
How to Recognize a Phishing Email

Quick Answer

Check the actual sender email address behind the display name, not just the name shown. Look for urgent language pressing you to act immediately. Hover over any links to see the real destination URL before clicking. Be especially suspicious of any request to enter your password or payment details through an email link. Legitimate companies will never ask for your password in an email.


Phishing emails are designed to look exactly like messages you would trust. This is not an accident or a limitation of the attackers. It is the core of the strategy. The more convincingly a phishing email resembles a genuine message from your bank, your delivery company, or a service you use, the more likely you are to act on it without stopping to question it.

In the past, spotting a phishing email was often straightforward. The spelling was poor. The formatting looked off. The English was broken in ways that made the foreign origin obvious. Some of those clues still appear, but they are becoming less reliable. AI tools have made it easier for attackers to produce grammatically perfect, contextually plausible emails at scale. The surface-level quality of phishing emails has improved significantly, and relying on obvious errors to identify them is no longer enough.

What remains consistent are the structural patterns. The mechanisms that phishing emails use to manipulate people have not changed even as their presentation has improved. Understanding those mechanisms is what actually protects you.


What a Phishing Email Is Trying to Do

A phishing email is not the attack itself. It is the delivery mechanism for one of a small number of specific harmful outcomes.

The first and most common objective is credential theft. The email contains a link that goes to a fake login page designed to look like a service you use. You enter your username and password. The page captures them and the attacker now has access to your account.

The second objective is malware delivery. The email contains an attachment or a link to a download. When you open it, malicious software installs on your device. It might log your keystrokes, steal saved passwords, hold your files for ransom, or give the attacker remote control of your machine.

The third objective is social engineering, sometimes called business email compromise. The email impersonates someone you trust, whether that is your bank, a government body, or even a colleague, and asks you to take a real-world action. Transfer money to this account. Purchase gift cards and share the codes. Share a document. Confirm your personal details.

Every warning sign described in this post connects back to one of these three objectives. Recognizing the patterns means understanding what the attacker is trying to push you toward doing.


The Sender Address Is the First Thing to Check

The single most reliable check you can perform on a suspicious email is to look at the actual email address it came from, not the display name.

Your email application shows you a friendly name in the From field. This name is cosmetic and entirely under the sender’s control. It can say anything at all. An email can display the name Amazon Customer Service while the actual address sending it is a completely unrelated domain with a string of random characters.

To see the real address, click on or hover over the sender’s name in your email application. In Gmail, clicking the name shows a popup with the full address. In Outlook, look at the address displayed alongside the name in the header. The actual email address is the one that matters.

A legitimate email from Amazon comes from an @amazon.com address. A legitimate email from your bank uses their official domain. If the domain does not match the organization the email claims to be from, you are looking at a phishing attempt.

Watch specifically for look-alike domains. Attackers register addresses designed to fool a quick glance: paypa1.com instead of paypal.com, support-apple.com instead of apple.com, amazon-service.net instead of amazon.com. These are completely separate domains that have no connection to the real organizations. Check the address character by character if you are uncertain.
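The sender checks above can be automated for mail triage. The following is an added example, not code from the original article: it parses the From: header, separates the cosmetic display name from the real address, and flags the look-alike patterns described (paypa1.com, support-apple.com, amazon-service.net, and a brand used as a subdomain of an unrelated domain). The KNOWN_BRANDS allow-list and every sample header are constructed for illustration; the base-domain logic assumes two-label registrable domains such as .com, which is enough for these brands but not a substitute for the public suffix list.

```python
"""Sender-address checks for a suspicious email (added example, not from the article)."""
from __future__ import annotations

from email.utils import parseaddr

# Hypothetical allow-list: brand name as it appears in display names -> domain it really sends from.
KNOWN_BRANDS = {
    "amazon": "amazon.com",
    "paypal": "paypal.com",
    "apple": "apple.com",
}

# Digit-for-letter substitutions commonly used to imitate a brand name (paypa1 -> paypal).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def base_domain(domain: str) -> str:
    """Crude registrable domain: the last two labels (mail.amazon.com -> amazon.com).
    Assumption for this example; real tooling should consult the public suffix list."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def lookalike_reason(domain: str, brand: str, official: str) -> str | None:
    """Explain why `domain` imitates `official`, or None if it is the official domain or unrelated."""
    base = base_domain(domain)
    if base == official:
        return None  # the real domain or a subdomain of it, e.g. mail.amazon.com
    label = base.split(".")[0]
    if label == brand:
        return f"{domain}: {brand} under a different top-level domain than {official}"
    if label.translate(CONFUSABLES) == brand:
        return f"{domain}: digit-for-letter look-alike of {official}"
    if brand in label:
        return f"{domain}: brand name embedded in an unrelated domain (imitates {official})"
    if brand in domain.split(".")[:-2]:
        return f"{domain}: brand used as a subdomain of {base}, not {official}"
    return None


def assess_sender(from_header: str) -> list[str]:
    """Return findings for a From: header; an empty list means nothing suspicious was seen."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parsable address in From header"]
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # 1. A display name that claims a brand must come from that brand's domain.
    for brand, official in KNOWN_BRANDS.items():
        if brand in name.lower() and base_domain(domain) != official:
            findings.append(f"display name claims {brand!r} but address domain is {domain}")

    # 2. A display name that itself looks like an address must agree with the real one.
    if "@" in name:
        shown = name.rsplit("@", 1)[-1].strip().lower()
        if shown != domain:
            findings.append(f"display name shows @{shown} but the real address is @{domain}")

    # 3. The real domain is checked for look-alike tricks regardless of the display name.
    for brand, official in KNOWN_BRANDS.items():
        reason = lookalike_reason(domain, brand, official)
        if reason:
            findings.append(reason)
    return findings


if __name__ == "__main__":
    # Constructed sample headers, one legitimate and three imitations.
    for header in (
        "Amazon <ship-confirm@amazon.com>",
        "Amazon Customer Service <noreply@x7q2.randomhost.net>",
        "PayPal <service@paypa1.com>",
        "Apple Support <id@support-apple.com>",
    ):
        print(header, "->", assess_sender(header) or "no findings")
```

Note that a subdomain of the real domain (mail.amazon.com) passes, while amazon.com.verify-account.net does not: the registrable domain is what counts, which is exactly the character-by-character check the text recommends.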


Urgency and Fear Are the Primary Manipulation Tools

Every phishing email creates some form of urgency or threat. This is not incidental. It is the mechanism.

When people feel anxious or under time pressure, they act before they think. Attackers rely on this psychological response. The urgency manufactured in a phishing email is designed to compress the gap between reading the message and clicking the link, before you have time to question anything.

The patterns are recognizable once you know to look for them. Your account has been suspended and will be permanently closed unless you verify within 24 hours. Unusual activity was detected. Log in immediately to protect your account. Your payment failed. Update your billing information to avoid service interruption. A package could not be delivered. Confirm your address now or it will be returned.

The combination of a threat of loss, a specific deadline, and a call to immediate action is the phishing template. Legitimate companies do communicate urgently when genuine issues arise, but they provide multiple ways to resolve the situation, they do not threaten permanent consequences as a first contact, and they do not give you a countdown to take action on their link.

When you feel a sudden spike of anxiety reading an email, that feeling is worth treating as a warning signal rather than a reason to act quickly. It is often the mechanism working as designed.


Requests for Passwords or Personal Information

A legitimate company will never send you an email asking for your password. This is a firm rule, not a general guideline.

Banks, email providers, payment processors, and every other legitimate service have access to your account through their own systems. They do not need you to reply with your password or enter it on a page accessed through an email link. If an email is asking you to confirm your current password, provide your PIN, share a verification code, or enter sensitive personal information through a link in the message, it is a phishing attempt regardless of how official it looks.

The same applies to requests for your social security or national identity number, credit card details, passport information, or any other high-value personal data through an email link.


Where Links Really Go

In a phishing email, links are almost always the mechanism that delivers the attack. The visible text of a link can say one thing while it actually sends you somewhere completely different.

The link might display text that reads Log in to your PayPal account, while the actual URL goes to a convincingly designed fake page hosted on an entirely different domain.

On a desktop computer, hover your mouse over any link before clicking it. The actual destination URL appears at the bottom of your browser window or in a tooltip near the cursor. Check that URL carefully. For a genuine PayPal email, the link should go to paypal.com, not paypal.some-other-site.com or login-paypal-secure.com or any other variation. Just paypal.com.

On a phone, press and hold a link to see a preview of its destination URL before it opens. On iOS and Android, this produces a popup showing the actual address. Check it before you tap to open.

If the URL looks wrong, do not click. Navigate to the relevant website directly by typing the address into your browser, or use the official app for the service in question.
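The hover check can be applied to a whole HTML message at once. This added example is not code from the original article: it extracts every anchor from a constructed HTML body, compares the visible link text with the real destination, and applies the rule from the text that a PayPal link must land on paypal.com itself or a subdomain of it, so paypal.some-other-site.com and login-paypal-secure.com both fail. The BRAND_DOMAINS map and the sample HTML are assumptions made for the example.

```python
"""Link-destination checks for an HTML email body (added example, not from the article)."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand -> official domain map, mirroring the article's PayPal example.
BRAND_DOMAINS = {"paypal": "paypal.com", "amazon": "amazon.com"}

# Constructed sample body: two deceptive links, one genuine, one unrelated.
SAMPLE_HTML = """<p>Unusual activity was detected on your account.</p>
<a href="https://login-paypal-secure.com/verify">Log in to your PayPal account</a>
<a href="http://paypal.some-other-site.com/">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="https://example.org/unsubscribe">Unsubscribe</a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host: str, official: str) -> bool:
    """True only for the official domain or a subdomain of it; a hostname that merely
    contains the brand name (login-paypal-secure.com, paypal.some-other-site.com) fails."""
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)


def text_host(text: str) -> str | None:
    """If the visible link text looks like a URL or bare domain, return the host it shows."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def check_links(html_body: str) -> list[dict]:
    """One record per link: href, text, real host, and a list of problems (empty = fine)."""
    parser = LinkCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        problems = []
        if parsed.scheme not in ("http", "https"):
            problems.append(f"non-web scheme {parsed.scheme!r}")
        # Visible text that shows a URL must agree with where the link really goes.
        shown = text_host(text)
        if shown and shown.lower() != host:
            problems.append(f"text shows {shown} but link goes to {host}")
        # A brand named in the text or the host must resolve to that brand's real domain.
        mentioned = (text + " " + host).lower()
        for brand, official in BRAND_DOMAINS.items():
            if brand in mentioned and not host_belongs_to(host, official):
                problems.append(f"mentions {brand} but host {host} is not {official}")
        results.append({"href": href, "text": text, "host": host, "problems": problems})
    return results


def suspicious_links(html_body: str) -> list[str]:
    """Just the hrefs with at least one problem, in document order."""
    return [r["href"] for r in check_links(html_body) if r["problems"]]


if __name__ == "__main__":
    for record in check_links(SAMPLE_HTML):
        print(record["href"], "->", record["problems"] or "ok")
```

The suffix rule in host_belongs_to is the whole point: "paypal" appearing somewhere in the hostname proves nothing, only the registrable domain at the end does.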


Generic Greetings Signal Mass Phishing

Phishing emails sent to large numbers of people cannot personalize every message. They typically fall back on generic greetings like Dear Customer, Dear Account Holder, Dear User, or sometimes just your email address formatted as a greeting.

A genuine email from a bank or an online service you use will usually address you by name because they have your name on file.

This is a useful indicator but comes with an important caveat. Targeted phishing attacks, called spear phishing, are personalized. Attackers who have gathered information about you from social media, data breaches, or other sources can craft emails that include your full name, your employer, a recent purchase you made, or the name of a colleague. A personalized email is not automatically safe. All the other checks in this post still apply.


Unexpected Attachments Should Always Be Questioned

If an email arrives with an attachment you were not expecting, treat it with suspicion regardless of who the apparent sender is.

Common attachment-based attacks use Word or Excel files that prompt you to enable macros when you open them, PDFs containing malicious embedded links, compressed archive files containing executable programs, and in some cases directly executable file types.

The fact that the sender appears to be someone you know does not make an unexpected attachment safe. Email accounts belonging to people you know can be compromised, and attackers frequently use hacked accounts to send malicious files to the victim’s contact list specifically because messages from known senders receive less scrutiny.

If you receive an unexpected attachment from a colleague, a friend, or a company you deal with, confirm separately before opening it. A quick phone call, text message, or a separate email asking whether they meant to send you something takes thirty seconds and closes this risk completely.
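The attachment types listed above can be triaged mechanically before anyone opens them. This added example is not code from the original article: it builds a constructed .eml carrying a macro-capable Office file, a zip archive hiding an executable, and a plain PDF, then walks the MIME parts and reports why each attachment is risky. The extension sets are illustrative rather than exhaustive, and the zip is only listed in memory, never extracted or run.

```python
"""Attachment triage for a suspicious email (added example, not from the article)."""
from __future__ import annotations

import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative extension sets (assumptions for this example, not a complete list).
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta", "ps1", "msi", "lnk"}
MACRO_OFFICE = {"doc", "dot", "xls", "xlt", "docm", "dotm", "xlsm", "xltm", "pptm"}
ARCHIVE = {"zip", "rar", "7z", "iso", "img"}
HARMLESS_LOOKING = {"pdf", "txt", "jpg", "png", "docx", "xlsx"}


def classify_name(filename: str) -> list[str]:
    """Reasons a filename is risky, judged by its final extension and any hidden double extension."""
    parts = filename.lower().split(".")
    reasons: list[str] = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE:
        reasons.append(f"directly executable type .{ext}")
    elif ext in MACRO_OFFICE:
        reasons.append(f"Office type .{ext} can carry macros")
    elif ext in ARCHIVE:
        reasons.append(f"archive .{ext}; contents must be inspected")
    # invoice.pdf.exe: a harmless-looking extension in front of the real, dangerous one.
    if len(parts) >= 3 and parts[-2] in HARMLESS_LOOKING and ext not in HARMLESS_LOOKING:
        reasons.append(f"double extension disguises .{ext} as .{parts[-2]}")
    return reasons


def inspect_zip(data: bytes) -> list[str]:
    """List risky members of a zip attachment without extracting anything."""
    reasons: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for r in classify_name(member):
                    reasons.append(f"zip member {member}: {r}")
    except zipfile.BadZipFile:
        reasons.append("archive could not be parsed")
    return reasons


def triage_attachments(raw_email: bytes) -> dict[str, list[str]]:
    """Map each attachment filename to its risk reasons (an empty list means nothing was flagged)."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    report: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = classify_name(name)
        if name.lower().endswith(".zip"):
            reasons += inspect_zip(part.get_payload(decode=True))
        report[name] = reasons
    return report


def build_sample_email() -> bytes:
    """Constructed message carrying the attachment kinds the article warns about."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ not a real program")  # disguised executable
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"fake-doc", maintype="application", subtype="msword", filename="Invoice.docm")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_attachments(build_sample_email()).items():
        print(name, "->", reasons or "nothing flagged")
```

A PDF that passes this check is still an unexpected attachment; the out-of-band confirmation the text recommends is the control that actually closes the risk, and the classifier only decides how loudly to ask.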


What to Do With a Suspicious Email

The right response to a phishing email is to not click anything, not open any attachments, and not reply. If you want to verify whether there is a genuine issue with an account mentioned in the email, open a new browser window and navigate directly to that service’s website by typing the address yourself. Do not use any link, phone number, or contact detail provided in the suspicious email.

Report the email using your email application’s built-in reporting tool. In Gmail, the three-dot menu includes a Report Phishing option. In Outlook, the Report Message button handles this. Reporting helps improve the filters that protect other users.

After reporting, delete the email.

If you believe the phishing email may have been targeted at your organization rather than a generic mass attempt, or if you received it on a work account, tell your IT or security team. A targeted phishing campaign against a company often involves multiple employees being contacted simultaneously.


Frequently Asked Questions

Can a phishing email harm your device just by being opened?

Opening an email in a modern email client is very low risk. The danger comes from clicking links and opening attachments. Some older email clients rendered HTML emails in ways that could execute code, but modern web-based email services and current email apps protect against this.

How do attackers know which services I use?

For mass phishing campaigns, they often do not. They send emails impersonating popular services like Amazon, PayPal, major banks, and Netflix because statistically a large portion of recipients use them. For targeted attacks, they may have gathered information from data breaches, social media, or other sources.

What if the suspicious email came from someone I know?

Their email account may have been compromised. Contact them through a completely separate channel, such as a text message or phone call, to let them know so they can secure their account.

Is it safe to click the unsubscribe link in a suspicious email?

No. Clicking any link in a suspicious email, including an unsubscribe link, may confirm to the sender that your address is active and can lead to more phishing attempts. For suspicious emails, delete without clicking anything.

Will my spam filter catch all phishing emails?

No. Spam and phishing filters are effective at catching large volumes of known threats, but sophisticated or targeted phishing emails regularly bypass them. The fact that an email reached your inbox is not evidence that it is safe. Apply the checks in this post to any message that asks you to take action, regardless of where it landed.

Editorial Team
Contributor