🎣 How to Spot Phishing Emails: Red Flags, Real Examples, and What to Do

You're not careless for almost clicking that urgent email from your bank. Phishing attacks fool security professionals, executives, and everyday people every single day because they're designed to bypass your common sense by triggering fear, urgency, or curiosity. This guide shows you exactly what to look for, walks through real examples, and tells you what to do if you've already clicked—no judgment, just practical help.

TL;DR: Quick Protection Summary

What Phishing Is (In Plain English)

Phishing is a digital con game where attackers send fake emails, texts, or calls pretending to be someone you trust—your bank, your boss, a delivery company, or a popular website. The goal is stealing passwords, financial information, or access to your accounts by making you act before you think.

Attackers use phishing because it works and requires no technical skills. Instead of hacking through security systems, they hack human psychology with urgency, authority, or fear.

Quick distinctions:

The Top Red Flags (and Why They Work)

These warning signs appear in almost every phishing attempt. Attackers count on you being busy, distracted, or trusting—but knowing these patterns gives you the advantage.

1. Mismatched Sender Name vs. Email Domain

Red flag: Display name says "PayPal Security" but the actual email address is customer-verify@paypa1-secure.net

FLAG: Look at the domain after the @ symbol, not the display name

What to do: Hover over the sender's name (don't click) to reveal the real email address. Legitimate companies use their own domains consistently.

2. Urgent or Threatening Tone

Red flag: "Your account will be CLOSED in 24 hours!" or "Immediate action required to avoid penalties"

Why it works: Urgency bypasses your critical thinking and creates panic

What to do: Legitimate companies don't threaten closure via email. Log into your account directly through the official app or website (not email links) to check.

3. "Verify Your Account" or Password Reset You Didn't Request

Red flag: "We detected unusual activity. Click here to verify your identity and restore access."

Why it works: Combines urgency with a helpful-sounding action

What to do: Never click verification links in unsolicited emails. Go directly to the service's website or app yourself.

4. Unexpected Attachments

Red flag: "Your invoice is attached" when you haven't ordered anything, or "Resume.pdf.exe" with a double extension

FLAG: The final .exe extension means the file is an executable program, not a document

What to do: Don't open attachments you weren't expecting. Contact the sender through a known channel to verify.

5. Shortened or Obfuscated Links

Red flag: Links using bit.ly, tinyurl, or long strings of random characters that hide the real destination

Spot it: Hover over any link (don't click) to see where it actually goes. Look for misspellings or odd domains.

6. Typosquatting Domains

Red flag: amazom.com, paypa1.com (number 1 instead of letter L), or micros0ft.com (zero instead of O)

Why it works: Your brain autocorrects minor misspellings when you're reading quickly

What to do: Read domains character by character, especially before entering passwords.

7. Requests for Gift Cards or Wire Transfers

Red flag: "Buy gift cards and send photos of the codes" or "Wire payment to this account immediately"

Why it works: These payment methods can't be reversed or traced

What to do: No legitimate business or government requests payment via gift cards. This is always a scam.
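As an added illustration of red flags 1 and 6 (not code from the original guide), here is a small Python checker that takes a From: header and reports a display name that names a brand the domain doesn't belong to, digit-for-letter lookalikes such as paypa1 and micros0ft, and one-character typosquats such as amazom. The brand allow-list and the sample addresses are constructed for the example; a real deployment would use your own list of expected sender domains.

```python
from email.utils import parseaddr

# Constructed allow-list for this example: brands and the domains they really send from.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "fedex": {"fedex.com"},
    "amazon": {"amazon.com"},
    "microsoft": {"microsoft.com"},
}

# Digit-for-letter swaps the eye autocorrects when reading quickly (red flag 6).
LOOKALIKE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable_domain(address: str) -> str:
    """Last two labels of the domain after '@' (naive, but fine for .com/.net senders)."""
    return ".".join(address.rsplit("@", 1)[-1].lower().split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats such as amazom."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_flags(from_header: str) -> list[str]:
    """Return human-readable red flags for a From: header; an empty list means none found."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["no usable email address in From: header"]
    domain = registrable_domain(address)
    label = domain.split(".")[0]                # e.g. 'paypa1-services'
    folded = label.translate(LOOKALIKE_DIGITS)  # e.g. 'paypal-services'
    flags = []
    for brand, real_domains in KNOWN_BRANDS.items():
        if domain in real_domains:
            continue  # genuine sender domain for this brand, nothing to flag
        if brand in display.lower():
            flags.append(f"display name mentions '{brand}' but domain is {domain} (red flag 1)")
        if brand in label:
            flags.append(f"{domain} contains '{brand}' but is not an official {brand} domain (red flag 1)")
        elif brand in folded:
            flags.append(f"{domain} uses digits to imitate '{brand}' (red flag 6)")
        elif edit_distance(label, brand) == 1:
            flags.append(f"{domain} is one character away from '{brand}' (red flag 6)")
    return flags
```

Run it on the three example senders later in this guide to see each flag fire; a genuine `service@paypal.com` sender returns no flags.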

Realistic Phishing Email Examples (Annotated)

Example 1: "Your Account Will Be Locked" (Payment Service Phishing)

From: PayPal Security <noreply@paypa1-services.net>

FLAG: Domain is paypa1 with number 1, not paypal.com

Subject: Urgent: Verify Your Account Within 24 Hours

Body:

Dear Valued Customer,

We have detected unusual activity on your PayPal account and have temporarily limited access to protect your security.

To restore full access, please verify your information immediately:
[Verify Account Now]

Failure to complete verification within 24 hours will result in permanent account closure.

Thank you for your immediate attention.
PayPal Security Team

FLAG: Generic greeting "Valued Customer" instead of your name
FLAG: Creates urgency and fear with "24 hours" deadline
FLAG: Button links to paypal-verify-secure.com, not paypal.com
FLAG: Unrealistic consequence ("permanent account closure")

What to do now:

  1. Don't click the link or button
  2. Open PayPal's official app or type paypal.com directly in your browser
  3. Log in and check for any actual security alerts or messages
  4. Report the email using PayPal's phishing report feature
  5. If you already clicked, change your password immediately and enable two-factor authentication

Example 2: "Delivery Attempt Failed" (Package Scam)

From: FedEx Delivery Service <delivery-notify@fedx-tracking.com>

FLAG: Domain is fedx, not fedex.com

Subject: Delivery Attempt Failed – Action Required #8847293

Tracking Number: FX8847293LP

We attempted to deliver your package on October 15, 2025, but no one was available to sign.

Your package contains: [1 item]

To reschedule delivery, please confirm your shipping address and identity:
[Confirm Delivery Details]

Your package will be returned to sender if not claimed within 48 hours.

Attachment: Delivery_Invoice.pdf

FLAG: You didn't order anything
FLAG: Vague package description
FLAG: Link goes to fedex-rescheduling.net
FLAG: Unexpected attachment (likely malware)

What to do now:

  1. Delete the email without opening attachments
  2. If expecting a package, check tracking directly on the carrier's official website using your order confirmation
  3. Remember that real delivery services leave physical notices and send texts/emails from their verified domains
  4. Report the email to your email provider and the actual company being impersonated

Example 3: "Urgent Request from Your Boss" (CEO Fraud/BEC)

From: Jennifer Martinez <jmartinez.ceo@gmail.com>

FLAG: CEO using personal Gmail, not company domain

Subject: Urgent: Need Your Help With Something

Hi,

I'm in back-to-back meetings all day and need your help with something time-sensitive.

Can you purchase 10 Apple gift cards ($500 each) for client gifts? I need the codes sent to me by 3 PM today.

I'll reimburse you right away once this is complete. Please don't mention this to anyone else yet as it's confidential.

Thanks,
Jennifer
Sent from my iPhone

FLAG: Gift card request is classic scam
FLAG: Secrecy prevents verification
FLAG: Generic signature with no company details

What to do now:

  1. Don't respond or purchase anything
  2. Contact your boss through a known channel (call their office number, walk to their desk, use company chat)
  3. Forward the email to your IT or security team
  4. Remember: No legitimate business transaction requires secrecy or personal gift card purchases

Common Password Mistakes (Q&A to Help Real People)

Is it really that bad to reuse the same password?

Yes, because if one website gets breached, attackers try that same password on every major site (email, banking, social media). One compromised password can cascade into complete identity theft.

Do this next: Use a password manager to generate and store unique passwords for every account. Start with your email, banking, and most-used accounts first.

What's a strong passphrase and how do I make one I won't forget?

A passphrase is a string of random words that's easy to remember but hard to crack: correct-horse-battery-staple or blueWhale!Jumps72Mountains. It's longer than a typical password, and every extra character multiplies the number of guesses an attacker has to make, which makes it far more secure.

Do this next: Create a passphrase using 4-5 unrelated words, mix in numbers and symbols, and store it in your password manager.

Should I change my password if I clicked a suspicious link?

Yes, immediately. Even if you didn't enter your password on the fake site, malware might have been downloaded that could capture keystrokes.

Do this next: Change your password from a trusted device, enable two-factor authentication on the account, and run a full malware scan.

Are password managers safe and how do I start?

Password managers are significantly safer than reusing passwords or writing them down. They encrypt your passwords with a master password only you know. Even if the company's servers are breached, attackers get encrypted data they can't read without your master password.

Do this next: Choose a reputable password manager, create a strong master passphrase, and start by saving passwords for your 5-10 most important accounts.

What To Do If You Already Clicked (Step-by-Step)

Don't panic. Taking these steps immediately can prevent or limit damage.

1. Disconnect from the network

If you're on suspicious Wi-Fi or just clicked a link, switch to cellular data or disconnect entirely to stop potential malware from spreading or communicating with attackers.

2. Close the tab or app immediately

Don't enter any more information. Close the browser tab or app you opened from the phishing message. Don't try to "fix" anything on the fake site.

3. Change your password from a known-good device

Use a different device (your phone if you clicked on your computer, or vice versa) or wait until after running a security scan. Change the password for the account the phishing email targeted.

4. Enable two-factor authentication

Turn on 2FA for the affected account immediately. This adds a second barrier even if attackers have your password. Follow our complete 2FA setup guide.

5. Run a full antivirus and malware scan

Use your installed security software to scan your entire system. If you don't have one, download reputable antivirus software from the official website (not from a link someone sent).

6. Review recent account activity and revoke unknown sessions

Log into each account (email, banking, social media) and check for:

Revoke access to any sessions or devices you don't recognize.

7. Enable account alerts and review recovery options

Turn on notifications for login attempts, password changes, and suspicious activity. Update your recovery email and phone number to ensure you control account recovery.

8. Report the phishing message

Forward the phishing email to your email provider, IT department, or security team. Include original headers if possible.

9. Consider credit monitoring or fraud alerts

If you entered Social Security numbers, banking information, or other sensitive financial data, contact your bank and consider placing a fraud alert with credit bureaus.

How to Report Phishing

Within your email client

Most email providers have a "Report Phishing" or "Report Spam" button:

  1. Look for three dots (...) or "More" menu next to the message
  2. Select "Report phishing" or "Report as spam"
  3. This helps train filters to catch similar attacks

To your workplace

If you received the email at work:

  1. Forward to your IT or security team immediately
  2. Don't feel embarrassed—reporting helps protect everyone
  3. Follow your company's incident reporting procedures

To authorities

Report phishing to:

Quick Checklist (Print-Friendly)

| DO | DON'T |
|---|---|
| Hover over links to check real destinations | Click links in unsolicited emails |
| Verify requests through official apps/websites | Trust "urgent" deadlines in emails |
| Use unique passwords for every account | Reuse the same password anywhere |
| Enable two-factor authentication | Share passwords with others |
| Check sender's actual email domain | Assume display names are accurate |
| Report suspicious emails immediately | Open unexpected attachments |
| Keep software and browsers updated | Enter personal data in email forms |
| Use a password manager | Write passwords in notes apps |
| Contact companies through known channels | Call phone numbers in suspicious emails |
| Trust your instincts when something feels off | Ignore red flags because you're busy |

Frequently Asked Questions

Can opening a phishing email without clicking anything infect my device?

Simply opening an email in an up-to-date email client is generally safe. The danger comes from clicking links, downloading attachments, or enabling images/remote content from unknown senders. Keep your email client and device software updated for best protection.

How do I check if an email from "Microsoft" or "Apple" is legitimate?

Never click links in the email. Instead, open the company's official app or type their website directly into your browser. Log in and check for messages or alerts there. Legitimate companies send important notifications through their apps and account portals, not just email.

What's an email header and how do I check it?

Email headers show the technical routing information behind a message, including the real sending server. Most email clients have a "Show original" or "View headers" option in the message menu. Look for mismatches between the "From" display name and the actual sending domain in the headers.

Is it safe to click "unsubscribe" in suspicious emails?

No. Clicking unsubscribe in phishing emails confirms your address is active and may lead to fake sites. Only unsubscribe from legitimate companies whose emails you recognize. For suspicious messages, mark as spam or phishing instead.

What's the difference between spam and phishing?

Spam is unwanted bulk email (usually advertising) from real companies or individuals. Phishing is fraudulent email impersonating trusted entities to steal information or money. Spam is annoying; phishing is dangerous.

Take Action Now

You've learned to recognize phishing red flags and protect yourself. Start securing your accounts today:
