How to Spot a Phishing Email: 12 Red Flags Anyone Can Check

You check your inbox every day without thinking twice. But hidden among the newsletters and order confirmations, there could be a message designed to steal your passwords, your money, or your identity. Learning how to spot a phishing email is one of the most valuable digital skills you can have — and you don’t need to be tech-savvy to do it.

Phishing emails fake the appearance of trusted companies, banks, or even coworkers. Their goal is simple: trick you into clicking a dangerous link, downloading malware, or handing over personal information. The good news? Most phishing attempts leave clues. You just need to know what to look for.

This guide walks you through 12 red flags that reveal a phishing email, with real-world examples and clear action steps for each one. By the end, you’ll be able to scan any suspicious message and decide whether it’s safe — in under 30 seconds.


What Is a Phishing Email, Exactly?

A phishing email is a fraudulent message that impersonates a legitimate sender. The word “phishing” comes from “fishing” — attackers cast a wide net, hoping a few people will bite.

These emails often look like they come from:

  • Your bank or credit card company
  • A delivery service (FedEx, UPS, DHL)
  • A tech company (Apple, Google, Microsoft)
  • A government agency (IRS, HMRC)
  • A coworker or boss

The message usually urges you to take immediate action: confirm your account, update payment details, or claim a package. If you comply, you may end up on a fake website that captures your login credentials, or, worse, have malware installed on your device.

What you should do: Treat every unexpected email asking you to act urgently as suspicious by default. Verify through a separate channel before taking any action.


How to Spot a Phishing Email: 12 Red Flags

Here are the 12 most reliable warning signs. You don’t need to spot all 12 — even one or two can confirm a message is fake.

1. The Sender Address Looks Wrong

The very first thing to check is who sent the email. Phishers often use addresses that almost look real but have subtle differences.

Real example:

Legitimate sender          Phishing sender
support@paypal.com         support@paypa1.com
no-reply@amazon.com        no-reply@amazon-security.net
info@netflix.com           info@netfli.x-co.com

Notice how “paypa1” swaps the letter “l” for the number “1.” The Amazon fake adds “-security” and uses a different domain. These tiny differences are easy to miss if you’re scrolling quickly.

What you should do: On a computer, hover over the sender’s name to reveal the actual email address. On a phone, tap the sender’s name to expand the details. If the domain doesn’t match the company’s official website, it’s almost certainly fake.

2. The Greeting Is Generic

Legitimate companies you do business with know your name. Phishers often don’t.

A real email from your bank might say: “Dear Sarah,” while a phishing email will say: “Dear Customer,” “Dear Valued Member,” or “Dear User.”

This isn’t always a red flag — some legitimate marketing emails use generic greetings. But a security alert or account notice that doesn’t address you by name should raise suspicion.

What you should do: If an email about your account uses a generic greeting, log in to your account directly (not through the email link) and check for alerts there.

3. The Message Creates Urgency or Fear

Phishing emails want you to act before you think. They use pressure tactics to bypass your logical brain:

  • “Your account will be suspended in 24 hours”
  • “Unauthorized login detected — verify immediately”
  • “Final notice: Your payment failed”
  • “You will lose access if you don’t respond now”

Real companies rarely demand instant action via email. They might notify you of a problem, but they typically give you days or weeks to resolve it — not hours.

What you should do: Slow down. Take a breath. If the email claims to be from your bank, call the number on the back of your card — not any number in the email.

4. The Link Text Doesn’t Match the Real URL

This is the most dangerous red flag because the link text can say anything while pointing anywhere.

An email might show: Click here to verify your PayPal account

But the actual destination could be: http://paypa1-secure-login.malicious-site.xyz

The visible text and the underlying URL are completely separate. Phishers exploit this constantly.

What you should do: On a computer, hover over the link (don’t click!) and look at the preview in the bottom-left corner of your browser. On mobile, press and hold the link to see the URL. If the domain doesn’t match the company’s real website, don’t click. And remember — you can always navigate to the company’s site manually in your browser instead.

5. The Email Has Spelling and Grammar Mistakes

Many phishing emails originate from non-English-speaking countries, and the language errors show. Look for:

  • Misspelled words (“verificate” instead of “verify”)
  • Awkward phrasing (“Your account has been compromise”)
  • Wrong verb tenses (“We detect unusual activity”)
  • Random capitalization (“Click Here To Secure Your Account Now”)

Professional companies have editors and automated checks. A legitimate email from Apple or Chase will not read like a rough translation.

What you should do: If the writing feels off, compare it to a real email you’ve received from the same company. The difference in quality is usually obvious.

6. It Asks for Personal or Financial Information

No legitimate company will ask you to share sensitive information over email. This includes:

  • Passwords or PINs
  • Full credit card numbers
  • Social Security or national ID numbers
  • Bank account details
  • Answers to security questions

Your bank already has your account information. Netflix already has your payment method. If an email asks you to “confirm” or “update” these details by replying or clicking a link, it’s a scam.

What you should do: Never share sensitive information via email. If you think the request might be real, contact the company directly through their official website or app.

7. The Design Looks Unprofessional

Major brands are meticulous about their email design. Phishing emails often cut corners:

  • Blurry or stretched logos
  • Misaligned text and images
  • Colors that don’t match the brand
  • Missing footer with unsubscribe options and company address
  • Strange fonts the brand never uses

Compare a suspicious email side by side with a real one from the same sender. The visual differences are usually easy to spot.

What you should do: When in doubt, check the company’s real emails or visit their website to compare branding. Most big companies also have a “security” or “fraud” page showing examples of known phishing emails impersonating them.

8. Attachments You Weren’t Expecting

Email attachments are a common way to deliver malware. Dangerous file types include:

  • .exe — executable programs
  • .zip or .rar — compressed files that may contain malware
  • .doc or .xls with macros — documents that can run malicious code
  • .pdf — sometimes rigged to exploit vulnerabilities

Even if the attachment looks harmless — like an “invoice” or “shipping label” — it could install malware the moment you open it.

What you should do: Never open an attachment you weren’t specifically expecting. If someone claims they sent you a file, confirm with them through a separate channel (a phone call or text message) before opening it.

9. The Email References a Service You Don’t Use

This is one of the easiest red flags to spot. If you get an email about your “Adobe Creative Cloud subscription” but you’ve never had one, it’s obviously fake.

Phishers cast a wide net. They send the same email to millions of addresses, hoping some recipients will happen to use the referenced service.

What you should do: If the email references a service, subscription, or account you don’t recognize, delete it immediately. Don’t click any links, even “unsubscribe” — that just confirms your email address is active.

10. The “From” and “Reply-To” Addresses Don’t Match

Some phishing emails send from one address but route replies to a completely different one. For example:

  • From: notifications@amazon.com (spoofed or compromised)
  • Reply-To: support@random-helpdesk.xyz

A legitimate company’s “from” and “reply-to” addresses will typically share the same domain. If they don’t match, something is wrong.

What you should do: Check both addresses before replying to any email that asks for information or action. On most email clients, you can see the reply-to address by tapping or clicking “Reply” (but don’t actually send the reply).
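The header and link checks behind red flags 1, 4 and 10 can be automated. This added example (not from the article) uses Python's standard library to parse a constructed sample message and report which of those three flags it trips; the BRANDS allowlist and the sample message are assumptions made up for the demo.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real email) that exhibits all three flags.
RAW_MESSAGE = """\
From: "PayPal Support" <support@paypa1.com>
Reply-To: support@random-helpdesk.xyz
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p><p><a href="http://paypa1-secure-login.malicious-site.xyz/login">
https://www.paypal.com/verify</a></p>
"""
BRANDS = {"paypal": "paypal.com"}  # hypothetical allowlist: brand -> real domain

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def red_flags(raw):  # returns the flags (1, 4, 10) found in a raw message
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_dom, flags = domain_of(sender.addr_spec), []
    for brand, real in BRANDS.items():  # flag 1: brand name, wrong domain
        if brand in sender.display_name.lower() and from_dom != real:
            flags.append(f"claims {brand} but sent from {from_dom}")
    reply = msg["Reply-To"]  # flag 10: replies routed to another domain
    if reply and domain_of(reply.addresses[0].addr_spec) != from_dom:
        flags.append("reply-to domain differs from from domain")
    body = msg.get_body(preferencelist=("html",))  # flag 4: text vs href
    parser = LinkCollector(); parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown != urlparse(href).hostname:
            flags.append(f"link shows {shown} but goes to {urlparse(href).hostname}")
    return flags
```

Calling `red_flags(RAW_MESSAGE)` returns one entry per flag tripped; a clean message returns an empty list.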

11. It Threatens Legal Action or Other Consequences

Phishers love to threaten consequences because fear makes people act without thinking:

  • “Legal action will be taken if you don’t respond”
  • “Your account will be permanently deleted”
  • “You will be reported to authorities”
  • “Your IP address has been flagged for illegal activity”

Real organizations do not threaten legal action via email. They send formal letters through the mail or contact you through established channels. And no legitimate company will delete your account because you didn’t click an email link.

What you should do: Don’t panic. If you’re genuinely concerned, look up the organization’s contact information independently and reach out to them directly.

12. Something Just Feels Off

Trust your instincts. If an email gives you an uneasy feeling — even if you can’t pinpoint exactly why — there’s probably a reason.

Maybe the tone is slightly different from what you’d expect. Maybe the request is unusual. Maybe the timing is odd. Your brain often picks up on inconsistencies before you can articulate them.

What you should do: If something feels wrong, don’t engage with the email. Go directly to the source — visit the website, open the app, or call the official phone number. A few extra seconds of caution can save you from a lot of trouble.


How to Spot a Phishing Email: Quick Reference Table

Print this out or bookmark it. It summarizes all 12 red flags for fast reference.

#    Red flag                       Key question to ask yourself
1    Fake sender address            Does the domain match the real company?
2    Generic greeting               Would this company know my name?
3    Urgency or fear                Is this creating artificial pressure?
4    Misleading links               Does the actual URL match the link text?
5    Spelling/grammar errors        Would a real company send something this sloppy?
6    Requests for sensitive info    Would this company ask for this over email?
7    Unprofessional design          Does this look like the brand’s real emails?
8    Unexpected attachments         Was I expecting this file?
9    Unknown service                Do I actually use this service?
10   Mismatched addresses           Do “From” and “Reply-To” share the same domain?
11   Legal threats                  Would a real company threaten me over email?
12   Something feels off            Does my gut say this is suspicious?


What to Do If You Clicked a Phishing Link

Even careful people make mistakes. If you clicked a link or opened an attachment from a suspicious email, here’s what to do:

  1. Disconnect from the internet — Turn off Wi-Fi or unplug your Ethernet cable. This stops any malware from communicating with the attacker’s server.

  2. Change your passwords — Use a different, clean device to change the password for the account that was targeted. If you reuse that password elsewhere (which you shouldn’t!), change it on all sites. A password manager makes this much easier.

  3. Scan for malware — Run a full antivirus scan on the device you used. If you don’t have one installed, use a reputable free scanner like Microsoft Defender (built into Windows) or Malwarebytes.

  4. Monitor your accounts — Check your bank statements, credit cards, and online accounts for unauthorized activity over the next several weeks.

  5. Report the phishing attempt — Forward the email to the organization being impersonated and to your email provider’s abuse team. In the US, you can also report it to the FTC at reportfraud.ftc.gov.

  6. Consider a credit freeze — If you shared financial information or your Social Security number, place a freeze on your credit reports at all three bureaus (Equifax, Experian, TransUnion). This prevents anyone from opening accounts in your name.


Extra Protection: Simple Habits That Reduce Your Risk

Spotting phishing emails is essential, but you can add extra layers of defense with a few simple habits:

  • Enable multi-factor authentication (MFA) on all important accounts. Even if a phisher gets your password, they can’t log in without the second factor.

  • Use a password manager to generate and store unique passwords. If one password gets phished, the rest stay safe. Learn more about whether password managers are safe and whether saving passwords in your browser is a good idea.

  • Keep your software updated. Security patches fix vulnerabilities that phishing-related malware exploits.

  • Use a VPN on public Wi-Fi. A VPN encrypts your traffic so that others on the same public network can’t intercept it; it does not stop a phishing site from receiving whatever you type into it, so the checks above still apply. Read more about whether a VPN protects you from hackers.

  • Verify before you trust. When in doubt, go directly to the source. Type the website address into your browser instead of clicking email links.


FAQ: How to Spot a Phishing Email

Can phishing emails look exactly like real ones?

Yes, sophisticated phishing emails can be nearly identical to legitimate ones. They may use the correct logo, formatting, and tone. However, they’ll usually fail on at least one of the 12 checks above — typically the sender address or the link destination. Always verify the sender’s domain and hover over links before clicking, no matter how real the email looks.

What’s the difference between phishing and spear phishing?

Phishing is a generic attack sent to thousands of people at once, like casting a wide net. Spear phishing targets a specific person or organization, using personalized details (your name, job title, or recent activity) to seem more convincing. Spear phishing is harder to detect but still leaves clues — especially mismatched sender addresses and unusual requests.

Can I get phished on my phone?

Absolutely. Phishing works on any device with email. In fact, it can be harder to spot phishing on a phone because you can’t easily hover over links to preview URLs, and the smaller screen hides sender details. Apply the same checks on mobile: tap the sender’s name to see the full address, and press and hold links to preview where they lead.

Should I reply to a phishing email to tell them I know it’s fake?

No. Replying confirms that your email address is active and monitored, which makes it more valuable to attackers. You may receive even more phishing attempts. Instead, report the email to your provider and delete it.

What if the phishing email came from someone I know?

If a friend or coworker sends a suspicious email, their account may have been compromised. Don’t click any links or open attachments. Instead, contact them through a different channel (phone call, text message, or in person) to ask if they actually sent it. If they didn’t, they need to secure their account immediately.


Conclusion: You Don’t Need to Be an Expert

Learning how to spot a phishing email isn’t about memorizing technical terms or understanding how hackers think. It’s about developing a simple habit: pause and check before you click.

The 12 red flags in this article are your checklist. Keep it handy, and run through it whenever an email asks you to click a link, open a file, or share information. Most phishing attempts fall apart under even a quick 30-second inspection.

Remember the basics:

  • Check the sender’s real email address
  • Hover over links before clicking
  • Be skeptical of urgency and threats
  • Never share sensitive information via email
  • When in doubt, go directly to the source

Phishing only works when you don’t look closely. Now that you know what to look for, you’re already far harder to fool.

Want more tips on staying safe online? Bookmark SafeguardDaily and check out our guides on whether VPNs protect you from hackers, how safe password managers really are, and whether saving passwords in your browser is secure. Stay informed, stay safe.
