How to Spot Phishing Emails: 10 Red Flags
Phishing emails are the most common cybersecurity threat. Over 3.4 billion phishing emails are sent every day, and they account for more than 90% of data breaches. Learning to spot them is one of the most important digital safety skills you can develop.
1. The Sender Address Doesn’t Match
Check the actual email address, not just the display name:
Display name: "PayPal Security Center"
Email address: paypal-secure-2024@ru.randomdomain.xyz
^
Not paypal.comHover over the sender name before clicking anything. If the domain doesn’t match the company, it is a scam. Attackers spoof display names to look legitimate, but the underlying address always reveals the truth.
Pro tip: In Gmail, click the “Show details” arrow next to the sender name to see the full email address. In Outlook, right-click the message and select “View message details.”
2. Generic Greetings
Legitimate companies use your name:
| Phishing | Legitimate |
|---|---|
| “Dear valued customer,” | “Dear Sarah Chen,” |
| “Dear user,” | “Dear Mr. Johnson,” |
| “Hello account holder,” | “Hi Alice,” |
If an email from a service you use doesn’t address you by name, be suspicious. Companies you do business with have your name on file and use it in their communications. A generic greeting is a strong indicator that the sender does not actually know who you are.
Exception: Some legitimate marketing emails use generic greetings. But if the email claims to be urgent or about your account, a missing name is a major red flag.
3. Urgent or Threatening Language
Phishers create panic to override your judgment:
“Your account will be suspended within 24 hours!” “Unauthorized login detected. Verify immediately.” “You owe $499.99. Payment overdue.”
Legitimate companies don’t threaten you via email. If it creates urgency, it is probably fake. Phishers rely on your fear response — when you panic, you are less likely to check details before clicking.
Real-world example: A common phishing tactic is pretending to be from Netflix claiming your payment failed. The email says your account will be cancelled within 24 hours unless you update your billing information. The link leads to a fake Netflix login page that steals your credentials.
4. Suspicious Links
Hover over links (don’t click) to see the real destination:
Displayed link: https://paypal.com/reset-password
Actual link: https://phishingsite.ru/steal/passwordIf the URL doesn’t match the company’s official domain, don’t click. On mobile, press and hold the link to see the preview.
Common URL tricks to watch for:
- Misspellings: go0gle.com (zero instead of o), paypa1.com (one instead of l)
- Subdomain tricks: secure-paypal.com.phishing.com
- Unusual TLDs: .ru, .xyz, .top, .click
- URL shorteners: bit.ly, tinyurl.com (these hide the real destination)
5. Spelling and Grammar Errors
Phishing emails often contain:
- Awkward phrasing
- Missing words
- Incorrect capitalization
- Strange formatting
Legitimate companies proofread their emails. Errors are a red flag. However, be aware that some sophisticated phishing attacks now use AI-generated text that is grammatically perfect.
Why the errors? Some phishers deliberately include errors to filter out savvy recipients. If you notice the errors and delete the email, they have saved themselves from having to deal with a skeptical target. The errors are a feature, not a bug.
6. Unexpected Attachments
Email attachments from unknown senders should never be opened:
- Invoices you didn’t request
- Shipping notifications for items you didn’t order
- “Secure messages” in PDF format
- ZIP or RAR files
Attachments can contain malware that installs keyloggers, ransomware, or remote access tools on your computer. Even PDFs and Office documents can contain malicious macros.
Safe practice: If you receive an unexpected attachment from someone you know, message them through another channel (phone, chat) to verify they sent it. Their account may be compromised.
7. Requests for Personal Information
Legitimate companies never ask for:
- Your password (in any form)
- Social Security number
- Credit card details
- Bank account numbers
- Two-factor authentication codes
If an email asks for any of these, it is a phishing attempt. No legitimate organization will email you asking for your password or sensitive financial information.
Two-factor code scam: A newer phishing tactic asks for your 2FA code, claiming the company needs to “verify your identity.” In reality, the scammer is trying to log in to your account and needs the code that was sent to your phone.
8. Too Good to Be True
“You’ve won £5,000,000 in the lottery!” “Your tax refund of $1,200 is ready.” “Exclusive investment opportunity — guaranteed returns!”
If you didn’t enter a contest, you didn’t win. Delete. These emails play on greed and excitement, overriding your critical thinking. If something seems too good to be true, it is.
9. Mismatched Branding
Look closely at logos, colors, and formatting:
- Blurry or stretched logos
- Wrong company colors
- Missing footer information
- No physical address or unsubscribe link
Companies maintain brand consistency. Poor quality is a giveaway. Compare the suspicious email to a legitimate email you know you have received from the same company.
Real example: A common Amazon phishing email uses a slightly wrong shade of orange and a logo that is pixelated at the edges. These details are easy to miss if you are skimming, but obvious once you look carefully.
Real Examples
PayPal Phishing
From: "PayPal" <secure-notifications@paypal-update.net>
Subject: Your account has been limited
Dear Customer,
We have detected unusual activity on your account.
Your account has been temporarily limited.
Click here to verify your identity immediately.
PayPal TeamRed flags: Wrong domain, generic greeting, urgent language, requests identity verification.
Delivery Phishing
From: "FedEx" <tracking@fedex-delivery-alerts.xyz>
Subject: Package delivery failed
Your package could not be delivered.
Please download the shipping label and take it to your
local post office to reschedule delivery.
[Download Label (ZIP file)]Red flags: Suspicious domain, unexpected attachment (ZIP).
Microsoft 365 Credential Phishing
From: "Microsoft" <admin@m365-security-alerts.co>
Subject: Action Required: Your password will expire
Dear User,
Your Microsoft 365 password will expire in 48 hours.
Click below to keep your current password:
[Keep Current Password]
Microsoft Security TeamRed flags: Unknown sender domain, threat of service loss, asks you to “verify” by clicking a link.
What to Do If You Receive a Phishing Email
- Do not click any links or open attachments
- Do not reply
- Report it:
- Gmail: Click “Report spam”
- Outlook: Click “Report phishing”
- Forward to the impersonated company’s security team
- Delete it
If you clicked a phishing link:
- Change your password immediately (on a different device)
- Enable two-factor authentication if not already enabled
- Run a virus scan using Windows Defender or Malwarebytes
- Monitor your accounts for unusual activity for the next 30 days
- Contact your bank if financial information was entered
- Place a fraud alert on your credit report if sensitive data was involved
How Businesses Can Protect Themselves
For organizations, training employees to spot phishing is essential, but technical controls also matter:
- DMARC, DKIM, and SPF — email authentication protocols that make it harder to spoof your domain
- Advanced threat protection — tools that scan attachments and links before delivery
- Simulated phishing campaigns — test your employees with fake phishing emails to identify who needs additional training
- Reporting buttons — make it easy for employees to report suspicious emails
Related: Set up two-factor authentication and learn about password managers.
Frequently Asked Questions
What is the minimum system requirement for spot phishing emails?
System requirements vary by implementation. Most modern solutions require at least 4GB of RAM, a multi-core processor, and a stable internet connection. For specific applications, refer to the vendor documentation. Hardware requirements typically increase with scale — enterprise deployments need significantly more resources than personal or small business setups.
How does this compare to alternative approaches?
Every technology choice involves trade-offs. Some prioritize ease of use over customization, while others offer maximum control at the cost of complexity. Evaluating your specific needs, technical expertise, and growth plans helps determine the right fit. Many organizations use a combination of approaches to balance competing priorities.
What security considerations should I be aware of?
Security should be considered from the start, not as an afterthought. Keep all software updated, use strong authentication, encrypt sensitive data, and follow the principle of least privilege. Regular security audits and staying informed about emerging threats are essential practices for maintaining a secure deployment.
How do I troubleshoot common issues?
Start by isolating the problem: check logs, verify configurations, and test components individually. Common issues include network connectivity problems, permission errors, and version incompatibilities. Systematic troubleshooting — changing one variable at a time — helps identify root causes efficiently. Online communities and documentation are valuable resources when you encounter unfamiliar problems.
Related Concepts and Further Reading
Understanding spot phishing emails requires familiarity with several interconnected ideas and principles that together form a complete picture. Exploring these related concepts deepens your knowledge and provides context that makes the core material more meaningful and applicable. Each concept builds on the others, creating a web of understanding that supports deeper learning and practical application. Taking time to explore how these elements connect reveals patterns that accelerate comprehension and retention of new information.
The relationship between spot phishing emails and adjacent fields is worth particular attention. Many of the most important insights emerge at the boundaries between disciplines, where ideas from different areas combine to create new approaches and solutions that neither field could produce alone. Exploring these connections pays dividends in both breadth and depth of understanding, revealing patterns and principles that might otherwise remain hidden from view. Cross-disciplinary knowledge is increasingly valued as problems become more complex and interconnected.
For those looking to go beyond introductory material, several excellent resources provide deeper treatment of specific aspects of spot phishing emails. Academic journals, industry publications, authoritative reference works, and online courses each offer different perspectives and levels of detail. The key is to match your reading to your current learning goals and build knowledge progressively, focusing on quality over quantity in your study materials. A well-chosen resource that matches your current level is worth more than dozens of resources that are too basic or too advanced.