How to spot a phishing email
Overview
Why Phishing Still Works
Phishing attacks rely on a simple premise: trick you into treating a malicious message as trustworthy. By mimicking familiar brands, exploiting urgency, or playing on emotions, attackers increase the odds that you’ll click a link, open an attachment, or divulge credentials. Even savvy users can fall prey when the cues are subtle, so learning to recognize the tell‑tale signs is essential for keeping personal and professional data safe.
Common Red Flags to Watch For
Sender address anomalies
- The display name may look legitimate, but the actual email domain often contains misspellings, extra characters, or a completely different domain (e.g., support@paypa1.com instead of support@paypal.com).
- Look for subtle Unicode tricks where characters from non‑Latin alphabets resemble Latin letters.
Urgent or threatening language
- Phrases such as “Your account will be suspended,” “Immediate action required,” or “You’ve won a prize—claim now!” create pressure to act without thinking.
Generic greetings
- Mass‑mailed phishing attempts usually start with “Dear Customer,” “Hello User,” or simply “Hi.” Authentic communications from banks, workplaces, or services often address you by name.
Suspicious links
- Hover over any hyperlink before clicking. The tooltip (or status bar) reveals the true destination URL, which may differ dramatically from the displayed text. Look out for misspelled domains, unexpected subdomains, or URL shorteners that hide the final address.
Unexpected attachments
- Attachments with extensions like .exe, .scr, .zip, .rar, or even Office files that request macro activation (.docm, .xlsm) are classic delivery vehicles for malware. If you weren’t expecting a file, delete it.
Poor spelling or grammar
- Many phishing emails originate from non‑native speakers or automated generators, resulting in awkward phrasing, typos, or inconsistent capitalization.
Requests for personal information
- Legitimate companies rarely ask for passwords, Social Security numbers, or payment details via email. Any such request should raise immediate suspicion.
Below is a sample phishing email that illustrates many of the red flags discussed above. It’s a fabricated example—any resemblance to a real message is purely coincidental.
Example of a Phishing Email
Subject: ⚠️ Your PayPal Account Has Been Suspended – Verify Now!
From: PayPal Support <support@paypa1.com>
Dear Customer,
We have detected unusual activity on your PayPal account and, as a precaution, we have temporarily suspended it.
To reactivate your account and avoid permanent closure, please verify your identity within the next 2 hours. Failure to do so will result in loss of funds and removal of your account.
Click the link below to confirm your details:
👉 https://secure-paypal-login.com/verify?session=7f9c2d
Once you have completed the verification, you will receive a confirmation email and regain full access to your account.
Thank you for your prompt attention to this matter.
Sincerely,
PayPal Support Team
support@paypa1.com
www.paypal.com
Why this email is suspicious
- Sender domain typo: paypa1.com (the letter “l” is replaced with the numeral “1”).
- Urgent language: “within the next 2 hours,” “temporary suspension,” “avoid permanent closure.”
- Generic greeting: “Dear Customer.”
- Misleading link text: The visible URL suggests a PayPal login, but hovering reveals a completely different domain (secure-paypal-login.com).
- Request for personal info: The linked page would ask for login credentials, security questions, or even a full SSN—information PayPal never asks for via email.
- Unusual tone: Professional companies usually address you by name and provide a case/reference number.
Recognizing these cues helps you spot phishing attempts before you click, enter credentials, or download malicious attachments. Stay vigilant!
A Step‑by‑Step Verification Process
- Inspect the sender – Compare the visible name with the actual email address. If the domain doesn’t match the official website of the claimed organization, treat the message as suspicious.
- Examine links safely – Hover, don’t click. If the URL looks odd, copy it (without opening) and paste it into a trusted URL‑expander service or a sandboxed browser session to see where it leads.
- Validate through an independent channel – If the email claims there’s a problem with your bank account, log in directly by typing the bank’s URL into your browser or use the official mobile app. Do not use the link provided in the email.
- Check with the organization – Many companies publish phishing awareness pages (e.g., “How to identify a fake email from us”). Use those resources or contact customer support via a known phone number.
- Report the email – Forward suspicious messages to your IT department, security team, or the organization’s abuse address (often phish@domain.com). Most email providers also have built‑in “Report phishing” buttons.
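The checks above (the red flags list, the “Why this email is suspicious” breakdown, and the first two verification steps) can all be automated on the raw message before anyone clicks. The following Python script is an added example written for this page, not code from the original article or from any of the tools it mentions. It embeds the page’s fabricated PayPal email as a constructed HTML message (so the visible link text and the real href differ, as hovering would reveal) and reports which red flags fire: a typo‑squatted or non‑ASCII sender domain, urgent phrasing, a generic greeting, link text that disagrees with its destination, and risky attachment extensions. The brand allowlist, phrase lists, digit‑to‑letter confusable table and the “last two labels” domain rule are simplifying assumptions, not what a real mail gateway uses.

```python
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the page's fabricated PayPal email, re-cast as HTML so that
# the visible link text differs from the real href (what hovering would reveal).
SAMPLE_EMAIL = """\
From: PayPal Support <support@paypa1.com>
Subject: Your PayPal Account Has Been Suspended - Verify Now!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We have detected unusual activity on your PayPal account and, as a
precaution, we have temporarily suspended it. To reactivate your account and
avoid permanent closure, please verify your identity within the next 2 hours.</p>
<p><a href="https://secure-paypal-login.com/verify?session=7f9c2d">
https://www.paypal.com/signin</a></p>
</body></html>
"""

# Assumption: a tiny brand allowlist and short phrase lists stand in for the
# full ones a mail gateway would use. CONFUSABLES maps digits that often stand
# in for Latin letters (paypa1 -> paypal).
KNOWN_BRANDS = {"paypal": {"paypal.com"}}
URGENT_PHRASES = ("immediate action", "been suspended", "within the next",
                  "permanent closure", "claim now", "verify now")
GENERIC_GREETINGS = ("dear customer", "dear user", "hello user", "hi,", "hello,")
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".rar", ".docm", ".xlsm")
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
TAG_RE = re.compile(r"<[^>]+>")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Last two labels of a host after NFKC normalisation, which folds full-width
    look-alikes to ASCII; Cyrillic look-alikes stay non-ASCII and get flagged.
    Assumption: no public-suffix list, so co.uk-style domains are not handled."""
    host = unicodedata.normalize("NFKC", host.lower().rstrip("."))
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_brand(domain):
    """Brand a domain imitates via typo, digit swap or brand-in-name, else None."""
    if any(domain in legit for legit in KNOWN_BRANDS.values()):
        return None  # genuinely the brand's own domain
    label = domain.split(".")[0]
    folded = label.translate(CONFUSABLES)
    return next((b for b in KNOWN_BRANDS if b in label or b in folded), None)


def analyze(raw):
    """Return human-readable red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender: the display name is what the reader sees; the addr-spec is real.
    _display_name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    if any(ord(ch) > 127 for ch in sender_domain):
        findings.append(f"sender domain {sender_domain!r} contains non-ASCII characters")
    brand = looks_like_brand(sender_domain)
    if brand:
        findings.append(f"sender domain {sender_domain} imitates {brand} but is not a {brand} domain")

    # 2. Subject and body: urgent phrases and a generic greeting (tags stripped).
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    is_html = body is not None and body.get_content_type() == "text/html"
    text = TAG_RE.sub(" ", content) if is_html else content
    haystack = (str(msg["Subject"] or "") + "\n" + text).lower()
    urgent = [p for p in URGENT_PHRASES if p in haystack]
    if urgent:
        findings.append("urgent language: " + ", ".join(urgent))
    first_line = next((ln.strip().lower() for ln in text.splitlines() if ln.strip()), "")
    if first_line.startswith(GENERIC_GREETINGS):
        findings.append(f"generic greeting: {first_line!r}")

    # 3. Links: where the visible text says it goes versus where the href goes.
    if is_html:
        for href, inner in ANCHOR_RE.findall(content):
            visible = TAG_RE.sub("", inner).strip()
            target = registrable_domain(urlparse(href).hostname or "")
            if visible.startswith(("http://", "https://", "www.")):
                shown_url = visible if "://" in visible else "http://" + visible
                shown = registrable_domain(urlparse(shown_url).hostname or "")
                if shown != target:
                    findings.append(f"link text shows {shown} but points to {target}")
            if looks_like_brand(target):
                findings.append(f"link destination {target} imitates {looks_like_brand(target)}")

    # 4. Attachments with classic malware-delivery extensions.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {filename}")
    return findings
```

Calling `analyze(SAMPLE_EMAIL)` returns five findings for the sample: the paypa1.com sender, the urgent phrases, the “Dear Customer” greeting, the link whose text shows paypal.com but points to secure-paypal-login.com, and that destination’s own brand impersonation. A message from a bank’s real domain with a named greeting and no urgency returns an empty list. The two ideas worth keeping from the design are that only the addr‑spec and the href are compared, never the display name or link text the attacker controls, and that the domain is normalised with NFKC before comparison so full‑width look‑alikes collapse to ASCII while genuinely foreign‑script look‑alikes remain visible as non‑ASCII and are flagged.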
Tools and Resources That Help
- Browser extensions such as Netcraft or Microsoft Defender SmartScreen flag known malicious domains.
- Email security gateways (Proofpoint, Mimecast, Microsoft Defender for Office 365) automatically quarantine many phishing attempts before they reach your inbox.
- Public blacklists like PhishTank or Spamhaus let you manually verify a questionable URL.
- Password‑vault managers (Proton Pass, Bitwarden, KeePass) can autofill credentials only on verified domains, reducing the chance of entering credentials on a spoofed site.
What to Do If You’ve Clicked a Link
- Disconnect – Turn off Wi‑Fi or unplug the network cable to stop any ongoing communication.
- Run a full antivirus/malware scan – Use reputable security software to detect and remove any payloads.
- Change passwords – Immediately update passwords for the affected account and any other accounts that reuse the same credentials. Enable MFA wherever possible.
- Monitor for unusual activity – Keep an eye on bank statements, credit reports, and login logs for signs of unauthorized access.
- Notify the organization – Inform the legitimate service that your credentials may have been compromised so they can take protective actions (e.g., forced password resets).
Quick Recap
- Scrutinize the sender’s email address, not just the display name.
- Hover over links; don’t trust the visible text.
- Be wary of urgent language, generic greetings, and unexpected attachments.
- Validate any request for personal data through an independent, trusted channel.
- Use security tools, report suspicious messages, and act fast if you think you’ve been compromised.
Final Thoughts
Phishing thrives on human psychology—urgency, curiosity, fear, and trust. By slowing down, questioning inconsistencies, and leveraging the security tools at your disposal, you can break the attacker’s chain of success. Make these habits part of your daily routine, share them with colleagues and friends, and stay one step ahead of the next phishing wave.
Stay vigilant, stay safe, and keep your inbox clean.