How to Spot a Phishing Email Without Becoming Paranoid

By Craig Simon

If you run a law firm, a CPA practice, or an insurance agency, your inbox is where your business actually happens — client files, signatures, wire instructions, deadlines. That also makes it the front door someone is most likely to knock on while pretending to be someone else.

The good news: you don’t need to become a suspicious person to know how to spot a phishing email. You need one five-second habit and one house rule. That’s it. Let me walk you through both.

Why these emails work on smart people

Phishing emails don’t succeed because people are careless. They succeed because they’re engineered to short-circuit careful people — they borrow a name you trust and add time pressure. “Your client needs this filed today.” “The partner needs gift cards for a client meeting in an hour.” “Updated wire instructions attached, please process before close of business.”

And the old advice — look for bad spelling and clumsy grammar — doesn’t hold up anymore. Modern scam emails are clean, polite, and professionally written. The tells have moved, so the habit has to move too.

How to spot a phishing email in five seconds

Before acting on any email that asks you to pay, click, or log in, check three things. First, the actual sender address, not the display name — on a phone, tap the name to expand it. “Jennifer Alvarez” means nothing if the address behind it is a string of letters at a domain you’ve never seen, or a near-miss like yourbank-secure.com. Second, the ask. Urgency plus secrecy plus money or passwords is the classic combination — any two of those together should slow you down. Third, the link. Hover over it on a computer, or press and hold on a phone, and look at where it really goes before you click. If you’re being asked to log in somewhere, skip the link entirely and type the site’s address yourself.

Five seconds. That’s the whole habit.
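For whoever manages the office's email, the same three checks can be run by a script over a raw message. This is an added example, not part of the original article: the `triage` function, the `Links` class, the `KNOWN_DOMAINS` list, the pressure keywords, and the sample message are all constructed for illustration, and it assumes a single-part HTML message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
KNOWN_DOMAINS = {"yourbank.com"}  # assumption: domains your office really uses
PRESSURE = {  # constructed keyword lists, one per ingredient of "the ask"
    "urgency": r"urgent|today|immediately|close of business",
    "secrecy": r"confidential|keep this between|do not discuss",
    "money_or_passwords": r"wire|payment|gift card|password|log ?in",
}
SAMPLE = """\
From: Jennifer Alvarez <j.alvarez@yourbank-secure.com>
Subject: Updated wire instructions
Content-Type: text/html

<p>Please process before close of business and keep this confidential.
<a href="https://yourbank-secure.com/login">yourbank.com/login</a></p>
"""  # constructed message, single-part HTML body

class Links(HTMLParser):  # collects (real destination host, visible text)
    def __init__(self):
        super().__init__()
        self.found, self._host = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            host = urlparse(dict(attrs).get("href") or "").hostname or ""
            self._host = re.sub(r"^www\.", "", host.lower())
    def handle_data(self, data):
        if self._host is not None:  # first text after <a> is what the reader sees
            self.found.append((self._host, data.strip()))
            self._host = None

def triage(raw):  # raw message text in, list of warning flags out
    msg, flags = message_from_string(raw), []
    _, addr = parseaddr(msg["From"] or "")  # check 1: ignore the display name
    domain = addr.rpartition("@")[2].lower()
    if domain not in KNOWN_DOMAINS:
        near = any(k.split(".")[0] in domain for k in KNOWN_DOMAINS)
        flags.append(f"sender:{'near-miss' if near else 'unknown'}:{domain}")
    text = f"{msg['Subject'] or ''} {msg.get_payload()}"
    hits = sorted(k for k, rx in PRESSURE.items() if re.search(rx, text, re.I))
    if len(hits) >= 2:  # check 2: any two ingredients together
        flags.append("ask:" + "+".join(hits))
    parser = Links()
    parser.feed(msg.get_payload())  # check 3: where each link really goes
    flags += [f"link:{shown} -> {host}" for host, shown in parser.found
              if host and host not in KNOWN_DOMAINS]
    return flags
```

Calling `triage(SAMPLE)` returns one flag per failed check; a message from a known domain with a link back to that domain and no pressure language returns an empty list.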

The house rule that beats every filter

Here’s the rule I’d ask every professional office to adopt this week: any request to send money, change payment details, or share credentials gets verified through a second channel before anyone acts on it. Email says the client changed their bank? Call the client — on the number you already have on file, not the one in the email. The partner emails asking for an urgent payment? Walk down the hall or call their cell.

This matters most in professional services because of one specific scheme: the spoofed client. Someone studies a real transaction — a home closing, a settlement, a tax payment — then emails your office posing as the client with “updated” wire instructions. The email reads naturally because it’s built from real details. The only reliable defense is that phone call, every time, no exceptions — even when the request looks routine, and especially when it’s urgent.

Make it safe to ask

Knowing how to spot a phishing email is a team habit, not a solo skill. The offices that handle this best aren’t the ones with the most suspicious staff — they’re the ones where nobody feels silly forwarding an email and asking “is this real?” If your team is afraid of looking foolish, they’ll stop asking, and the one email that matters will slip through.

Same goes for mistakes. If someone clicks a bad link, the most valuable thing they can do is say so immediately — a clicked link reported in five minutes is a non-event; one hidden for three days is a real problem. Reward the report, never punish the click.

What to do this week

Gather your team for ten minutes — that’s genuinely all this takes. Agree on the house rule: money, payment changes, and passwords always get a phone-call verification on a known number. Write it down, then walk everyone through the five-second check on a real email from the inbox.

If you’d like a second set of eyes, we offer a free email security and wire-fraud risk review for professional firms — and if you’re a Menifee Chamber of Commerce member, just mention the Chamber when you reach out. Email hello@simonsayssystems.com.

Simon Says: Stay Connected. Stay Secure. — Craig Simon