CyberCodeLab

cybersecurity · Basic · 2026-07-03

How to Spot Phishing Emails: 7 Red Flags Everyone Should Know

Phishing causes most account breaches — learn the 7 warning signs of a fake email, see real-world examples, and know exactly what to do when one lands in your inbox.

By most industry estimates, the large majority of successful cyber attacks start with a phishing email. The good news: almost every phishing attempt shows the same warning signs, and once you know them you will catch most of them.

What is phishing?

Phishing is a fake message designed to trick you into giving away something valuable — a password, a credit card number, or a click on a malicious link. The message pretends to come from someone you trust: your bank, a delivery company, a colleague, or a service like Google or Microsoft.

The 7 red flags

1. Urgency and threats

"Your account will be suspended in 24 hours." Attackers rush you because panic switches off critical thinking. Real companies almost never demand instant action by email.

2. The sender address doesn't match

The display name says PayPal, but the actual address is security@paypa1-support.xyz. The display name is free text the sender types; only the address after it identifies where the mail came from. Always look at the real address, not the friendly name, and read it carefully: paypa1 (with a digit one) is not paypal. On mobile, tap the sender's name to reveal it. One caveat: when the impersonated company's domain has no anti-spoofing protection (SPF/DMARC), even the address can be forged, so a matching address is reassuring but not proof.

3. Generic greetings

"Dear Customer" or "Dear User" instead of your name. Your bank knows what you're called; a spammer blasting a million inboxes doesn't. The reverse is not a safe signal, though: targeted (spear) phishing uses your real name, taken from a data breach or your public profile, so a personal greeting does not prove a message is genuine.

4. Links that don't go where they claim

Hover over any link before clicking (on desktop) or long-press it (on mobile) to preview the destination, then read the hostname from the right. The part that matters is the registered domain: the label just before the public suffix (.com, .ru, or a two-part suffix such as .co.uk). In secure-login.bank.com.verify-account.ru the registered domain is verify-account.ru; everything to its left is a subdomain the attacker controls, and everything after the first slash is just a path. The visible link text proves nothing; only the destination counts.

5. Unexpected attachments

Invoices you never ordered, "voicemail" attachments, ZIP or HTML files from strangers, Office documents that ask you to "enable content" or macros. Attachments are one of the most common malware delivery methods. When in doubt, don't open.

6. Spelling and formatting mistakes

Professional companies proofread. Odd grammar, stretched logos and inconsistent fonts are classic signs of a rushed fake. Treat this as a bonus signal, not a test: many phishing emails today are polished clones of real notifications, so a flawless message still needs the other checks.

7. Requests no real company makes

No legitimate organisation will ever email you asking for your full password, 2FA code, or card PIN. Ever. Any message that does is a scam, full stop.

A quick real-world example

From: Microsoft Support <account-alert@micros0ft-verify.com>
Subject: Unusual sign-in activity — verify now!

Dear User, we detected a sign-in from Russia. Click here within 12 hours to verify your account or it will be permanently locked.

Count the flags: fake domain (1), urgency + threat (2), generic greeting (3), suspicious link (4). Four red flags in three lines.
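The same four checks can be done by a small script, which is useful when you want to run them over a mailbox rather than one message at a time. The code below is an added example, not CyberCodeLab's own tooling: it parses a constructed copy of the email above, splits the From header into display name and real address, reduces each link's destination to its registered domain, and looks for urgency wording and a generic greeting. The sample email, the invented domains and the tiny SUFFIXES set (a stand-in for the full Public Suffix List) are assumptions; a real checker would use the full list.

```python
"""Report phishing red flags in a raw email (added example, not the page's own code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message: the link text says Microsoft, the destination does not.
RAW_EMAIL = """\
From: Microsoft Support <account-alert@micros0ft-verify.com>
Subject: Unusual sign-in activity - verify now!
Content-Type: text/html

<p>Dear User, we detected a sign-in from Russia.
<a href="https://login.microsoftonline.com.verify-account.ru/x?id=1">Click here</a>
within 12 hours to verify your account or it will be permanently locked.</p>
"""

# Two-label public suffixes. Assumption: a real tool loads the full Public Suffix List.
SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registered_domain(host: str) -> str:
    """Return the registrable domain: the label just before the public suffix.

    login.microsoftonline.com.verify-account.ru -> verify-account.ru
    www.bank.co.uk -> bank.co.uk
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_domain(url: str) -> str:
    """Registered domain of a link's real destination.

    urlsplit() handles the user@host trick: in https://bank.com@evil.ru/
    the hostname is evil.ru, not bank.com.
    """
    return registered_domain(urlsplit(url).hostname or "")


def sender_domain(from_header: str) -> tuple[str, str]:
    """Split 'Display Name <address>' into (display name, registered domain of address)."""
    name, addr = parseaddr(from_header)
    return name, registered_domain(addr.rpartition("@")[2])


URGENCY = re.compile(r"\b(\d+\s*hours?|immediately|suspended|locked|urgent)\b", re.I)
GENERIC = re.compile(r"\bdear (customer|user|member|client)\b", re.I)


def red_flags(raw: str, brand_domains: dict[str, str]) -> list[str]:
    """Return the red flags found in one raw message.

    brand_domains maps a brand word (lowercase) to that brand's real registered domain.
    """
    msg = message_from_string(raw)
    flags = []

    # Flag: display name claims a brand, but the address is under another domain.
    name, dom = sender_domain(msg["From"])
    for brand, real in brand_domains.items():
        if brand in name.lower() and dom != real:
            flags.append(f"sender mismatch: '{name}' but address is under {dom}")

    body = msg.get_payload()          # single text/html part in this sample
    text = re.sub(r"<[^>]+>", " ", body)
    if URGENCY.search(text):
        flags.append("urgency/threat wording")
    if GENERIC.search(text):
        flags.append("generic greeting")

    # Flag: each link's real destination, reduced to its registered domain.
    for href in re.findall(r'href="([^"]+)"', body):
        dest = link_domain(href)
        if dest not in brand_domains.values():
            flags.append(f"link goes to {dest}, not a known domain")
    return flags


if __name__ == "__main__":
    for flag in red_flags(RAW_EMAIL, {"microsoft": "microsoft.com"}):
        print("-", flag)
```

Run stand-alone it prints four flags for the sample. The keyword checks are deliberately crude and will miss or over-match on real mail; the two domain checks are the ones worth trusting, because they look at what the attacker cannot disguise.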

What to do when you receive one

  1. Don't click any links or open attachments.
  2. Don't reply — replying confirms your address is active.
  3. Report it — use your email provider's "Report phishing" button.
  4. Delete it.
  5. If you already clicked and entered a password: go to the real site by typing its address yourself, change that password immediately, enable two-factor authentication, change it anywhere else you reused it, and, if it was a work account, tell your IT or security team.

Build the habit

Check the sender's real address and hover over links — those two habits alone catch the vast majority of phishing attempts. For stronger account protection, read our guide on passwords and two-factor authentication, and use our free Password Generator to create strong, unique passwords.

Practice exercises

Reading about red flags is not the same as spotting them. Train the reflex on your own inbox — 15 minutes total.

Exercise 1 (5 min): Open your five most recent emails from companies (not people). For each, reveal the real sender address and compare it against the company's actual domain. You are building the single most valuable habit in email security.

Exercise 2 (5 min): In two newsletters or promotional emails, hover over every link (or long-press on mobile) without clicking. Read the true destination and identify the registered domain, the label just before the public suffix (.com, .ru, .co.uk). Note how often it differs from the visible link text; tracking links in legitimate newsletters often do, which is exactly why you check the destination rather than the text.

Exercise 3 (5 min): Find your email provider's Report phishing button right now (Gmail: three-dot menu → Report phishing; Outlook: Report → Phishing). Knowing where it is before you need it means you will actually use it — and each report trains the filters protecting everyone else.

Test yourself

Answer from memory first, then check yourself against the answer.

Q1. What is the single most reliable way to unmask a phishing email?

Check the real sender address, not the display name — 'PayPal' from security@paypa1-support.xyz is a fake. On mobile, tap the sender's name to reveal the actual address.

Q2. How do you find where a link really leads without clicking it?

Hover over it on desktop and read the URL preview in the corner; long-press on mobile. Then find the registered domain: the label just before the public suffix (.com, .ru, .co.uk). bank.com.verify.ru belongs to verify.ru, not your bank.

Q3. You clicked a phishing link and entered your password. What now?

Change that password immediately on the real site, change it anywhere else it was reused, enable two-factor authentication, and report the email. Speed matters — automated attacks use stolen credentials within hours.