An email arrives in your inbox. It’s from your bank, FNB. The subject line reads: “URGENT: Security Alert – Irregular Activity on Your Account.” Your heart skips a beat. The email, complete with the official logo and branding, explains that a suspicious transaction has been flagged and your account has been temporarily frozen. To unlock it, you must click the link below and verify your login details immediately.
What do you do?
In that moment of panic, your gut reaction is to click the link. It’s a natural response, driven by the urgency and fear the email is designed to create. But that single click could be the one that unleashes a devastating cyberattack on your business. This is the insidious power of phishing.
Phishing is no longer a niche problem for large corporations. As of July 2025, it is the single most common and dangerous cyber threat facing small and medium-sized businesses in South Africa. We are, according to multiple global cybersecurity reports, one of the most targeted nations on the continent. Cybercriminals are not just sending out random spam; they are crafting sophisticated, localised attacks that impersonate SARS, your bank, your courier company, and even your own CEO.
The scary part? Your expensive firewall and antivirus software can’t always stop these emails from reaching your inbox. The final line of defence isn’t a piece of technology; it’s a vigilant, well-informed human being. It’s you, and every single person on your team.
This guide is designed to be your company’s essential training manual. We will move beyond theory and show you, with practical examples, how to dissect a suspicious email and spot the tell-tale red flags of a phishing attack. We will provide a clear action plan for what to do when you suspect an attack and explain why making cybersecurity a team sport is the only way to win. Share this guide. Discuss it with your colleagues. It might be the most important security meeting you have all year.
What is Phishing? The Deceptive Art of the Digital Con Artist
Before you can spot a phish, you need to understand the predator. Phishing is a type of social engineering attack where a criminal sends a fraudulent message designed to trick a person into revealing sensitive information or deploying malicious software.
The ultimate goal is almost always financial. The attacker wants to steal:
- Credentials: Your username and password for your email, banking, or company network.
- Financial Information: Business credit card numbers or banking details.
- Personal Data: ID numbers and addresses for identity theft.
- Access: They may try to trick you into installing malware or ransomware that can lock up your entire business’s data.
While email is the most common method, phishing has evolved. Be aware of these common variations:
- Spear Phishing: A highly targeted attack aimed at a specific individual or company. The email will often use the recipient’s name, job title, and other personal details to appear more legitimate.
- Whaling: A type of spear phishing aimed at senior executives (the “big fish” or “whales”), like the CEO or CFO, often with the goal of tricking them into authorising large fraudulent payments.
- Smishing (SMS Phishing): Phishing attacks conducted via text messages. You’ve likely seen these: “Your package from Takealot has a pending customs fee. Click here to pay: [suspicious link]”.
- Vishing (Voice Phishing): Phishing conducted over the phone, where a scammer might impersonate a bank official or a representative from your IT department.
The tactics change, but the core strategy is always the same: create a powerful emotional response—usually fear, urgency, or curiosity—to make you act before you think.
The Anatomy of a Phish: 7 Red Flags to Look For
A well-crafted phishing email can look incredibly convincing. It might use the exact logos, fonts, and layout of a real company. But no matter how good the disguise, they almost always have subtle flaws. Your job is to become a detective and learn to spot these clues.
Here are the seven red flags you and your team must be trained to look for.

Red Flag #1: The Sender’s Email Address is “Off”
This is the most reliable technical giveaway. At first glance, the sender’s name might look correct (e.g., “SARS eFiling”), but you must inspect the actual email address.
- Public Domains: A legitimate organisation like SARS, FNB, or Microsoft will never email you from a public domain like @gmail.com or @outlook.co.za. They will always use their own domain (e.g., @sars.gov.za).
- Lookalike Domains (Spoofing): This is a more devious trick. The scammer will register a domain that looks very similar to the real one.
  - Real: [email protected]
  - Fake: [email protected] (wrong domain extension)
  - Fake: [email protected] (the ‘o’ is replaced with a zero ‘0’)
  - Fake: [email protected] (an extra suffix added)
ACTION: Always hover your mouse over the sender’s name to reveal the full email address. On a mobile device, tap the sender’s name. If it doesn’t match the official domain of the company perfectly, it is a scam.
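The same inspection can be automated for every incoming message, so that a mail gateway or a helpdesk triage script applies Red Flag #1 before a person ever has to. The following Python script is an added example and is not code from this guide or from any vendor. Its allow-list of official domains, its list of public webmail domains and its homoglyph table are constructed assumptions for illustration. It generalises the three lookalike patterns listed above (wrong extension, zero-for-o, added suffix) and also catches a fourth common variant, the official domain placed in front of an attacker-registered one.

```python
from email.utils import parseaddr

# Constructed allow-list for the brands this guide mentions. Assumption: illustrative
# only; a real deployment would load the list of official domains from policy.
OFFICIAL = {"sars": "sars.gov.za", "fnb": "fnb.co.za", "microsoft": "microsoft.com"}
# Public webmail domains that no bank, revenue service or vendor would send from.
PUBLIC = {"gmail.com", "outlook.com", "outlook.co.za", "yahoo.com", "hotmail.com"}
# Character swaps that make a lookalike label read like the real brand (micr0soft, rnicrosoft).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label: str) -> str:
    """Undo common digit-for-letter substitutions so 'micr0soft' compares as 'microsoft'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def brand_tokens(domain: str) -> set:
    """Split each label on '-' and normalise: 'fnb-secure.co.za' -> {'fnb', 'secure', 'co', 'za'}."""
    return {normalise(part) for label in domain.split(".") for part in label.split("-") if part}


def check_sender(header: str) -> tuple:
    """Classify a From: header value. Returns (verdict, reason)."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    if "@" not in addr:
        return "suspicious", "no parseable address"
    domain = addr.rsplit("@", 1)[1]
    if domain in OFFICIAL.values():
        return "ok", f"exact official domain {domain}"
    if domain in PUBLIC:
        return "suspicious", f"organisation mail sent from public domain {domain}"
    for brand, official in OFFICIAL.items():
        # Genuine subdomain (mail.fnb.co.za): not a lookalike, but still worth confirming.
        if domain.endswith("." + official):
            return "review", f"subdomain of {official}; confirm it is expected"
        # Official domain placed at the front (fnb.co.za.evil.example): the tail is the real owner.
        if domain.startswith(official + "."):
            return "suspicious", f"{official} used as a subdomain of {domain}"
        # Brand name appears in a label once homoglyphs are undone: wrong extension,
        # zero-for-o substitution, or an added suffix such as fnb-secure.
        if brand in brand_tokens(domain):
            return "suspicious", f"lookalike of {official}: {domain}"
    # The display name claims a brand but the address belongs to something unrelated.
    for brand in OFFICIAL:
        if brand in name.lower():
            return "suspicious", f"display name mentions {brand} but address is {domain}"
    return "unknown", f"{domain} is not a domain this check knows"


if __name__ == "__main__":
    # Constructed sample headers modelled on the red flags above.
    for sample in ['"SARS eFiling" <alerts@sars.gov.za>', "FNB Alerts <security@gmail.com>",
                   "SARS <refunds@sars.co.za>", "Microsoft <admin@micr0soft.com>",
                   "FNB <noreply@fnb-secure.co.za>", "FNB <noreply@fnb.co.za.evil.example>"]:
        print(sample, "->", check_sender(sample))
```

The verdicts are deliberately coarse: anything that is not an exact match on an official domain is either flagged or sent for review, which is the same rule the ACTION above gives to a human reader. Legitimate subdomains are returned as "review" rather than "ok" so that a new sending host still gets a second look the first time it appears.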
Red Flag #2: Generic Greetings and Impersonal Language
Your bank, your accounting software, and other services you have an account with know your name. A legitimate email will almost always address you personally.
- Phishing Email: “Dear Valued Customer,” “Dear Account Holder,” or “Good Day,”
- Legitimate Email: “Dear Pieter,” or “Hi Elize,”
If an email that is supposedly about your specific account uses a generic greeting, it’s a huge red flag that the same message has been blasted out to thousands of people.
Red Flag #3: A Sense of Extreme Urgency or Threats
This is the core psychological trick of phishing. The email is designed to make you panic and bypass your rational judgment. Look for threatening language and urgent deadlines.
- “Your account has been compromised and will be locked in 30 minutes if you do not act.”
- “We have detected suspicious activity. Click here IMMEDIATELY to secure your account.”
- “This invoice is overdue by 90 days. To avoid legal action, payment must be made today.”
- “Your Microsoft 365 password expires today.”
ACTION: Whenever you see language that creates pressure or fear, stop. A real organisation will not threaten you in this way over email. This is a deliberate tactic to make you click without thinking. Pause and scrutinize the rest of the email for other red flags.
Red Flag #4: Poor Spelling and Grammar
While AI has made phishing emails more sophisticated, many still contain obvious errors. Professional companies have teams of writers and editors who review their communications. An official email is unlikely to be littered with spelling mistakes or awkward, unnatural phrasing.
These errors often arise from the text being written by non-native speakers or being poorly translated. If the language just doesn’t “feel right,” trust your instincts.
Red Flag #5: Suspicious Links or Unexpected Attachments
The payload of a phishing email is almost always a link or an attachment. You must treat them as digital explosives until proven safe.
- Suspicious Links: A link in an email can be disguised. The text might say “Click here to log into your FNB account”, but the underlying destination could be a fraudulent website.
  - ACTION: NEVER click a link directly. On a computer, hover your mouse over the link. A small pop-up will show you the actual URL it will take you to. If that URL does not match the expected website, it’s a phish. On a mobile device, you can usually “long-press” the link to preview the real destination. If in doubt, always open a new browser window and type the company’s official web address in manually.
- Unexpected Attachments: Be extremely wary of attachments you weren’t expecting, even if they seem to come from a known contact. Common malicious attachments include:
  - Fake invoices (invoice.pdf.exe)
  - Shipping notifications (delivery_note.zip)
  - “Scanned documents” (scan_2025-07-17.html)
ACTION: Do not open any unexpected attachment. If you receive an invoice from a supplier that seems unusual, call them on their known phone number to verify it before opening.
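Both checks in Red Flag #5, the hidden link destination and the disguised attachment, can be run by a script before a message reaches anyone's inbox. The Python below is an added example, not code from this guide or from any mail vendor. It parses a message with the standard library, flags attachments whose name carries a risky or double extension, and flags any link whose visible text names one domain while the real href points somewhere else. The sample message it builds is constructed for illustration, and the extension lists are assumptions rather than a complete policy.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that execute or render active content when opened; archives are included
# because they are the usual wrapper for them. Assumption: an illustrative list, not policy.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".html", ".htm",
             ".zip", ".rar", ".7z", ".bat", ".cmd", ".ps1", ".msi", ".jar"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")


def check_attachment(filename: str):
    """Return a reason string if the file name is a red flag, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext, inner = "." + parts[-1], "." + parts[-2]
    # invoice.pdf.exe: a document extension placed before a risky one to hide it.
    if len(parts) >= 3 and inner in DOC_EXT and ext in RISKY_EXT:
        return f"double extension disguises {ext} as {inner}"
    if ext in RISKY_EXT:
        return f"risky attachment type {ext}"
    return None


def check_link(href: str, text: str):
    """Compare a link's visible text with the host it really points to."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return f"link has no host: {href!r}"
    for shown in DOMAIN_RE.findall(text.lower()):
        shown = shown[4:] if shown.startswith("www.") else shown
        # If the text names a domain, the real host must be that domain or a subdomain of it.
        if host != shown and not host.endswith("." + shown):
            return f"text shows {shown} but link goes to {host}"
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: bytes) -> list:
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = check_attachment(name)
        if reason:
            findings.append(f"attachment {name}: {reason}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            reason = check_link(href, text)
            if reason:
                findings.append(f"link: {reason}")
    return findings


def build_sample() -> bytes:
    """Constructed sample message modelled on the examples above (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "FNB Alerts <alerts@fnb-secure.example>"
    msg["Subject"] = "URGENT: Security Alert - Irregular Activity on Your Account"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(
        "<p>A suspicious transaction has been flagged.</p>"
        '<p><a href="https://login.fnb-secure.example/verify">'
        "Click here to log into your FNB account (www.fnb.co.za)</a></p>"
        '<p><a href="https://www.fnb.co.za/contact">Contact us</a></p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")  # constructed stub, not a real file
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="delivery_note.zip")  # constructed stub, not a real file
    return msg.as_bytes()
```

Running `triage(build_sample())` returns three findings: the double-extension invoice, the zip archive, and the link whose text mentions fnb.co.za but resolves to a different host. The second link, whose text names no domain and whose href is the genuine site, is not reported. The link check is intentionally the machine form of the “hover and compare” ACTION above: it only has an opinion when the visible text makes a claim about where the link goes.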
Red Flag #6: An Unusual or Unexpected Request
This is particularly relevant for “spear phishing” attacks that target businesses. The email might appear to come from your CEO or a manager.
- “Hi, I’m stuck in meetings all day. Please urgently process a payment of R15,000 to this new supplier. Details in the attached invoice.”
- “I need you to buy R5,000 worth of iTunes or Steam gift cards for a client presentation. Scratch them and send me the codes ASAP. I will reimburse you.” (This is a very common scam).
ACTION: Any request that is unusual, urgent, involves money, and bypasses your normal company procedures should be considered highly suspicious. Always verify such requests out-of-band. This means using a different communication channel. Pick up the phone and call your CEO on their known number, or walk over to their desk. Do not simply reply to the email.
Red Flag #7: The Email Just “Feels Off”
Sometimes, an email passes all the technical checks, but it just doesn’t feel right. The tone might be slightly different from how a colleague normally writes, or the request might be out of character. Trust your gut instinct. Human intuition is a powerful security tool. It is always better to be overly cautious and take a moment to verify than to be optimistic and cause a major security breach.
The Action Plan: What to Do When You Spot a Phish
Training your team to spot a phish is half the battle. The other half is ensuring they know exactly what to do next. Create a simple, clear company policy.
Step 1: DON’T PANIC, DON’T CLICK, DON’T REPLY. The first rule is to not engage with the email in any way. Don’t click any links, don’t download any attachments, and do not reply to the sender (this just confirms your email address is active).
Step 2: REPORT IT. If your company uses Microsoft 365 or Google Workspace, they have built-in “Report Phishing” buttons directly in the inbox. Use them. This helps the platform get smarter at blocking similar emails in the future. You should also have an internal procedure, such as forwarding the suspicious email to your IT department or a designated manager.
Step 3: DELETE IT. Once reported, delete the email from your inbox and then empty your trash/deleted items folder. This removes the temptation to click on it later.
What if you DID click the link or open the attachment? If this happens, it’s crucial to act immediately and without shame.
- Disconnect: Immediately disconnect the computer from the internet (unplug the network cable or turn off the Wi-Fi) to prevent any malware from spreading.
- Report: Inform your manager or IT department immediately. Time is critical. They need to know what happened so they can assess the risk.
- Change Your Passwords: If you entered any login details on a fake site, go to the real website immediately from a different, safe computer and change your password. If you reuse that password anywhere else, change it there too.
Making Security a Team Sport
A single, untrained employee can inadvertently bypass millions of rands worth of security technology. Your people are your greatest asset, but they can also be your biggest vulnerability. That’s why creating a security-conscious culture is paramount.
- Regular Training: Don’t make security training a once-off event during onboarding. Hold short, regular sessions (even just 15 minutes a month) to discuss the latest phishing tactics and review recent examples.
- Create a “No-Blame” Culture: Encourage employees to report suspicious emails and even their own mistakes without fear of punishment. It is far better to know that someone clicked a bad link so you can respond, than for them to hide it out of fear.
- Lead by Example: Senior management must follow the security protocols strictly. If the CEO is seen to be taking shortcuts, so will everyone else.
- Use Visual Reminders: Put up posters near workstations with the key red flags of a phishing email. Keep security top-of-mind.
Conclusion: The Human Firewall
In the ongoing war against cybercrime in South Africa, phishing remains the attacker’s primary weapon. They are not trying to hack their way through your firewall; they are trying to trick their way through your front door by fooling a trusted employee.
Technology alone cannot solve this problem. The only way to build a truly resilient business is to empower your team with knowledge and vigilance. By training every single person to become a human firewall—to pause, to scrutinize, and to question before they click—you are building the most effective and intelligent defence system your company can have.
An employee who can confidently spot and report a phishing attempt is more valuable than any piece of security software. Make this guide the starting point for that training. Your business’s security depends on it.
