The Castle IT blog

How to Spot a Phishing Email (5 Quick Checks)

The vast majority of cyberattacks on small businesses start the same way: a convincing email that tricks someone into clicking a link, opening an attachment or handing over a password. The good news is that most phishing emails give themselves away if you know what to look for. Here are five quick checks your whole team can use.

1. Check the sender's actual email address

The display name is easy to fake. What's harder to fake is the real address behind it. Click or hover on the sender name and look at the actual email address. "Microsoft Support" sounds official — but if the address is something like support@micros0ft-secure.net, it's a fake. Look for subtle misspellings, odd domains and extra words bolted on.

2. Hover over links before you click

On a computer, hover your mouse over any link (don't click) and the real destination appears at the bottom of the screen. If the text says one thing but the link points somewhere completely different — or to a string of random characters — don't click. On a phone, press and hold the link to preview where it goes.
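Checks 1 and 2 can also be run automatically over a saved message. The block below is an added example, not Castle IT's own tooling: the trusted-domain list and the sample email are constructed for illustration, and the look-alike test only undoes a few common character swaps.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Domains you genuinely expect mail from (an assumed list for illustration).
TRUSTED = {"microsoft.com", "example-bank.co.uk"}
# Constructed sample message: the display name says "Microsoft", the real address
# uses a look-alike domain, and the link text shows a different site to its href.
RAW_EMAIL = """From: "Microsoft Support" <support@micros0ft-secure.net>
Subject: Unusual login detected
Content-Type: text/html

<p>Verify now: <a href="http://login-verify.example.net/abc">https://login.microsoft.com</a></p>
"""
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def normalise(domain: str) -> str:
    """Undo common look-alike substitutions (0->o, 1->l, rn->m) before comparing."""
    return domain.lower().replace("0", "o").replace("1", "l").replace("rn", "m")

def sender_flags(msg) -> list[str]:
    """Check 1: judge the real address behind the display name, not the name."""
    domain = email.utils.parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    if domain in TRUSTED:
        return []
    flags = [f"sender domain not trusted: {domain}"]
    for trusted in sorted(TRUSTED):
        if trusted.split(".")[0] in normalise(domain):
            flags.append(f"sender domain looks like {trusted}")
    return flags

def link_flags(html: str) -> list[str]:
    """Check 2: the visible link text must point where the href really goes."""
    flags = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "." not in shown:  # plain words like "click here" give nothing to compare
            continue
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        real_host = urlparse(href).hostname
        if shown_host != real_host:
            flags.append(f"link text shows {shown_host} but goes to {real_host}")
    return flags

def triage(raw: str) -> list[str]:
    """Run both checks over a raw message and return the warnings to show the user."""
    msg = email.message_from_string(raw, policy=policy.default)
    return sender_flags(msg) + link_flags(msg.get_content())
```

Running `triage(RAW_EMAIL)` returns three warnings for the sample: an untrusted sender domain, its resemblance to microsoft.com, and the link whose text and destination disagree.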

3. Watch for urgency and threats

Phishing relies on panic. "Your account will be suspended in 24 hours." "Unusual login detected — verify now." "Your payment failed, update your details immediately." Real organisations rarely threaten you into instant action. That manufactured urgency is designed to stop you thinking — which is exactly when you should slow down.

4. Be suspicious of unexpected attachments

An invoice you weren't expecting. A "delivery note" from a courier you didn't order from. A document that demands you "enable content" or "enable macros" to view it. These are classic ways to deliver malware. If you weren't expecting it, don't open it — verify with the sender first, through a channel you trust.

5. Look for the personal touch (or lack of it)

"Dear Customer" or "Dear User" from your own bank is a red flag — they know your name. Generic greetings, clunky grammar and slightly-off branding all suggest a mass-sent fake. That said, modern phishing is getting more polished, including emails that appear to come from a colleague or your boss, so the other four checks still matter even when it looks personal.

What to do if you're not sure

The golden rule: if in doubt, don't click. Verify through a separate channel — ring the company on a number from their official website, or walk over and ask the colleague who supposedly sent it. And if you think someone on your team has clicked something dodgy, act fast: change passwords and get it checked. The sooner it's caught, the less damage it does.

Technology helps too. Good email filtering stops most phishing before it lands, and multi-factor authentication means a stolen password alone isn't enough to get in. Both are part of our cybersecurity setup, including staff training that turns your team into a human firewall.

FAQs — phishing emails

What should I do if I clicked a phishing link?
Don't panic, but act quickly. Disconnect from the internet if you entered any details, change the password for any account you may have exposed (from a different device), enable MFA if it isn't already on, and tell whoever handles your IT so they can check for anything further. Speed limits the damage.
Can phishing emails really get past spam filters?
Sometimes, yes. Filters catch the bulk of them, but attackers constantly tweak their methods, and targeted phishing aimed at your business specifically can slip through. That's why human awareness plus filtering plus MFA together are far stronger than any one alone.
What's the difference between phishing and spear phishing?
Phishing is mass-sent to thousands in the hope a few bite. Spear phishing is targeted at a specific person or business, often using real details about you or your colleagues to seem genuine. Spear phishing is harder to spot, which is why verifying unexpected requests matters.
How can I train my staff to spot phishing?
Short, regular reminders beat one big lecture. We provide practical security awareness training as part of our cybersecurity support, teaching teams the checks in this article and how to report anything suspicious without fear of getting told off.

Sort it before it breaks

This is exactly what our flat-rate £100/month Safety Net covers — backups, silent updates, monitoring and a local engineer who answers. Book a free IT review for a plain-English plan.
