Phishing is the single most common way email accounts get compromised — not because attackers are brilliant, but because the emails are good enough to slip past a tired, busy reader. The good news is that almost every phishing message trips at least one of a small set of warning signs. Learn these ten red flags and you will catch the vast majority of attacks before they catch you.
1. Urgency or Threats
"Your account will be suspended in 24 hours." "Final notice." "Immediate action required." Phishing emails manufacture panic because panicked people don't verify. Legitimate organizations almost never demand instant action under threat. Any email that pressures you to act immediately — especially involving account closure, legal action, or payment — is a prime phishing candidate.
2. Mismatched or Suspicious Sender Address
The display name can say anything, but the actual email address cannot be faked as easily. An email claiming to be from "Netflix" but sent from no-reply@netfl1x-billing.com is phishing. Always expand the sender details and read the full domain. Watch for lookalike domains with swapped letters (rnicrosoft.com instead of microsoft.com), extra words (microsoft-security.com), or unusual top-level domains.
3. Generic Greetings
"Dear Customer," "Dear User," or no greeting at all. Real companies you do business with know your name and use it. Mass-produced phishing emails are sent to millions of addresses at once and rarely personalize. A bank that holds your mortgage will not open with "Dear Valued Customer."
4. Requests for Sensitive Information
No legitimate organization will ever email you asking for your password, full Social Security number, credit card number, PIN, or 2FA code. If an email requests any credential or verification code, it is phishing — full stop. Banks, email providers, and government agencies all have policies against this. They may direct you to log in via their website, but they will never collect secrets through email.
5. Mismatched or Hover-Deceptive Links
The visible link text and the actual destination are often different in phishing emails. A button labeled "Sign in to your account" may point to login-account-verify.ru instead of the real site. On a computer, hover over any link (without clicking) and read the URL that appears in the bottom corner of your browser. On mobile, long-press to preview. If the destination doesn't exactly match the organization's real domain, don't click.
6. Unexpected Attachments
Attachments are a major delivery method for malware. Be especially wary of .zip, .exe, .scr, password-protected documents, and macro-enabled Office files (.docm, .xlsm). Even PDFs can carry malicious links. If you weren't expecting a document from this sender, don't open it — verify through a separate channel first.
7. Spelling, Grammar, and Formatting Errors
Modern phishing has improved, but many campaigns still contain telltale errors: odd phrasing, broken sentences, inconsistent capitalization, or formatting that doesn't match the brand's real emails. A polished company like Apple does not send emails with subject lines like "Your Apple ID has Been suspend." One error might be nothing; several are a flag.
8. Too Good to Be True Offers
You've won a lottery you didn't enter. A package is waiting for you. Someone wants to transfer you millions. An investment guaranteeing returns. These appeal to greed and curiosity, and they are always scams. Real prizes don't arrive via cold email, and legitimate financial opportunities don't require you to send money or credentials first.
9. Requests to Update Payment or Delivery Details
One of the most effective phishing templates impersonates a delivery service (FedEx, UPS, DHL, USPS) or a subscription (Netflix, Amazon, Microsoft) claiming a problem with your payment or delivery. The email includes a "fix it" link that leads to a fake page harvesting your card details. Always handle billing issues by logging into the service directly — never through an email link.
10. Inconsistent Branding or Logos
Phishing emails often reuse stolen logos but get the details wrong: wrong colors, low-resolution images, missing footers, or links that don't go where the real brand's links go. Compare a suspicious email to a known-good email from the same company. If the layout, fonts, or footer language differ, be suspicious.
What to Do When You Spot a Phishing Email
- Don't click, don't reply, don't open attachments. The safest action is no action.
- Report it using your email provider's "Report phishing" button. This trains spam filters and helps protect other users.
- If you already clicked a link or entered credentials, change that account's password immediately and enable two-factor authentication. Then follow our email hacked response plan.
- Forward suspicious emails to the organization being impersonated (e.g.,
spoof@paypal.com,phishing@irs.gov) and toreportphishing@apwg.org.
The Layered Defense
Spotting phishing is important, but it shouldn't be your only protection. Combine vigilance with technical safeguards: a password manager that won't autofill credentials on fake domains, passkeys that can't be phished at all, and hardware-key 2FA that defeats even the most convincing fake login pages. Each layer catches what the others miss.
The Bottom Line
Phishing succeeds through volume and psychology, not sophistication. Attackers send millions of emails knowing that even a tiny click rate pays off. Your defense is a habit: pause, verify the sender, check the link, and never act on urgency. Memorize these ten red flags, and you'll see phishing attempts for what they are — obvious, once you know what to look for.