
How to Spot a Phishing Email: A Practical Field Guide

Phishing runs on urgency and misplaced trust, not technical wizardry. Here are the concrete red flags to check, a quick checklist, and what to do if you clicked.

[Image: lines of green code on a dark computer screen. Photograph via Unsplash]

The mental image most people have of a hacker is someone hunched over a keyboard, breaking through firewalls in a dark room. The reality is far more mundane and far more effective: most break-ins start with a polite email asking you to do something. Phishing doesn't pick the lock. It knocks on the door, wearing a convincing uniform, and waits for you to open it.

That's the thing worth internalising. Phishing is a confidence trick first and a technical exercise a distant second. The attacker's real tools are urgency, authority, and your own helpful instincts. Once you understand that, the defence stops being about technical expertise and becomes a set of habits anyone can build. This is a field guide to the red flags — what to look for, in the order you'll usually notice it.

The two emotions every phishing email tries to trigger

Almost every phishing message is engineered to provoke one of two feelings: fear or eagerness. Fear sounds like your account has been suspended, unusual sign-in detected, your payment failed and your service ends today. Eagerness sounds like you've won, here's your refund, the invoice you were waiting for is attached.

Both work by short-circuiting the pause where you'd normally think. A scammer doesn't want you to reflect — they want you anxious or excited enough to click before the rational part of your brain catches up. So the single most useful habit you can build is noticing the feeling itself. When an email makes your stomach drop or your eyes light up, treat that reaction as the alarm. Slow down precisely when the message is pushing you to speed up.

If a message insists you must act right now or face some immediate consequence, that urgency is not a coincidence. It's the attack. Legitimate organisations give you time. Scammers can't afford to.

The red flags, in the order you'll spot them

You don't need to catch every sign — catching one is usually enough to junk the message. Work down the email roughly in this order.

Look at the actual sender address, not the display name

The name shown at the top of an email is just a label, and anyone can type anything there. An email can say "PayPal Security" while the real address behind it is paypa1-secure@mail-update.ru. On a phone this is partly hidden, so tap the sender name to expand the full address before you trust anything.

Watch for near-misses: a real domain with one letter swapped (micros0ft.com), a brand name shoved into a subdomain of somewhere unrelated (apple.com.account-verify.info — the real domain there is account-verify.info, not Apple), or a free webmail address claiming to be a bank.

The text of a link can say one thing while the link points somewhere else entirely. On a computer, hover your mouse over any link and read the real destination that appears at the bottom of the screen. On a phone, press and hold the link to preview where it goes.

If the visible text says your bank's name but the address underneath is a string of random characters or an unfamiliar domain, that's your answer. When in doubt, don't click at all — open a new browser tab and type the company's address in yourself. It takes ten extra seconds and bypasses the trap entirely.
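To make the sender and link checks above concrete, here is an added Python example (not from the article) that runs them over a constructed message built from the article's own examples. The brand list, the "last two labels are the real domain" rule and the digit-for-letter lookalike rule are simplifying assumptions for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (not from the article), reusing its spoofed display name,
# digit-swap address and brand-in-subdomain link.
SAMPLE = """\
From: "PayPal Security" <paypa1-secure@mail-update.ru>
Content-Type: text/html

<p>Dear Valued Customer,</p>
<p><a href="https://apple.com.account-verify.info/login">https://www.paypal.com/signin</a></p>
"""
BRANDS = ("paypal", "apple", "microsoft")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    # Assumption: last two labels are the real domain (ok for .com/.info/.ru;
    # production code should consult the Public Suffix List for co.uk etc.).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike_brand(token):
    # 'paypa1' and 'micros0ft' read as the real brand once 1->l and 0->o.
    fixed = token.translate(str.maketrans("10", "lo"))
    return fixed if fixed in BRANDS and fixed != token else None

def name_flags(name, where):
    # Check each token of an address or hostname for digit-swap lookalikes and
    # for a brand name sitting in a subdomain of an unrelated real domain.
    flags, reg = [], registrable_domain(name.rpartition("@")[2])
    for token in re.split(r"[^a-z0-9]+", name.lower()):
        if lookalike_brand(token):
            flags.append(f"{where}: '{token}' is a lookalike of {lookalike_brand(token)}")
        elif token in BRANDS and token not in reg:
            flags.append(f"{where}: '{token}' appears but real domain is {reg}")
    return flags

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    reg = registrable_domain(addr.rpartition("@")[2])
    flags = name_flags(addr, "sender")
    for brand in BRANDS:
        if brand in display.lower() and brand not in reg:
            flags.append(f"sender: display name claims {brand} but real domain is {reg}")
    for href, text in ANCHOR.findall(msg.get_payload()):
        host = urlparse(href).hostname or ""
        flags += name_flags(host, "link")
        if "://" in text:  # visible text is itself a URL: compare the two domains
            shown = registrable_domain(urlparse(text.strip()).hostname or "")
            if shown != registrable_domain(host):
                flags.append(f"link: text shows {shown} but points to {registrable_domain(host)}")
    return flags
```

Running `triage(SAMPLE)` produces four flags: the digit-swap local part, the display name that doesn't match the .ru domain, the Apple brand sitting in a subdomain of account-verify.info, and the link whose text shows paypal.com but points elsewhere.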

Notice generic or oddly formal greetings

A company you actually have an account with usually knows your name. "Dear Valued Customer" or "Dear user" is a sign the sender is blasting the same message to thousands of addresses and has no idea who you are. It's not proof on its own — some real newsletters do it too — but combined with anything else on this list, it's telling.

Be suspicious of unexpected attachments

An invoice you weren't expecting, a "delivery notice" as a file, a document you're told to "enable editing" to view — attachments are a classic delivery method for malware. Be especially wary of file types like .zip, .html, or anything that asks you to enable macros or content after opening. If you didn't ask for a file and don't recognise the context, don't open it.

Watch the writing itself

Obvious spelling and grammar mistakes are a well-known giveaway, though scammers have got better and the polished ones now read fine. More reliable is tone that's slightly off — a bank that suddenly sounds threatening, a colleague writing in a stiff, formulaic way they never normally use, a request that doesn't quite match how that organisation usually talks to you.

Treat any request for your password as a hard stop

This is the brightest line of all. No legitimate company will ever email you asking for your password, your full card number, or your two-factor codes. Ever. Any message that does is phishing, full stop, regardless of how convincing the rest of it looks. The same goes for a login page reached through an email link that asks you to "confirm your details."

A 20-second checklist before you act

When something feels off, run through this quickly:

  • Am I being rushed or threatened? Manufactured urgency is the most common tell.
  • Does the real sender address match who they claim to be? Expand it and check.
  • Where does the link actually go? Hover or long-press before clicking.
  • Was I expecting this? An unexpected attachment or login request earns extra suspicion.
  • Is it asking for credentials? If yes, it's phishing. Stop.

If a message trips even one of these, the safe move is the same: don't click, don't reply, don't open. Go to the company's website directly, or phone them using a number from their official site — never a number printed in the suspicious email itself.

What to do if you already clicked

Everyone slips eventually, often on a tired afternoon when a message lands at just the wrong moment. If you clicked a link or, worse, typed your details into a fake page, don't panic — act in order.

  1. Change the password on that account immediately, from a device you trust. If you reused that password anywhere else, change it there too. A password manager makes this far less painful and stops one leaked password from spreading.
  2. Turn on two-factor authentication if it isn't already on. Even if the attacker now has your password, a second factor can stop them getting in. Our plain-English guide to 2FA and passkeys walks through which kind to choose.
  3. If you entered payment details, contact your bank or card provider and tell them. They can watch for fraud or reissue the card.
  4. If it happened on a work account, tell your IT or security team right away. They'd far rather hear about it early than discover it later, and reporting it quickly is the responsible move, not an embarrassing one.

Staying sceptical without becoming paranoid

The goal here isn't to treat your inbox as a minefield where every message is an attack. Most email is perfectly ordinary, and living in constant suspicion is its own kind of exhausting. The aim is narrower and more achievable: build a small reflex that fires when a message tries to rush you, scare you, or extract something from you.

That reflex — pause, check the sender, check the link, never hand over a password — costs you a few seconds on the rare emails that warrant it and nothing at all on the ones that don't. Phishing relies on people not taking those few seconds. Taking them is, quietly, most of the defence.

Written by Daniel Okafor

Daniel is a writer and former IT consultant who has set up more laptops, backup routines, and password managers than he can count. He explains technology the way he wishes someone had explained it to him: plainly, with the trade-offs left in. He reviews every tool on his own devices before recommending it.
