What Is Phishing?

Phishing is a cyberattack technique where criminals send deceptive emails — or messages via SMS, social media, or phone — impersonating trusted entities like banks, government agencies, delivery companies, or tech platforms. The goal is to trick you into clicking a malicious link, entering credentials on a fake website, or downloading malware.

Phishing remains one of the most common entry points for identity theft and financial fraud. Recognizing the signs before you click is the most effective protection available.

10 Red Flags in Phishing Emails

1. The Sender's Email Address Doesn't Match the Organization

The display name may say "PayPal Support" but the actual sending address might be something like support@paypal-security-alert.net. Always click on or hover over the sender name to reveal the true address.

2. Generic Greetings

Legitimate companies that hold your account will almost always address you by name. "Dear Customer," "Dear Account Holder," or "Dear User" are hallmarks of a mass phishing campaign.

3. Urgency and Threats

"Your account will be suspended in 24 hours." "Verify immediately or lose access." These pressure tactics are designed to override your rational judgment. Legitimate organizations give you time to act.

4. Suspicious Links That Don't Match the Brand Domain

Hover over any link before clicking. If the URL doesn't exactly match the organization's official domain — or uses lookalike characters (e.g., "arnazon.com" instead of "amazon.com") — do not click it.

5. Requests for Sensitive Information

Banks, government bodies, and reputable companies will never ask you to provide passwords, Social Security numbers, PINs, or full card numbers via email.

6. Unexpected Attachments

Unsolicited attachments — even if they appear to be invoices, shipping notices, or tax documents — can contain malware. If you weren't expecting a file, don't open it.

7. Poor Grammar and Spelling

While sophisticated phishing emails are often polished, many still contain grammatical errors, awkward phrasing, or inconsistent formatting. These are signs the message was not produced by a professional communications team.

8. Mismatched Branding

Logos may look slightly off, colors may not match the brand exactly, and email layouts may feel inconsistent with what the real organization typically sends. Trust your instincts if something looks "almost right."

9. The Offer Is Too Good to Be True

Unexpected prize notifications, unclaimed refunds, and surprise inheritance notices are classic lures. Real windfalls don't arrive unannounced in your inbox.

10. The "From" Domain Was Recently Registered

You can check domain registration age using tools like WHOIS. Scammers register domains days before a campaign and abandon them afterward. A domain that's only a few weeks old claiming to be a major bank is a certain red flag.
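Red flags 1 and 4 can be checked mechanically. The sketch below is an added example, not part of the original article: it compares the brand named in the display name with the real sending domain and inspects every link target for off-brand or lookalike domains. The `OFFICIAL` allowlist, the `CONFUSABLES` table, the naive two-label domain rule, and the sample message are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist (brand keyword -> official domains); maintain your own.
OFFICIAL = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"}}
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))  # illustrative subset
SAMPLE = (  # constructed message, not a real email
    'From: "PayPal Support" <support@paypal-security-alert.net>\n\n'
    '<a href="https://www.arnazon.com/gift">prize</a> '
    '<a href="http://paypal-security-alert.net/login">verify</a> '
    '<a href="https://www.paypal.com/help">help</a>\n'
)

def base_domain(host):
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def skeleton(domain):
    # Collapse look-alike sequences so "arnazon.com" compares equal to "amazon.com".
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname if tag == "a" else None
        if host:
            self.hosts.append(host)

def red_flags(raw_message):
    """Return red-flag strings for a single-part HTML message (assumed format)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender = base_domain(addr.rpartition("@")[2])
    claimed = [b for b in OFFICIAL if b in display.lower()]
    flags = [f"sender-mismatch:{sender}" for b in claimed if sender not in OFFICIAL[b]]  # flag 1
    trusted = set().union(*OFFICIAL.values())
    links = LinkCollector()
    links.feed(msg.get_payload())
    for dom in map(base_domain, links.hosts):  # flag 4: inspect the real link target
        if dom not in trusted and skeleton(dom) in trusted:
            flags.append(f"lookalike-link:{dom}")
        elif dom not in trusted and claimed:
            flags.append(f"off-brand-link:{dom}")
    return flags
```

Calling `red_flags(SAMPLE)` reports the mismatched sender, the lookalike link, and the off-brand link, while the genuine `paypal.com` link passes.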

What to Do When You Receive a Suspicious Email

  • Do not click any links or download any attachments.
  • Go directly to the organization's official website by typing the URL yourself.
  • Contact the organization through official phone numbers to verify the message.
  • Mark the email as phishing/spam in your email client to improve future filtering.
  • Report it to your national anti-fraud or cybercrime agency.

Already Clicked a Phishing Link?

Act quickly: change your password for the affected account immediately, enable two-factor authentication, check for unauthorized activity, and run a malware scan on your device. If financial information was entered, contact your bank right away.

Vigilance takes seconds. Recovering from identity theft can take months or years.