Phishing email red flags aren’t always easy to spot. Most scammers don’t make spelling mistakes anymore. They send convincing emails that look like they’ve come from your team, your suppliers, or even your bank. Some use AI to polish their messages. Others hijack real email threads.
These scams often start small — a link, an invoice, a message asking “are you free?”. They don’t aim at IT departments. They aim at you.
Email is still their easiest way in
Scammers target inboxes because people trust them. You’re more likely to read and act on an email than a text or pop-up. If they get you to click, they can harvest your password on a fake login page, talk you into sending money, or get you to open a file that installs software giving them access to your systems. Some breaches cost thousands. Others shut companies down for days.
Red flags you can actually spot
If the sender’s name looks familiar but something about the address is off, stop there. The display name is free text and proves nothing; what matters is the domain after the @. Look-alike domains are a common trick: you might see ‘micros0ft.com’ (a zero instead of an o) rather than ‘microsoft.com’, or a genuine-looking name with an extra word or a different ending. They’re banking on you missing the detail.
Messages that feel urgent are another giveaway. If an email says your account will be locked in 24 hours, or demands payment today, it’s often bait. The goal is to make you act fast and skip checks you’d usually do.
Hovering over a link (or long-pressing it on a phone) can also reveal a lot. If the text says it’ll take you to a known site but the destination shows something unrecognisable, don’t click; shortened links deserve the same suspicion, because they hide where they go. Attachments ending in .exe or .scr are programs and can install malware; .html attachments usually open a fake login page in your browser to capture your password. Treat all of these as a risk unless you were expecting the file.
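The three checks above, written out as a small Python checker. This is an added example, not code from the original post: it compares the sender’s domain against a trusted list (folding common digit-for-letter swaps and allowing a small edit distance), compares each link’s visible text with the real destination that hovering would reveal, and flags risky attachment extensions. The trusted-domain list, the sample message and every address and hostname in it are constructed for the example.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation expects mail from (assumption made for the example).
TRUSTED_DOMAINS = {"microsoft.com", "acme-supplies.co.uk"}
# Extensions that are programs, or web pages that open a fake login form.
RISKY_EXTENSIONS = {".exe", ".scr", ".html", ".htm", ".js", ".vbs", ".lnk", ".iso"}
# Digit-for-letter swaps typical of look-alike domains (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# A URL or bare domain written into a link's visible text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def edit_distance(a, b):
    """Levenshtein distance, to catch domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if domain.translate(HOMOGLYPHS) == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering shows versus what you see."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw):
    """Return the red flags found in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    _name, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2]       # the part after the @ is what counts
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain!r} looks like {imitated!r}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = AnchorCollector()
        collector.feed(html.get_content())
        for href, text in collector.anchors:
            shown = DOMAIN_RE.search(text)
            actual = (urlparse(href).hostname or "").lower()
            if shown and actual and shown.group(1).lower() != actual:
                flags.append(f"link text shows {shown.group(1)!r} but points at {actual!r}")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"risky attachment {filename!r}")
    return flags


def build_sample():
    """Constructed phishing-style message for the example; not a real capture."""
    m = EmailMessage()
    m["From"] = "Microsoft Account Team <security@micros0ft.com>"
    m["To"] = "you@example.co.uk"
    m["Subject"] = "Action required: your account will be locked in 24 hours"
    m.set_content("Sign in at https://login.microsoft.com to keep your account.")
    m.add_alternative(
        '<p>Sign in at <a href="https://login-microsoft.verify-account.net/x">'
        "https://login.microsoft.com</a> to keep your account.</p>",
        subtype="html",
    )
    m.add_attachment("<html><body>fake sign-in form</body></html>",
                     subtype="html", filename="Invoice.html")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in check_message(build_sample()):
        print("RED FLAG:", flag)
```

The edit-distance rule is deliberately loose (two characters) and will flag some legitimate near-neighbours; in a real filter it is paired with an allow-list of domains you genuinely correspond with, which is the check a person does by asking “have I actually had mail from this address before?”.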
Scammers also play with your habits. If you usually approve payments through finance software, but the email says “just reply yes to confirm,” that’s a red flag. Anything that changes a usual process without warning needs checking.
Some messages are just… off. The tone might be too formal or vague. It might sound like it was written by someone who doesn’t know your business. Increasingly, these are written or edited by AI tools that remove the obvious errors but still don’t quite land. If it smells dodgy, it probably is.
Finally, a genuine-looking email from a colleague can be dangerous too. Their inbox may have been taken over. If something from someone you trust doesn’t match their usual tone, call or message them another way before responding.
Recent scams worth noting
MFA fatigue attacks are common now. The attacker already has your password and uses it to trigger sign-in after sign-in, flooding your phone or the Microsoft Authenticator app with approval prompts in the hope you’ll tap approve just to make it stop. Once you do, they’re in. A prompt you didn’t trigger means your password is already in someone else’s hands: deny it and change the password.
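For anyone who can see sign-in logs, the detection rule behind spotting a prompt flood is simple. This added example (not code from the original post) keeps a sliding-window count of push prompts per user, raises an alert when the count in one window crosses a threshold, and escalates when the burst contains an approval, which is the “once you do, they’re in” case. The records, field names, outcome labels and thresholds are constructed for the example and are not any vendor’s log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (user, time the push prompt was sent, outcome).
# Field set and outcome names belong to this example, not to a real log schema.
SAMPLE_PROMPTS = [
    ("alice", "2024-03-04T08:00:00", "denied"),
    ("alice", "2024-03-04T08:00:40", "denied"),
    ("alice", "2024-03-04T08:01:20", "timeout"),
    ("alice", "2024-03-04T08:02:05", "denied"),
    ("alice", "2024-03-04T08:03:10", "denied"),
    ("alice", "2024-03-04T08:04:30", "timeout"),
    ("alice", "2024-03-04T08:05:15", "approved"),   # user gave in to the flood
    ("bob",   "2024-03-04T09:00:00", "approved"),   # normal morning sign-in
    ("bob",   "2024-03-04T13:30:00", "approved"),   # normal afternoon sign-in
    ("carol", "2024-03-04T10:00:00", "denied"),     # fumbled a couple of times
    ("carol", "2024-03-04T10:00:50", "denied"),
    ("carol", "2024-03-04T10:01:30", "denied"),
    ("carol", "2024-03-04T10:02:00", "approved"),
]

WINDOW = timedelta(minutes=10)   # how close together the prompts must be
THRESHOLD = 5                    # prompts within WINDOW that count as a flood


def mfa_fatigue_alerts(prompts, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of push prompts per user.

    Returns {user: (most prompts seen in one window, whether any such burst
    contained an approval)}.  An approval inside a burst needs immediate
    action: the attacker already held the password and has now been let in.
    """
    by_user = defaultdict(list)
    for user, ts, outcome in prompts:
        by_user[user].append((datetime.fromisoformat(ts), outcome))

    alerts = {}
    for user, rows in by_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            burst = rows[start:end + 1]
            if len(burst) < threshold:
                continue
            approved = any(outcome == "approved" for _, outcome in burst)
            prev_count, prev_approved = alerts.get(user, (0, False))
            alerts[user] = (max(prev_count, len(burst)), prev_approved or approved)
    return alerts


if __name__ == "__main__":
    for user, (count, approved) in mfa_fatigue_alerts(SAMPLE_PROMPTS).items():
        verdict = "approved during the flood: treat as compromised" if approved else "all refused"
        print(f"{user}: {count} prompts within {WINDOW}; {verdict}")
```

Carol’s three refusals followed by an approval stay under the threshold, which is the point of counting within a window rather than alerting on any single denial: the rule should fire on a flood, not on someone who tapped the wrong button.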
Reply-chain hijacks are even harder to spot. The scammer replies to an existing thread, using a real account they’ve already breached. The message might be short — “see the attached” or “thoughts?” — with a dodgy link inside.
CEO fraud is also widespread. A message from a director’s name lands in your inbox asking you to pay something or buy something. The timing feels believable. That’s the point. These scams are designed to blend into your day.
What to do when something feels off
If anything looks or feels wrong, stop. Don’t reply. Don’t click. Don’t download. Forward the email to your IT support or to [email protected]. If you’re using Microsoft Outlook, use the Report button.
You don’t need to be sure it’s a scam. You just need to raise the alarm.
How we help businesses like yours
We work with businesses across Kent to protect inboxes, train teams and reduce risk. That includes Microsoft 365 setup, scam filtering, and support if something slips through. You don’t need to be technical. You just need to know who to call.
If your team wouldn’t spot a dodgy email, we can help with customised training.