Phishing Emails: 6 Warning Signs That Reveal a Scam Before You Click


Phishing emails are behind more than 90% of successful cyberattacks, yet most look convincing at first glance. Scammers have learned to copy real logos, mimic the tone of banks and delivery companies, and even personalise messages with your name. Knowing what to look for before you click is one of the most practical security skills you can develop.

The six warning signs below appear in almost every phishing email — sometimes just one, sometimes several at once. Spotting any one of them is enough reason to pause, close the message, and verify through the company’s official website instead.

Quick Answer

Phishing emails almost always show at least one of these signs: a mismatched sender address, urgent or threatening language, a generic greeting, suspicious links, unexpected attachments, or a request for passwords or payment details. When in doubt, go directly to the company’s official website rather than clicking any link in the email.

6 Warning Signs That Reveal a Phishing Email

1. The Sender’s Address Doesn’t Match the Display Name

The name shown in your inbox — “PayPal Support” or “Amazon Security” — is chosen by the sender and means nothing on its own. Click or tap the name to reveal the actual sending address. Legitimate companies send from their own domain (e.g., support@paypal.com); scammers use lookalikes such as support@paypa1-secure.com or random addresses like noreply@xz882k.ru.

Pro tip: On mobile, tap and hold the sender name to expand the full address. On Gmail or Outlook desktop, hover your cursor over the display name to see the real email address behind it.
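
As an added example (not from the original article), here is a small Python check that automates the sender-address comparison described above: it splits a From: header into display name and address, looks up the brand named in the display name, and reports whether the sending domain is one the brand actually owns, a lookalike (including digit-for-letter swaps such as paypa1), or something unrelated. The brand-to-domain table and the homoglyph map are constructed assumptions for illustration; a real deployment would use its own allowlist.

```python
"""Flag mismatches between a From: display name and the sending domain.
Added example, not code from the original article.  BRAND_DOMAINS and
HOMOGLYPHS are constructed assumptions, not a vendor list."""
from email.utils import parseaddr

# Constructed: brand keyword as it appears in display names -> domains the
# brand really sends from (assumption for illustration only).
BRAND_DOMAINS = {
    "paypal": ("paypal.com",),
    "amazon": ("amazon.com", "amazon.co.uk"),
}

# Characters commonly swapped for letters in lookalike domains (assumption).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def sender_domain(address: str) -> str:
    """Return the lowercase domain of an address, or '' if it is malformed."""
    local, at, domain = address.rpartition("@")
    return domain.lower() if at and local and domain else ""


def check_sender(from_header: str) -> dict:
    """Classify a raw From: header value.

    The returned dict carries the display name, address, domain and one of
    the verdicts: 'ok', 'lookalike-domain', 'unrelated-domain',
    'address-in-display-name', 'unknown-brand', 'malformed'.
    """
    display, address = parseaddr(from_header)
    domain = sender_domain(address)
    result = {"display": display, "address": address, "domain": domain}

    if not domain:
        result["verdict"] = "malformed"
        return result

    # A display name that is itself an address ("support@paypal.com") is the
    # friendly-name trick from the article: the real sender is in the brackets.
    if "@" in display:
        result["verdict"] = "address-in-display-name"
        return result

    brand = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if brand is None:
        result["verdict"] = "unknown-brand"
        return result

    owned = BRAND_DOMAINS[brand]
    if any(domain == d or domain.endswith("." + d) for d in owned):
        # Exact match or a subdomain of the brand's own domain (mail.paypal.com).
        result["verdict"] = "ok"
    elif brand in domain.translate(HOMOGLYPHS):
        # Brand name is present once 1->l style swaps are undone, but the
        # domain is not one the brand owns: paypa1-secure.com.
        result["verdict"] = "lookalike-domain"
    else:
        # Random domain with no relation to the claimed brand: xz882k.ru.
        result["verdict"] = "unrelated-domain"
    return result


if __name__ == "__main__":
    # Constructed sample headers echoing the article's examples.
    for hdr in (
        '"PayPal Support" <support@paypal.com>',
        '"PayPal Support" <support@paypa1-secure.com>',
        '"Amazon Security" <noreply@xz882k.ru>',
        '"support@paypal.com" <alerts@mailer.example>',
    ):
        print(f"{check_sender(hdr)['verdict']:26} {hdr}")
```

The subdomain test (`domain.endswith("." + d)`) is what keeps legitimate mail from hosts such as mail.paypal.com from being flagged, while amazon.com.evil.example still fails because the owned domain is not its suffix.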

2. Urgent or Threatening Language

“Your account will be suspended in 24 hours.” “Immediate action required or your order will be cancelled.” Scammers manufacture pressure so you react before you think. Legitimate companies rarely demand instant action by email — they give you time to log in and verify through official channels at your own pace.

3. Generic or Mismatched Greetings

A company that holds your account knows your name. “Dear Customer,” “Dear Account Holder,” or “Hello User” is a reliable sign the message was sent in bulk to thousands of addresses. Note that sophisticated spear-phishing attacks do use your real name, so always pair this check with a look at the sender address.

4. Links That Lead Somewhere Unexpected

Before clicking any link, hover over it on desktop (or long-press on mobile) to preview the real destination URL. Watch for:

  • A domain with extra words or hyphens: amazon-secure-login.com instead of amazon.com
  • An IP address in place of a domain name: http://192.168.1.44/login
  • A URL shortener that hides the real destination entirely
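
The three red flags in the list above can be checked mechanically once you have the previewed URL. The following Python function is an added example, not code from the original article: it parses the link, reports a bare IP address as host, a known shortener, or a host that contains a brand name without being that brand's own domain (extra words, hyphens, or the brand stuck in front of an unrelated domain). The brand and shortener lists are constructed assumptions and are deliberately short.

```python
"""Check a previewed link for the article's three URL red flags.
Added example, not from the original article.  KNOWN_BRANDS and SHORTENERS
are constructed, non-exhaustive assumptions."""
import ipaddress
from urllib.parse import urlsplit

# Constructed: brands that appear in phishing lures and the domains they own.
KNOWN_BRANDS = {
    "amazon": ("amazon.com",),
    "paypal": ("paypal.com",),
}

# Constructed, deliberately short list of URL-shortener hosts (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}


def link_red_flags(url: str) -> list[str]:
    """Return a list of red flags for a URL; an empty list means none found.

    The scheme (http vs https) is intentionally not a signal: a padlock only
    says the connection is encrypted, not that the site is legitimate.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()  # hostname drops port and brackets
    if not parts.scheme or not host:
        return ["unparseable"]

    # Red flag 2: an IP address where a domain name should be.
    try:
        ipaddress.ip_address(host)
        return ["ip-address-host"]
    except ValueError:
        pass

    flags = []

    # Red flag 3: a shortener hides the real destination entirely.
    if host in SHORTENERS:
        flags.append("url-shortener")

    # Red flag 1: brand name present in the host, but the host is neither the
    # brand's domain nor a subdomain of it (amazon-secure-login.com,
    # amazon.com.account-check.example).
    for brand, domains in KNOWN_BRANDS.items():
        owned = any(host == d or host.endswith("." + d) for d in domains)
        if not owned and brand in host:
            flags.append(f"lookalike-domain:{brand}")

    return flags


if __name__ == "__main__":
    # Constructed sample links, including the two from the article.
    for link in (
        "https://amazon-secure-login.com/signin",
        "http://192.168.1.44/login",
        "https://bit.ly/3abcXYZ",
        "https://www.amazon.com/gp/css/order-history",
        "https://amazon.com.account-check.example/verify",
    ):
        print(f"{link:50} {link_red_flags(link) or 'no flags'}")
```

Treat an empty result as "nothing obvious", not as proof the link is safe: a brand you have not listed, or an attacker-controlled domain with no brand name in it at all, produces no flag, which is why the article pairs link inspection with the sender-address check.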

Troubleshooting tip: If you already clicked a suspicious link but didn’t enter any credentials, close the browser tab immediately, run a scan with your device’s built-in security app (Windows Security or Google Play Protect on Android), and change the password for any account the email appeared to come from.

5. Unexpected Attachments

Real invoices, shipping updates, and bank statements are available inside your account portal — they don’t arrive as unsolicited email attachments. Be especially cautious with .zip, .exe, .docm, or .xlsm files, which can execute malicious code the moment you open them. Even a PDF can carry embedded scripts that exploit outdated reader software.

6. Requests for Passwords, Payment Details, or Authentication Codes

No bank, government agency, or reputable online store will ask you to confirm your password, full card number, or a two-factor authentication code over email. If you receive such a request, navigate directly to the company’s website by typing the address yourself and log in from there to check whether anything actually needs your attention.

Common Phishing Types at a Glance

Type | Who It Targets | Common Lure | Key Red Flag
--- | --- | --- | ---
Mass phishing | Everyone | Fake bank or delivery alert | Generic greeting, mismatched domain
Spear phishing | Specific individuals | Uses your real name or employer | Unexpected request from a known brand
Smishing | Mobile users | Text message with a suspicious link | Unfamiliar short code or phone number
Vishing | Anyone | Phone call from “tech support” | Caller asks for remote access or codes
Clone phishing | Previous email recipients | Copy of a real email with swapped links | Duplicate of a message you already received

Common Mistakes to Avoid

  1. Trusting the display name alone. Always check the actual sending address — the friendly name shown in your inbox is trivial to fake. Fix: click the sender name to expand the full email address.
  2. Clicking “Unsubscribe” in a suspicious email. Any click in a scam message can confirm your address is active and trigger a flood of follow-up attacks. Fix: use your email client’s built-in “Report phishing” button instead.
  3. Assuming HTTPS means the site is safe. The padlock confirms the connection is encrypted, not that the site is legitimate. Phishing sites routinely use HTTPS. Fix: check the full domain, not just the padlock.
  4. Forwarding the message to verify it. Forwarding an email with a malicious attachment spreads the risk to the recipient. Fix: report it via the dedicated phishing-report feature in Gmail or Outlook.
  5. Assuming polished design means it’s real. Logos, colour schemes, and email signatures are trivial to copy. Fix: judge by the sender address and the content of the request, never by appearance alone.

Frequently Asked Questions

What should I do if I accidentally clicked a phishing link?
Don’t enter any information on the page that opens. Close the browser tab immediately, run a security scan on your device, and change the password for any account connected to that email. If you did enter credentials or payment details, contact your bank or the relevant company right away.

Can phishing emails come from someone I know?
Yes. If a contact’s email account is compromised, attackers can send phishing messages that appear to come from that trusted person. Always verify unexpected requests for money, login details, or file downloads by calling the person directly before acting.

How do I report a phishing email?
In Gmail, open the message, click the three-dot menu (⋮), and choose “Report phishing.” In Outlook, use the built-in “Report” button in the toolbar. You can also forward suspicious messages to the Anti-Phishing Working Group at reportphishing@apwg.org.

Is there a free tool that checks links before I click?
Google’s Safe Browsing Transparency Report lets you paste any URL and check whether it has been flagged as dangerous. Most modern browsers also display an automatic warning when you navigate to a known phishing or malware site.

Do phishing emails always contain spelling mistakes?
Not anymore. AI-generated phishing campaigns are often grammatically flawless. Spelling errors were once a reliable filter, but their absence today is not proof that a message is safe — always check the sender address and the nature of the request.

What’s the difference between phishing and spam?
Spam is unsolicited bulk email, usually commercial in nature. Phishing is a deliberate attempt to steal credentials, money, or personal data by impersonating a trusted entity. All phishing is a form of spam, but the vast majority of spam is not phishing.

Conclusion

Spotting phishing emails becomes second nature once you know the patterns. A mismatched sender address, artificial urgency, and suspicious links appear in the vast majority of scams — catching any one of them is enough to stay safe. If you suspect your credentials have already been exposed, check for data breaches now and act before attackers do. If you use Gmail, setting up filters and labels can automatically route suspicious bulk mail away from your primary inbox. Stay sceptical, verify before you click, and your accounts will be far harder to compromise.

Last updated: June 22, 2026