The Definitive Guide: How to Avoid Phishing

cybersecurity training, email, Phishing

Why Avoid Phishing?

Phishing is the #1 way that companies get hacked.

Why?  Because phishing works.

Check out these terrifying stats:

Yikes.

Most people don’t know how to avoid phishing.

We’ve put together the best tips and techniques that you can use to avoid phishing in your business.

1) Pay attention to phishing warnings

Most modern email systems do a pretty good job at warning you about possible phishing messages.

Many people ignore these warnings.  They do so at their own risk.

Here’s an example of Gmail’s warning:

Gmail phishing warning banner: “Be careful with this message. Similar messages were used to steal people’s personal information. Unless you trust the sender, don’t click links or reply with personal information.”

Even good ol’ Microsoft Outlook has a warning:

Outlook phishing alert banner: “This might be a phishing message and is potentially unsafe. Links and other functionality have been disabled. Click here to enable functionality (not recommended). Outlook blocked access to the following potentially unsafe attachments: image001.gif.”

Lesson 1 to avoid phishing: train your staff to spot the warnings AND to pay attention to them.

2) Get a top-notch phishing scanner

Most companies use an email service, like Google Workspace or Microsoft 365, that has email scanners built in.

These aren’t too bad, and can work fine for companies that don’t have a lot of sensitive data.

But most readers of our articles are in heavily regulated industries.  Healthcare, financial services, manufacturing, etc.

You need a better scanner.

In fact, the best solution will use TWO scanners.  The first should be from a company that focuses specifically on email security.

For the second, it’s fine to use your email provider’s scanner.

That way you get two levels of protection before your users even see an email.

We like and recommend a system called Proofpoint.

We’d be happy to tell you more about it during a HIPAA or SEC Cybersecurity Strategy Session.

The best email scanners will do two things…

a) Each day, they’ll send you a digest of the emails they blocked.  You can then decide whether to keep them blocked or release them.  This is WAY better than having them dumped into your Spam folder, where you might miss something important.

Screenshot of an Adelia Risk “Quarantine Digest” email: a list of quarantined messages ordered by score, showing sender address, subject, delivery date/time, and the actions Preview, Release & Approve, or Block.

b) The best systems also protect every link you receive.

When you click on a link, the system scans the link’s destination in real time.

If the website you’re about to visit is known-bad or brand new, you’ll be blocked.

More on this later.

Lesson 2 to avoid phishing: use a best-of-breed phishing email scanner, and teach your staff how to use it.

3) Be on high alert when an email asks you to do anything

If you’re training your staff on spotting phishing attacks, this is the SINGLE most important message you need to drive home.

You need to be on super high alert any time an email asks you to do any of the following:

a) Click a link

b) Open an attachment

c) Update personal information, like usernames or passwords

d) Transfer money or pay an invoice

e) Reply to an email (or trick you into replying to an email)

f) Sign a document (Docusign phishing attacks are incredibly effective)

By the way, it doesn’t matter who the sender is.  We’ll talk more about this later, but you should be suspicious even if the email appears to come from your boss or a colleague.

Example Netflix phishing email: “We recently failed to validate your information… please click the button below to get started”, with an “Update Account Details” button.

Lesson 3 to avoid phishing: be on super high alert any time an email asks you to do something.

4) Go to the site, don’t click the link

If you get an email that appears to come from a service you use, stop.

Don’t click that link.

Instead, head over to the site directly and log in.

For example, see the “Netflix” message above?  Clicking the link would have taken me to a phishing site.

But if I go to www.netflix.com and log in directly, I’m safe and sound.

And when I log in, their site is smart enough to tell me if I need to “update my account details” or not.

Here’s another example, even worse:

Example American Express phishing message labeled “CardMember Alert”, asking the recipient to validate their profile via an attached HTML form.

If I really think my Amex account needs attention, you’d better believe that I’m going straight to www.americanexpress.com.

Lesson 4 to avoid phishing: never click links for major services.  Go straight to the site and log in.

5) Find the REAL sender

It is INCREDIBLY easy to make an email appear like it comes from any email address.

Don’t believe me?  Try this: http://www.deadfake.com/Send.aspx 

It’s a site that lets you send an email and make it appear like it comes from someone else.  Give it a try.  Just don’t do anything stupid.

For risky emails (#3, above), first check who REALLY sent your email.

How do you do this?  Depends on what you’re using as an email client.

In Gmail, click this little arrow:

Gmail sender line showing “WIRED <wired@eml.condenast.com>” with the dropdown arrow next to it.

In Outlook, you can follow these step-by-step instructions.

For Outlook.com, you can follow these instructions.

The key thing here – don’t just assume that the email address that you first see on your screen is the correct one.

Here’s an example — in my inbox, this email appears to come from my friend Jim:

Inbox screenshot: the sender is shown as “Jim H…”.

But when I click into it, it’s not from Jim at all…

Email header details: sender “Jim H…”, actual address “orthosf@aioros.ocn.ne.jp”, “mailed-by: aioros.ocn.ne.jp”.

Lesson 5 to avoid phishing: You’ll have to click down deeper to see the REAL sender.
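The same check done programmatically, as an added example that is not from the article: it parses a constructed message modelled on the “Jim H…” case above and flags the fields a reader should compare. The contact list, the Reply-To address and the Received line are assumptions.

```python
# Added example, not from the article: pull the "real sender" fields out of a raw
# message the way a mail client's "show details" view does, then flag the
# mismatches a reader should notice. The message is constructed for this
# example and mirrors the "Jim H..." case (display name vs. actual address).
from email import message_from_string
from email.utils import parseaddr

SAMPLE_RAW = """\
Received: from aioros.ocn.ne.jp (aioros.ocn.ne.jp [203.0.113.10])
    by mx.example.com with ESMTP id abc123
From: "Jim H" <orthosf@aioros.ocn.ne.jp>
Reply-To: "Jim H" <reply@mail-relay.example.org>
To: you@example.com
Subject: Quick favor

Can you wire the payment today?
"""

def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def real_sender(raw):
    """Collect the fields to compare before trusting a message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # The first Received header names the host that handed the message to our
    # server: roughly what Gmail labels "mailed-by".
    received = msg.get_all("Received") or []
    mailed_by = received[0].split()[1].lower() if received else ""
    return {"display_name": name, "from_addr": addr.lower(),
            "reply_to": reply_to.lower(), "mailed_by": mailed_by}

def sender_warnings(fields, known_contacts):
    """known_contacts maps a display name to the address you really have for it."""
    warnings = []
    expected = known_contacts.get(fields["display_name"])
    if expected and expected.lower() != fields["from_addr"]:
        warnings.append("display name matches a contact but the address does not")
    if fields["reply_to"] and domain_of(fields["reply_to"]) != domain_of(fields["from_addr"]):
        warnings.append("Reply-To goes to a different domain than From")
    if fields["mailed_by"] and not fields["mailed_by"].endswith(domain_of(fields["from_addr"])):
        warnings.append("mailed-by host does not belong to the From domain")
    return warnings
```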

6) Watch out for Copycat domains

The first trick hackers try?  They’ll send the email from a domain that looks similar to the company’s real domain.

Here’s an example:

Gmail header details showing the sender as “American Express <AmericanExpress@aep.com>”, with “reply-to” and “to” both at aep.com.

“aep.com” has nothing to do with American Express, but it sure sounds like it does!

Here are a few other examples — hacker sites on the left, legit sites on the right…

  • help@microsoft-techsupport.biz vs. help@microsoft.com
  • support@dropbox-usa.net vs. support@dropbox.com
  • info@googlefinancialpartners.com vs. info@google.com

They might also try to use free email services, like this:

  • microsoft.support@outlook.com
  • dropbox-support@yahoo.com
  • googlesupport@gmail.com

Lesson 6 to avoid phishing: check the sender and look out for copycat domains.

7) Watch out for Typosquatting

Remember how I said that hackers were registering 1.5 million phishing sites per month?

Here’s why.

Hackers use a trick called “typosquatting” to try to trick you into clicking on a link.

It’s easier to show than explain.  Here are some examples from the excellent cybersecurity company Anomali:

Keyword variants of a legitimate bank domain:

  • anomalibank.com – safe
  • update-anomalibank.com – unsafe
  • anomalibank-alert.x7462e7.com – unsafe
  • wwwanomalibanksecure.com – unsafe

Typographic variants:

  • domain.com – safe
  • domian.com, domains.com, doma1n.com, domain.cm – unsafe

Lesson 7 to avoid phishing: train your team to watch out for typosquatting.
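Both patterns, the copycat domains and free-mail accounts from Section 6 and the typosquats from Section 7, can be caught by one classifier. This is an added example, not the article’s or Anomali’s code; the protected-brand list, the free-mail list and the one-keystroke threshold are assumptions.

```python
# Added example, not from the article: sort a sender address or link domain into
# the buckets Sections 6 and 7 describe, against a small list of brands you want
# to protect. Brand list, free-mail list and thresholds are assumptions.
PROTECTED = {"microsoft.com", "dropbox.com", "google.com", "anomalibank.com", "domain.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as one step each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # domian -> domain
    return d[-1][-1]

def brand_of(domain):
    """The part a look-alike reuses: 'anomalibank.com' -> 'anomalibank'."""
    return domain.split(".")[0]

def classify(address_or_domain):
    """'legit', 'typosquat', 'copycat', 'free-mail impersonation' or 'unknown'."""
    local, _, domain = address_or_domain.lower().rpartition("@")
    if domain in PROTECTED or any(domain.endswith("." + p) for p in PROTECTED):
        return "legit"  # the real domain or one of its own subdomains
    if domain in FREE_MAIL:
        # microsoft.support@outlook.com: the brand sits in the user part, not the domain
        return "free-mail impersonation" if any(brand_of(p) in local for p in PROTECTED) else "unknown"
    # One keystroke away from the real thing: domian.com, doma1n.com, domain.cm, domains.com
    if any(osa_distance(domain, p) <= 1 for p in PROTECTED):
        return "typosquat"
    # Brand name buried in an unrelated domain: microsoft-techsupport.biz, update-anomalibank.com
    if any(brand_of(p) in domain for p in PROTECTED):
        return "copycat"
    return "unknown"  # e.g. aep.com only sounds like American Express, so it needs a human eye
```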

8) The Link Hover

Does your risky email have a link in it?

Here’s what you need to do.

Every single email program and web browser out there has a way to show you where a link goes before you click on it.

All you have to do is hover your mouse over a link, but DON’T click on it.

First, let me show you how this works on a web page. This is an article we wrote recently about Wannacry ransomware. See the link on the page?

If I hover my mouse over the link, the destination pops up in the lower left-hand corner. Take a look…

Browser screenshot: the cursor hovers in the browser, with the secure padlock and the “yougetsignal.com” address highlighted.

The location of the hover is going to vary based on what program and what browser you’re using.

Most of them show it in a corner of the window, or in a pop-up right next to the link.

After you do the hover, you’ll be able to see whether the link brings you to a legit site or a site that you don’t recognize.

Lesson 8 to avoid phishing: hover before you click.
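An automated version of the hover, as an added example not taken from the article: it walks every link in a constructed HTML email body and reports the real destination next to what the reader sees, flagging links whose visible text names one site while the href points at another. All URLs in the sample are constructed.

```python
# Added example, not from the article: the automated form of the "link hover".
# Each <a> in an HTML body is listed with its real destination, and a link is
# flagged when the visible text names a host that differs from the href host
# (the "www.americanexpress.com" text pointing at a raw IP below). The HTML
# and every URL in it are constructed for this example.
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """<p>Please <a href="http://login-netflix.example-phish.net/u">
update your account</a> or visit
<a href="http://203.0.113.7/amex">www.americanexpress.com</a>.
Our article: <a href="https://www.example.com/wannacry">WannaCry ransomware</a></p>"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def host_of(text):
    """Host named by a URL or a bare 'www.example.com' string; '' if the text names none."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host.lower() if "." in host and " " not in text.strip() else ""

def hover_report(html):
    """Return (visible_text, real_destination_host, suspicious) for every link."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for text, href in parser.links:
        shown, real = host_of(text), host_of(href)
        # Only flag when the reader is shown a host and it is not where the link goes
        report.append((text, real, bool(shown) and shown != real))
    return report
```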
