diff --git a/doc/errors.but b/doc/errors.but index cea3201c..e3db184e 100644 --- a/doc/errors.but +++ b/doc/errors.but @@ -39,6 +39,9 @@ the one PuTTY has cached for this server}, means that PuTTY has connected to the SSH server before, knows what its host key \e{should} be, but has found a different one. +(If the message instead talks about a \q{certified host key}, see +instead \k{errors-cert-mismatch}.) + This may mean that a malicious attacker has replaced your server with a different one, or has redirected your network connection to their own machine. On the other hand, it may simply mean that the @@ -60,7 +63,8 @@ If you've configured PuTTY to trust at least one \k{config-ssh-kex-cert}), then it will ask the SSH server to send it any available certified host keys. If the server sends back a certified key signed by a \e{different} certification authority, PuTTY -will present this variant of the host key prompt. +will present this variant of the host key prompt, preceded by +\q{WARNING - POTENTIAL SECURITY BREACH!} One reason why this can happen is a deliberate attack. Just like an ordinary man-in-the-middle attack which substitutes a wrong host key,
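Review bot: In the first hunk (@@ -39,6 +39,9 @@), the added parenthetical uses "instead" twice: "If the message instead talks about a \q{certified host key}, see instead \k{errors-cert-mismatch}". Drop one of them, for example "(If the message talks about a \q{certified host key} instead, see \k{errors-cert-mismatch}.)". The keyword errors-cert-mismatch is not defined anywhere in the visible lines, so confirm that a section carrying it exists, otherwise the cross-reference will not resolve.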
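Review bot: In the second hunk (@@ -60,7 +63,8 @@), the reworded sentence now ends on \q{WARNING - POTENTIAL SECURITY BREACH!} with no full stop of its own, where the line it replaces ended "host key prompt." Either add the full stop after the closing brace or rephrase so that the quoted banner is not the last thing in the sentence. Since users will search the manual for the exact text they see on screen, also check that the quoted banner matches the string the prompt displays character for character, including the hyphen and the exclamation mark.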