What are signs of a phishing email?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've probably clicked on one before. Most people have. That's not failure: modern phishing emails are well-crafted and specifically designed to look like messages you'd normally act on. Knowing the warning signs doesn't make you immune, but it slows you down long enough to check.

Start with the sender address, not just the display name. "PayPal Customer Service" can be set to anything. The actual sending address is what matters. An email claiming to be from PayPal sent from paypa1-support.net is a phishing attempt. Hover over the "From" field or view the message headers to see the real address. Look for slight misspellings, extra characters, or unexpected domains.

Pressure tactics are a reliable red flag. "Your account will be suspended in 24 hours." "Unusual activity detected, act immediately." "You owe a balance that must be paid today." Legitimate services don't need to threaten you to get your attention. When urgency is manufactured, that's usually the point: to stop you from thinking clearly enough to check whether the email is real.

Requests for credentials or payment outside normal processes are almost always phishing. Your bank won't ask you to confirm your card number by replying to an email. Your IT department doesn't email you a login link out of nowhere and ask for your password. Legitimate services have authenticated portals. They don't need your credentials via email.

Check where the links actually go. Hovering over a link (without clicking) shows the destination URL in most email clients. If the email claims to be from Microsoft but the link goes to microsoft-account-verify.ru, that's your answer.

For organizations concerned about phishing targeting their staff or impersonating their brand, DMARC enforcement is the technical control that stops attackers from sending email that looks like it comes from your domain.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Build a phishing awareness training plan

I want to improve phishing awareness for myself or my team. Here's my situation: - Whether this is for personal awareness or employee training: personal / team training - Team size (if training): number - Biggest concern: [clicking links / credential theft / wire fraud / impersonation] - Whether we've been targeted before: yes / no / not sure - Current awareness training in place: none / annual / regular / ad-hoc Give me the most important phishing warning signs to train on, with examples relevant to our context.

Edit the yellow boxes, then send to the AI of your choice.