Blog · Cybersecurity

How to Spot a Fake Email Before You Click

A simple guide for families and small businesses to recognize phishing emails, fake invoices, and suspicious links before they cause damage.

By Mike  |  July 2026  |  6 minute read

Most Fake Emails Are Designed to Look Normal

The most dangerous fake emails don't always look ridiculous. They don't come from a foreign prince, they're not full of spelling mistakes, and they don't scream that something's wrong. Most of them look like ordinary business messages: a password reset, a Microsoft 365 alert, a shipping notice, a bank warning, a shared document, an invoice.

That's exactly what makes phishing effective. Criminals aren't trying to impress technical people. They're trying to catch normal people in the middle of a busy day, checking email on a phone, working through a long list of tasks.

I've walked into offices the week after someone wired money based on a spoofed vendor email. It's always the same story: someone was moving fast, the message looked routine, and nobody stopped to check. It's a bad day for everyone involved, and it's almost always avoidable.

The good news is you don't need to become a cybersecurity expert to protect yourself. You just need to slow down and know what to look for.

Illustration of warning signs on a suspicious email
Fake emails are built to look routine — the warning signs are usually small.

The Goal Is Usually to Make You Act Fast

Most fake emails are built around urgency. The message wants you to click quickly, download something, enter a password, approve a payment, or respond before you have time to think.

Common examples include:

  • Your account will be closed today.
  • Your mailbox is almost full.
  • Your payment failed.
  • Your invoice is attached.
  • Your package cannot be delivered.
  • Your password expired.
  • Your boss needs gift cards right away.

Urgency isn't proof that an email is fake, but it's a good reason to slow down. Real companies send urgent messages too — criminals just count on the panic.

Red Flag #1: The Sender Address Looks Slightly Wrong

Always check who actually sent the email. The display name might say Microsoft, Amazon, Apple, your bank, or even your boss — but the real address underneath can be something else entirely.

A fake email might show a friendly name like “Microsoft Support” while the actual address is total nonsense. On a phone, you may need to tap the sender's name to see the full address.

Don't trust the name alone. Check the address.

Red Flag #2: The Link Doesn't Match the Company

Before clicking a link, stop and look at where it's actually going. On a computer, hover over the link with your mouse. On a phone, press and hold it carefully to preview the address.

A fake Microsoft login link might not go to microsoft.com. A fake bank message might not go to your bank's real site. A fake delivery notice might use a strange shortened link.

When in doubt, don't click the email link at all. Open your browser and type the website yourself, or use the company's official app.

Red Flag #3: The Message Asks for Passwords or Codes

Legitimate companies shouldn't ask you to reply with your password. Be just as careful if someone asks for a one-time code, an MFA approval, or a verification number.

Here's how a common version of this attack works: the criminal already has your password and tries to sign in with it. Then they contact you pretending to be support and ask for the code that just popped up on your phone. If you hand it over, you've handed over access.

Never share MFA codes, password reset codes, or login approvals with someone who contacted you out of the blue.

Red Flag #4: Unexpected Attachments

Attachments are another favorite trick. Fake invoices, receipts, resumes, scanned documents, and shipping forms can carry malicious links or files.

If you weren't expecting the attachment, slow down. If it came from a vendor, coworker, or client, verify it another way before opening it — a quick phone call or a separate text message can save you a very expensive afternoon.

Red Flag #5: Money, Gift Cards, Wire Transfers, or Changed Payment Instructions

Small businesses need to be especially careful with anything involving money. Criminals often pretend to be a vendor, customer, executive, or employee. They might send a fake invoice, ask to change bank details, or pressure someone into buying gift cards.

Any email that changes payment instructions should be verified outside of email. Call the person or company using a number you already know is real — never the number sitting inside the suspicious message.

What to Do Instead of Clicking

If an email feels off, don't argue with it and don't reply. Just take these steps:

  • Don't click links or open attachments.
  • Check the sender address carefully.
  • Go directly to the official website or app.
  • Call the sender using a known number if money or account access is involved.
  • Report the message to your IT provider or email administrator.
  • Delete the email if it can't be verified.

For Small Businesses, One Click Can Affect Everyone

For a family, a fake email can expose personal accounts. For a business, one fake email can expose company email, customer information, invoices, payroll, files, or your whole Microsoft 365 environment.

That's why small businesses shouldn't rely on luck. A solid setup includes multi-factor authentication, strong password habits, email security settings, employee training, and a clear process for verifying anything that looks unusual.

The goal isn't to make employees afraid of every email. It's to make them confident enough to pause, check, and ask before something turns into a real problem.

A Simple Rule That Works

If an email asks you to do something urgent, unusual, or financial, verify it outside of email. That one habit stops most of this before it starts — slow down, check the sender, inspect the link, and confirm anything involving money, passwords, or account access.

Frequently Asked Questions

Is every strange email dangerous?

No. Some emails are just poorly written or automated. But if an email asks you to click, download, pay, reset a password, or share information, it deserves a closer look.

What should I do if I clicked a suspicious link?

Close the page, don't enter any information, and change your password if you already typed it in. If it was a work account, notify your IT provider or administrator right away.

Should I forward suspicious emails to my IT provider?

Yes. If you have IT support, forwarding suspicious emails lets them safely review the sender, the link, and any attachment.

Does multi-factor authentication help?

Yes. MFA can stop many account takeovers even when a password's been stolen. It's not perfect, but it's one of the most important protections you can put in place.

Final Thoughts

Fake emails work because people are busy, not because people are careless. The best defense is one simple habit: slow down before you click.

That's really the whole goal at Mike's IT Consulting: help families and businesses build the kind of everyday habits that quietly prevent expensive problems.

Need help securing your office email?

Mike's IT Consulting can review your Microsoft 365 environment, improve phishing protections, and help your team spot suspicious emails before they cause damage.

Request a Free Assessment

← Back to all posts