Unsurprisingly, it seems that security experts use fundamentally different processes for identifying phishing messages from novices.  Novices seem to use context gleaned from individual messages and processed on a per-message basis (pictures look "odd", grammar doesn't match how the person actually talks, request is unusual).  Experts have more strict, but broader rules (URLs match organization sending message)