Phishing Emails Are Getting Harder to Spot — 5 Red Flags That Still Give Them Away

Learn 5 red flags that reveal phishing emails — including fake sender addresses, suspicious links, and urgency tactics — so you can act before you click.

Phishing emails are the leading way criminals steal passwords, compromise accounts, and deploy malware — and they’ve never looked more convincing. Attackers now clone real company logos, spoof legitimate sender names, and use AI to craft near-perfect English. Even security-conscious people get fooled. The difference between a safe click and handing over your credentials usually comes down to knowing exactly what to look for before you act.

The good news: even the most polished phishing email almost always slips up in one of five predictable ways. This guide walks you through each red flag with concrete examples so you can spot a suspicious message in seconds — and explains exactly what to do when one lands in your inbox.

Quick Answer

Check the actual sender email address (not just the display name), hover over any links before clicking, and watch for urgency or threats. Legitimate companies never demand you act within hours or threaten to lock your account. If anything feels off, go directly to the website by typing its address — never use the link in the email.

5 Red Flags in Phishing Emails

1. The Sender’s Address Doesn’t Match the Display Name

Attackers set the visible “From” name to something like “PayPal Security” or “Apple Support,” while the actual sending address is something like paypal-alert@secure-billing247.com. Always expand or hover over the sender name in your email client to reveal the full address. Legitimate companies send only from their own domain — @paypal.com, @apple.com — never a lookalike.

Pro tip: On Gmail, click the sender name to reveal the full From: address. In Outlook, hover over the name. In Apple Mail, tap the name once to expand it.

2. It Creates Urgency or Threatens Consequences

“Your account will be locked in 24 hours.” “Verify your payment now or your order will be cancelled.” Phishing emails are engineered to bypass rational thinking by provoking panic. Real companies do send account alerts, but they don’t threaten immediate disaster or give you a two-hour window to respond. When you feel pressured to click right now, that’s the moment to slow down.

3. The Link Doesn’t Go Where You’d Expect

Hover over any link before clicking — without clicking — and look at the URL in your browser’s status bar or preview tooltip. Phishing links use subtle misspellings (paypa1.com, arnazon.com) or long URLs designed to obscure the real destination. What matters is the host name, the part between https:// and the first slash, and specifically its last two labels: those name the site you will actually be sent to, and everything in front of them is just a subdomain the attacker chose. A link reading accounts.paypal.com.evil-site.ru belongs to evil-site.ru, not PayPal.
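The two checks from red flags 1 and 3, pulling the real sending domain out of a From: header and the real destination domain out of a link, can be written down as a short script. This is an added example, not code from the article: the brand-to-domain map, the confusable list, the two-label suffix set and the sample headers and URLs are all constructed for illustration, and a real deployment would consult the full Public Suffix List rather than the tiny suffix set used here.

```python
"""Sender-address (red flag 1) and link-destination (red flag 3) checks.
Added example, standard library only; all brand data and samples are constructed."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed: brand names as they appear in display names -> domains the brand
# really sends from / links to. Extend this for the brands you care about.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "apple": {"apple.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}

# Two-label public suffixes a naive "last two labels" rule would mishandle.
# Assumption: real code would consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Character swaps attackers use to build look-alike domains (paypa1, arnazon).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("|", "l")]


def registrable_domain(host: str) -> str:
    """The part of a hostname the owner actually registered:
    accounts.paypal.com.evil-site.ru -> evil-site.ru"""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> tuple[str, str]:
    """Split a From: header into (display name, registrable domain of the real address)."""
    name, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2]
    return name, (registrable_domain(host) if host else "")


def link_domain(url: str) -> str:
    """Registrable domain of the URL's host: the text between :// and the first /."""
    return registrable_domain(urlsplit(url).hostname or "")


def normalise(label: str) -> str:
    """Undo the common look-alike substitutions so paypa1 compares equal to paypal."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; labels are short, so the simple DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, brand: str) -> str:
    """'official' (one of the brand's real domains), 'lookalike' (typo or
    confusable of the brand name) or 'unrelated' (anything else)."""
    if domain in BRAND_DOMAINS[brand]:
        return "official"
    label = normalise(domain.split(".")[0])
    if label == brand or edit_distance(label, brand) <= 1:
        return "lookalike"
    return "unrelated"


def check_from(from_header: str) -> str:
    """Red flag 1: the display name claims a brand the real address doesn't belong to."""
    name, domain = sender_domain(from_header)
    for brand in BRAND_DOMAINS:
        if brand in name.lower():
            verdict = classify_domain(domain, brand)
            if verdict == "official":
                return "ok"
            return f"suspicious: display name claims {brand} but address is {domain} ({verdict})"
    return "no brand claimed in display name"


def check_link(url: str, claimed_brand: str) -> str:
    """Red flag 3: the link's real domain isn't one the claimed brand owns."""
    domain = link_domain(url)
    verdict = classify_domain(domain, claimed_brand)
    if verdict == "official":
        return "ok"
    return f"suspicious: link really goes to {domain} ({verdict})"


if __name__ == "__main__":
    # Constructed samples mirroring the article's examples.
    for header in ('"PayPal Security" <paypal-alert@secure-billing247.com>',
                   '"Apple Support" <noreply@apple.com>'):
        print(header, "->", check_from(header))
    for url in ("https://accounts.paypal.com.evil-site.ru/login",
                "http://paypa1.com/verify",
                "https://www.paypal.co.uk/signin"):
        print(url, "->", check_link(url, "paypal"))
    print("https://www.arnazon.com/", "->", check_link("https://www.arnazon.com/", "amazon"))
```

The split between "lookalike" and "unrelated" matters for triage: a lookalike domain is a deliberate brand imitation and worth reporting, while an unrelated domain under a brand display name is the cheaper, more common spoof. Both are treated as suspicious; only a domain on the brand's own list passes.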

4. It Carries an Unexpected Attachment

No legitimate bank, government agency, or major retailer will email you an unsolicited Word document, ZIP file, or PDF and ask you to open it to verify your information. Malicious attachments install keyloggers or ransomware the moment you open them or enable macros. If you weren’t expecting a file, contact the sender directly through their official website before opening anything.

5. A Generic Greeting or Off Phrasing

“Dear Valued Customer” instead of your actual name is a classic phishing tell — companies that hold your account already know who you are. Modern AI has reduced obvious grammar mistakes, but attackers still slip up with awkward word choices, inconsistent fonts, or mismatched logos. Read the email out loud; anything that sounds slightly wrong probably is.

Real Email vs. Phishing Email: At a Glance

Signal         | Legitimate Email               | Phishing Email
---------------|--------------------------------|--------------------------------------------
Sender address | Official company domain        | Random or lookalike domain
Greeting       | Your actual name               | “Dear Customer” or “User”
Tone           | Informational, calm            | Urgent, threatening, or too good to be true
Links          | Match the brand’s real domain  | Misspelled or redirect-based domain
Attachments    | Expected and clearly explained | Unsolicited, with vague instructions

What to Do When You Spot a Phishing Email

  1. Don’t click anything — not links, not images, not the unsubscribe button. Some phishing emails confirm your address is active the moment you interact with them.
  2. Report it. In Gmail, click the three-dot menu and choose “Report phishing.” In Outlook, use Report → Report Phishing. This helps providers block the campaign for everyone.
  3. Delete and empty trash so you don’t accidentally open it later.
  4. If you already clicked: Change your password immediately on the targeted service, then enable two-factor authentication to block any unauthorised access attempt.

Troubleshooting tip: If you entered your credentials before realising the email was fake, check whether your address appears in any new breach reports — our guide on checking for data breaches walks you through the free tools. Also consider switching to a dedicated password manager so a stolen password never unlocks multiple accounts at once.

Common Mistakes to Avoid

  • Trusting the display name over the address. The display name is set by the sender and verified by nobody. Always check the actual email address behind it.
  • Clicking “Unsubscribe” in a suspicious email. Doing so confirms your address is active and can invite more attacks. Delete the message instead.
  • Opening an attachment to “see if it’s safe.” There’s no safe way to preview a malicious file by opening it. Upload it to VirusTotal for a free scan before touching it, bearing in mind that uploaded files are shared with security researchers, so don’t upload anything that contains personal or confidential data.
  • Assuming HTTPS means the site is legitimate. Phishing sites can hold valid HTTPS certificates. The padlock shows the connection is encrypted — not that the destination is trustworthy.
  • Replying to ask if the email is real. If it’s fake, you’re just confirming your address to the attacker. Go to the company’s official website directly instead.

Frequently Asked Questions

Can phishing emails come from someone I know?
Yes. If a contact’s account is compromised, attackers use it to send phishing messages to their entire contact list — you’re more likely to trust a familiar name. Apply the same red-flag checks even when the sender is someone you know.

What is smishing?
Smishing is phishing delivered by SMS text message. The same red flags apply: unexpected urgency, suspicious links, and requests for personal information. Never tap a link in an unexpected text claiming to be from your bank or a delivery service.

Does my antivirus protect me from phishing emails?
Partially. Security suites scan links and attachments, but they can’t catch every new campaign on day one. Human awareness is still your most reliable filter against phishing.

Are phishing emails illegal?
Yes. Phishing is a federal crime in the United States under the Computer Fraud and Abuse Act, and illegal in most countries. You can report phishing attempts to the FTC at ReportFraud.ftc.gov.

If I just opened the email — not any link — am I infected?
Opening an email in modern clients (Gmail, Outlook, Apple Mail) is almost always safe. The real risk comes from clicking links or opening attachments, not from the act of opening the message itself.

Conclusion

Phishing emails rely on two things: realism and speed. Slow down, verify the sender address, hover over every link, and question any urgency — those three habits block the vast majority of attacks. If you want to harden your defences further, switching to a dedicated password manager and enabling two-factor authentication are the two highest-impact steps you can take right now.