Most security breaches don't start with some sophisticated hack. They start with someone on the team clicking a link in an email that looked completely normal. The good news: you don't need technical training to catch most of these — you just need to know what to look for.
Here's a quick checklist you can run through in about 10 seconds, before you click anything.
Check the actual sender address, not just the name. Email clients show a display name by default, and that name is trivial to fake. "Microsoft Support" can be sitting on top of an email address that has nothing to do with Microsoft. Tap or hover on the sender name to see the real address underneath.
Watch for manufactured urgency. "Your account will be suspended in 24 hours." "Immediate action required." "Verify now or lose access." Real companies send renewal reminders and account notices, but they rarely try to panic you into acting in the next five minutes. Urgency is a pressure tactic, and it's one of the most reliable red flags there is.
Hover over links before you click them. On a computer, hovering over a link shows you the actual destination URL in the corner of the screen. On a phone, a long press does something similar. If the link text says "microsoft.com" but the actual destination is some unrelated domain, that's your answer.
Never log in from an email link. If an email asks you to "verify your account" or "confirm your password," don't click through. Open a new browser tab and go to the site directly, the way you normally would. Legitimate companies will never need you to log in specifically through their email link.
When in doubt, ask before you click. If an email looks slightly off but you're not sure, it costs nothing to ask a coworker or forward it to whoever handles IT. It costs a lot more to find out the hard way.
None of this requires special software or a background in cybersecurity — it just requires a five-second pause before clicking. That pause is exactly what phishing emails are designed to prevent, which is why urgency is such a common tactic.
If you want your whole team walked through this — and tested with a real (harmless) simulated phishing attempt to see where the gaps actually are — that's exactly what our Phishing & Social Engineering Kit does. We'll also have a short video on this same topic up soon on our Videos page.