How to Spot Phishing Emails After a Data Breach
After a breach, attackers often follow up with phishing emails and texts. They're hoping fear and confusion will make you click fast. Here's how to recognize those messages and respond calmly.
Why phishing gets worse after a breach
When your email address appears in a breach, criminals may learn:
- The exact services you use (for example: a store, SaaS app, or social network)
- Your name and sometimes your role or company
- Old passwords they can try or reference
That lets them send emails that sound more believable: "We noticed suspicious activity on your RealServiceName account. Click here to verify."
🚨 Red flags to watch for
Most phishing messages share a few common traits:
- Pressure or panic — "Your account will be closed in 24 hours."
- Unexpected links or attachments — especially for invoices, refunds, or "secure documents."
- Strange sender addresses — correct brand name, but weird domain (like support@realbrand-security-check.com).
- Typos or odd formatting — broken logos, grammar issues, or generic greetings like "Dear user."
Simple rules for staying safe
When in doubt, follow these rules:
- Never log in through links in "urgent" emails or texts
- Instead, type the website address yourself or use a saved bookmark
- Don't open unexpected attachments—even PDFs—unless you're sure they're legitimate
- If a message mentions a payment or refund, verify it by logging into your account directly
Examples of common post-breach phishing themes
- "Your account was locked; confirm your identity."
- "We noticed a new login from [country]; click to secure your account."
- "Important security update required; open the attached document."
- Business email compromise — fake messages pretending to be from your boss or finance department
These all play on fear. The solution is the same: step back, verify through the official site or phone number, and don't rush.
For regular people: a 10-second check
Before clicking anything, quickly check:
- "Was I expecting this email?" If not, be suspicious.
- "Is the sender's email address exactly right?" Watch for extra words or numbers.
- "Are they pushing me to act right now?" Real companies rarely threaten you on a timer.
If any answer feels off, don't click. Log in directly to the service instead.
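The "strange sender address" red flag and the "is the sender's address exactly right?" check above can be turned into a simple automated screen. The Python below is an added example written for this page, not code from EmailBreachGuard; the brand allow-list, the `.example` domains and the sample headers are constructed, and the two-label registrable-domain rule is a simplification (a real tool would use a public-suffix list).

```python
import re
from email.utils import parseaddr

# Constructed allow-list for this example: brand token -> domains the brand
# really sends from. A real deployment would load this from configuration.
LEGIT_BRAND_DOMAINS = {
    "realbrand": {"realbrand.com", "mail.realbrand.com"},
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def registrable_domain(host):
    """Crude 'last two labels' rule; a real tool would consult a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_red_flags(from_header):
    """Return human-readable reasons a From: header looks like a brand lookalike."""
    flags = []
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    addr = addr.lower()
    host = addr.rpartition("@")[2]
    reg = registrable_domain(host)
    display_l = display.lower()
    # Display name that itself looks like an address, but not the one mail came from.
    m = EMAIL_RE.search(display_l)
    if m and m.group(0) != addr:
        flags.append(f"display name shows {m.group(0)} but mail comes from {addr}")
    for brand, legit in LEGIT_BRAND_DOMAINS.items():
        in_host, in_name = brand in host, brand in display_l
        if not (in_host or in_name) or host in legit or reg in legit:
            continue  # brand not referenced, or a genuine brand domain/subdomain
        where = "domain" if in_host else "display name"
        flags.append(f"'{brand}' appears in the {where} but mail comes from unrelated domain {host}")
        label = reg.split(".")[0]
        # "Extra words or numbers" glued onto the brand name in the registrable domain.
        if in_host and brand in label and label != brand:
            extra = label.replace(brand, "").strip("-_")
            kind = "numbers" if extra.isdigit() else "extra words"
            flags.append(f"{kind} added to the brand name in the domain: '{label}'")
    return flags


if __name__ == "__main__":
    for hdr in ("RealBrand Support <support@realbrand-security-check.com>",
                "RealBrand <noreply@mail.realbrand.com>"):
        print(hdr, "->", sender_red_flags(hdr) or ["no red flags"])
```

A hit from this screen is a reason to verify through the official site or phone number, not proof of phishing; a clean result does not prove a message is genuine either.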
For MSPs and IT teams: turning phishing into a teachable moment
After sharing breach findings with clients, you can:
- Send a short, branded "How to spot phishing" one-pager
- Give examples tailored to the tools they actually use (M365, payroll, CRM, etc.)
- Encourage staff to forward suspicious emails to IT instead of guessing
- Explain that asking IT first is always cheaper than recovering after a click
The calm way to respond
If you do click something suspicious or enter your password on a fake site:
- Change that password immediately
- Turn on MFA for that account if it's not already on
- Watch for unusual logins or password reset emails
- Tell your IT team if it's a work account—they'd rather know early
Want a clear view of which breaches might be fueling phishing?
Run a calm breach check with EmailBreachGuard →