Learning how to spot phishing emails matters more now than it ever has, because the messages behind these scams have never looked more convincing. Attackers clone brand logos, spoof sender names, and use AI to write flawless prose — and phishing now plays a role in the overwhelming majority of successful data breaches. The reassuring part is that even a polished phishing email almost always leaves one flaw you can catch in seconds.
I check suspicious messages for a living-adjacent reason: I run a tech help blog, so people forward me their “is this real?” emails constantly. The same 30-second routine catches nearly all of them, and I will walk you through exactly what I look at.
Quick Answer
Check four things before acting on any suspicious email: does the sender’s real address match the company’s true domain, does each hovered link point to that brand, is the message manufacturing urgency or threats, and does it ask for passwords or personal data? If even one answer looks off, do not click anything.
What are the warning signs of a phishing email?
Every phishing email I have inspected trips at least one of five wires. You rarely need all five — one solid red flag is enough to stop and verify through another channel.
1. The sender address does not match the brand
The display name in your inbox (“PayPal Support”) can say anything — it is the actual email address behind it that matters. Click or tap the sender name to expand the full address. A real PayPal email comes from @paypal.com, not @paypal-secure-account.net or @paypa1.com (the digit “1” swapped for the letter “l”). Misspelled domains and odd TLDs like .ru or .xyz tacked onto a brand name are immediate red flags. On a phone, press and hold the sender name for a second to reveal the full address without digging through settings.
2. Urgent or threatening language
“Your account has been suspended — verify now or lose access within 24 hours.” Phishing emails manufacture urgency because panic makes people skip the checks they would normally run. Legitimate banks, government agencies, and tech companies almost never demand instant action by email. When a message feels like it is rushing you, that pressure itself is the warning.
3. Links that do not go where they claim
Hover over any link before clicking on desktop, or long-press it on mobile, to preview the real destination URL. A genuine Microsoft link looks like account.microsoft.com — not microsoft-account-verify.com or a shortened bit.ly URL that hides the destination entirely. Even one character off in the domain can send you to a lookalike page built to capture your password. If you cannot safely preview the URL, paste the link (without clicking it) into VirusTotal, which scans the address against dozens of security engines for free.
4. Generic greetings and awkward phrasing
“Dear Valued Customer” instead of your name signals a bulk send. Real services you hold accounts with know who you are. Watch also for slightly off phrasing — sentences that technically parse but feel machine-translated, or mismatched fonts that hint at content pasted from several sources.
5. Unexpected attachments or requests for credentials
No legitimate company sends an unexpected attachment and tells you to open it to “verify your identity.” Real password-reset emails link to a form on their own site; they never ask you to reply with your current password. Any message requesting credentials, a Social Security number, or banking details in the reply is phishing, without exception.
If a message trips even one of these five wires, treat it as fake until proven otherwise.
What are the main types of phishing attacks?
Phishing is not only an email problem. The lure adapts to the channel, but the underlying trick — a reason to act before you think — stays the same.
| Type | Delivery | Common lure | Key giveaway |
|---|---|---|---|
| Email phishing | Account suspension, delivery notice | Mismatched sender domain | |
| Spear phishing | Email (targeted) | Uses your name, employer, or real contacts | Specific personal detail paired with an urgent request |
| Smishing | SMS/text | Package tracking, bank alert | Short link hides the real destination |
| Vishing | Phone call | Tech support, IRS, “your account” | Asks you to install software or pay in gift cards |
| Clone phishing | Resent “updated” version of a real email | Link destination changed from the original |
Knowing the delivery channel helps, but the giveaway is almost always the destination, not the disguise.
What should I do if I clicked a phishing link?
Act quickly — the first few minutes matter most. Here is the order I tell people to follow when they message me in a panic.
- Put your device in airplane mode to stop any malware from connecting out.
- Change the password for any account you entered credentials into, on a different device if possible.
- Enable two-factor authentication on that account immediately. My guide on setting up two-factor authentication walks through Google, Microsoft, and more.
- Run a malware scan using Windows Defender or Malwarebytes Free.
- Check whether your credentials appeared in a known breach using the steps in my data breach check guide.
- Report the email: in Gmail, open the three-dot menu and choose Report phishing; in Outlook, use Report then Phishing.
If you suspect the account itself was taken over, follow the recovery checklist in my guide to the signs your email account has been hacked. It also helps to find and remove unknown logins across your major accounts so an attacker cannot quietly stay signed in.
Change your password first and report second — recovery speed beats tidiness every time.
Common Mistakes to Avoid
- Trusting the display name alone. Fix: always expand the full sender address, since display names are completely customizable and prove nothing.
- Clicking “Unsubscribe” in a suspicious email. Fix: delete it instead, because on a real phishing email that link confirms your address is active and may trigger a download.
- Assuming the padlock icon means the site is safe. Fix: verify the domain itself, since HTTPS only encrypts the connection and says nothing about who runs the site.
- Reporting before changing your password. Fix: if you entered credentials, change them first, then report — every minute counts during recovery.
- Relying entirely on your spam filter. Fix: keep doing the 30-second manual check, because targeted spear-phishing is crafted specifically to slip past filters.
Frequently Asked Questions
Can phishing emails look exactly like the real thing?
Yes, the visual design can be a perfect match. Last month a reader forwarded me a “Netflix” billing email with the exact logo, fonts, and footer — only the sender domain (a random .top address) gave it away. The tell is always the sender domain and link destinations, not the look.
What should I do with a phishing email I did not click?
Report it, then delete it without replying. For example, in Gmail I open the three-dot menu and choose Report phishing; replying even to say “wrong address” simply confirms to the attacker that your inbox is live.
Is it safe to open a phishing email without clicking anything?
Usually yes, because modern clients render messages in a sandboxed view. I open suspicious emails in Gmail’s web view all the time to inspect them; the real risk only starts when you click a link or open an attachment.
Do phishing emails only target passwords?
No, the goal varies widely. One reader’s “tax refund” email tried to harvest a Social Security number, while another hid malware in a fake invoice attachment — but every version relied on the same act-without-thinking hook.
How do I report phishing to authorities?
Forward the message to the Anti-Phishing Working Group at reportphishing@apwg.org and file a report with the FTC. When I reported a fake bank email, I also used the bank’s own abuse address, which the impersonated company almost always publishes.
Will antivirus software catch phishing emails automatically?
It catches many but not all. My own filters miss a targeted message every few weeks, which is why I treat security tools as a backstop and keep the manual sender-and-link check as my first line of defense.
Conclusion
Phishing emails run on speed and panic, and you neutralize both by making the 30-second sender-and-link check an automatic habit. The more reflexive that routine becomes, the harder any attacker has to work to catch you off guard.
Share this guide with anyone who has ever forwarded you a “is this legit?” email — a five-minute read could save them from a very bad day.