
How to Spot a Fraudulent Email: 9 Warning Signs Your Employees Must Know

Practical guide to identifying phishing emails at work. 9 concrete warning signs with real-world examples, verification techniques, and a step-by-step procedure when in doubt.

Thomas Ferreira | 15 min read

Your CFO receives an email from DocuSign. Subject line: "Signature required - Invoice #F-2847." The email is well-formatted, the logo looks right, the tone is professional. She clicks "Review document" and enters her Microsoft 365 credentials on the page that appears.

Except the sender was docu-sign@notif-secure.com, not dce@docusign.net. The login page was hosted on microsft-login.com, not microsoft.com. And invoice #F-2847 doesn't exist.

In 2024, 74% of French companies were targeted by at least one phishing attempt (CESIN Barometer, 2025). The median time between receiving a phishing email and clicking the link: 21 seconds (Verizon DBIR, 2024). Your employees don't spend five minutes pondering suspicious emails. They click, or they don't. The decision happens in seconds.

This guide lists 9 concrete warning signs to spot a fraudulent email before clicking. Each sign is illustrated with a real example from campaigns observed in France between 2024 and 2026. At the end, you'll find a simple procedure for when an email seems off, and a printable checklist for your teams.

Sign 1: The sender's address doesn't match the organization

First reflex: look at the email address, not the display name.

An email can show "BNP Paribas Customer Service" as the sender name while actually coming from service-bnp@secure-notifications.com. The display name is free-form - anyone can write whatever they want. Only the address matters.

Real examples observed in France:

How to check: click on the sender's name to reveal the full address. On mobile, long-press the name. Compare the domain (the part after @) with the organization's official website.

Watch for lookalike domains. Attackers register domains that resemble the real ones: arnazon.com instead of amazon.com, bnp-paribas.info instead of bnpparibas.com. Check every letter. In 2025, the APWG counted more than 4.8 million active phishing sites worldwide, most using lookalike domains registered days before the attack (APWG, Phishing Activity Trends Report Q4 2024).

Sign 2: The link doesn't point where it claims

Before clicking a link, hover over it (without clicking). The destination URL appears in the bottom-left corner of your browser, or in a tooltip.

What to check:

  • Does the domain in the URL match the organization? A "View your EDF invoice" link pointing to edf-facture.serveur-web.ru has nothing to do with EDF (a major French energy provider).
  • Does the link use HTTPS? The absence of a padlock is no longer a reliable signal (attackers use HTTPS too), but a plain HTTP link on a banking or government site is suspicious.
  • Does the URL contain deceptive subdomains? For example: bnpparibas.com.verification-compte.net. The real domain here is verification-compte.net, not bnpparibas.com. Read the host from the end: the real domain is the last part before the first "/", and everything placed before it is just a subdomain the attacker chose.

Real example: a "Microsoft 365" email asks you to "Verify your account" with a button pointing to login.microsoftonline.com.auth-verify.net. The employee sees "microsoftonline.com" in the URL and thinks it's legitimate. The real domain is auth-verify.net.

On mobile, long-press the link to display the URL without opening it. If you can't verify the link, don't click.
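As an added example (not part of the original guide), a small Python check that applies Signs 1 and 2 mechanically: it reads the real address behind a display name, reads a link's domain from the end of the host rather than the beginning, and flags lookalike names within two edits of the official one. The official domains, the two-edit threshold and the two-label simplification are assumptions for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

def registrable_domain(host: str) -> str:
    """Keep only the last two labels of a host: the part someone actually registered.
    Simplification (assumption): public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the free-form display name."""
    _display_name, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def link_domain(url: str) -> str:
    """Registrable domain of a link: read the host from its end, not its beginning."""
    return registrable_domain(urlsplit(url).hostname or "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalikes such as arnazon vs amazon."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(found: str, official: str) -> str:
    """'match' if the registrable domains agree, 'lookalike' if the registered
    name is within two edits of the official one (assumed threshold), else 'unrelated'."""
    found_reg, official_reg = registrable_domain(found), registrable_domain(official)
    if found_reg == official_reg:
        return "match"
    if edit_distance(found_reg.split(".")[0], official_reg.split(".")[0]) <= 2:
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed samples based on the cases discussed in the guide.
    header = "BNP Paribas Customer Service <service-bnp@secure-notifications.com>"
    print(sender_domain(header), classify_domain(sender_domain(header), "bnpparibas.com"))
    url = "https://login.microsoftonline.com.auth-verify.net/verify"
    print(link_domain(url), classify_domain(link_domain(url), "microsoftonline.com"))
    print(classify_domain("arnazon.com", "amazon.com"))
```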

Your team hesitating over an email? Instead of hunting for clues, just forward it. nophi.sh analyzes the email in 30 seconds and delivers a verdict: phishing, suspicious, or legitimate. No more guessing.

Sign 3: A sense of urgency or threat

Phishing emails play on panic. If an email pushes you to act within minutes or face consequences, slow down.

Classic attacker phrases:

  • "Your account will be suspended in 24 hours"
  • "Immediate action required or penalties will apply"
  • "Suspicious login attempt detected - secure your account now"
  • "Unpaid invoice - final notice before legal action"

Legitimate services don't impose a few-hour deadline for an administrative action. Your bank won't suspend your account because you didn't click a link within the hour. Government agencies don't threaten to cancel your benefits by email.

The psychological mechanism at play: cybersecurity researchers call this "System 1 hijacking." Psychologist Daniel Kahneman distinguishes two modes of thinking: System 1, fast and instinctive, and System 2, slow and analytical. Artificial urgency forces your brain to stay in System 1 and act without thinking (Vishwanath et al., Computers in Human Behavior, 2018).

The counter is simple: when an email pressures you, take 30 seconds to verify through another channel. Call the organization at their official number (not the one in the email). Go to the website by typing the address yourself in your browser.

Sign 4: A request for credentials or sensitive information

No legitimate service asks for your password by email. None. Not Microsoft, not Google, not your bank, not the tax office, not your energy provider.

If an email redirects you to a login page, check the URL of that page before entering anything. And ask yourself: was I expecting this email? Did I initiate this action?

Common suspicious requests:

  • "Confirm your password to maintain access to your account"
  • "Update your bank details to receive your refund"
  • "Enter your card number to release your package"

The CNIL (France's data protection authority) states that "public authorities and reputable companies never request sensitive data (passwords, bank details) by email or SMS" (CNIL, phishing recommendations, 2024).

Sign 5: Unusual mistakes or an off tone

Phishing emails of 2020 were riddled with obvious spelling errors. That's no longer the case. In 2026, attackers use AI-assisted writing tools, and emails are often grammatically flawless.

The signal has evolved: don't look for glaring errors anymore - look for tone mismatches.

What should raise a flag:

  • An unusually formal tone from someone you know casually (your boss suddenly using formal language when they usually don't)
  • Phrasing that doesn't match the organization's usual style ("Dear valued customer")
  • A mix of languages or typographic conventions (British punctuation in an email supposedly from a US company)
  • Unusual capitals or excessive punctuation ("URGENT!!! Your parcel is WAITING!!!")

Sign 6: An unexpected attachment

You weren't expecting an invoice? You didn't request a document? The attachment is probably booby-trapped.

File types to handle with caution:

  • .exe, .scr, .bat, .cmd: executables. Never open these from an email.
  • .zip, .rar, .7z containing an executable: attackers compress malicious files to bypass filters.
  • .docm, .xlsm: Office files with macros. Macros can execute code on your machine.
  • .pdf: PDFs can contain malicious links or exploit vulnerabilities in the PDF reader. An unexpected PDF deserves verification.
  • .html: an HTML file as an attachment is almost always a phishing attempt. It displays a fake login page directly on your machine, without going through a remote server (making it undetectable by network filters).

The rule: if you weren't expecting the attachment, don't open it. Contact the sender through another channel to confirm they sent it.

Cybermalveillance.gouv.fr (France's national cybercrime assistance platform) recommends "never opening attachments from a doubtful message, as some contain viruses" and "verifying the plausibility of the message by directly contacting the organization involved" (Cybermalveillance.gouv.fr, phishing response guide, 2025).

Sign 7: You're not the logical recipient

You receive an urgent wire transfer request from the CEO, but you work in tech support. HR sends you a "health insurance update" even though you left that plan six months ago. Accounting receives an invoice from a vendor that works exclusively with procurement.

Attackers don't know your company's org chart. They send to broad lists hoping someone will bite. If the email doesn't logically concern you, that's a signal.

Special case: CEO fraud. The email appears to come from your CEO and requests an urgent, confidential wire transfer. In France, CEO fraud cost companies more than EUR 400 million between 2020 and 2024 (Office central pour la répression de la grande délinquance financière - France's financial crime unit, 2024). The common thread: urgency, confidentiality, and a recipient who doesn't dare verify with management.

The rule is absolute: any financial request received by email must be confirmed by phone, calling at the usual number (not a number provided in the email).

Do your employees know how to spot these signs under pressure? Reading this guide is one thing. Reacting correctly to a fake email in their inbox on a Tuesday morning is another. Phishing simulations test your team's real reflexes with realistic scenarios. Those who click receive a 3-minute micro-lesson on the mistake they just made.

Sign 8: The email contains a QR code

"Quishing" (QR code phishing) surged by 400% between 2023 and 2025 according to ENISA (European Union Agency for Cybersecurity, Threat Landscape 2025). Attackers embed QR codes in emails because anti-spam filters can't analyze them as effectively as text links.

Observed examples:

  • A "Microsoft 365" email asking you to scan a QR code to "reactivate two-factor authentication"
  • A fake invoice PDF containing a QR code "to view details online"
  • A "DHL" email with a QR code to "reschedule delivery"

The rule: never scan a QR code received by email. If the organization wants to redirect you to a page, they can use a standard link. A QR code in an email is almost always an attempt to bypass security filters.

Sign 9: The offer is too good to be true

An unexpected refund from health insurance. A prize for a contest you never entered. An exceptional bonus from your employer. A free phone from your carrier.

If you didn't ask for anything and something is being offered, the email is fraudulent. This signal seems obvious in the abstract, but it still works: phishing campaigns exploiting fake Ameli (French health insurance) refunds remain among the most effective in France according to Cybermalveillance.gouv.fr (annual report 2024).

What to do when an email seems suspicious

You've spotted one or more warning signs. Here's what to do next.

1. Don't click anything

No link, no attachment, no "Unsubscribe" button. Even the unsubscribe link can be booby-trapped.

2. Don't reply

Replying confirms to the attacker that your address is active and monitored. They'll target you again.

3. Verify through another channel

If the email appears to come from a colleague, call them. If it claims to come from an organization, go to the official website by typing the address yourself (don't copy the link from the email). Contact customer service at the usual number.

4. Forward the email for verification

If your company uses a verification tool like nophi.sh, forward the suspicious email. The AI analyzes the sender, links, headers, and attachments, and delivers a verdict in 30 seconds: confirmed phishing, suspicious, or legitimate. The employee receives an explanation of the identified signals, which reinforces their learning with each verification.

5. Report the email

Use the "Report as phishing" button in your email client (available in Gmail, Outlook, and most modern clients). If your company has an internal reporting process, follow it. Every report helps the security team protect other employees.

6. If you already clicked

If you've already clicked a link or entered information, see our incident response guide. The first 15 minutes are decisive.

Printable checklist: the 9 warning signs at a glance

Post this list in common areas or send it to your teams.

#  Sign                          Verification
1  Suspicious sender address     Click the name to reveal the full address. Compare the domain with the official website.
2  Questionable link             Hover over the link without clicking. Check that the domain matches.
3  Urgency or threat             Ask yourself: does this organization usually send me this type of message? Verify by phone.
4  Request for credentials       Never enter a password from a link received by email. Go directly to the official site.
5  Off tone                      Compare with usual emails from this sender.
6  Unexpected attachment         Don't open it. Contact the sender through another channel.
7  Illogical recipient           Ask yourself: does this request actually concern me?
8  QR code in an email           Never scan it. Legitimate organizations use links.
9  Too-good-to-be-true offer     If you didn't ask for anything, it's fake.

The gap between knowing and doing

Your employees probably already know most of these warning signs. The problem isn't a lack of knowledge - it's behavior under pressure. An employee reading this guide on a calm Tuesday morning will spot a fraudulent email. The same employee on a Friday at 5 PM with three urgent projects will click on the fake DocuSign without checking the sender's address.

That's why written guides aren't enough. Effective anti-phishing training requires repeated practice: regular simulations that test real reflexes under real working conditions, followed by immediate feedback when an employee makes a mistake.

The average click rate on a phishing email without prior training is 33% (KnowBe4, Phishing By Industry Benchmarking Report 2025, based on 67.7 million simulations). After 12 months of regular simulations with training at the point of error, it drops to under 5%.

Test your team's reflexes. Launch your first simulation in 15 minutes. Free trial. No installation required.

Sources

  • CESIN, Baromètre de la cybersécurité des entreprises, 2025 edition
  • Verizon, Data Breach Investigations Report 2024
  • APWG, Phishing Activity Trends Report Q4 2024
  • ENISA, Threat Landscape 2025
  • CNIL (France's data protection authority), phishing recommendations, 2024
  • Cybermalveillance.gouv.fr (France's national cybercrime assistance platform), phishing response guide, 2025
  • Cybermalveillance.gouv.fr, annual report 2024
  • ANSSI (France's national cybersecurity agency, cyber.gouv.fr), digital security best practices
  • KnowBe4, Phishing By Industry Benchmarking Report 2025
  • Office central pour la répression de la grande délinquance financière (France's financial crime unit), 2024
  • Vishwanath A. et al., "Suspicion, Cognition, and Automaticity Model of Phishing Susceptibility," Computers in Human Behavior, 2018
