What Is Phishing?

Phishing is a type of cyberattack where criminals send fraudulent messages — usually emails — that impersonate a trusted entity (your bank, a popular service, even your employer) to trick you into revealing sensitive information or clicking a malicious link.

Modern phishing emails can look remarkably legitimate. Logos are copied, writing is polished, and links look almost right. That's why knowing the specific red flags matters — you can't rely on "it looks fake" alone.

8 Warning Signs of a Phishing Email

1. The Sender's Email Address Doesn't Match

The display name might say "PayPal Support," but hover over or click on the sender's address. Phishing emails often come from domains that are slightly off: paypal-support.com, paypa1.com, or completely unrelated domains like randomstring@cheaphost.net. Legitimate companies always email from their official domain.

2. Urgent or Threatening Language

Phrases like "Your account will be suspended in 24 hours," "Immediate action required," or "Unauthorized login detected" are designed to trigger panic and bypass careful thinking. Legitimate companies rarely pressure you with extreme urgency. Slow down when you see this.

3. Suspicious or Mismatched Links

Before clicking any link, hover your mouse over it (on desktop) to preview the actual URL in the status bar. If the email claims to be from Amazon but the link shows amaz0n-secure.ru or a URL shortener like bit.ly/xxxxx, don't click it. On mobile, press and hold a link to preview the URL.
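
Signs 1 and 3 can also be checked mechanically. The Python sketch below is an added example, not part of the original article: it compares the display name with the sender's domain, and each link's visible text with the host it really points to. The brand allow-list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICIAL = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"}}  # assumed allow-list
SHORTENERS = {"bit.ly"}

def registrable(host):  # naive last two labels; real code needs the Public Suffix List
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        self._text.append(data)  # reset at every <a>, so only anchor text survives
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_email(raw):
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg["From"])
    sender = registrable(addr.rpartition("@")[2])
    for brand, domains in OFFICIAL.items():  # sign 1: display name vs. sender domain
        if brand in name.lower() and sender not in domains:
            findings.append(f"sender: name says {brand}, domain is {sender}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:  # sign 3: shown text vs. real target
        host = registrable(urlparse(href).hostname or "")
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if host in SHORTENERS:
            findings.append(f"link: shortener {host} hides the destination")
        elif shown and registrable(shown.group(0)) != host:
            findings.append(f"link: text shows {shown.group(0)}, href goes to {host}")
    return findings

SAMPLE = """From: "PayPal Support" <service@paypa1.com>

<a href="http://amaz0n-secure.ru/login">www.amazon.com/account</a>
<a href="https://bit.ly/xxxxx">Track your order</a>
"""  # constructed sample; look-alike domains are the ones named in the article
```

Calling check_email(SAMPLE) returns three findings: the mismatched sender, the link whose text and target disagree, and the shortened link.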

4. Generic Greetings

Legitimate companies that have your account on file typically address you by name. "Dear Customer," "Dear Account Holder," or "Dear User" are common in mass-sent phishing attempts. Not a guarantee on its own, but a warning sign when combined with others.

5. Requests for Sensitive Information

No legitimate bank, government agency, or major tech company will ask you to confirm your password, full credit card number, or Social Security number via email. Ever. If an email asks for this, it's a scam.

6. Unexpected Attachments

Phishing emails often carry malicious attachments disguised as invoices, shipping notices, or documents. Be especially wary of .exe, .zip, .docm, or .xlsm files from unexpected senders. Even PDFs can contain malicious scripts.

7. Spelling and Grammar Errors

While sophisticated attacks are now well-written, many phishing emails still contain awkward phrasing, odd punctuation, or subtle spelling errors. These can slip through when attackers translate templates across languages. Read emails carefully.

8. The Offer Seems Too Good to Be True

Unexpected prize winnings, inheritance notices, unclaimed refunds, or investment opportunities with guaranteed returns are classic lures. If you didn't enter a contest, you didn't win it.

What to Do If You Suspect a Phishing Email

  1. Don't click anything. Not links, not images, not "unsubscribe" buttons — phishing unsubscribe links are often traps too.
  2. Don't download attachments. Even if the email looks partially legitimate.
  3. Verify independently. If the email claims to be from your bank, close the email and go directly to your bank's website by typing the URL yourself. Call the official number on the back of your card if needed.
  4. Report it. Use your email client's "Report Phishing" or "Mark as Spam" feature. In the US, you can forward phishing emails to reportphishing@apwg.org.
  5. Delete it. Once reported, delete the email from your inbox and trash.

What If You Already Clicked a Link?

Don't panic — act quickly:

  • If you entered credentials: Change your password on that service immediately, from a different device if possible. Enable two-factor authentication.
  • If you downloaded something: Run a full malware scan with reputable antivirus software.
  • If you provided financial information: Contact your bank immediately to flag the account for suspicious activity.
  • Inform your IT team if this happened on a work device or account.

Building a Phishing-Resistant Habit

The most effective defense isn't technical — it's behavioral. Develop a habit of pausing before acting on any email that asks you to click, download, or provide information. One second of skepticism is worth more than any spam filter.

Combined with strong, unique passwords and two-factor authentication on all important accounts, this habit makes you a very difficult target.