How to Spot a Phishing Email
This guide explains how to identify a phishing email before any link is clicked or credential is entered, so that a fraudulent message is recognized and reported rather than acted on. The result is the ability to read a message against a fixed checklist of warning signs and to respond safely when a message fails the check. A phishing email impersonates a trusted sender to trick the reader into revealing credentials, sending payment, or opening malware, and it almost always carries several detectable signs at once.
The guide presents seven warning signs as a checklist: a mismatched sender address, a generic greeting, urgent or threatening language, suspicious links, unexpected attachments, requests for credentials or payment, and grammar or branding errors. Each sign names exactly what to inspect.
A phishing email differs from ordinary spam because it aims to steal rather than merely advertise. Read every message against the full checklist, because a convincing phishing email may pass one test while failing another.
What You Need to Spot a Phishing Email
Spotting a phishing email requires the checks and habits below before any link is clicked. Apply each one to every unexpected message that requests action.
- The full sender email address. The address behind the display name reveals whether the sender domain matches the real organization.
- A link preview by hovering. Hovering over a link shows the real destination URL before any click.
- The email header details. The header shows the true sending server and whether the domain passed authentication checks.
- A separate verification channel. A saved phone number or bookmarked site confirms a request without using the email itself.
- A report option in the email client. The report phishing button sends the message to the provider and removes it.
Check for a Mismatched or Spoofed Sender Address
Checking the sender address reveals whether the message truly comes from the organization it claims. A phishing email often shows a trusted display name over a domain that does not match.
- Expand the sender field to see the full email address behind the display name.
- Compare the domain after the @ symbol with the official domain of the organization.
- Watch for look-alike domains that swap or add characters, such as a zero for an O or an extra word.
- Treat a free webmail address claiming to be a bank or company as a strong warning sign.
- Open the email header to confirm the sending server and the authentication result when the address looks borderline.
A spoofed sender is the foundation of most phishing, because the whole message depends on looking like a trusted source. The wider mechanics of this deception are covered in the overview of what phishing is.
Watch for a Generic Greeting
Watching for a generic greeting flags a message sent to many recipients rather than to one named account holder. A real organization usually addresses the account holder by name.
- Treat Dear Customer as a warning sign. A generic greeting suggests a bulk message rather than one tied to a real account.
- Note a missing name on an account message. A bank or service that holds the real name rarely omits it on a genuine alert.
- Watch for the email address used as the name. A greeting that inserts the email address signals an automated bulk send.
- Weigh the greeting with other signs. A generic greeting alone is weak evidence but strengthens a case built with other warning signs.
Identify Urgent or Threatening Language
Identifying urgent or threatening language reveals the pressure tactic phishing uses to force a fast reaction. Urgency aims to stop the reader from checking the message carefully.
- Notice account suspension threats. A claim that an account closes within hours pressures an immediate, unverified click.
- Notice fake security alerts. A warning of a breach that demands a password reset through the email link is a common tactic.
- Notice unexpected reward or refund claims. A surprise prize or refund that requests details is designed to trigger a quick response.
- Pause on any deadline. A genuine organization allows time and offers a way to verify outside the email itself.
Inspect Suspicious Links Before Clicking
Inspecting a link before clicking reveals the real destination, which often differs from the text shown. Hovering over a link displays the true URL in the status bar or a tooltip.

- Hover the cursor over the link without clicking and read the URL that appears.
- Compare the domain in the real URL with the official domain of the organization.
- Watch for a different domain hidden behind familiar link text or a shortened URL.
- Check for a misspelled or extra-word domain that imitates the real one.
- Open the site by typing the known address directly instead of clicking the link.
The visible link text can show one address while the real URL points to another. Typing the known address directly avoids the link entirely and defeats this technique.
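As an added example (not part of the original guide), the sender-address, authentication and link checks from this section and the sender section above, scripted in Python over a constructed sample message; the official domain, the sample headers and the digit-for-letter swap list are assumptions made for the demo.

```python
import re
from email import message_from_string, policy, utils
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "examplebank.com"  # assumed official domain of the impersonated organization

# Constructed sample message for the demo; not a real phishing email.
RAW_MESSAGE = """\
From: "Example Bank Support" <alerts@examp1ebank.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=examp1ebank.com; dkim=none
Content-Type: text/html

<p>Dear Customer, verify now:
<a href="http://examplebank.com.verify-login.xyz/">https://www.examplebank.com/login</a></p>
"""

# Crude anchor extractor yielding (href, visible text); enough for the demo, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    """Last two labels of a hostname: 'examplebank.com.verify-login.xyz' -> 'verify-login.xyz'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def looks_alike(domain, official):
    """True when the domain equals the official one only after undoing digit-for-letter swaps."""
    swaps = str.maketrans({"0": "o", "1": "l"})  # assumed swap list; extend as needed
    return domain != official and domain.translate(swaps) == official

def check_email(raw):
    """Run the sender, authentication and link checks; return a list of warning strings."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    _, addr = utils.parseaddr(msg["From"] or "")  # the address behind the display name
    sender = addr.rsplit("@", 1)[-1].lower()
    if sender != OFFICIAL_DOMAIN:
        kind = "look-alike" if looks_alike(sender, OFFICIAL_DOMAIN) else "mismatched"
        warnings.append(f"{kind} sender domain: {sender}")
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        warnings.append("sender authentication did not pass")
    body = (msg.get_body(preferencelist=("html",)) or msg).get_content()
    for href, text in ANCHOR_RE.findall(body):
        real = registrable_domain(urlparse(href).hostname or "")
        shown_host = urlparse(text.strip()).hostname
        if real != OFFICIAL_DOMAIN or (shown_host and registrable_domain(shown_host) != real):
            warnings.append(f"link text '{text.strip()}' points to {real}")
    return warnings

if __name__ == "__main__":
    print(*check_email(RAW_MESSAGE), sep="\n")
```

The sample trips all three checks at once, which is the point of reading a message against the whole checklist rather than a single sign.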
Be Wary of Unexpected Attachments
Treating an unexpected attachment with caution prevents malware from running on the device. Phishing emails deliver malicious files disguised as invoices, receipts, or documents.
- Distrust attachments from unknown senders. An unexpected file from an unfamiliar address is a common malware delivery method.
- Watch for risky file types. An .exe, .scr, or macro-enabled Office file can run code when opened.
- Question an attachment that asks to enable content. A document prompting macros to be enabled often hides malicious code.
- Verify before opening. Confirm an unexpected attachment with the sender through a separate channel before opening it.
An opened malicious attachment can install malware that steals data or locks files. Removing such an infection is covered in the guide to remove malware from a PC.
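An added example (not the guide's own code) that applies the attachment checks from this section in Python: it flags the risky extensions the guide names, double extensions such as invoice.pdf.exe, and macro-enabled Office files in a constructed message. The risky-extension list and the placeholder attachments are assumptions; the macro check relies on the vbaProject.bin entry that Office Open XML files use to store VBA.

```python
import io
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions the guide names as able to run code when opened (assumed list; extend as needed).
RISKY_EXTENSIONS = {".exe", ".scr", ".docm", ".xlsm", ".pptm"}

def has_vba_macros(data):
    """Office Open XML files are zip archives; a vbaProject.bin entry means the document carries macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.endswith("vbaProject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False

def check_attachments(raw):
    """Return one finding per risky attachment in a raw RFC 822 message string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = ["." + piece for piece in name.split(".")[1:]]
        if len(exts) > 1:
            findings.append(f"{name}: double extension disguises the real type")
        if exts and exts[-1] in RISKY_EXTENSIONS:
            findings.append(f"{name}: {exts[-1]} files can run code when opened")
        data = part.get_content()  # bytes for application/* parts, str for text parts
        if isinstance(data, bytes) and has_vba_macros(data):
            findings.append(f"{name}: contains VBA macros (expect an 'enable content' prompt)")
    return findings

def build_sample_message():
    """Constructed sample: a macro-enabled Word file and a double-extension executable (placeholders, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/vbaProject.bin", b"\x00placeholder, not a real macro project")
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(b"MZ placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="receipt.pdf.exe")
    return msg.as_string()

if __name__ == "__main__":
    print(*check_attachments(build_sample_message()), sep="\n")
```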
Question Requests for Credentials or Payment
Questioning any request for credentials or payment stops the core goal of most phishing. A legitimate organization does not ask for a password or payment details through an email link.
- Never enter a password from an email link. A login page reached through an email link can be a fake built to capture credentials.
- Refuse requests for full card or bank details. A genuine institution does not collect full payment details by email.
- Distrust requests for one-time codes. A message asking for a verification code aims to defeat two-factor authentication.
- Reject pressure to bypass normal channels. A request to pay or share details outside the usual process is a strong fraud signal.
Credentials entered on a fake page hand an attacker direct account access. A second login step limits the damage, as covered in the guide to set up two-factor authentication.
Spot Grammar and Branding Errors
Spotting grammar and branding errors reveals a message that did not come from the organization it imitates. Professional senders proofread and use consistent branding.

- Notice spelling and grammar mistakes. Frequent errors in an official-looking message suggest a fraudulent source.
- Compare the logo and formatting. A stretched logo, wrong colors, or off layout signals an imitation of the real brand.
- Check the signature and contact details. A missing or inconsistent signature block differs from genuine correspondence.
- Read the tone against past messages. A tone that differs from the organization’s usual style is a warning sign.
What to Do With a Suspected Phishing Email
Responding correctly to a suspected phishing email removes the threat and warns the provider. The safe response avoids the links and verifies any real request separately.
- Do not click any link, open any attachment, or reply to the message.
- Use the report phishing option in the email client to send the message to the provider.
- Verify any real-seeming request by contacting the organization through a known phone number or a bookmarked site.
- Delete the message after reporting it.
- Change the password and review two-factor authentication if a link was already clicked or details entered.
Reporting a phishing email helps the provider block similar messages to other users. The broader habits that reduce exposure appear in the overview of online safety for beginners.
Common Mistakes to Avoid
- Trusting the display name alone. The display name is easily faked; the full sender address behind it must be checked.
- Clicking a link to verify a claim. A link must be inspected by hovering, and the site reached by typing the known address instead.
- Entering a password from an email link. A login page reached through an email can be a fake built to capture credentials.
- Opening an unexpected attachment. An attached file can run malware, so it must be verified with the sender first.
- Acting on urgency without checking. Urgent deadlines are a pressure tactic; a genuine request allows time to verify.
Key Takeaways
- Check the full sender address. A mismatched or look-alike domain behind a trusted display name is a primary warning sign.
- Hover before clicking any link. The real URL often differs from the text, so typing the known address is safer.
- Treat urgency as a tactic. Threats and deadlines pressure a fast, unverified reaction that phishing depends on.
- Never enter credentials from an email link. A genuine organization does not request passwords or payment through email.
- Report, verify, and delete. Report the message, confirm any real request through a known channel, and delete it.
What is the first sign of a phishing email?
The sender address is the first sign to check. A trusted display name often hides a mismatched or look-alike domain. The domain after the @ symbol must match the real organization.
How do I check if a link in an email is safe?
Hover the cursor over the link without clicking and read the real URL that appears. Compare its domain with the official one. Open the site by typing the known address instead of clicking.
Should I open an attachment from a suspicious email?
No. An unexpected attachment can run malware, especially .exe, .scr, or macro-enabled files. Verify the attachment with the sender through a separate channel before opening it.
What should I do if I clicked a phishing link?
Change the password for the affected account immediately and review two-factor authentication. Run a malware scan if a file was downloaded, and watch the account for unauthorized activity.
Why do phishing emails create a sense of urgency?
Urgency stops the reader from checking the message carefully. Threats of account closure or fake security alerts pressure a fast, unverified click. A genuine request allows time to verify.
How do I report a phishing email?
Use the report phishing option in the email client, which sends the message to the provider and removes it. Then verify any real request through a known channel and delete the message.
Last Thoughts on Spotting a Phishing Email
A phishing email is spotted by reading it against a fixed checklist: a mismatched sender address, a generic greeting, urgent language, suspicious links, unexpected attachments, requests for credentials or payment, and grammar or branding errors. A convincing message may pass one test while failing another, so the full checklist matters, and the safe response is to report, verify separately, and delete. The mechanics behind this deception are covered in the overview of what phishing is.
Adding a second login step that limits the damage of a stolen password is covered in the guide to set up two-factor authentication, and the wider habits that reduce exposure appear in the overview of online safety for beginners. The collected security guides sit on the PC tutorials hub.