How to Spot Phishing Emails Before They Trick You
Phishing remains the single most common way people lose access to their accounts, money, and identity. The attacks have grown polished — modern phishing emails copy real logos, mimic real domains, and reference real services you actually use. The good news: nearly every phishing attempt still has tells, and once you know what to look for you can stop them in seconds.
What Phishing Actually Is
Phishing is a social engineering attack delivered most often by email (the SMS version is called "smishing"). The attacker pretends to be a brand you trust — your bank, a delivery service, your employer, Microsoft, Apple, PayPal — and tries to get you to click a link, open an attachment, or reply with sensitive information. The goal is almost always one of three things: steal your password (and, increasingly, the one-time code or login session that goes with it), install malware, or talk you into wiring money.
The Red Flags Every Email Should Be Checked Against
Urgency and fear: "Your account will be closed in 24 hours." "Suspicious login detected — verify now." Real companies rarely give you a panic deadline. Urgency is designed to bypass your judgment.
Mismatched sender address: The display name might say "Apple Support" while the actual address is support@apple-verify-account.com. Click or hover the sender name to reveal the real address, and look at the domain after the @. Remember the reverse is not proof: a From address can be forged when the sending domain doesn't enforce anti-spoofing policies, so treat a matching address as one signal, not a green light.
Generic greetings: "Dear Customer" or "Dear User" instead of your name suggests the sender doesn't actually know you. The reverse doesn't hold: targeted attacks use your real name.
Suspicious links: Hover over any link before clicking. What matters is the registrable domain, the name directly before the ending such as .com (the paypal.com in https://www.paypal.com/account). Everything to the left of it is a subdomain the site owner picks freely, so secure.paypal.com.login-update.net belongs to login-update.net, not to PayPal. Also watch for character swaps such as paypa1.com (digit one instead of l) and arnazon.com (r and n instead of m).
Unexpected attachments: PDFs, ZIPs, or Office documents you didn't ask for, especially ones that prompt you to "Enable Editing" or "Enable Macros," are a classic malware delivery method. A password-protected archive whose password is given in the email body is a particular warning sign: the password is there to stop your mail provider's scanner from looking inside.
Spelling and grammar mistakes: Big companies have copy editors, so awkward phrasing or typos are a giveaway. Clean prose proves nothing in the other direction, though; plenty of phishing is now written flawlessly.
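The sender-address and link checks above, hovering included, can be written down as code. The following is an added example for this article, not code from the original page; the brand list, the short public-suffix list and the character-swap table in it are assumptions constructed for illustration, and a real mail filter would load the full Public Suffix List and a maintained brand database instead.

```python
# Added example (not from the original article): the "mismatched sender" and
# "suspicious link" checks above, written as code.  The brand list, suffix list
# and confusable table are assumptions constructed for illustration; a real
# mail filter would load the Public Suffix List and a maintained brand database.
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: brands we care about and the domains they really send from / link to.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}

# Assumption: a few multi-label public suffixes, so "amazon.co.uk" is one domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Substitutions that build lookalikes such as "paypa1" and "arnazon".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s")]


def registrable_domain(hostname: str) -> str:
    """The part of a hostname that a company actually registers.

    'secure.paypal.com.login-update.net' -> 'login-update.net'
    Everything left of it is a subdomain the domain owner picks freely.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def unconfuse(text: str) -> str:
    """Map lookalike substitutions back to the letters they imitate."""
    text = text.lower()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def brand_mentioned(text: str) -> Optional[str]:
    """First known brand whose name appears in text, lookalike spellings included."""
    flat = unconfuse(text)
    return next((b for b in BRAND_DOMAINS if b in flat), None)


def check_link(url: str) -> List[str]:
    """Reasons a link's host is suspicious; an empty list means nothing was found."""
    host = urlparse(url).hostname or ""
    brand = brand_mentioned(host)
    if brand is None:
        return []                        # no brand claimed, nothing to compare
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS[brand]:
        return []                        # the brand's own domain; any subdomain is fine
    if unconfuse(reg) in BRAND_DOMAINS[brand]:
        return [f"lookalike domain {reg!r} imitates {brand!r}"]
    if brand in host.lower() and brand not in reg:
        return [f"{brand!r} appears only as a subdomain; the real domain is {reg!r}"]
    return [f"mentions {brand!r} but is registered as {reg!r}"]


def check_anchor(href: str, visible_text: str) -> List[str]:
    """The hover check: link text shows one domain while the href goes elsewhere."""
    findings = check_link(href)
    shown_url = visible_text if "://" in visible_text else "http://" + visible_text
    shown = urlparse(shown_url).hostname or ""
    real = urlparse(href).hostname or ""
    if "." in shown and registrable_domain(shown) != registrable_domain(real):
        findings.append(f"link text shows {shown!r} but the href goes to {real!r}")
    return findings


def check_sender(from_header: str) -> List[str]:
    """Compare the display name of a From: header with the address behind it."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable sender address"]
    domain = addr.rsplit("@", 1)[1]
    brand = brand_mentioned(display) or brand_mentioned(domain)
    if brand is None or registrable_domain(domain) in BRAND_DOMAINS[brand]:
        return []
    return [f"claims to be {brand!r} but the mail is from {registrable_domain(domain)!r}"]


if __name__ == "__main__":
    # Constructed samples, including the article's own examples.
    for kind, value in [
        ("sender", "Apple Support <support@apple-verify-account.com>"),
        ("sender", "Apple <no_reply@email.apple.com>"),
        ("link", "https://paypa1.com/signin"),
        ("link", "https://www.arnazon.com/ap/signin"),
        ("link", "https://secure.paypal.com.login-update.net/verify"),
        ("link", "https://www.paypal.com/myaccount"),
    ]:
        result = check_sender(value) if kind == "sender" else check_link(value)
        print(f"{value:52} -> {result or 'ok'}")
```

The important design point is that every comparison is made on the registrable domain, never on the whole hostname or on the display name: that is the one part of an address the attacker cannot pick freely, which is why the subdomain trick and the display-name trick both fall out of the same check.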
The Newer Tricks
Modern phishing has evolved. AI-generated emails are now grammatically perfect. Attackers register lookalike domains the day before sending. Most phishing pages now use valid HTTPS certificates, which are free to obtain, so the padlock icon only tells you the connection to that domain is encrypted, not that the domain belongs to the brand. And "spear phishing" targets you by name, referencing your job title or a coworker, often using information scraped from LinkedIn.
A Simple 10-Second Habit That Stops Most Attacks
Before you click anything in an email, ask three questions: Was I expecting this? Does the sender's actual address (not the display name) come from the brand's real domain? Does the link, when I hover, point to that same domain, with the brand's name directly before the .com or equivalent rather than somewhere further left? If the answer to any of these is "no" or "I'm not sure," don't click. Open a new browser tab, type the company's address yourself, and log in there. If something is genuinely wrong with your account, you'll see it in the dashboard.
What to Do If You Already Clicked
If you entered a password on a phishing site, change it immediately on the real site (typed into the address bar yourself), and anywhere else you reused it. While you're there, sign out of all other sessions and check for forwarding rules, recovery addresses, or app passwords you didn't set up; attackers add these so they keep access after a password change. Turn on two-factor authentication, preferring a security key or passkey where offered, since SMS and app codes can themselves be phished by the same fake page. If you opened an attachment or ran a download, run a malware scan, and on a work device tell your IT or security team right away. And report the email: most providers have a "Report Phishing" button that helps protect everyone else.
Stay Calm, Stay Curious
The single best defense against phishing isn't a tool — it's a small pause before you click. Scammers depend on speed and panic. The moment you slow down to verify, their entire playbook falls apart.