Don’t Be Fooled: 5 Phishing Tactics to Watch Out for (And How to Spot Them)

April 1st is usually a day reserved for harmless jokes. 

You know the sort. Your timeline has probably been awash with anything from fake announcements to made-up products, a WhatsApp message ‘forwarded many times’, or the odd prank email that gets a brief exhale through your nose before everyone moves on with their day for another year.

But outside of today, there’s a different kind of deception that isn’t quite so light-hearted.

Phishing.

And unlike an April Fools’ joke, phishing emails aren’t designed to make you laugh. They’re designed to catch you off guard, get you to act quickly, and ultimately give something away, whether that’s your login details, financial information or access to a system.

The problem is, they’re getting better.

So, with that in mind, here are five of the most common phishing tactics we’re seeing right now, and what to look out for before you get caught out.

1. The “Urgent Action Required” Email

This is one of the oldest tricks in the book, and yet it still works. (If it ain’t broke, and all that...)

You receive an email that looks like it’s from a trusted source: Microsoft, your bank, a supplier, or even someone internal, like your CEO or MD. It tells you that something needs your immediate attention, typically something like:

Your account is about to be locked.
A payment has failed.
There’s been suspicious activity.
You’ve got a voicemail on Microsoft Teams.

All you need to do is click the link and “resolve the issue”.

What to look for

Urgency is the red flag here.

Phishing emails rely on you acting quickly, before you stop and think. Legitimate organisations rarely demand immediate action without giving you time or alternative ways to respond.

If it feels rushed, it’s worth pausing.

2. The “Familiar Name, Slightly Off” Sender

At a glance, the email looks completely legitimate.

The name is correct. The branding is there. The tone feels right.

But the email address tells a different story.

micr0soft.com
rnicrosoft.com
accounts-payable@your-supplier.co

Small changes like that are so easy to miss, especially when you’re scanning emails quickly.

What to look for

Always check the full sender address, not just the display name.

Attackers rely on the fact that most people don’t look past what appears in bold at the top of the email.

If you’re still not sure it’s legitimate, hovering over the link should reveal where it’s trying to send you, and chances are, it’s not to where it claims.
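The same check can be automated at a mail gateway or in a reporting tool. The sketch below is an added example, not part of the original article: it compares the real sender domain against an allow-list after collapsing look-alike characters. The allow-list, the look-alike table and the assumption that `your-supplier.com` is the genuine supplier domain are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: domains this organisation really corresponds with.
TRUSTED = {"microsoft.com", "your-supplier.com"}

# Character swaps that look alike in most mail clients (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def skeleton(domain):
    """Collapse look-alike characters so visually similar domains compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance; catches one dropped or added character (.co vs .com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header, trusted=TRUSTED):
    """Return (verdict, domain); verdict is 'trusted', 'lookalike' or 'unknown'."""
    _display, addr = parseaddr(from_header)  # the display name is ignored on purpose
    domain = addr.rpartition("@")[2].lower()
    if any(domain == g or domain.endswith("." + g) for g in trusted):
        return "trusted", domain
    for good in trusted:
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return "lookalike", domain
    return "unknown", domain

# Constructed sample From: headers, using the look-alike domains listed above.
SAMPLES = [
    "Microsoft Account Team <security@micr0soft.com>",
    "Microsoft <no-reply@rnicrosoft.com>",
    "Accounts Payable <accounts-payable@your-supplier.co>",
    "Microsoft <no-reply@microsoft.com>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_sender(s), "<-", s)
```

A "lookalike" verdict is the one worth alerting on: the domain is not on the allow-list but has been built to resemble one that is.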

3. The “Internal Request” That Isn’t

These are becoming more common and, really, much more convincing.

An email appears to come from a colleague, a manager or even a director, and it’s asking you for something simple:

“Can you quickly send me those details?”
“Are you available to process this payment?”
“Can you confirm this information for me?”

The tone is casual. The request feels normal.

But it isn’t coming from who you think.

What to look for

Look for context.

Does the request fit with that person’s role? Or is someone who doesn’t deal with payments asking finance questions?
Is the timing unusual?
Does it match how they normally communicate?
Are you even expecting a message/request from that person?

When in doubt, verify through another channel, such as picking up the phone if you’re not in the same building. Otherwise, you can just go and physically ask them.

4. The “Too Good (or Too Bad) to Ignore” Message

Some phishing emails lean more on emotion than on urgency.

You’ve won something.
You’re owed a refund.
There’s been an issue with a recent transaction.

Regardless of the delivery or hook, the goal remains the same. Get you to click.

What to look for

If something feels out of the ordinary, sadly, it probably is.

Unexpected rewards, unusual financial notifications or anything that seems slightly off should be treated with caution.

5. The “Clean and Professional” Phish

Not all phishing emails are full of spelling mistakes anymore.

In fact, many are now well written, well designed, and almost indistinguishable from legitimate communications.

AI tools have made it easier to generate convincing emails at scale, removing one of the traditional warning signs: poor grammar or clumsy syntax used to be a giveaway.

What to look for

You can no longer rely on grammar or design as your only indicator that something is fishy, because even a polished email can be malicious.

Focus instead on:

  • Where the email came from

  • What it’s asking you to do

  • Whether that request makes sense

Why This Still Works

Phishing doesn’t succeed because people are careless.

It succeeds because it’s tried thousands, if not millions, of times a day, and it only needs one attempt to succeed by exploiting normal behaviour.

And if you’re busy, you trust familiar brands, or you respond quickly to colleagues, then you’re their ideal target.

Attackers build their tactics around those habits, and with you in mind.

A Simple Rule That Goes a Long Way

If there’s one takeaway from all of this, it’s this:

Don’t let urgency override judgment.

Take a moment.
Check the details.
Verify if something feels off.
If you’re not expecting the email, ignore it.

That small pause is often the difference between catching a phishing attempt and falling for it.

Final Thought

April Fools’ Day is built on harmless deception.

Phishing isn’t.

The emails may look convincing, the requests may feel routine, and the timing may seem urgent. But the intent is very different.

Phishing isn’t just about spotting obvious scams. It’s about recognising subtle signals and building habits that prevent small mistakes from becoming bigger problems.

Because, unlike a prank, phishing doesn’t come with a punchline.
