubt, don’t use the link in the email: open the company’s site or app the way you normally would and check there.

6: The message creates artificial urgency or uses emotional manipulation

Phishing emails rely on emotional manipulation to bypass rational decision-making. Watch out for the following.

Urgency tactics:

  • “Your account will be suspended in 24 hours”
  • “Immediate action required”
  • “Respond within 2 hours or lose access”
  • “Final notice before account closure”


Fear tactics:

  • “Suspicious activity detected on your account”
  • “Multiple failed login attempts”
  • “Your security has been compromised”
  • “Unauthorized charges detected”


Authority tactics:

  • “Your manager requested this information”
  • “IT department requires immediate password verification”
  • “Compliance audit – provide documentation immediately”
  • “CEO needs you to purchase gift cards urgently”

Legitimate companies rarely create artificial urgency for account issues and don’t threaten immediate suspension without prior warnings. They provide multiple notification methods (email, in-app notices, and SMS) and don’t pressure immediate responses for sensitive requests.

If an email creates panic or demands immediate action without verification options, treat it as suspicious regardless of how professional it looks.

What To Do If You Get A Phishing Email

Immediate Actions:

  1. Do NOT click any links or download attachments.
  2. Do NOT forward the email to colleagues. Forwarding spreads the lure and strips the headers your IT team needs for analysis; use the Report button or, if asked, send it as an attachment.
  3. Do NOT reply to the sender.
  4. Take a screenshot showing the full email including sender information.
  5. Report immediately to your IT support team (don’t wait until morning).

For Microsoft 365 Users:

Use the “Report Message” button in Outlook:

  1. Click the three dots (…) on the email (or the Report button in the ribbon, depending on your Outlook version).
  2. Select “Report Message”.
  3. Choose “Phishing”.

This sends the email to Microsoft for analysis, sends a copy to your organization’s reporting mailbox if your IT team has configured one, and removes it from your inbox.

Frequently Asked Questions About Phishing

Do phishing emails always have grammar mistakes?

No. AI tools like ChatGPT generate grammatically perfect phishing emails with professional formatting that read like legitimate corporate communications.

Traditional red flags (poor spelling, awkward phrasing, unprofessional design) no longer reliably identify phishing attempts.

Employees must verify through technical methods (checking the actual sender domain, hovering over links to see the true destination, confirming requests through a separate communication channel such as a phone call to a number you already have) rather than relying on grammar or appearance. Organizations should implement technical phishing protection (Microsoft Defender for Office 365; SPF, DKIM and DMARC email authentication) rather than depending solely on employee vigilance.

If you clicked a phishing link, don’t enter any password or information on the page you reached, close it, and contact your IT support team immediately, before doing anything else.

If you already entered credentials, change that password immediately from a different device, tell IT so they can sign out every active session (changing the password alone does not always end a session the attacker already holds), and enable multi-factor authentication if it isn’t already on.

Your IT team will scan your device for malware, check your Microsoft 365 account for signs of compromise (sign-ins from unusual locations, new inbox or forwarding rules, messages you didn’t send), reset any potentially compromised credentials, and watch for the attacker moving on to other accounts. Quick reporting limits the damage; phishing often spreads further because the first victim delayed reporting out of embarrassment.

Modern phishing attacks bypass spam filters by sending from compromised legitimate accounts (real business email addresses that pass authentication checks), fresh domains with no spam history, legitimate cloud hosting services (so links appear to come from Microsoft or Google infrastructure), and text-only, AI-written lures with no attachment or known-bad signature to match. Attackers also use “low and slow” tactics, sending small volumes from each compromised account to avoid volume-based filters.

This is why organizations need time-of-click protection (Microsoft Safe Links) that re-verifies URLs when clicked, not just when the email arrives, and behavioral analysis that detects unusual patterns even from legitimate sender addresses.
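The “check the actual sender domain” and “email authentication” advice in the first answer above, and the compromised-account caveat in the second, can be made concrete. The following is an added example, not TUCU’s tooling: using only Python’s standard-library email package, it compares the displayed From domain with Reply-To and Return-Path and reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header. The two messages are constructed, and the receiving server name mx.example.ca is an assumption; only the Authentication-Results line written by that server is trusted, because a sender can put a fake one in the message.

```python
"""Sender-header triage: does the address you see match the one that really
sent the message, and did our receiving server's SPF, DKIM and DMARC checks pass?

Added example, not TUCU's tooling. It uses only the standard-library `email`
package on a raw message. The two messages below are constructed; the
Authentication-Results header is the one the receiving mail server stamps on
delivery, so only the copy written by our own server (assumed here to be
'mx.example.ca') is trusted, and one supplied by the sender is ignored."""
import email
from email import policy
from email.utils import parseaddr

# Assumption: the authserv-id our own mail server writes into Authentication-Results.
OUR_AUTHSERV = "mx.example.ca"


def parse_message(raw):
    """Parse raw RFC 5322 text into a message object (folded headers are unfolded)."""
    return email.message_from_string(raw, policy=policy.default)


def domain_of(header_value):
    """Domain part of an address header, lowercased ('' if the header is absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Map method -> result ('pass', 'fail', 'none', ...) taken from OUR server's
    Authentication-Results header only. Simplification: clauses are split on
    ';', so a ';' inside a parenthesised comment would confuse it."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV:
            continue  # stamped by someone else (or forged by the sender): ignore
        for clause in rest.split(";"):
            method, _, outcome = clause.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and outcome:
                results[method] = outcome.split()[0].lower()
    return results


def triage(raw):
    """Return the sender-side red flags for a raw email; an empty list means none."""
    msg = parse_message(raw)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    path_dom = domain_of(msg["Return-Path"])
    # Replies would silently go somewhere other than the displayed sender.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    # Bounce address on a different domain. Weak on its own (newsletter
    # services do this legitimately), so it is paired with the DMARC result.
    if path_dom and not (path_dom == from_dom or path_dom.endswith("." + from_dom)):
        flags.append(f"Return-Path {path_dom} differs from From {from_dom}")
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "missing") != "pass":
            flags.append(f"{method} {auth.get(method, 'missing')}")
    return flags


# Constructed messages. PHISH spoofs the From address; its second
# Authentication-Results line was added by the attacker and must be ignored.
PHISH = """\
Return-Path: <bounce@mail-evil.net>
Authentication-Results: mx.example.ca; spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=mail-evil.net; dkim=none; dmarc=fail action=quarantine
 header.from=microsoft.com
Authentication-Results: microsoft.com; spf=pass; dkim=pass; dmarc=pass
From: Microsoft Account Team <account-security@microsoft.com>
Reply-To: <support@mail-evil.net>
To: <you@example.ca>
Subject: Unusual sign-in activity

Verify your account within 24 hours.
"""

LEGIT = """\
Return-Path: <bounces@tucu.ca>
Authentication-Results: mx.example.ca; spf=pass smtp.mailfrom=tucu.ca;
 dkim=pass header.d=tucu.ca; dmarc=pass header.from=tucu.ca
From: TUCU Support <support@tucu.ca>
To: <you@example.ca>
Subject: Your ticket has been updated

Your ticket was updated; sign in to the portal to view it.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw) or ["no sender-side red flags"])
```

The caveat from the second answer applies directly: when the attacker sends from a genuinely compromised mailbox, From, Return-Path, SPF, DKIM and DMARC all line up and this triage returns nothing. Clean headers therefore mean “the sending domain is what it claims to be”, not “this message is safe”, and the link checks, the unexpected-request test and the urgency test still have to be applied.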

Protect Your Business From Phishing Attacks

Employee awareness is your first line of defense, but it’s not enough on its own. Modern phishing attacks require technical protection layers including email filtering, link protection, and multi-factor authentication.

TUCU’s team of Microsoft 365 security experts help Toronto and Durham Region businesses implement email security using Microsoft 365’s advanced threat protection features.

Need help securing your business email? Contact us for a security assessment.
