Phishing messages can range from very basic to highly sophisticated. Common “red flags” or indicators include:

• Suspicious sender or reply-to address: always treat messages from unknown or unfamiliar senders or accounts with extra caution.
• Unexpected message: messages from recognized senders that are unrelated to normal communications or job responsibilities can signal an account has been compromised or is fake.
• Suspicious attachment: messages with unexpected or unusual attachments can contain malware.
• Suspicious link: messages that encourage recipients to click and follow embedded hyperlinks may point to websites unrelated to the message and under the control of the attackers.
• Poor spelling: spelling and grammar errors may indicate a phishing attack since legitimate organizations typically avoid these mistakes in their communications.

Adopting the following best practices can minimize the chances of falling for a phishing attack: 

• Filter incoming messages: ensure that your IT systems screen incoming messages to reduce spam and other unwanted content. “Anti-spoofing” controls can verify the authenticity of senders and make it difficult for attackers to hit their target.
• Install malware detection and filters: your IT systems should automatically block or quarantine messages that contain viruses, ransomware or other malicious code. Use software that prevents, detects, and removes malware and performs real-time scans.
• Keep browsers and other software up to date: malicious attachments and malware often exploit security vulnerabilities made possible by outdated browsers and other software. Ensure that your IT staff regularly update all software and operating systems if it is not possible to set up automatic updates.
• Lock down workstations: hackers can exploit computers that allow software to be installed and settings to be configured by individual users. Restrict or disable administrative rights for normal users and limit the number of computers or accounts with high-level privileges or access to sensitive information. Individuals with high-level privileges should not share accounts or use them for non-work purposes.
• Require employees to use unique, complex passwords: the reuse of stolen passwords is a major phishing threat. Stronger authentication methods, such as one-time password tokens, cryptographic credentials, or biometric traits should be required for system administrators, users that handle sensitive information, and users with remote access to corporate resources.
• Identify external messages: you can detect phishing messages more easily if all external messages are clearly labeled as coming from outside the organization with a prominent message.
• Segment networks that contain sensitive data from other networks. You can limit the impact of compromised computers and accounts by restricting their access to other networks or systems. For example, public-facing webmail servers should be isolated from intranet systems or human resources databases.
• Use threat intelligence and endpoint protection tools. Advanced tools can detect, and in some cases, prevent attackers from gaining a foothold inside your network by flagging unusual patterns of system behaviour, such as irregular login attempts and large file downloads.
• Enable encryption on documents, devices, and databases that contain sensitive information, by default, to provide an extra layer of defence against unauthorized access, use, and disclosure by attackers.
• Conduct regular phishing awareness and training. Send simulated phishing attacks to employees to test their awareness and knowledge of how to respond. Routine tests raise awareness of security issues and help identify employees who need additional training.
• Enable users to report phishing and to request help. Organizations benefit from real-time feedback from employees on phishing threats

• Verify the sender by carefully examining the “From” address, which should be consistent with the display name and the context of the message. For example, an email message claiming to be from a bank should not have an “xbox.com” address domain (the domain is everything after the @). Some phishing attacks use a sender’s email address that is similar to, but not the same as, an organization’s official email address. An example would be “omtario.ca” instead of “ontario.ca.” 
• Do not provide usernames, passwords, or other access codes in response to an email request or unsolicited popup windows. Legitimate organizations never ask for this information via email and only collect it through their official websites or applications. When in doubt, follow up with the sender by phone.
• Do not open suspicious file attachments. If you receive an unexpected attachment, contact the sender (preferably by phone) to confirm that the attachment is legitimate. If you cannot confirm its legitimacy, report the attachment to your IT department, or delete it.
• Never click on suspicious links. Hover your mouse over parts of the message without clicking on anything. If the underlying hyperlink looks strange or does not match what the link description says, do not click on it — report it. Note that images can also contain suspicious links.
• Do not respond to suspicious or unwanted messages. Attackers benefit from learning more about potential targets. For example, asking to have an email address removed from a malicious party’s mailing list confirms that email is active, potentially leading to additional attacks. Downloading missing images confirms that the message was viewed. The best practice is to flag the message as spam or delete it. 
• Report suspicious messages. When you receive a suspicious message, and especially if you click on questionable links or attachments, notify your IT department immediately.
• Make it easy for all your employees to report suspected phishing messages, and to request and get help in case of a possible attack. Employees are often the last line of defence against phishing attacks. Awareness and training can and does improve security.