Most phishing attacks don’t begin with a dramatic hack. They begin with an ordinary-looking email: a delivery update, a password reset, a message from your bank, or a note that appears to come from your boss.
It takes only one rushed click to hand over a password, install malware, or send money to a criminal. The good news is that phishing emails usually leave clues. Once you know where to look, those clues become much harder to miss.
What Is a Phishing Email?
A phishing email is a fraudulent message designed to make you act before you stop to verify what you’re seeing. The sender may want your login details, financial information, personal data, or access to your device.
Some phishing messages are broad and generic. Others are carefully tailored. A targeted scam, often called spear phishing, might use your name, employer, recent purchase, or job title to feel believable. Criminals can gather much of that information from social media profiles, public websites, or breached data.
That’s why spotting a phishing email isn’t just about catching misspellings. Today’s scams can use polished writing, copied company logos, and convincing email templates. The real test is whether the message stands up to a closer look.
7 Red Flags That Help You Spot a Phishing Email
1. The sender’s name looks right, but the address does not
A sender can label an email “PayPal Support” or “Microsoft Security” without actually working for either company. Check the full email address, not only the display name.
For example, [email protected] may look plausible at a glance. But it is not an official PayPal address. Watch for extra words, swapped letters, unusual hyphens, or domains that use .co instead of .com.
If the address feels almost right, treat it as wrong until proven otherwise.
2. The message creates panic or artificial urgency
Phishing emails want you moving fast. They may claim your account will be closed today, your payment has failed, or suspicious activity requires “immediate action.”
That pressure is deliberate. When people feel rushed, they are less likely to inspect a link or question an unusual request.
A legitimate company may alert you to an account issue. But you do not need to use the link in the email to deal with it. Open a new browser window, type the company’s website yourself, and check your account there.
3. It asks for information a real organization should never request
Be especially cautious if an email asks you to share or confirm:
- Passwords or one-time verification codes
- Full bank account or card details
- Social Security or national identity numbers
- Remote access to your computer
- Payment by gift card, cryptocurrency, or wire transfer
Reputable companies do not ask for passwords by email. Neither does a legitimate IT department. If someone asks for a multi-factor authentication code, they may already have your password and need that final piece to enter your account.
4. The link does not lead where it says it does
Before clicking a link on a computer, hover over it. Your browser or email app should show the actual web address. Compare that address with the organization the email claims to represent.
A message may say “Review your invoice” while the link leads to a string of unrelated words and numbers. That is a strong phishing warning.
Also, don’t rely on the padlock icon alone. HTTPS encrypts a connection, but it does not prove the website belongs to a trustworthy business. Phishing sites can use HTTPS too.
5. An attachment appears unexpectedly
Unexpected attachments deserve caution, even when they seem to come from someone you know. A compromised email account can send convincing messages to everyone in its contact list.
Be wary of attachments with extensions such as .exe, .js, .zip, .iso, .docm, or .xlsm. Files using macro-enabled Office formats can contain malicious code.
If a colleague sends an invoice you weren’t expecting, verify it through a separate channel first. Send a new message, call them, or speak to them directly. Do not reply to the suspicious email.
6. The greeting, writing, or design feels slightly off
“Dear Customer” is not automatic proof of a scam. Plenty of legitimate companies use generic greetings. But it becomes meaningful when paired with other warning signs.
Look for awkward wording, inconsistent fonts, blurry logos, strange spacing, or brand colors that look close but not quite right. Modern phishing messages are often well written, especially with AI tools making poor grammar less reliable as a signal. Still, visual and contextual inconsistencies remain useful clues.
Trust the feeling that something is off. Then verify it.
7. The request is unusual, even if it comes from someone familiar
Some of the most costly phishing scams impersonate a manager, vendor, friend, or family member. The email may ask you to buy gift cards, change payroll details, send an urgent payment, or share a file.
The request matters more than the name in the sender field. If it is unusual, expensive, confidential, or time-sensitive, confirm it independently. A two-minute phone call can prevent a serious loss.
What to Do When You Suspect Phishing
Don’t click, download, reply, or forward the email. Report it using your email provider’s phishing-reporting option, then delete it.
If the message appears to come from your workplace, send it to your IT or security team. If it impersonates a business, contact that business through contact details found on its official website.
If you already clicked a link or entered your password, act quickly:
- Change the password for that account immediately.
- Change it anywhere else you reused it.
- Turn on multi-factor authentication.
- Review account activity and payment methods.
- Contact your bank or relevant provider if financial information was involved.
The FTC’s phishing guidance and CISA’s advice on avoiding phishing offer practical reporting and recovery steps.
A Pause Is Your Best First Defense
Learning how to spot a phishing email does not mean treating every message with paranoia. It means building one simple habit: pause before you act.
Check the sender. Inspect the link. Question urgency. Verify unexpected requests somewhere outside the email itself.
That small pause is often all it takes to turn a convincing scam into an email you delete and forget.

