Recognising phishing: what can you teach your team in 20 minutes?
Phishing is no longer a badly-spelled Nigerian prince. Modern phishing is personalised, tailored, and designed to look like it came from inside your own organisation. Here's what everyone needs to know.
Phishing in 2026 is sophisticated: near-perfect language, look-alike domains, written by AI. Even so, there are tell-tale signs you can learn to spot.
The 5 red flags

- Urgency. "If you don't click within 4 hours, your access will expire." Genuine internal communications never say this.
- Suspicious sender. ceo@bed3rgeregeld.com (3 instead of e). noreply@microsoft-security.com (the legitimate domain is microsoft.com, not microsoft-security). Click on the display name to reveal the real address.
- Link hover check. Hover over the link. Does the URL match what's shown? office365login.com is not Microsoft.
- Unusual request. "Your CEO is asking you to urgently buy gift cards." A real CEO would never do this by email.
- Unexpected attachment. Invoices you weren't expecting, CVs out of nowhere. Don't open them without verifying first.
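Red flags 2 and 3 are mechanical enough to check in code, which is also a useful way to show a team what "look at the real address" means. The script below is an added example, not part of the original article; it assumes a constructed allowlist in which the organisation's genuine domain is bedergeregeld.com (the page's "3 instead of e" example with the e restored) and flags the patterns named above: digit-for-letter swaps, a trusted brand name inside an untrusted domain, and link text that shows a different site than the one the link goes to.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): registrable domains the organisation treats as genuine.
TRUSTED_DOMAINS = {"bedergeregeld.com", "microsoft.com"}
# Brand words that look-alike domains tend to embed (microsoft-security.com, office365login.com).
BRAND_WORDS = ("microsoft", "office365", "outlook")
# Digits commonly swapped for the letters they resemble: 0->o 1->l 3->e 4->a 5->s 7->t 8->b
DIGIT_SWAPS = str.maketrans("0134578", "oleastb")


def registrable_domain(host):
    """Last two labels of a hostname; enough for the .com examples on this page."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def sender_flags(from_header):
    """Red flag 2: judge the real address behind the display name, not the name itself."""
    match = re.search(r"<([^>]+)>", from_header)
    address = (match.group(1) if match else from_header).strip()
    domain = registrable_domain(address.split("@")[-1])
    if domain in TRUSTED_DOMAINS:
        return []
    flags = []
    unswapped = domain.translate(DIGIT_SWAPS)
    if unswapped != domain and unswapped in TRUSTED_DOMAINS:
        flags.append(f"digit-for-letter look-alike: {domain} mimics {unswapped}")
    if any(brand in domain.split(".")[0] for brand in BRAND_WORDS):
        flags.append(f"brand name inside untrusted domain: {domain}")
    return flags or [f"sender domain not trusted: {domain}"]


def link_flags(link_text, href):
    """Red flag 3: compare the URL shown to the reader with where the link really goes."""
    target = registrable_domain(urlparse(href).hostname or "")
    flags = []
    shown = re.search(r"https?://([^/\s]+)", link_text)
    if shown and registrable_domain(shown.group(1)) != target:
        flags.append(f"link text shows {registrable_domain(shown.group(1))} but goes to {target}")
    if target not in TRUSTED_DOMAINS and any(brand in target for brand in BRAND_WORDS):
        flags.append(f"brand name inside untrusted link domain: {target}")
    return flags


if __name__ == "__main__":
    # Constructed samples mirroring the article's examples.
    for header in ("CEO <ceo@bed3rgeregeld.com>", "Microsoft <noreply@microsoft-security.com>"):
        print(header, "->", sender_flags(header))
    print(link_flags("https://login.microsoft.com", "https://office365login.com/auth"))
```

The two-label rule in registrable_domain is deliberately simple; for real mail you would use a public-suffix list so that co.uk-style domains are handled correctly.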
What should you actually train?

- Use a phishing simulation platform (KnowBe4, Cofense) and run a quarterly campaign.
- Add a report button in Outlook / Gmail so reports land directly with IT.
- No blame culture: anyone who clicks on a phishing test gets extra training, not a telling-off.
- Short refreshers (5-min video) every six months.
What NOT to do

- Don't dismiss people for falling for it. That discourages reporting of real incidents.
- Don't rely entirely on email filters. Modern phishing gets through most of them.
- Don't just teach "look for typos." Modern phishing has no typos.
If someone clicks: what now?
Report it to your IT/security lead immediately. Change your password. Revoke MFA sessions. Change passwords for any other affected accounts. See incident response.

See also: security pillar.
Full guide: Security for SMEs without an IT department: what do you do this quarter?
This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.
Read the pillar →