Security

How to Spot a Phishing Email Before It Tricks You

Phishing emails have gotten genuinely convincing. The era of poorly spelled messages from foreign princes ended years ago. Today's attacks replicate corporate email design pixel-perfectly, spoof sender addresses convincingly enough to fool email clients, and build narratives based on what they've harvested from previous data breaches. Techniques that reliably exposed phishing five years ago often fail against modern campaigns.

This guide focuses on the structural patterns that phishing still cannot fully hide — tells that exist regardless of how polished the design looks.

Why Phishing Works Even on Careful People

Phishing succeeds by compressing your thinking time. The message is engineered to create a mental state where clicking feels more urgent than pausing. Your bank reporting suspicious activity on your account. A workplace IT notice that your credentials expire in 24 hours. A package delivery failure that requires immediate action. Every element — subject line, visual design, language — is calibrated to make immediate action feel safer than waiting to think.

Understanding phishing as an emotional manipulation technique, rather than just a technical problem, fundamentally changes how you engage with suspicious messages. The tells below become easier to notice once you're looking for them deliberately.

Check 1 – The Actual Sender Address (Not the Display Name)

Email clients show the display name prominently — "Apple Support" or "Amazon" or "Your Bank." Attackers set this to anything they want. What they cannot easily fake is the actual email address behind it.

Click or tap on the sender's display name to expand and reveal the full address. An email claiming to be from Apple that sends from support@apple.helpdesk-notifications.com is not from Apple. The real domain would be @apple.com — nothing added, nothing different. The domain immediately to the left of the top-level domain (.com, .net, etc.) is what to check. That's the actual sender.

â„šī¸ The Lookalike Domain Trick

Sophisticated attackers register convincing domains like apple-secure.com or paypa1.com (number 1 instead of lowercase L). Read the domain character by character, especially in mobile email clients, where the font can make l and 1 visually identical.

Check 2 – Artificial Urgency and Fear

Legitimate companies almost never send emails threatening to terminate your account, suspend your access, or take legal action unless you click a link in the next 24 hours. If a message creates time-sensitive threats — verify now or lose access, unauthorized login detected, confirm immediately — slow down. This pattern of manufactured urgency is the most reliable indicator of a phishing attempt, consistent across every industry and attack type.

Real financial institutions and services do send security alerts. But they direct you to log in through your usual method — through your browser or app — not through a link embedded in the email. The link in the email exists specifically to bypass your normal security habits.

On desktop email clients, hovering over any link shows the actual destination URL in the status bar. On mobile, long-pressing a link displays a URL preview. Compare that destination to what the email claims it is. If the link goes to a different domain, an IP address, a URL shortener, or anything that doesn't match the company's known domain — don't click.

Attackers also chain redirects: the previewed URL can look legitimate, yet clicking it bounces through one or more other domains before landing on the phishing page. When possible, visit the website directly by typing the address yourself rather than following any email link.
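Putting Check 1 and the link check above into code, as an added example that is not part of the original article: it parses a constructed sample message, compares the real sender domain with the brand the display name claims (including the 1-for-l lookalike), and flags links whose visible text, bare-IP host or URL shortener hides the real destination. The shortener list, the 0/1 homoglyph map, the anchor regex and the two-label domain rule are simplifying assumptions, not a production parser.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample message (not a real capture): spoofed display name,
# a shortener, a raw IP link and a digit-for-letter lookalike domain.
SAMPLE_FROM = '"Apple Support" <support@apple.helpdesk-notifications.com>'
SAMPLE_HTML = (
    '<p>Verify now: <a href="https://bit.ly/3xyz">https://appleid.apple.com/verify</a></p>'
    '<p>Or <a href="http://203.0.113.7/login">sign in here</a></p>'
    '<p>Billing: <a href="https://paypa1.com/account">paypal.com</a></p>'
)
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}  # small illustrative list
HOMOGLYPHS = str.maketrans("01", "ol")                     # 0 looks like o, 1 like l
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", re.I)

def registrable_domain(host):
    # Last two labels, e.g. helpdesk-notifications.com.
    # Assumption: no multi-label public suffixes such as co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_sender(from_header, expected_domain):
    # Check 1: the domain behind the address, not the display name, must match.
    name, addr = parseaddr(from_header)
    real = registrable_domain(addr.rpartition("@")[2])
    findings = []
    if real != expected_domain:
        findings.append(f"display name {name!r} but real domain is {real}")
        if real.translate(HOMOGLYPHS) == expected_domain.translate(HOMOGLYPHS):
            findings.append(f"lookalike domain: {real} imitates {expected_domain}")
    return findings

def check_links(html):
    # Flag bare IP hosts, shorteners, and visible text naming a different domain than the href.
    findings = []
    for href, text in ANCHOR.findall(html):   # simple regex; adequate for this sample
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append(f"link to a bare IP address: {href}")
        elif host in SHORTENERS:
            findings.append(f"URL shortener hides the destination: {href}")
        shown = LOOKS_LIKE_URL.fullmatch(text.strip())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"text shows {shown.group(1)} but link goes to {host}")
    return findings

if __name__ == "__main__":
    for line in check_sender(SAMPLE_FROM, "apple.com") + check_links(SAMPLE_HTML):
        print("FLAG:", line)
```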

Check 4 – Unexpected Attachments

Treat every unexpected attachment as a potential threat, even from known senders. Malware frequently spreads by compromising email accounts and sending itself to everyone in the contact list — so a malicious attachment can arrive looking like a message from your colleague.

File types to be particularly cautious with: .exe, .zip, .iso, .js, macro-enabled Office files (.docm, .xlsm). Regular PDFs and Office documents can also be weaponized, though less often. When uncertain, open through Google Drive's online viewer — it renders without executing macros or scripts.

Check 5 – Look Past the Design

A well-crafted phishing email copies the logo, color scheme, and layout of the real company's communications exactly. Don't let polished design lower your guard. Instead check: the actual sender address, the quality of language (subtle grammar issues, unusual phrasing, or slightly-off formal tone remain consistent tells), and how the email addresses you. Generic greetings like "Dear Customer" or "Hello User" are a flag — real companies with your account information use your actual name.

Check 6 – Context Mismatch

Ask whether this email makes sense given your actual account activity. An Amazon shipping notification for an order you didn't place. A password reset you never requested. A subscription renewal for a service you cancelled. A travel booking confirmation from an airline you haven't used in years. These context mismatches are meaningful signals. Real emails arrive because something actually happened in your account or with your service.

If You Already Clicked

If you clicked a link but entered no information, you may be fine — but some attacks execute drive-by malware downloads without requiring any input. Run a full malware scan immediately using Malwarebytes Free.

If you entered credentials, change that password immediately from a different device, review your account for unauthorized activity, and enable two-factor authentication if you haven't already. If you entered payment information, contact your bank right away to flag potential fraud on that card.

🔒 Your Best Single Protection

Two-factor authentication is the most effective phishing defense available. Even if an attacker captures your password, they need the second factor to access your account. Enable it on every critical account — especially email. Email is the master key: whoever controls it can reset every other password. Protect it first.

The consistent theme across all these checks is the same: slow down. Phishing is designed to prevent you from thinking. Creating a 10-second pause to check the sender address and hover over links before clicking anything suspicious is genuinely enough to stop the vast majority of attacks.