author: Wellforce IT Editorial Team
author_credentials: Managed IT and cybersecurity advisory serving mid-market organizations in the Raleigh-Durham region
schema_types: [Article, FAQPage]
date: 2026-04-18
Signs of Phishing: A Channel-by-Channel Breakdown for Email, Teams, SMS, Voice, and QR Codes
Most phishing guidance treats the problem as an email problem. It isn’t — not anymore. Attackers route campaigns through Microsoft Teams messages, SMS, voice calls, and even QR codes printed on physical mail. If your team only knows how to spot a suspicious email, they’re blind to the majority of new attack surfaces.
This post categorizes phishing warning signs by the channel where they actually appear, gives you a direct answer suitable for quick reference, and walks through the first 30 seconds after someone on your team clicks something they shouldn’t have.
AEO Definitive Answer
What are the signs of phishing? The top phishing warning signs are: (1) urgent or threatening language demanding immediate action, (2) a sender address or phone number that doesn’t match the claimed organization, (3) unexpected attachments or links — especially shortened URLs, (4) requests for credentials, MFA codes, or payment outside normal workflows, (5) grammatical errors inconsistent with the supposed sender’s typical communication, and (6) mismatched display names versus actual domains or numbers. These red flags appear across email, chat, SMS, voice, and QR code vectors.
Phishing Signs by Channel: Email, Teams, SMS, Voice, QR Code
The reason a single flat list of phishing warnings fails is that each channel has its own trust cues — and its own ways those cues get exploited. Below is a channel-specific taxonomy.
Email Phishing
Email remains the most documented vector, so we’ll keep this section tight and focus on what has changed.
- Reply-to mismatch. The display name says “IT Help Desk” but the reply-to address is a freemail domain or a lookalike (e.g., wellforce-it.support@outlook.com instead of a corporate domain). This is still the single fastest way to verify legitimacy.
- OAuth consent prompts. AI-powered phishing campaigns increasingly bypass MFA entirely by tricking users into granting OAuth app permissions rather than entering passwords. According to RightHand AI’s 2026 phishing trends analysis, traditional MFA has been rendered “obsolete” against these attacks, which redirect users to legitimate Microsoft login pages that then request app-level consent. The phishing sign here is an unexpected app permission request, not a password prompt.
- Embedded tracking pixels or 1x1 images that fire before the user clicks anything. While invisible to the recipient, security teams should flag messages with unusual remote content calls.
- Attachment file types that don’t match context. An “invoice” arriving as an .html file or .iso disk image is a reliable phishing warning sign.
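For security teams, three of the email signs above (reply-to mismatch, remote images, mismatched attachment types) can be checked mechanically. The following is an added example, not part of the original article: the function name, the freemail list, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

FREEMAIL = {"outlook.com", "gmail.com", "yahoo.com"}  # illustrative list (assumption)
RISKY_EXT = (".html", ".htm", ".iso")  # .html/.iso are named in the text; .htm added
REMOTE_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?https?://', re.I)

def _domain(header):
    """Domain of the address in a From/Reply-To header ('' if the header is absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def email_signs(raw: bytes) -> list[str]:
    """Return the email warning signs found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    signs = []
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        signs.append("reply-to domain differs from sender domain")
    if reply_dom in FREEMAIL:
        signs.append("reply-to is a freemail address")
    html = msg.get_body(preferencelist=("html",))
    if html is not None and REMOTE_IMG.search(html.get_content()):
        signs.append("remote image fetched when the message is rendered")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            signs.append(f"risky attachment type: {name}")
    return signs

def sample_message() -> bytes:
    """Constructed test message, not a real capture."""
    m = EmailMessage()
    m["From"] = '"IT Help Desk" <helpdesk@corp.example>'
    m["Reply-To"] = "wellforce-it.support@outlook.com"
    m["Subject"] = "Invoice attached"
    m.set_content("See attached invoice.")
    m.add_alternative('<p>See attached.</p>'
                      '<img src="https://track.example/p.gif" width="1" height="1">',
                      subtype="html")
    m.add_attachment(b"<html></html>", maintype="application",
                     subtype="octet-stream", filename="invoice.html")
    return m.as_bytes()

if __name__ == "__main__":
    for sign in email_signs(sample_message()):
        print("-", sign)
```
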
Microsoft Teams and Collaboration App Phishing
Teams phishing has grown sharply because users default to trusting internal chat. External guest access — the same feature that makes collaboration tools like Power Apps useful for B2B — also opens a door for threat actors.
- “External” tag ignored. Teams displays an “External” badge on messages from outside your tenant. Attackers register lookalike tenant names (e.g., “Wellforce-Support”) and rely on users disregarding the tag.
- File shares from unknown contacts. A SharePoint or OneDrive link shared via Teams chat from someone you haven’t interacted with before — especially one requiring you to sign in again — is a significant phishing warning sign.
- Unusual meeting invites. A Teams meeting invite from an external organizer with a generic subject line (“Q2 Review,” “Urgent: Action Required”) that doesn’t match any project you’re working on.
- Chat messages requesting MFA codes. No legitimate IT department asks for MFA codes over Teams chat. Ever.
SMS Phishing (Smishing)
SMS carries an outsized open rate, which is exactly why attackers use it. The phishing warning signs here are different from email because SMS strips away most visual identity cues.
- Shortened or obfuscated URLs. Links using bit.ly, t.co, or unfamiliar shorteners in a message claiming to be from your bank, shipping carrier, or SaaS vendor. Legitimate organizations sending transactional SMS typically use branded short domains.
- Messages from email-to-SMS gateways. If the sender shows as an email address rather than a phone number, the message was routed through a gateway — a common smishing technique.
- “Verify your account” with no prior context. You haven’t requested a password reset, haven’t placed an order, haven’t contacted support — yet you’re being asked to verify something.
- Toll-free callback numbers that don’t match official sources. The message says to call a number that, when searched, doesn’t appear on the company’s official website.
Voice Phishing (Vishing)
Vishing attacks often serve as a second stage: the attacker sends an email or SMS first, then follows up with a call to create perceived legitimacy.
- Caller ID spoofing with urgency. The caller claims to be from your IT department or Microsoft support, insists on immediate action, and pressures you to stay on the line. Legitimate support calls are almost always initiated by the user, not the vendor.
- Requests for remote access. “I need you to install a quick support tool so I can fix this” — no legitimate internal IT team cold-calls users and asks them to install remote access software.
- Background noise designed to sound like a call center. Some vishing operations use AI-generated ambient noise to mimic enterprise support environments.
- Refusal to verify their own identity. If you ask the caller for a ticket number, employee ID, or callback number and they deflect, that’s a definitive phishing warning.
QR Code Phishing (Quishing)
Quishing is the newest mainstream vector and one of the least understood. Attackers embed malicious QR codes in emails, printed documents, or even physical stickers placed over legitimate codes in shared spaces.
- QR codes in email. There is almost no legitimate business reason to put a QR code inside an email. The recipient is already on a device that can click a link. A QR code in an email exists to bypass link-scanning tools.
- QR codes on printed material in unexpected places. A sticker on a parking meter, a “Wi-Fi login” poster in a lobby, or a flyer in a shared workspace that wasn’t distributed by building management.
- The destination URL doesn’t match expectations. After scanning, preview the URL before opening it. If the QR code on a “Microsoft 365 password reset” flyer leads to a domain that isn’t microsoft.com, stop.
- Requests for credentials immediately after scanning. Legitimate QR codes for menus, event check-ins, or Wi-Fi access rarely require you to enter a username and password.
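"Leads to a domain that isn’t microsoft.com" is harder to judge by eye than it sounds, because lookalike hosts can contain the expected name. The following added example (not from the original article) checks a decoded QR or SMS link against the domain it claims, and also covers the shortener sign from the SMS section; the function name and all sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co"}  # the two named in the SMS section; extend locally

def check_destination(url: str, expected_domain: str) -> list[str]:
    """Reasons to distrust a URL that claims to belong to expected_domain."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if parts.username is not None:
        # https://microsoft.com@evil.example/ really goes to evil.example
        reasons.append("text before '@' hides the real host")
    if host in SHORTENERS:
        reasons.append("shortener hides the final destination")
    if not host.isascii() or "xn--" in host:
        reasons.append("internationalized host, possible lookalike characters")
    # Exact match or a true subdomain only: a bare substring or suffix test
    # would accept login-microsoft.com and microsoft.com.evil.example.
    if not (host == expected or host.endswith("." + expected)):
        reasons.append(f"host {host or '(none)'} is not {expected} or a subdomain")
    return reasons

# Constructed sample URLs (evil.example is a reserved documentation domain).
SAMPLES = [
    "https://www.microsoft.com/reset",
    "https://microsoft.com@evil.example/reset",
    "http://microsoft.com.evil.example/reset",
    "https://login-microsoft.com/reset",
    "https://bit.ly/abc123",
]

if __name__ == "__main__":
    for url in SAMPLES:
        reasons = check_destination(url, "microsoft.com")
        print(url, "->", reasons or "matches expected domain")
```
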
The Red Flags That Apply Across Every Channel
Despite channel-specific differences, a handful of phishing warning signs are universal:
Artificial urgency. “Your account will be locked in 15 minutes.” “Payment overdue — legal action pending.” The goal is to short-circuit your judgment. Legitimate organizations provide grace periods and multiple notification methods.
Requests that break normal workflow. Your CFO has never asked you to buy gift cards over chat. Your IT team has never asked for your password via SMS. Any request that deviates from established process deserves a second look.
Mismatched identity signals. The display name says one thing, but the underlying address, number, or domain says another. This applies to email headers, Teams tenant names, caller ID, and QR code destination URLs alike.
Emotional manipulation. Fear (“your account is compromised”), greed (“unclaimed refund”), and curiosity (“see who viewed your profile”) are the three emotional levers phishing campaigns pull regardless of channel.
As Fortra’s expert panel on phishing prevention emphasizes, regular employee training is the top recommendation across 33 security professionals — but that training needs to extend well beyond email scenarios to address the warning signs of phishing in every channel employees actually use.
What to Do in the First 30 Seconds After You Suspect Phishing
The window immediately after recognizing a phishing attempt — or realizing you’ve already interacted with one — matters more than most people think.
If you haven’t clicked or responded:
- Don’t forward the message to colleagues to “check if it’s real.” Forwarding can trigger tracking pixels and spreads the malicious payload.
- Use your organization’s built-in reporting tool (see next section).
- If it arrived via SMS or voice, screenshot the message or note the phone number, then block the sender.
If you already clicked a link or entered credentials:
- Disconnect the device from the network — Wi-Fi off, Ethernet unplugged. Don’t shut it down; your security team may need forensic data from memory.
- From a different device, change the password for the compromised account immediately.
- Notify your IT team or managed security provider. Include the timestamp, the channel (email, Teams, SMS, etc.), and what you entered or downloaded.
- If you granted OAuth permissions to an app, go to myapps.microsoft.com, find the app under your account, and revoke consent.
Speed here isn’t about panic — it’s about limiting lateral movement. Attackers who obtain credentials often begin testing them within minutes.
How to Report Phishing in Microsoft 365 (Built-In Tools)
Microsoft 365 includes native reporting mechanisms that most organizations underutilize.
In Outlook (desktop and web):
- Select the suspicious message.
- Click the Report Message button in the ribbon (or the three-dot menu in Outlook on the web).
- Choose Phishing. This sends a copy to Microsoft for analysis and to your organization’s security team if your tenant is configured to receive submissions.
In Microsoft Teams:
- Right-click the suspicious message.
- Select More options > Report this message.
- Choose the reason (phishing, spam, etc.).
In the Microsoft 365 Defender portal:
- Navigate to Email & collaboration > Submissions.
- Submit URLs, email attachments, or email messages directly for Microsoft analysis.
If your organization doesn’t have the Report Message add-in deployed, that’s a configuration gap worth raising with whoever manages your Microsoft 365 environment. For organizations working with an IT advisory partner, this is a standard item in a security posture review.
FAQ Block
What are the warning signs of phishing?
The core warning signs of phishing include urgent or threatening language, sender identity mismatches (email address, phone number, or domain doesn’t match the claimed organization), unexpected requests for credentials or payment, suspicious links or attachments, and communication that breaks your organization’s normal workflow. These signs manifest differently depending on whether the attempt arrives via email, Teams, SMS, voice call, or QR code — see the channel-specific breakdown above.
How can you tell a phishing email from a real one?
Check three things in this order: (1) Does the sender’s actual email address — not just the display name — match the organization’s domain? (2) Does the email ask you to do something outside your normal process, like entering credentials on a page you reached through the email itself? (3) Hover over any links without clicking — does the URL match the claimed destination? If any of these checks fail, treat the email as suspicious and report it through your organization’s built-in tools.
What are signs of phishing in text messages?
SMS phishing (smishing) warning signs include shortened or obfuscated URLs, messages sent from email-to-SMS gateways (the sender appears as an email address), unsolicited “verify your account” requests, and callback numbers that don’t appear on the organization’s official website. Because SMS strips away visual branding cues, identity verification is harder — which is exactly why attackers favor it.
Are QR codes used for phishing?
Yes. QR code phishing — sometimes called “quishing” — uses malicious QR codes embedded in emails, printed flyers, or physical stickers to redirect victims to credential-harvesting sites. The key phishing warning sign is a QR code that leads to a login page, especially one requesting Microsoft 365, Google Workspace, or banking credentials. Always preview the destination URL after scanning before you interact with the page.
Why doesn’t MFA stop all phishing?
Modern phishing campaigns increasingly bypass MFA by using adversary-in-the-middle (AiTM) proxies that intercept session tokens in real time, or by tricking users into granting OAuth app consent — which doesn’t require a password at all. As noted in RightHand AI’s 2026 analysis, phishing-resistant authentication methods (FIDO2 keys, certificate-based auth) are now necessary to address what traditional MFA cannot.
The Practical Takeaway
Print the channel-specific phishing warning signs from this post and pin them — physically or digitally — where your team actually communicates. Not just in Outlook. In Teams. On the breakroom wall near the QR code for the lunch menu. Next to the phone in the front office.
Phishing training that only covers email is training for the last decade’s threat landscape. The signs of phishing are consistent in principle — urgency, identity mismatch, workflow deviation — but they look different in a Teams chat than they do in an inbox. Your team’s ability to recognize them depends on whether anyone has ever shown them what phishing looks like in the channels they actually use every day.