How to Spot a Phishing Email in Under 30 Seconds

Phishing emails are designed to make you act before you think. They play on stress, curiosity, and trust to push you into clicking, paying, or replying in a hurry.

The good news: once you know what to look for, you can spot a phishing email in under 30 seconds. A short pause and a few quick checks are usually enough to keep you, your business, or your charity out of trouble.

The guidance below is written for Canadian non-profits, small and medium-sized businesses, individual professionals, and corporate leaders who want practical steps they can share with their teams.

The 30-second test

Before you click anything, run this quick test. It will help you spot a phishing email fast:

  • Who sent it? Look at the full email address, not just the display name. Watch for extra numbers, strange spelling, or the wrong domain (for example, @outlook.com instead of your bank’s domain).
  • What does it want? Be cautious if it asks for passwords, gift cards, wire transfers, banking details, login codes, or tax information.
  • Where do the links go? On a computer, hover over links first. On a phone, press and hold the link (without opening it) to see the address. If it looks strange, misspelled, or unrelated, do not click.
  • Does it feel rushed? Phishing emails love urgency, fear, and secrecy: “right now”, “final notice”, “do not tell anyone”, “you’ll be locked out”. Watch for all‑caps subject lines or lots of exclamation marks.
  • Does it make sense? If the message is unexpected or out of character, verify it another way before doing anything.

If even one of those checks seems off, treat the email as suspicious. Share this 30‑second test with your staff so everyone can spot a phishing email the same way. With practice, this becomes a quick habit rather than a long process.

What Phishing Emails Are

A phishing email is a message that pretends to be from a trusted person or organization in order to trick you into clicking a link, opening an attachment, sending money, or sharing private information.

The Canadian Centre for Cyber Security describes phishing as a form of social engineering: attackers study how people think and behave, then design emails that push those buttons.

Scammers often imitate:

  • Banks and credit unions
  • Delivery companies and couriers
  • Cloud services (Microsoft 365, Google Workspace, Dropbox)
  • Online stores and payment services
  • Charities and non-profits
  • Coworkers, suppliers, or executives
  • Government agencies such as the Canada Revenue Agency or immigration offices

These emails almost always try to create pressure. They may say your account will be closed, a payment failed, a package is waiting, or that you need to confirm something right away. That pressure is part of the scam.

As one security trainer likes to explain, “If a message makes you feel rushed, scared, or flattered, that is your cue to pause and check it before you click.”

Learning how to spot a phishing email is about noticing that pressure and checking whether the message is what it claims to be.

Why Phishing Emails Work

Phishing works because it follows a simple pattern that targets human behaviour. Security guidance from the Canadian Centre for Cyber Security and the Canadian Anti-Fraud Centre often highlights three stages:

  1. The Bait – An email that appears to come from a bank, supplier, charity, or coworker. It may mention recent news, tax season, or a real service you use.
  2. The Hook – The message creates urgency (“your account will be closed”), fear (“you are being audited”), curiosity (“payment attached”), or authority (“from the CEO”). That emotional push is what makes people click.
  3. The Attack – Once you click or reply, the attacker steals passwords, installs malware, redirects payments, or tricks you into sending money.

You do not need deep technical skills to interrupt this process. If you pause long enough to notice the bait and question the hook, you can usually spot a phishing email before the attack succeeds. Attackers repeat this pattern because the same emotional triggers work on many different people and organizations.

Common Warning Signs

Phishing emails often share a few common traits. Even as attackers improve their spelling and design, these warning signs remain.

  • Suspicious sender address
    The sender may use a name that looks familiar, but the actual address is slightly off. It might use extra numbers, odd spelling, or a domain that is close to the real one but not exact (for example, @r0yalbank.ca instead of @royalbank.ca).
  • Links that do not match the message
    The message may include a link that appears legitimate at first glance but leads elsewhere. A fake login page can look very convincing, especially on a phone where the URL is hard to inspect.
  • Pressure to act immediately
    The email may warn that your account is locked, a refund is pending, a bill is overdue, or a delivery cannot be completed unless you respond now. Urgency is a classic sign, and it is the main reason to check a message before you click rather than after.
  • Unexpected attachments
    The message may contain an attachment you were not expecting. This is especially risky if it is a document, invoice, ZIP file, or anything that asks you to enable macros or view protected content.
  • Unusual tone or request
    The language may feel slightly off for the person or brand. Maybe your CEO never writes in that style, or your supplier has never asked for a personal e‑transfer before.
  • Generic greetings and mistakes
    Many phishing emails still use generic greetings (“Dear customer”) and small errors in grammar, formatting, or logos. Modern scams can look very polished, but when something feels a bit wrong, slow down.

If you see two or three of these together, assume the email is unsafe until you can verify it. Trust patterns, not just single details.
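The five questions in the 30-second test and the warning signs listed above can be written down as plain rules and run over a raw message. The script below is an added example, not code from the article or from any organization it cites; the trusted-domain list, the phrase lists and both sample messages are constructed for a hypothetical charity, and the look-alike domain test uses an edit-distance comparison that the article itself does not describe.

```python
"""Heuristic version of the 30-second test and the warning-sign list, run over a raw message.
Added example, not from the article; domains, phrase lists and samples are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("royalbank.ca", "example-charity.ca")  # assumption: domains this charity expects mail from
URGENCY_PHRASES = ("right now", "final notice", "do not tell anyone", "locked out", "immediately", "urgent")
SENSITIVE_REQUESTS = ("password", "gift card", "wire transfer", "login code", "banking details", "tax information")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client", "dear account holder")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # enough for simple HTML mail


def edit_distance(a, b):
    """Levenshtein distance; r0yalbank.ca is one edit away from royalbank.ca."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Last two labels of a host (a simplification; production code would use the public suffix list)."""
    return ".".join((host or "").lower().split(".")[-2:])

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates (one or two edits away), else None."""
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def check_email(raw):
    """Apply the checks to one raw message; every failed check becomes a warning string."""
    msg = message_from_string(raw)
    warnings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else "\n".join(
        part.get_payload() for part in msg.walk() if not part.is_multipart())
    subject = msg.get("Subject", "")
    text = (subject + "\n" + body).lower()

    # Who sent it? Judge the real address, never the display name.
    if sender_domain not in TRUSTED_DOMAINS:
        imitated = lookalike_of(sender_domain)
        warnings.append(f"sender domain {sender_domain} looks like {imitated}" if imitated
                        else f"sender domain {sender_domain} is not a trusted domain")
        for trusted in TRUSTED_DOMAINS:  # a trusted brand in the display name over a foreign address
            if trusted.split(".")[0] in display.lower().replace(" ", ""):
                warnings.append(f"display name {display!r} imitates {trusted} but address is {addr}")

    # Where do the links go? Shown text must match the real target; targets must not be look-alikes.
    for href, shown_text in ANCHOR_RE.findall(body):
        shown, real = urlparse(shown_text.strip()).hostname, urlparse(href).hostname
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            warnings.append(f"link text shows {shown} but points to {real}")
    for url in URL_RE.findall(body):
        imitated = lookalike_of(registrable_domain(urlparse(url).hostname))
        if imitated:
            warnings.append(f"link {url} uses a look-alike of {imitated}")

    # Does it feel rushed? What does it want? Is the greeting generic?
    found = [p for p in URGENCY_PHRASES if p in text]
    if found:
        warnings.append("urgency language: " + ", ".join(found))
    if sum(w.isupper() for w in re.findall(r"[A-Za-z]{4,}", subject)) >= 2:
        warnings.append("subject line shouts in capitals")
    asks = [p for p in SENSITIVE_REQUESTS if p in text]
    if asks:
        warnings.append("asks for: " + ", ".join(asks))
    greetings = [g for g in GENERIC_GREETINGS if g in text]
    if greetings:
        warnings.append("generic greeting: " + greetings[0])
    return warnings

def is_suspicious(raw):
    """The article's rule: if even one check is off, treat the message as suspicious."""
    return bool(check_email(raw))

# Constructed sample messages, not real mail.
SAMPLE_PHISH = """\
From: Royal Bank Security <alerts@r0yalbank.ca>
Subject: FINAL NOTICE: your account will be locked
Content-Type: text/html

<p>Dear customer, you will be locked out right now unless you confirm your password.</p>
<p><a href="http://r0yalbank-login.example.net/verify">https://www.royalbank.ca/verify</a></p>
"""
SAMPLE_LEGIT = """\
From: Accounts <accounts@example-charity.ca>
Subject: Minutes from Tuesday's meeting
Content-Type: text/plain

Hi, the minutes are below. The agenda is at https://www.example-charity.ca/board as usual.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, "->", check_email(sample) or "no warnings")
```

Run it as a script to see the warnings for each sample. Each failed check is reported separately so a reader can see which of the five questions the message fails; the display-name check and the comparison of visible link text against the real target are the two signals that are hardest to notice on a phone, which is exactly where the article says links are difficult to inspect.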

Common Scam Types

Some phishing emails are easier to recognize once you know the common patterns:

  • Fake bank alerts saying your account is frozen
  • Fake invoices from a supplier or contractor
  • Delivery notices asking you to confirm shipping details
  • Password reset emails you never requested
  • Messages that pretend to be from Microsoft, Google, or another service, asking you to verify your login
  • Charity impersonation messages asking for an urgent donation
  • Business email compromise attempts where someone pretends to be a boss, board member, vendor, or client
  • QR‑code phishing emails that ask you to scan a code instead of clicking a link
  • Spear‑phishing emails aimed at a specific person (for example, the finance manager) using details from LinkedIn or your website
  • “Whaling” emails targeting executives or board members with urgent, high‑value requests such as wire transfers or confidential reports

That QR code example is worth watching for because QR codes can bypass the usual habit of inspecting a hyperlink. When in doubt, open the official website in your browser instead of scanning a code from an email.

The more of these patterns you recognize, the easier it becomes to spot a phishing email at a glance.

Beyond Email: Text, Phone, and Social Media Phishing

Phishing is not limited to email. The Canadian Anti-Fraud Centre reports that many scams now arrive by text, phone, or social media.

Here are related threats to watch for:

  • Smishing (SMS phishing)
    Fraudulent text messages that claim to be from your bank, a courier, a government agency, or a streaming service. They often include a short link and urgent wording (“last chance to reschedule delivery”).
  • Vishing (voice phishing)
    Phone calls that pretend to be from your bank, the Canada Revenue Agency, tech support, or even a family member. Caller ID can be spoofed, and artificial intelligence can mimic real voices.
  • Social media and “angler” phishing
    Fake brand accounts on platforms like Facebook, X (Twitter), Instagram, or LinkedIn that respond to your public posts with “support” messages. They may send you to a fake login page or ask for private details.
  • QR codes in the physical world
    Attackers can place fake QR code stickers over real ones on posters, parking meters, or restaurant menus, sending you to phishing sites.

Treat these messages the same way you would treat a suspicious email:

  • Do not click links or share codes from untrusted messages
  • Go directly to the official app or website instead
  • Call the organization using a number you find yourself

Learning to spot a phishing email teaches the same habits that protect you from these other channels.

How AI Is Changing Phishing Emails

Artificial intelligence (AI) is changing both sides of the phishing problem.

Security companies such as Malwarebytes and ESET have reported that:

  • Attackers use AI to write convincing emails
    Generative AI tools can write messages in perfect language, mimic a company’s tone, and even translate scams into many languages. Spelling mistakes are no longer a reliable warning sign.
  • AI helps personalization at scale
    Attackers can scrape social media and public websites to build detailed profiles of targets, then craft spear‑phishing emails that mention real projects, donations, or deals.
  • AI can fake voices and faces
    Deepfake tools can clone a CEO’s voice or create realistic video calls to demand urgent payments or confidential data.

On the defence side, AI also supports email security systems that flag suspicious patterns and block known bad links. But those filters are not perfect, especially for smaller organizations.

One security practitioner summed it up: “AI makes bad emails look better, so people have to think harder, not just look for mistakes.”

That is why the human skills you use to spot a phishing email—slowing down, checking details, and verifying requests—still matter just as much as any tool.

What To Do Before You Respond

If an email feels even slightly off, do not reply right away and do not click the links inside it.

Instead, verify the request using a trusted method:

  • If the email claims to be from your bank, open the bank’s website yourself or use the official mobile app. Do not use the link in the message.
  • If it claims to come from a coworker, text or call them using a known contact method, or speak to them in person.
  • If it is about a donation, invoice, or grant, check whether the request matches your records before taking any action.

A simple pattern you can teach your team is:

  1. Stop – Take your hands off the keyboard or phone for a moment.
  2. Think – Does this message make sense? Is it expected? Is it typical for this sender?
  3. Verify – Use a separate, trusted channel (official website, a known phone number, or an in‑person conversation) to confirm the request.

The Government of Canada’s Get Cyber Safe campaign offers similar advice: never use the phone numbers, links, or addresses in a suspicious message to verify its authenticity.

Never trust the sender’s name alone. Scammers can make a message appear to come from a known person, either by putting a familiar name on a different email address or by taking over that person’s real account.

This step is especially important for businesses and charities, where scammers may impersonate executives, finance staff, vendors, or donors. A quick verification can be the difference between spotting a phishing email and approving a fraudulent transfer. It is never rude to double‑check when money or personal data is involved.

What To Do If You Clicked

If you clicked a suspicious link, do not panic, but act quickly. Many Canadians only realize after the fact, and quick action can limit the damage.

Take these steps:

  1. Close the page right away
    If you land on a page that looks odd, asks for information it normally would not, or does not match the URL you expected, close it.
  2. Change passwords immediately
    If you entered a password, change it right away on the real website.
    • If you reuse that password anywhere else (banking, email, social media), change those as well.
    • Turn on multi‑factor authentication (MFA) if you have not already.
  3. Protect your accounts
    If you entered a login code or MFA code, assume the scammer may have used it.
    • Review recent account activity.
    • Sign out of other sessions or devices if the service allows it.
    • Update your security questions and recovery options.
  4. Scan your device
    If you opened an attachment and your device behaved strangely (pop‑ups, crashes, unusual slowness), disconnect from the internet if needed and run a full scan with your security tools or antivirus. Many Canadian users rely on tools from security vendors such as Bitdefender or Malwarebytes for this.
  5. Contact your bank or provider
    If money was sent or payment details were exposed, contact your bank, credit card company, or payment platform right away. Ask for their fraud department.
  6. Inform your IT or security team
    In a workplace, report what happened as soon as possible. Early reporting helps your team protect others and investigate.

Quick, honest reporting is far better than silence. Many organizations tell their staff they will not be punished for admitting a mistake, because that openness helps everyone spot a phishing email next time.

How To Report It

If the email is suspicious, do not forward it casually to coworkers or friends. That can spread confusion and make it easier for scammers to continue the attack.

Instead:

  • At work
    Report it to your IT or security team right away, using whatever process they provide (security inbox, ticket, or “report phishing” button). Include the original email if possible.
  • With your bank or service provider
    Follow the fraud-reporting process recommended by your bank, credit union, or service provider. Most have a dedicated email or online form for fraud and phishing.
  • To email providers
    Use the “Report phishing” option in services such as Outlook and Gmail. This helps their filters learn and may protect other users.
  • To the authorities in Canada
    Fraud and phishing attempts can be reported to the Canadian Anti-Fraud Centre.
    If you have lost money, also contact your local police service in addition to the Centre.

The Government of Canada’s cybersecurity guidance encourages reporting malicious messages, because even a short report can help others avoid the same trap.

How Businesses and Charities Can Reduce Risk

Organizations need a stricter process because a single fake email can affect many people, including donors and customers. Phishing remains one of the most common ways attackers gain entry to Canadian networks.

Strengthen Your Technical Defences

You do not need to buy every security product on the market, but a few basics go a long way:

  • Turn on multi‑factor authentication (MFA)
    Require MFA on email accounts and any system that handles payments, donor information, payroll, or access to cloud services. MFA makes it much harder for attackers to use stolen passwords.
  • Keep software up to date
    Apply security updates to operating systems, browsers, and key business applications. Many phishing campaigns try to install malware that abuses old vulnerabilities.
  • Use security filtering
    • Ask your IT provider about email filtering that screens out known phishing messages.
    • For web browsing, services such as CIRA Canadian Shield can block access to known malicious sites at the DNS level.
  • Set up domain protection (SPF, DKIM, DMARC)
    Work with your IT team or provider to publish SPF, DKIM, and DMARC records for your domain. These records let receiving mail servers check whether a message that claims to come from your address was really sent by your systems, which makes it harder for attackers to send fake emails that appear to come from you.
  • Back up important data
    Keep regular, offline backups of critical systems and donor or customer records. If a phishing email leads to ransomware, backups can help you recover without paying.
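
The SPF and DMARC records mentioned above are short DNS text records, and the difference between a record that protects your domain and one that only looks like it does comes down to a few tokens. The following linter is an added example, not code from the article or from any vendor it names; the records are constructed for a hypothetical domain, the DKIM `p=` value is a labelled placeholder rather than a real key, and the lookup-count rule reflects the SPF specification's limit of ten DNS-querying mechanisms.

```python
"""Lint SPF and DMARC records for the weak settings that let spoofed mail through.
Added example, not from the article; records are constructed for a hypothetical domain."""
import re

# Constructed records: a weak configuration beside its hardened counterpart.
WEAK_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 +all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-charity.ca; adkim=s; aspf=s; pct=100"
DKIM_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"  # p= is a placeholder, not a real key

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query


def parse_spf(record):
    """Split an SPF record into its mechanisms and the qualifier on the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    spf = {"mechanisms": [], "all": None}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # no qualifier means pass
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            spf["all"] = qualifier
        else:
            spf["mechanisms"].append(body)
    return spf

def assess_spf(record):
    """Findings for an SPF record; an empty list means nothing weak was found."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] is None:
        findings.append("SPF has no 'all' term, so unlisted senders are not rejected")
    elif spf["all"] == "+":
        findings.append("SPF ends in +all, which authorises every sender on the internet")
    elif spf["all"] == "?":
        findings.append("SPF ends in ?all (neutral), so receivers cannot reject spoofs")
    elif spf["all"] == "~":
        findings.append("SPF ends in ~all (softfail); -all is stricter")
    lookups = sum(re.split(r"[:=]", m)[0].lower() in LOOKUP_MECHANISMS for m in spf["mechanisms"])
    if lookups > 10:
        findings.append("SPF needs more than 10 DNS lookups and will fail with permerror")
    return findings

def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict and confirm it is a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess_dmarc(record):
    """Findings for a DMARC record; p=reject with reports and strict alignment is the target."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine sends spoofs to junk; p=reject blocks them")
    if "rua" not in tags:
        findings.append("no rua= address, so you get no aggregate reports about who spoofs your domain")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        findings.append("relaxed alignment accepts any subdomain; adkim=s and aspf=s require an exact match")
    return findings

def assess_domain(spf, dmarc, dkim=None):
    """Combined findings for a domain's sender-authentication records."""
    findings = assess_spf(spf) + assess_dmarc(dmarc)
    if not dkim or "p=" not in dkim:
        findings.append("no DKIM public key published, so receivers cannot verify signatures")
    return findings

if __name__ == "__main__":
    print("weak  :", assess_domain(WEAK_SPF, WEAK_DMARC))
    print("strong:", assess_domain(STRONG_SPF, STRONG_DMARC, DKIM_RECORD))
```

The weak pair is a common real-world state: an SPF record that ends in `+all` and a DMARC record left at `p=none` after an initial monitoring period. Both look like "we have SPF and DMARC" on a checklist, yet neither stops a spoofed message. Moving to `-all` and `p=reject` is the change your IT provider should be asked about, and the `rua=` address is what tells you who is attempting to send as your domain.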

Build Safe Processes Around Money and Data

Technology cannot replace good process. A few simple rules can significantly reduce the impact of phishing:

  • Use a “two-person rule” for money
    Require secondary approval for wire transfers, changes to banking details, or large payments—especially if requested by email.
  • Verify changes through a second channel
    For any change to vendor banking information, donor records, payroll details, or grant payments, confirm through a known phone number or in‑person contact.
  • Write down what “urgent” really means
    Clearly define which requests are truly urgent and which steps must still be followed. This makes it easier for staff to say “no” when a suspicious email pushes them to skip checks.

For charities, it is especially important to watch for donation scams, fake sponsorship emails, and impersonation of board members or fundraising partners. A fake appeal sent from a look‑alike email address can damage both finances and reputation.

Train and Test Your Team Regularly

People are your first and last line of defence.

  • Offer short, regular training
    Share real‑world examples from sources such as the Canadian Centre for Cyber Security or Get Cyber Safe so staff can see what modern phishing looks like.
  • Run phishing simulations
    Many organizations run occasional internal phishing tests to see how staff react. Used respectfully, these are a helpful way to practise spotting a phishing email and reporting it.
  • Create a no‑blame culture
    Encourage staff to report questionable messages, even if they have already been clicked. Emphasize learning, not blame.

A simple rule like “verify before you pay or share data” can prevent a lot of fraud.

A Simple Habit That Helps

A strong everyday habit is to pause before reacting to any unexpected email. That pause gives you just enough time to run the 30‑second test and often enough to stop the scam.

You do not need to become a cybersecurity expert to stay safe. You just need to notice when a message is trying to rush you, then verify it through a trusted channel.

If you are not sure, treat that feeling as a sign to slow down. Talk to a colleague, your IT team, or your bank. It is always better to double‑check than to rush and regret it later.

Quick Checklist

Use this checklist when an email seems suspicious. Keep it near your desk or share it in staff onboarding so everyone knows how to spot a phishing email:

  • Check the sender’s address carefully
  • Look for urgency, pressure, or secrecy
  • Inspect links before clicking
  • Be cautious with attachments, especially unexpected ones
  • Watch for QR codes that may lead to fake sites
  • Verify unusual requests through a separate, trusted channel
  • Change passwords quickly if you entered them on a fake site
  • Report the message if appropriate, then delete it
  • Trust your instincts—if something feels off, slow down and check
  • Encourage your team to follow the same checklist

Final Thought

Phishing emails are not going away. They will keep changing, using new tools and tactics, including AI. But the core idea stays the same: someone is trying to rush you into a mistake.

By teaching yourself and your team how to spot a phishing email in under 30 seconds, you protect more than just inboxes—you protect your finances, your data, and the trust of the people you serve.

As trainers often remind their classes, “You might not control every email you receive, but you do control how quickly you react to it.”

Share this guide with your staff, board, or leadership team. Then pick one simple step to start with this week: enable MFA, review your payment approval process, or run a short training using examples from the Canadian Anti-Fraud Centre or Get Cyber Safe.

Small, consistent habits are what keep your organization safe from the next suspicious email that lands in your inbox.
