Phishing for non-technical staff: the 60-second checklist
Most phishing emails fail one of five basic checks. Teach your team those five, and the rest takes care of itself.
The single most effective security control in a small organisation isn't an expensive tool. It's a team that pauses for sixty seconds before clicking a suspicious link.
Most phishing emails fail one of five basic checks. Teach your team those five, and you've eliminated the majority of risk.
The five checks
1. Is the sender address correct?
Not the display name, the real address. Display names can say anything. Click or hover on the sender and check the part after the @. support@m1crosoft-billing.com is not Microsoft. hr@yourcompany-hr.co.uk is not your HR department.
2. Is the link going where it claims?
Hover over (don't click) any link. The real destination appears in the bottom corner of your screen or as a tooltip. If the text says "office.com" and the link goes to a long random URL, it's phishing.
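Checks 1 and 2 are the two that a mail filter or a help-desk script can automate before a human ever sees the message. The following Python is an added example, not code from the original post: it parses a constructed sample email, pulls the real domain out of the From header, tests whether that domain imitates one of an assumed trusted list (the digit-for-letter trick in support@m1crosoft-billing.com, the "yourcompany-hr" prefix trick), and flags any link whose visible text names one domain while the href goes somewhere else. The trusted-domain list, the sample message and the lookalike heuristic are all assumptions for illustration.

```python
"""Automated versions of checks 1 (sender domain) and 2 (link destination).

Added illustration, not part of the original article. TRUSTED_DOMAINS, the
lookalike heuristic and SAMPLE below are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed: the domains this organisation genuinely receives mail from.
TRUSTED_DOMAINS = {"microsoft.com", "yourcompany.co.uk"}

# Fold the common digit/letter swaps (1 for i or l, 0 for o) so that
# "m1crosoft" and "microsoft" compare equal.
_FOLD = str.maketrans("1l0", "iio")


def sender_domain(from_header: str) -> str:
    """Return the part after the @ of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender imitates, or None if it is trusted or unrelated."""
    first_label = domain.split(".")[0].translate(_FOLD)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # the genuine domain or one of its subdomains
        brand = trusted.split(".")[0].translate(_FOLD)
        if brand in first_label:
            return trusted  # brand name reused under a different registered domain
    return None


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mismatched_links(html: str) -> List[Tuple[str, str]]:
    """Links whose visible text names a domain that differs from where the href really goes."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for text, href in parser.links:
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if not shown:
            continue  # text like "click here" names no domain, so there is nothing to compare
        shown_host = shown.group(0)
        real_host = (urlparse(href).hostname or "").lower()
        if real_host != shown_host and not real_host.endswith("." + shown_host):
            suspicious.append((text, href))
    return suspicious


# Constructed sample message modelled on the article's examples.
SAMPLE = """\
From: Microsoft Billing <support@m1crosoft-billing.com>
To: staff@yourcompany.co.uk
Subject: Your account will be locked in 24 hours
Content-Type: text/html

<p>Sign in at <a href="https://login.m1crosoft-billing.com/verify?id=48213">office.com</a> to keep your account.</p>
"""


def triage(raw_message: str) -> dict:
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    return {
        "sender_domain": domain,
        "imitates": lookalike_of(domain),
        "mismatched_links": mismatched_links(msg.get_payload()),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Both findings are deliberately conservative: a sender is only flagged when it reuses a trusted brand name under a different registered domain, and a link is only flagged when its visible text actually names a domain. That keeps false positives low enough that the output can be shown to staff as a prompt ("the address says m1crosoft, the link does not go to office.com") rather than silently quarantining mail.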
3. Is the urgency manufactured?
Real urgent business almost never arrives as an email demanding action within the hour, especially from a sender or company you don't usually hear from. "Your account will be locked", "invoice overdue", "click within 24 hours": these are the standard pressure tactics.
4. Does it ask you to do something unusual?
Buying gift cards. Sending a bank transfer. Logging in via an unexpected link. Re-entering your password. Real internal processes don't suddenly change via a single email.
5. When in doubt, verify by another channel.
If "your boss" emails you to send £2,000 to a new account, ring them. If "Microsoft" emails about your account, open a new browser tab and go to office.com directly. Five seconds of friction defeats almost every targeted scam.
What to do when you spot one
- Don't click any links or reply.
- Don't forward it to colleagues to "warn them"; that just creates more potential clicks.
- Use the Report Phishing button in Outlook or Gmail. It removes the email from your inbox and reports it to the platform.
- If you already clicked or entered credentials, change the password immediately and tell your IT contact.
What to put in place
- Multi-factor authentication on every account.
- A clear, blame-free reporting process: staff who hide mistakes are far more dangerous than staff who report them.
- Short, regular refreshers. One annual training session is not enough.
If you'd like me to run a phishing awareness session for your team, get in touch.