In our last guide, What is Phishing?, we explained how hackers use deceptive messages to trick you into giving up your sensitive information. Now, it’s time to move from theory to practice.
How do you identify these malicious emails in your own inbox?
The good news is that most phishing attacks aren’t as clever as they seem. They often contain tell-tale signs and common red flags. This guide will teach you the seven most important things to look for.
The Ultimate Checklist: 7 Phishing Red Flags
Train yourself to look for these signs before you ever click a link or download an attachment.
1. A Mismatched or Suspicious Sender Address
This is the fastest giveaway. Attackers can fake the sender’s name, but they can’t always fake the email address. Hover your mouse over the sender’s name to reveal the full address. A real email from Microsoft won’t come from secure-alert123@hotmail.com. Look for misspellings as well (e.g., support@paypaI.com, with a capital “i” instead of an “L”).
2. A Sense of Urgency or Threats
Phishing emails try to make you panic so you act without thinking. They use phrases designed to trigger an emotional response:
- “Immediate Action Required!”
- “Your Account Will Be Closed in 24 Hours!”
- “Suspicious Activity Detected on Your Account!”
Legitimate companies rarely create this kind of pressure.
3. Generic Greetings
A real email from your bank, a service you subscribe to, or your workplace will almost always use your name. A generic greeting like “Dear Valued Customer,” “Hello User,” or “Dear Account Holder” is highly suspicious.
4. Poor Spelling and Grammar
While anyone can make a small typo, an email filled with obvious grammatical errors or awkward phrasing is a massive red flag. Large corporations have professional communication teams who proofread their messages.
5. Links That Don’t Match (The Hover Test)
This is the single most effective test. Hover your mouse over any link before you click it. A small box will pop up showing the link’s true destination. If the link text says “Click here to log into your bank,” but the preview shows a strange, unrelated URL, you have spotted a phish.
6. Unexpected Attachments
Be extremely cautious of any email with an attachment you weren’t expecting, even if it seems to be from someone you know. Never open attachments that end in .exe or .zip, or that are invoices for products you never purchased.
7. Requests for Personal Information
This is the golden rule: Legitimate organizations will never ask you to provide your password, full credit card number, or other highly sensitive data via email. There is no legitimate reason for them to do so.
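The seven checks above can be mechanised, which is what a mail gateway or a SOC triage script does. The Python script below is an added example and is not part of the original post: it parses a raw email with the standard library and reports which red flags trip. The phrase lists, the brand-to-domain table, the homoglyph folding that catches the paypaI.com case, the bare-IP link rule and the sample message are all constructed assumptions, and it goes slightly beyond the text by also comparing the sender's domain to the brand named in the display name. Spelling and grammar (flag 4) are left to the human reader.

```python
"""Score a raw email against the checklist's red flags. Added example; the
phrase lists, brand table, homoglyph folding and sample message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("immediate action required", "in 24 hours", "will be closed", "suspicious activity")
GENERIC_GREETINGS = ("dear valued customer", "hello user", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".zip", ".scr", ".js")
SENSITIVE_REQUESTS = ("password", "credit card number", "social security number")
# Assumed table: brand named in the display name -> the domain it really mails from.
BRAND_DOMAINS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "netflix": "netflix.com"}
# Good enough for mail bodies in this example; a real filter would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """'mail.example.com' -> 'example.com' (ignores multi-label public suffixes)."""
    labels = host.lower().strip("[]").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def fold_homoglyphs(domain):
    """Fold look-alike characters so 'paypaI.com' (capital i) reads as 'paypal.com'."""
    return domain.replace("I", "l").lower().replace("1", "l").replace("0", "o")


def analyze(raw):
    """Return {flag: bool}; spelling and grammar (flag 4) are left to the human reader."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2]
    sender_reg = registered_domain(sender_domain)
    # Flag 1: the display name claims a brand but the address is another or a look-alike domain.
    brand_domain = next((d for b, d in BRAND_DOMAINS.items() if b in display.lower()), None)
    sender_mismatch = brand_domain is not None and sender_reg != brand_domain
    lookalike = sender_mismatch and registered_domain(fold_homoglyphs(sender_domain)) == brand_domain

    body, links, attachments = [], [], []
    for part in msg.walk():  # one pass over the MIME tree: text, links, attachment names
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            if part.get_content_type() == "text/html":
                links.extend((re.sub(r"<[^>]+>", "", shown).strip(), href)
                             for href, shown in ANCHOR.findall(text))
                text = re.sub(r"<[^>]+>", " ", text)  # strip tags before phrase matching
            body.append(text)
    text = " ".join(body).lower()
    subject = msg.get("Subject", "").lower()

    # Flag 5, the hover test mechanised: what the link text shows vs. where the href really goes.
    link_mismatch = False
    for anchor_text, href in links:
        host = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^\s/]+)", anchor_text)
        bare_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            link_mismatch = True  # text displays one URL, href goes elsewhere
        elif bare_ip or (brand_domain and registered_domain(host) not in (brand_domain, sender_reg)):
            link_mismatch = True  # login page on a bare IP, or "PayPal" mail linking off-brand

    return {
        "sender_mismatch": sender_mismatch,
        "lookalike_domain": lookalike,
        "urgency": any(p in subject or p in text for p in URGENCY),
        "generic_greeting": any(g in text for g in GENERIC_GREETINGS),
        "link_mismatch": link_mismatch,
        "risky_attachment": any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments),
        "asks_for_secrets": any(s in text for s in SENSITIVE_REQUESTS),
    }


# Constructed sample (not a real phish) that trips most of the flags at once.
SAMPLE = """\
From: "PayPal Support" <service@paypaI.com>
To: user@example.com
Subject: Immediate Action Required!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Valued Customer,</p><p>Suspicious activity detected on your
account. Confirm your password in 24 hours or your account will be closed.</p>
<p><a href="http://198.51.100.7/login">Click here to log into your account</a></p></body></html>
--b1
Content-Type: application/zip; name="Invoice.zip"
Content-Disposition: attachment; filename="Invoice.zip"

(zip bytes omitted)
--b1--
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Running it prints a dict in which every flag is True for the sample; a plain message from a colleague, or a genuine PayPal receipt linking to paypal.com, trips none of them. Treat the output as triage, not a verdict: legitimate marketing mail routinely links through tracking domains, which the off-brand link rule will count as a mismatch.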
Real-World Phishing Attack Examples
- The Fake Invoice Scam: You get an email with an invoice for an expensive item from Amazon or Apple. Panicked that you were wrongly charged, you click the link to “View or Cancel Order,” which leads to a fake login page.
- The “Problem with Your Account” Scam: An email from “Netflix” or “PayPal” claims there’s an issue with your payment. It provides a convenient link to update your details, which directs you to a fraudulent site to steal your credit card information.
- The Shipping Notification Scam: A message from “FedEx” or “DHL” says they have a package for you, but you need to click a link to schedule the delivery or pay a small customs fee. The link is malicious.
Conclusion: Trust Your Gut and Verify
You are your own best defense against phishing. The core lesson is to cultivate a habit of healthy skepticism. If an email, text, or phone call feels wrong, it probably is.
When in doubt, never click the link. Instead, open a new browser window and go directly to the official website yourself to check for any real alerts in your account.