Phishing is a cyberattack where criminals send fraudulent emails that impersonate legitimate organizations to steal login credentials, financial information, or install malware.
You can identify most phishing emails by checking for urgent language, misspelled sender domains, suspicious links, and generic greetings like “Dear Customer.” Real companies use your actual name and don’t threaten immediate account closure.
According to the FBI’s Internet Crime Complaint Center, phishing attacks resulted in $52 million in losses in 2022. The average person receives 14 phishing emails per month. Knowing how to spot them protects your accounts and financial information.
What Phishing Is and Why It Works
Phishing emails pretend to be from trusted organizations: banks, shipping companies, government agencies, tech support, and even your employer. The goal is getting you to click a malicious link or download an infected attachment.
These attacks work because they exploit urgency and fear. “Your account will be closed in 24 hours.” “Suspicious activity detected.” “Package delivery failed.” The email pushes you to act fast without thinking critically.
Criminals make phishing emails look legitimate. They copy company logos, use official-looking email formats, and steal actual employee names from LinkedIn. Some phishing emails are sophisticated enough to fool security professionals.
The most successful phishing attacks target human psychology, not technical vulnerabilities. You might have excellent antivirus software, but clicking a phishing link bypasses all of that protection.
What Are the Signs of a Phishing Email?
Phishing emails reveal themselves through consistent patterns. Watch for these warning signs.
1. Urgent or Threatening Language
“Act now or your account will be suspended.” “Verify within 24 hours.” “Immediate action required.” Legitimate companies rarely threaten immediate consequences via email.
Real security alerts give you time to respond. Your bank won’t close your account if you don’t click a link within an hour. Government agencies send official mail, not threatening emails.
Phishers use urgency to override your judgment. They want you clicking before you notice the red flags. If an email makes you panic, stop and verify it through official channels.
2. Generic Greetings
“Dear Customer.” “Dear Account Holder.” “Hello User.” Companies you have accounts with know your name. They use it in emails.
Your bank emails you as “Dear John Smith,” not “Dear Valued Customer.” Amazon uses “Hello Sarah,” not “Dear Amazon Customer.” Generic greetings signal mass phishing campaigns sent to thousands of addresses.
Check your past legitimate emails from the company. Compare how they address you. Consistent generic greetings are a major red flag.
3. Misspelled Sender Domain
The email claims to be from [email protected] instead of [email protected]. Notice the “1” instead of “l.” Or [email protected] instead of [email protected].
Phishers register domains that look similar to legitimate companies. They rely on you not examining the sender address closely. Common tricks include:
- Substituting numbers for letters (paypa1.com, g00gle.com)
- Adding extra letters (paypall.com, amazoon.com)
- Using different domain extensions (paypal.net instead of paypal.com)
- Adding hyphens or underscores (pay-pal.com, pay_pal.com)
Always check the full sender email address, not just the display name. The display name can say “PayPal Support” while the actual address is from a random domain.
4. Suspicious Links That Don’t Match
Hover your mouse over any link in the email without clicking. Your browser or email client shows the actual destination URL. If the email claims to be from Chase Bank but the link goes to chase-verify.com or some random string of characters, it’s phishing.
Legitimate companies link to their actual domains. Bank of America links go to bankofamerica.com. IRS links go to irs.gov. If you see unexpected domains, shortened URLs, or IP addresses instead of company names, don’t click.
Some phishers use link shorteners like bit.ly or tinyurl to hide the real destination. Legitimate companies rarely use shortened links in official emails because they understand it looks suspicious.
5. Requests for Personal Information
No legitimate company emails you asking for passwords, Social Security numbers, credit card numbers, or account PINs. These requests only appear in phishing emails.
Banks already have your account information. They don’t need you to “verify” it via email. The IRS contacts you through official mail, not email requests for tax information. Tech support doesn’t email asking for your password.
If you receive any email requesting sensitive information, it’s phishing. Delete it immediately.
6. Unexpected Attachments
You receive an email with an invoice attachment, but you didn’t order anything. Or a resume from someone you never contacted. Or a shipping notification with a PDF you need to “review.”
Phishing attachments install malware when opened. Common malicious file types include:
- .exe files (programs that run code)
- .zip files (compressed archives that can contain malware)
- Microsoft Office documents with macros (.docm, .xlsm)
- PDF files with embedded scripts
Never open unexpected attachments. If you were expecting a file, verify with the sender through a different communication method before opening.
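As an added example (not the article's own code), the Python below inspects a message's attachments for the file types listed above: executables (including double extensions such as Invoice.pdf.exe), macro-enabled Office documents, PDFs that contain script-related dictionary keys, and zip archives whose members are executables. The sample email is built inline with placeholder bytes, and the extension lists are constructed and deliberately short.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed, intentionally short lists for the example.
EXECUTABLE = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".jar", ".lnk"}
MACRO_DOCS = {".docm", ".xlsm", ".pptm"}
# PDF dictionary keys that indicate embedded actions or scripts.
PDF_SCRIPT_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def extensions(name):
    """All extensions in a file name: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def audit_attachments(raw):
    """Return (code, detail) findings for every attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        exts = extensions(name)
        last = exts[-1] if exts else ""
        if last in EXECUTABLE:
            findings.append(("executable", name))
        elif last in MACRO_DOCS:
            findings.append(("macro_document", name))
        elif last == ".pdf" and any(marker in data for marker in PDF_SCRIPT_MARKERS):
            findings.append(("pdf_script", name))
        if len(exts) > 1:
            findings.append(("double_extension", name))  # the real type is the last extension
        if last == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for member in archive.namelist():
                        inner = extensions(member)
                        if inner and inner[-1] in EXECUTABLE | MACRO_DOCS:
                            findings.append(("archived_executable", f"{name}:{member}"))
            except zipfile.BadZipFile:
                findings.append(("unreadable_archive", name))
    return findings


def build_sample_email():
    """Constructed sample with three suspicious attachments; payloads are placeholders, not malware."""
    msg = EmailMessage()
    msg["From"] = "Billing <billing@invoices-notice.example>"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Your account will be charged unless you dispute the attached invoice within 48 hours.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice.pdf.exe", b"placeholder bytes")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"placeholder bytes", maintype="application", subtype="octet-stream", filename="Statement.docm")
    pdf = b"%PDF-1.4\n1 0 obj\n<< /OpenAction << /S /JavaScript /JS (placeholder) >> >>\nendobj\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="Receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for code, detail in audit_attachments(build_sample_email()):
        print(code, "-", detail)
```

The archive check matters because a zip's own extension looks harmless; the finding names the member inside it so a reviewer sees both the wrapper and the disguised file.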
7. Poor Spelling and Grammar
Professional companies proofread their emails. Multiple spelling errors, awkward phrasing, and grammatical mistakes suggest a phishing attempt, especially from companies known for polished communication.
Some phishing emails are well-written, so don’t rely on this alone. But obvious mistakes combined with other red flags confirm phishing. Legitimate emails from major corporations don’t have subject lines like “You Account Has Been Compromise.”
8. Too Good to Be True Offers
“You’ve won $1,000,000.” “Congratulations, you’re our lucky winner.” “Claim your free iPhone now.” If you didn’t enter a contest, you didn’t win anything.
Prize scams are common phishing tactics. Similar to 419 scams, these emails try to steal your information or money by promising unrealistic rewards. Real prize notifications come from companies you actually interacted with and never ask for payment to claim prizes.
9. Mismatched URLs in Email Body
The email text says “Click here to verify your Amazon account” but when you hover, the URL shows randomwebsite.com/verify.php. The displayed text doesn’t match the actual link destination.
This is different from misspelled domains. The phisher is actively trying to hide where the link goes by displaying fake text. Always hover before clicking any link in any email.
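The hover check described under signs 4 and 9 can be applied to an email's HTML body automatically. The script below is an added example and not part of the article: it collects every link's visible text and real destination, then flags targets that are bare IP addresses, known shortener domains, text that shows one domain while the href goes to another, and text that names a brand whose official domain the link does not use. The sample body, the shortener list and the brand table are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for the example; a real filter would use fuller ones.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
BRAND_DOMAINS = {"amazon": "amazon.com", "chase": "chase.com"}
# Something that looks like a host name or URL inside the visible link text.
URL_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    if "://" not in url:
        url = "http://" + url  # bare "example.com/path" as it appears in anchor text
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    return ".".join(host.split(".")[-2:])  # simplification: no public-suffix list


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html):
    """Return (code, detail) findings for links whose real target does not match what is shown."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if is_ip(host):
            findings.append(("ip_address", href))
        elif registrable(host) in SHORTENERS:
            findings.append(("shortener", href))
        shown = URL_LIKE.search(text)
        if shown and registrable(host_of(shown.group(0))) != registrable(host):
            findings.append(("text_host_mismatch", f"shows {shown.group(0)} but goes to {host}"))
        for brand, official in BRAND_DOMAINS.items():
            if brand in text.lower() and registrable(host) != official:
                findings.append(("brand_mismatch", f"mentions {brand} but goes to {host}"))
    return findings


# Constructed sample body, not a real phishing email.
SAMPLE_HTML = """
<p>Dear Customer,</p>
<p><a href="http://randomwebsite.com/verify.php">Click here to verify your Amazon account</a></p>
<p><a href="http://198.51.100.7/login">Sign in to Chase Online</a></p>
<p><a href="https://bit.ly/placeholder">View your statement</a></p>
<p>Questions? Visit <a href="https://www.amazon.com/help">amazon.com/help</a></p>
"""

if __name__ == "__main__":
    for code, detail in audit_links(SAMPLE_HTML):
        print(code, "-", detail)
```

The last link in the sample is the legitimate case: its text and href resolve to the same registrable domain, so it produces no finding, which is the behaviour you want before wiring a check like this into a mail filter.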
10. Unusual Sender Behavior
Your coworker who normally emails you during business hours sends an urgent request at 3 AM. Your bank that usually sends monthly statements suddenly sends three “security alerts” in one day. Your credit card company uses a different email format than usual.
Pattern breaks signal compromise. If someone’s account was hacked, phishers use it to send emails to everyone in the contact list. These emails exploit trust in the sender’s name. Understanding how to handle emails from unknown senders applies equally when familiar contacts start sending suspicious messages.
When something feels off about an email from a known contact, verify through another method. Call them, message them on a different platform, or walk to their desk if they’re in your office.
How Do I Know If an Email Is Legitimate?
Verify suspicious emails before clicking anything. Here’s how to confirm legitimacy.
Check the full sender address. Click on the sender’s name to reveal the complete email address. Verify it matches the company’s official domain exactly. Look for subtle misspellings or unusual domains. If you’re evaluating an unfamiliar sender, learn how to verify if an email sender is legitimate by checking email headers and domain authentication.
Hover over all links. Don’t click. Just hover your mouse to see the real destination. The URL should match the company’s official website domain.
Contact the company directly. Don’t use contact information from the suspicious email. Go to the company’s official website yourself (type it in your browser, don’t click links) and use the contact information listed there. Ask if they sent the email.
Check your account directly. If the email claims there’s a problem with your account, log in through the official website or app, not through email links. Check if the alert appears in your account dashboard.
Search for the exact email text. Copy a unique phrase from the email and search it on Google. If it’s a known phishing scam, security researchers have probably documented it. You’ll find warnings and examples.
You can also use reverse email lookup to verify sender information and find all accounts associated with an email to check if the sender has a legitimate online presence. Learning how to find out who owns an email address helps you identify whether suspicious senders are real companies or scammers using fake identities.
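The header and domain-authentication check mentioned above can be done from the Authentication-Results header that your own receiving mail server adds. The script below is an added example, not the article's: it reads the SPF, DKIM and DMARC results only from the header stamped with your server's authserv-id (mx.example.net here, an assumed value), checks that the DKIM signing domain aligns with the From: domain, and returns a verdict. The three sample messages are constructed. The look-alike sample shows the caveat a practitioner needs: a passing result proves the mail came from the domain in the From: header, not that the domain belongs to the brand in the display name.

```python
import email
import re
from email import policy
from email.utils import parseaddr

RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DKIM_DOMAIN = re.compile(r"header\.d=([^;\s]+)")


def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])  # simplification: no public-suffix list


def assess_authentication(raw, authserv_id):
    """Summarise SPF/DKIM/DMARC for a raw message, trusting only the
    Authentication-Results header written by our own server (authserv_id)."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, address = parseaddr(msg["From"] or "")
    from_domain = address.rpartition("@")[2].lower()
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    dkim_domain = None
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(header).partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0] != authserv_id:
            continue  # header added by someone else (possibly the sender): ignore it
        for mechanism, result in RESULT.findall(rest):
            results[mechanism] = result.lower()
        match = DKIM_DOMAIN.search(rest)
        if match:
            dkim_domain = match.group(1).lower()
        break
    # DKIM only vouches for the From: domain when the signing domain aligns with it.
    aligned = dkim_domain is not None and org_domain(dkim_domain) == org_domain(from_domain)
    if results["dmarc"] == "pass" or (results["dkim"] == "pass" and aligned):
        verdict = "authenticated"
    elif "fail" in results.values():
        verdict = "failed"
    else:
        verdict = "unverified"
    return {"from_domain": from_domain, **results, "dkim_domain": dkim_domain,
            "aligned": aligned, "verdict": verdict}


# Constructed samples. mx.example.net plays the role of our own receiving server.
LEGIT = """From: PayPal <service@paypal.com>
To: you@example.com
Subject: Your receipt
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

Thanks for your payment.
"""

# The first header was not written by mx.example.net and must not be trusted.
SPOOFED = """From: PayPal <service@paypal.com>
To: you@example.com
Subject: Suspicious activity detected
Authentication-Results: mail.paypal.com; spf=pass; dkim=pass header.d=paypal.com; dmarc=pass
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=paypal.com; dkim=none; dmarc=fail header.from=paypal.com

Verify your identity within 24 hours.
"""

# Fully authenticated, but for a look-alike domain the phisher controls.
LOOKALIKE = """From: PayPal Support <alerts@paypa1.com>
To: you@example.com
Subject: Verify within 24 hours
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypa1.com; dkim=pass header.d=paypa1.com; dmarc=pass header.from=paypa1.com

Act now.
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, assess_authentication(sample, "mx.example.net"))
```

Read the verdict together with the from_domain field: "authenticated" for paypa1.com is exactly the case where the sender-domain check earlier in this article still has to run.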
Common Phishing Email Scenarios
Phishers use the same scenarios repeatedly because they work. Recognize these common templates.
Fake bank security alerts. “Suspicious activity detected on your account. Click here to verify your identity.” The email looks like your bank with official logos and formatting. The link goes to a fake banking login page that steals your credentials.
Package delivery notifications. “Your package delivery failed. Update your address to reschedule.” You weren’t expecting a package, but maybe someone sent you something? The link installs malware or steals your address and payment information.
Password reset requests. “You requested a password reset. Click here to continue.” You didn’t request anything. The link takes you to a fake login page that captures your current password when you enter it.
Prize winner notifications. “Congratulations! You’ve been selected to receive a $500 gift card.” You need to “verify your information” to claim it. They’re harvesting personal data for identity theft.
Invoice scams. An attached invoice for services you didn’t purchase. “Your account will be charged unless you dispute this within 48 hours.” The attachment contains malware or links to a fake payment portal.
CEO fraud. An email appearing to be from a company executive asking you to wire money urgently or share confidential information. The email address looks similar to the real executive but comes from a fake domain.
Tax season scams. Fake IRS emails claiming you owe taxes or are due a refund. The IRS never initiates contact via email. They send official letters through postal mail.
What Happens If I Click a Phishing Link?
Clicking a phishing link can compromise your accounts, install malware, or steal your information. The exact consequence depends on what type of phishing attack it is.
If the link takes you to a fake login page and you enter your credentials, the phishers now have your username and password. They’ll try these credentials on your actual accounts immediately. They may also test them on other services since many people reuse passwords.
Some phishing links install malware the moment you visit the page, without you downloading anything. This malware can log your keystrokes, steal files, encrypt your data for ransom, or turn your computer into part of a botnet.
Other phishing links start downloads automatically. Opening these files installs trojans, ransomware, or spyware on your system.
Mobile users aren’t immune. Phishing links work on phones and tablets. They can steal saved passwords, access your contacts, and install malicious apps.
What to Do If You Clicked a Phishing Link
Act immediately if you clicked a phishing link. Speed matters.
Disconnect from the internet. Turn off Wi-Fi or unplug your ethernet cable. This stops malware from communicating with its command server and prevents further data theft.
Change your passwords immediately. Use a different device to change passwords for all important accounts. Start with email, banking, and any account using the same password you might have entered on the phishing site. Use unique, strong passwords for each account.
Run a full antivirus scan. Use reputable antivirus software to scan your entire system. Let it quarantine or delete any threats it finds. Consider running multiple scanners for thorough detection.
Check your accounts for suspicious activity. Review recent transactions on your bank accounts and credit cards. Look for unauthorized login attempts in your email and social media account security logs. Check if any account settings were changed.
Enable two-factor authentication everywhere. Even if your password was stolen, two-factor authentication prevents unauthorized access. Use authenticator apps rather than SMS where possible, since phone numbers can be hijacked through SIM swapping.
Monitor your credit reports. Place a fraud alert with the credit bureaus if you suspect your personal information was compromised. Consider a credit freeze to prevent new accounts from being opened in your name.
Report the incident. File a report with your IT department if this happened on a work device. Report to the FTC at identitytheft.gov if personal information was stolen. Report to local police if you lost money.
Should I Report Phishing Emails?
Yes, you should always report phishing emails. Reporting helps security researchers track phishing campaigns and protect others from the same attacks.
Your reports contribute to databases that email providers use to filter future phishing attempts. When enough people report the same phishing email, providers can block it for everyone.
How to Report Phishing Emails
Report phishing through multiple channels for maximum effectiveness.
Forward to the Anti-Phishing Working Group: Send the complete phishing email to [email protected]. This international coalition analyzes phishing attacks and shares data with security companies.
Report to the FTC: File a complaint at reportfraud.ftc.gov. The Federal Trade Commission tracks these scams and uses reports to identify patterns and pursue enforcement actions.
Report to the impersonated company: Most companies have dedicated phishing report addresses. Common ones include:
- Amazon: [email protected]
- Apple: [email protected]
- PayPal: [email protected]
- Microsoft: [email protected]
- Google: [email protected]
Check the company’s official website for their specific reporting address. Forward the phishing email as an attachment, not just the text, so they can analyze the headers.
Report in your email client: Gmail, Outlook, Yahoo, and other email providers have built-in phishing report buttons. Use them. This trains their spam filters and protects other users.
Report to your IT department: If you received the phishing email at work, always inform your IT security team immediately. They need to know if other employees might be targeted and can block the sender across the organization.
Protecting Yourself Beyond Email
Phishing extends beyond email. Be aware of SMS phishing (smishing), phone call phishing (vishing), and social media phishing.
Text message scams use the same tactics: urgent alerts about package deliveries, account problems, or prize winnings. The same verification rules apply. Don’t click links in unexpected texts.
Phone scammers impersonate tech support, government agencies, or your bank. They create urgency and request remote access to your computer or immediate payment. Legitimate organizations don’t call demanding immediate action or payment via gift cards.
Social media phishing includes fake login pages, messages from compromised friend accounts, and malicious links in comments. Be skeptical of unexpected messages even from people you know. Their account might be compromised.
Understanding how to find hidden profiles on social networks and how to find someone on all social networks can help you verify if someone contacting you is legitimate or an impersonator.
How to Identify Phishing Emails:
- Check the sender domain: Look for misspellings or suspicious domains that don’t match the company
- Look for urgent language: Phishing emails create panic with threats and deadlines
- Examine greetings: Generic greetings like “Dear Customer” signal mass phishing
- Hover over links: Check where links actually go before clicking
- Watch for information requests: Legitimate companies never ask for passwords or sensitive data via email
- Verify unexpected attachments: Don’t open attachments you weren’t expecting
- Contact the company directly: When in doubt, verify through official channels
Frequently Asked Questions
What are the signs of a phishing email?
Signs of phishing emails include urgent or threatening language, generic greetings, misspelled sender domains, suspicious links, requests for personal information, unexpected attachments, poor spelling and grammar, too-good-to-be-true offers, mismatched URLs, and unusual sender behavior.
How do I know if an email is legitimate?
Verify email legitimacy by checking the full sender address for exact domain matches, hovering over links to see real destinations, contacting the company directly through their official website, checking your account directly instead of clicking email links, and searching for the email text online to see if it’s a known scam.
What happens if I click a phishing link?
Clicking a phishing link can steal your login credentials if you enter them on a fake page, install malware that logs keystrokes or encrypts files, automatically download malicious software, or compromise your mobile device. The link may work on any device including phones and tablets.
Should I report phishing emails?
Yes, always report phishing emails. Forward them to [email protected], file complaints at reportfraud.ftc.gov, report to the impersonated company’s official phishing address, use your email client’s report button, and inform your IT department if received at work. Reporting helps protect others from the same attacks.