How to Spot a Phishing Scam Email Before It Costs Your Business Money

Scam emails are getting harder to detect. Here’s how to spot them.  


Phishing scams are nothing new. In a high-tech world, however, they are smarter and more difficult to spot than ever. The good old days of badly spelt emails from Nigerian Royalty with money troubles are long gone. In their place are hyper-personalised, highly sophisticated and realistic messages harnessing the latest AI. To beat them, everyone has to be on their toes.  

Just recently, we learned our own clients were the target of a scam, with an email that looked realistic and believable. It came from what, at first glance, looked like our domain, and asked the client to make a tax payment into a new account. 


The email included lines like: 


Sounds legit, right? Sounds pressing too, right? A professional-sounding email, decent grammar and from a named person within the company, using our company email signature and believable domain. It’s easy to see how even a seasoned professional who has seen more than their fair share of phishing scams could be taken in.   

But if you’re not extremely careful, not only could you lose a substantial amount of cash, but HRMC may well still be waiting for their money with all the penalties that might come with it.  

Today, phishing scams are a world away from the old mass-mailed AOL password tricks of the 90s. They have become incredibly sophisticated, harnessing the latest AI and automation technology to effect realistic deepfake impersonations.  

Attackers can gather publicly available information from sites such as LinkedIn, Facebook, X, earnings calls, conference talks or any public-facing site to tailor highly convincing personalised emails. AI technology can even be used to replicate the voice, video or writing style of individuals to make the attack seem hyper-realistic.  


So, how can you guard against it?  


Let’s start by highlighting the red flags common in most scam emails (including the one referenced above).  

  • A slight difference in email domain. Like the scam above, the scammer used burgesshodgsons.co.uk (added an ‘s’), instead of burgesshodgson.co.uk. 
  • High urgency or threatening tone. In this instance, the mention of HMRC and a tax bill is intended to hurry a target into paying up.  
  • Abnormal communication channels. If a business executive is communicating from a personal email address, it’s worth checking why. In the scam mentioned above, when looking more closely, the ‘From’ line included “ For and On behalf Of BURGESS HUDGSON AUDIT LIMITED COMPANY <notdeadghost27@gmail.com>.” Not only do we not use a Gmail account, but it’s misspelling of our name. We will never send anything from a Gmail account, and we like to think we’d get our own name right.  
  • Mismatched domain names. Don’t rely on the display name. Double-check the actual email address to be sure.  
  • Unexpected additions. Be especially wary of any unexpected attachments, such as an invoice for work you know nothing about.  


Crucially, in our example email, many of the clearest signs are hidden away in the sender information. There were some other hints of a scam, such as the Account Name the scammer gave was a personal name, not a business name, and definitely not an HMRC account). 

If you receive an email like this, seemingly from a known contact – and especially if it’s asking you to make a payment – verify the information in the email using the contact details you have on file for that person. Don’t just reply to the email, and definitely don’t make a payment into a new account – get clear confirmation direct from a source you trust.  

Make sure everyone in your business is educated on the potential threats. It only takes one careless click or payment from one individual to breach your defences (and potentially lose you a lot of money).