How to Avoid and Recognize Phishing Scams?


Knowing how to avoid and recognize phishing scams, a common method used by cybercriminals, is easier than you might think. Unfortunately, most people don’t know where to start or why this is important. Cybercriminals use phishing techniques to gain access to sensitive information, such as login credentials and financial data. These scams can be difficult to spot, as they often appear to be legitimate emails or websites. As a result, it is important for businesses to train their employees to recognize and avoid phishing scams.


Practical Advice to Avoid Phishing Scams, and on Training Employees:


  1. Simulation. Consider using simulated phishing attacks as a training tool. This can help employees learn to recognize phishing scams in a safe way. In some cases, this can also help reduce insurance premiums.
  2. Educate. Set aside 30 minutes to talk with employees on what phishing scams are and how they work.
  3. Hover. Be cautious when clicking links or attachments. It’s best to hover (hold cursor/mouse) over links to see the destination URL (the URL often appears at bottom left of application screen).
  4. Common Signs. Share the most common ways to identify a phishing email (see next section: “Spotting/Recognizing a Phishing Email”).
  5. Report. Encourage employees to report any suspicious emails or websites to your IT department, 3rd Party Provider, or a supervisor.
  6. Training. Conduct regular training sessions. These can be informal. The point is that a monthly 10-minute overview can make a tremendous difference.


Spotting/Recognizing a Phishing Email – Watch Out For:


  1. Urgency. An urgent call to action, or immediate threat.
  2. Unknown Sender. First time, infrequent, and external senders should be handled with caution. (NOTE: see domains and spelling)
  3. Generic. A generic greeting (eg: “dear sir”, “hello info”, etc) should be cause for increased concern.
  4. Spelling/Grammar. Many threats come from places where English is not the primary/official language. While spelling/grammar errors can be common, they should also be cause for concern.
  5. Domain. The domain is the portion of an email address after the “@” sign. If the domain does not look correct, take caution (eg: “” instead of “” – RN vs. M).
  6. Links/Attachments. Always hover over the link. The URL should be one that leads to a legitimate website.

Credit: Microsoft for providing the information in this section.
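The “Hover” tip above and the “Domain” and “Links/Attachments” signs in this list are both comparisons a person makes by eye: does the sender’s domain really read the way it should, and does the link text match where the link actually goes? The script below is an added example, not part of the original post or of Microsoft’s material, showing how a mail gateway or a help-desk triage script can make the same two comparisons automatically. The trusted domains, the look-alike substitution table, and the sample message are all constructed for the example.

```python
"""Automate the 'Domain' and 'Hover over the link' checks from the post.

Two heuristics are applied to a message:
  1. Does the sender's domain become one of our trusted domains once
     look-alike character pairs (the post's RN vs. M case) are collapsed?
  2. Does any link whose visible text looks like a URL point to a host
     that differs from the one the text shows?
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: domains the organization treats as trusted.
TRUSTED_DOMAINS = {"example-corp.com", "example-bank.com"}

# Character sequences that look alike in many fonts.  ("rn", "m") is the
# case named in the post; the others are common additional confusables.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased part after '@' of a From: header value."""
    _display, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def normalize(domain: str) -> str:
    """Collapse look-alike pairs so 'exarnple-corp.com' becomes 'example-corp.com'."""
    out = domain.lower()
    for lookalike, real in CONFUSABLES:
        out = out.replace(lookalike, real)
    return out


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None.

    A trusted domain itself (or a subdomain of one) is never a look-alike;
    only a domain that turns into a trusted one after normalization is.
    """
    d = domain.lower()
    if any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    n = normalize(d)
    for trusted in TRUSTED_DOMAINS:
        if n == trusted or n.endswith("." + trusted):
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str):
    """Return links whose visible text names a host other than the real destination.

    This is the automated form of 'hover over the link and read the URL'.
    Links whose text is plain words ("Click here") cannot be compared and
    are skipped; they should still be checked by hovering.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != dest_host:
            findings.append({"text": text, "destination": dest_host})
    return findings


def analyze_email(from_header: str, html_body: str) -> dict:
    """Run both checks and return a summary a triage script can act on."""
    dom = sender_domain(from_header)
    return {
        "sender_domain": dom,
        "imitates": lookalike_of(dom),
        "mismatched_links": mismatched_links(html_body),
    }


# Constructed sample message for the example (not a real phishing email).
SAMPLE_FROM = "IT Support <helpdesk@exarnple-corp.com>"
SAMPLE_BODY = (
    "<p>Your password expires today. Sign in now at "
    '<a href="http://exarnple-corp.com.login-check.invalid/verify">'
    "https://example-corp.com/login</a></p>"
    '<p>Questions? Visit <a href="https://example-corp.com/help">'
    "https://example-corp.com/help</a></p>"
)

if __name__ == "__main__":
    print(analyze_email(SAMPLE_FROM, SAMPLE_BODY))
```

On the sample message the script reports that the sender domain imitates `example-corp.com` and that the first link’s text and destination disagree, while the genuine help link produces no finding. The substitution table is deliberately small and will not catch every trick (homoglyph Unicode characters, for example), so it belongs alongside the human checks in the list, not in place of them.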


When All Else Fails


While employees are the first line of defense, it has become clear that something is likely to slip through the cracks. It is important to implement a suite of cybersecurity tools and services in a layered approach, so that a failure of one does not lead to a system-wide compromise. A layered approach is the idea of stacking security services (which often specialize in different areas of protection) to better protect your network.




By following these tips, businesses can effectively train their employees to recognize and avoid phishing scams, thus helping to protect the company and its sensitive information. 

Finally, use our recent posts to learn more about Ransomware Prevention, Cyber Trends (2023/beyond), Cyber Threats, and the Rise of Malware. To reach CTS Companies, find our Contact Us Page, or simply search for IT Services in Michigan.