TL;DR: Phishing emails have become sophisticated enough to fool experienced professionals. This decision tree gives staff a consistent, reliable process for evaluating suspicious emails — five questions that, answered in order, identify the vast majority of phishing attempts before any damage is done.
Why Decision Trees Work Better Than Rules
Security awareness training typically teaches rules: “Never click links in emails.” “Check the sender address.” “Look for spelling mistakes.” These rules are fine in theory but fail in practice because they are applied inconsistently. The rule “never click links in emails” is immediately violated every time someone clicks a legitimate email newsletter.
A decision tree is different. It is a process — a sequence of questions that leads to a clear conclusion. Staff who follow the process do not need to remember rules; they just need to answer questions in order.
The Decision Tree
START HERE: You have received an email and something feels off.
Question 1: Were you expecting this email?
YES → You requested a password reset, you are expecting an invoice from this supplier, or you scheduled a meeting that generated a confirmation. The email fits a context you created.
If YES: Continue to Question 2 as a precaution, but the risk level is lower.
NO → You were not expecting this email. It is unsolicited.
If NO: Your guard should be higher. Continue to Question 2.
Question 2: Do you recognise the sender — and does the email address match?
How to check the sender: In Outlook, click on the sender’s display name to expand the full email address. The display name (“Microsoft Support”) can be set to anything; the actual email address is what matters.
RECOGNISED SENDER, EMAIL MATCHES → The email came from the person or organisation it appears to be from.
Continue to Question 3.
RECOGNISED SENDER, EMAIL DOES NOT MATCH → The display name shows someone you know, but the actual email address is different from their normal address. This is a strong phishing indicator.
Examples:
- Display name: “David Thompson” / Email: david.thompson@yourcompany-ap.com (instead of @yourcompany.com)
- Display name: “Microsoft” / Email: support@microsoft-security-alert.info
- Display name: “Commonwealth Bank” / Email: alerts@combank-security.net.au
RESULT: High risk. Do not click, do not reply. Report to IT.
UNRECOGNISED SENDER → You do not know this sender and you were not expecting their email.
Continue to Question 3 with heightened caution.
Question 3: Is there a link or attachment? Does it match what you expect?
NO LINK OR ATTACHMENT → The email contains no clickable links and no files. Continue to Question 4.
THERE IS A LINK:
Hover over the link (do not click) and look at the URL that appears at the bottom of your browser window or in the tooltip. Ask:
- Does the domain name match the organisation sending the email?
- Is the domain recognisably legitimate (microsoft.com, commonwealthbank.com.au) or does it look like a fake (microsoft-security-account.com, combank-alerts.info)?
- Is there a very long, random-looking URL that does not relate to any organisation name?
If the URL matches and looks legitimate: continue to Question 4.
If the URL does not match or looks suspicious: RESULT: High risk. Do not click. Report to IT.
THERE IS AN ATTACHMENT:
- Is the file type expected? (Invoices should be PDFs. Documents should be .docx. Spreadsheets should be .xlsx.)
- Were you expecting this file? Did the sender mention it previously?
- Does the filename make sense? (Random strings of numbers and letters are suspicious.)
- Is the file an executable (.exe, .msi, .bat), a compressed file (.zip, .rar), or a script file (.js JavaScript, .vbs VBScript)? These are high-risk file types.
If the attachment type matches and you were expecting it: continue to Question 4.
If you were not expecting the attachment, or the file type is unusual: RESULT: High risk. Do not open. Report to IT.
Question 4: Is the email creating urgency or asking you to do something unusual?
Read the email content and ask:
- Is it demanding immediate action? (“Your account will be closed in 24 hours”, “Urgent: payment required today”)
- Is it asking you to bypass normal processes? (“Don’t mention this to anyone”, “Process this before checking with your manager”)
- Is it asking for credentials, payment, or sensitive information?
- Is it asking you to do something you have never been asked to do before?
NO unusual urgency or requests → Continue to Question 5.
YES, unusual urgency or request → Urgency is the most common technique used to prevent careful thinking. Slow down rather than speeding up.
If the request involves:
- Money or payment: Do not act. Call the apparent sender on a known phone number to verify.
- Credentials or passwords: Do not provide. No legitimate organisation asks for passwords by email.
- Downloading software: Do not download. Call IT.
- Remote access: Do not provide. No legitimate IT provider needs to be invited in by clicking an email link.
RESULT: High risk. Do not act. Verify by phone or report to IT.
Question 5: Does this email make sense in context?
Apply business judgement:
- Does this request fit with how this organisation or person normally communicates with you?
- Have you received similar emails before?
- Is the content, writing style, and tone consistent with previous genuine emails from this sender?
- Does the sender’s email address match the email thread you have with them in your sent items?
YES, it makes sense → The email is probably legitimate. If you are still unsure, the safest action is always to call the sender directly (on a known number) to confirm.
NO, something does not add up → Trust your instinct. If something feels wrong, it probably is.
RESULT: If unsure, call the sender directly or report to IT.
Summary: The Five Questions
- Were you expecting this email? (Yes = lower risk, No = higher risk)
- Does the sender’s email address match who they claim to be? (Mismatch = High risk)
- Does the link or attachment look legitimate? (Suspicious URL/file type = High risk)
- Is the email creating urgency or asking for something unusual? (Yes = High risk)
- Does this email make sense in context? (No = call to verify)
What to Do When You Are Unsure
The safest response to any suspicious email is: do nothing with the email, and call IT.
- Do not reply to ask if the email is genuine
- Do not forward the email to a colleague to ask their opinion (you may forward a malicious attachment to them)
- Do not click anything “just to see what it is”
- Do not try to unsubscribe from a suspected phishing email (unsubscribe links in phishing emails often confirm your email is active)
Report it:
- In Microsoft Outlook: Use the “Report Phishing” button in the Home ribbon
- Via email: Forward to [IT security email — fill in your address]
- By phone: [IT helpdesk number — fill in]
Reporting phishing emails — even ones you are not 100% sure about — helps your IT provider identify attack patterns and improve your organisation’s defences. False alarms are always better than missed threats.
Training Exercise: Apply the Decision Tree
Use these sample scenarios to practice the decision tree with your team.
Scenario A:
You receive an email from noreply@microsoft-accounts.com with the subject “Your Microsoft 365 account will be locked in 24 hours.” The email contains a button: “Verify My Account.”
Question 1: Were you expecting this? No. Question 2: Does the email address match Microsoft’s real domain (microsoft.com)? No — microsoft-accounts.com is not microsoft.com. Result: High risk. Do not click. Report to IT.
Scenario B:
Your CEO emails from their normal company email address, asking you to process an urgent wire transfer to a new vendor before end of business. They say they are in meetings and cannot be called.
Question 1: Were you expecting this? No. Question 2: Does the email address match? Yes — it appears to be their real address. Question 3: No link or attachment. Question 4: Is there unusual urgency? Yes — “before end of business.” Are they asking for something unusual? Yes — bypassing normal payment approval by saying they cannot be called. Result: High risk. Call the CEO on their personal mobile to verify — not using any number in the email. Do not process any payment without verbal confirmation.
(Note: This is a Business Email Compromise scenario. The CEO’s account may be compromised, or the email may be from a spoofed domain that passed spam filters.)
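The decision tree above is meant to be run by a person, but Questions 2, 3 and 4 are mechanical enough that an IT provider can also automate them as a first-pass triage filter. The following Python script is an added example, not code from the original article or from CX IT Services: it parses a raw email, applies the sender-address check (Question 2), the link and attachment checks (Question 3) and the urgency check (Question 4), and reports a verdict with its reasons. The trusted domain list, the known-contacts table, the urgency phrase list and the three sample messages (which mirror Scenario A, Scenario B and a routine internal email) are all constructed for illustration; a real deployment would load contacts and domains from the organisation's own address book.

```python
"""Added example (not from the original article): automate Questions 2-4 of the
phishing decision tree over a raw email. All lists and sample messages below
are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical trusted domains (in practice: the organisation's own contact list).
KNOWN_DOMAINS = {"yourcompany.com", "microsoft.com", "commonwealthbank.com.au"}
# Hypothetical known contacts: display name (lower-cased) -> their usual address.
KNOWN_CONTACTS = {"david thompson": "david.thompson@yourcompany.com",
                  "jane smith": "jane.smith@yourcompany.com"}
# File types the article lists as high risk (Question 3).
RISKY_EXTENSIONS = {".exe", ".msi", ".bat", ".zip", ".rar", ".js", ".vbs"}
# Urgency and process-bypass cues taken from the Question 4 examples.
URGENCY_PATTERNS = [r"\b24 hours\b", r"\burgent", r"\bimmediately\b", r"\btoday\b",
                    r"before end of business", r"don.t mention", r"cannot be called"]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def domain_of(address):
    """Lower-cased domain part of an email address ('' if it has none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_known_domain(domain):
    """True for a trusted domain or one of its subdomains (mail.microsoft.com)."""
    return any(domain == d or domain.endswith("." + d) for d in KNOWN_DOMAINS)


def looks_like_brand(domain):
    """A trusted brand name inside a domain that is NOT trusted, as in the
    article's examples (microsoft-security-alert.info, yourcompany-ap.com)."""
    brands = {d.split(".")[0] for d in KNOWN_DOMAINS}
    return any(b in domain for b in brands) and not is_known_domain(domain)


def risky_extension(filename):
    """True if the attachment carries one of the high-risk extensions."""
    return "." in filename and "." + filename.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS


def triage(raw_message):
    """Run Questions 2-4 over an RFC 822 message string; return (verdict, reasons)."""
    msg = message_from_string(raw_message)
    reasons = []

    # Question 2: does the real address match the display name or brand?
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and expected != address.lower():
        reasons.append(f"Q2: display name '{display_name}' but address is {address}")
    elif looks_like_brand(sender_domain):
        reasons.append(f"Q2: sender domain {sender_domain} imitates a trusted domain")

    # Gather the plain-text body and attachment names from every MIME part.
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")

    # Question 3: link domains that imitate a brand or do not match the sender,
    # and attachments of a high-risk type.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if looks_like_brand(host):
            reasons.append(f"Q3: link domain {host} imitates a trusted domain")
        elif not is_known_domain(host) and host != sender_domain:
            reasons.append(f"Q3: link goes to {host}, not the sender's domain")
    for name in attachments:
        if risky_extension(name):
            reasons.append(f"Q3: high-risk attachment type: {name}")

    # Question 4: urgency or requests to bypass the normal process.
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append("Q4: urgency/bypass wording matched: " + ", ".join(hits))

    verdict = ("High risk: do not act, report to IT" if reasons
               else "Lower risk: apply the Question 5 context check")
    return verdict, reasons


# Constructed messages mirroring the article's Scenario A and Scenario B,
# plus a routine internal email that should pass through to Question 5.
SCENARIO_A = """From: Microsoft <noreply@microsoft-accounts.com>
Subject: Your Microsoft 365 account will be locked in 24 hours

Verify My Account: https://microsoft-accounts.com/verify?id=8831
"""
SCENARIO_B = """From: Jane Smith <jane.smith@yourcompany.com>
Subject: Urgent wire transfer

Please process a wire transfer to a new vendor before end of business.
I am in meetings all day and cannot be called.
"""
ROUTINE = """From: Jane Smith <jane.smith@yourcompany.com>
Subject: Agenda for Thursday

Draft agenda is at https://intranet.yourcompany.com/agenda
"""

if __name__ == "__main__":
    for label, raw in (("Scenario A", SCENARIO_A), ("Scenario B", SCENARIO_B), ("Routine", ROUTINE)):
        verdict, reasons = triage(raw)
        print(label, "->", verdict, *("\n    " + r for r in reasons))
```

Scenario A trips all three automated questions (lookalike sender domain, lookalike link domain, "24 hours"), while Scenario B passes Questions 2 and 3 and is flagged only by the urgency and "cannot be called" wording of Question 4, which is exactly why the article's answer for that scenario is a phone call on a known number rather than a block. The routine email produces no findings and is handed to the human judgement of Question 5; an automated filter can narrow the pile, but it cannot replace that last step.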
For more detailed phishing examples with annotated breakdowns, see Phishing Email Examples Swipe File.
For technical email security controls that reduce phishing email delivery, see Email Security for Australian Businesses.
If you want help running phishing simulations and security awareness training for your team, book a Right Fit Call with CX IT Services.