Phishing — sending fake emails designed to trick you into handing over credentials or clicking malicious links — is responsible for more successful attacks than any piece of malware. It works because it targets people, not software, and people are easier to exploit than a patched operating system.

The good news: phishing emails have tells. Once you know what to look for, most of them are recognisable before you do anything dangerous.

The core technique

A phishing email impersonates someone you trust — your bank, PayPal, Amazon, Microsoft, a colleague — and creates a reason to act quickly. The urgency is deliberate: panic stops you thinking clearly.

Common scenarios:

  • “Your account has been suspended — verify now”
  • “Unusual sign-in detected — confirm your identity”
  • “Your payment failed — update your details”
  • “Invoice attached — please review”
  • “Your parcel could not be delivered — reschedule here”

The action always points somewhere they control, where they’ll capture your credentials or install something on your device.

Check the sender address carefully

The display name — the bit that shows as “PayPal” or “Microsoft Support” — can be set to anything. What matters is the actual email address.

Hover over or tap the sender name to reveal the real address. Look for:

  • Wrong domain: support@paypa1.com, amazon-security@gmail.com, noreply@microsoft-alerts.net — real companies use their own domain
  • Subtle misspellings: paypa1.com (number 1 instead of L), arnazon.com, g00gle.com
  • Legitimate-looking but wrong: billing@apple.com.support-portal.net — the actual domain here is support-portal.net, not apple.com
  • Random strings: xK7mP@accounts-secure.info — no legitimate company sends from addresses like this

If the email address doesn’t match the organisation it claims to be from, stop.

Check where links actually go

Hover over any link in the email (on desktop) without clicking. The real destination appears in your browser’s status bar or as a tooltip.

Alternatively: right-click any link and copy it, then paste it somewhere (like a notes app) to read the actual URL before going there.

Red flags in URLs:

  • Domain doesn’t match the claimed sender (amazon-security.com instead of amazon.co.uk)
  • IP address instead of a domain name (http://192.168.1.234/login)
  • Excessive subdomains used to bury the real domain (secure.verify.amazon.co.uk.malicious-site.com)
  • URL shorteners (bit.ly/...) hiding the real destination

When in doubt: don’t click the link at all. Open a new browser tab and navigate to the site directly by typing the address yourself. If there really is an issue with your account, you’ll see it when you log in normally.
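The sender-address and URL tells listed in the two sections above can be turned into a simple triage script. The following is an added example written for this page, not code from the original article: it pulls the registrable domain out of a sender address or link, compares it with the domain the email claims to be from, and reports the same tells the text describes (wrong domain, lookalike spelling, real domain buried in subdomains, bare IP address, URL shortener, random-looking local part). The public-suffix list, shortener list, lookalike folding rules and sample addresses are all assumptions constructed for illustration; production tooling should use the full Public Suffix List rather than the four-entry stand-in here.

```python
"""Heuristic checks for the phishing tells in sender addresses and links.

Added example for this article. The suffix list, shortener list and
character-folding rules are deliberately small stand-ins (assumptions);
the sample addresses and URLs are constructed, not real senders.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlparse

# Assumption: tiny stand-in for the Public Suffix List, so that
# amazon.co.uk is treated as one registrable domain, not "co.uk".
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au"}
# Assumption: a few well-known shortener hosts.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that an organisation actually registers.

    billing@apple.com.support-portal.net -> support-portal.net
    secure.verify.amazon.co.uk.malicious-site.com -> malicious-site.com
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise_lookalike(domain: str) -> str:
    """Fold common substitutions so paypa1.com and arnazon.com compare
    equal to paypal.com and amazon.com (assumed folding rules)."""
    return (domain.lower()
            .replace("rn", "m")
            .replace("vv", "w")
            .replace("1", "l")
            .replace("0", "o"))


def _buried(expected: str, host: str) -> bool:
    """True if the expected domain appears as a subdomain label run of host."""
    return f".{expected}." in f".{host}."


def domain_tells(actual: str, expected: str, what: str) -> list[str]:
    """Tells shared by sender addresses and link hosts."""
    tells = []
    if actual != expected:
        tells.append(f"{what} domain is {actual}, not {expected}")
        if normalise_lookalike(actual) == normalise_lookalike(expected):
            tells.append(f"{actual} is a lookalike of {expected}")
    return tells


def sender_tells(sender_address: str, expected_domain: str) -> list[str]:
    """Check the real address behind the display name."""
    if "@" not in sender_address:
        return ["no @ in sender address"]
    local, host = sender_address.rsplit("@", 1)
    host = host.lower()
    actual, expected = registrable_domain(host), registrable_domain(expected_domain)
    tells = domain_tells(actual, expected, "sender")
    if actual != expected and _buried(expected, host):
        tells.append(f"{expected} appears as a subdomain of {actual}")
    # Random-looking local part: mixed case plus digits, no separators.
    if re.fullmatch(r"(?=.*[A-Z])(?=.*[a-z])(?=.*\d)[A-Za-z0-9]+", local):
        tells.append(f"random-looking local part {local!r}")
    return tells


def url_tells(url: str, expected_domain: str) -> list[str]:
    """Check where a link really points."""
    if "://" not in url:
        url = "http://" + url          # bare "bit.ly/..." style links
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["no host in URL"]
    try:
        ipaddress.ip_address(host)
        return ["host is a bare IP address, not a domain name"]
    except ValueError:
        pass
    actual, expected = registrable_domain(host), registrable_domain(expected_domain)
    if actual in SHORTENERS:
        return [f"{actual} is a URL shortener hiding the real destination"]
    tells = domain_tells(actual, expected, "link")
    if actual != expected and _buried(expected, host):
        tells.append(f"{expected} is buried in the subdomains of {actual}")
    return tells


def is_suspicious(sender: str, links: list[str], expected_domain: str) -> bool:
    """Overall verdict: any tell on the sender or any link."""
    return bool(sender_tells(sender, expected_domain)) or any(
        url_tells(u, expected_domain) for u in links)


if __name__ == "__main__":
    # Constructed sample: an email claiming to be from amazon.co.uk.
    sample_sender = "amazon-security@gmail.com"
    sample_links = ["https://secure.verify.amazon.co.uk.malicious-site.com/login"]
    for t in sender_tells(sample_sender, "amazon.co.uk"):
        print("sender:", t)
    for u in sample_links:
        for t in url_tells(u, "amazon.co.uk"):
            print("link:  ", t)
    print("suspicious:", is_suspicious(sample_sender, sample_links, "amazon.co.uk"))
```

The registrable-domain step is the part that matters most: every tell on the page except the bare-IP case boils down to "the last registrable label before the top-level domain is not the company's", and the lookalike and subdomain checks only make sense once that comparison is done on the right part of the hostname.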

Watch for pressure and urgency

Legitimate organisations don’t:

  • Demand you act within 24 hours or your account will be permanently deleted
  • Ask you to verify your identity by reply email
  • Request your password or full card number via email
  • Threaten consequences for not clicking immediately

Urgency is a social engineering technique to stop you pausing to think. If an email creates a strong feeling of “I need to do this right now,” that’s precisely the moment to slow down instead.

Look at the quality of the email

Modern phishing emails are often well-crafted — poor spelling and grammar used to be a reliable tell, but that’s less true now. Still worth checking:

  • Generic greetings: “Dear Customer”, “Dear User”, “Hello” — your bank knows your name
  • Inconsistent formatting: mismatched fonts, odd spacing, images that don’t load
  • Low-resolution logos: copied and scaled, rather than from the real brand assets
  • Plain text where HTML is expected: a bank statement summary that’s just a wall of text is unusual

None of these alone confirms a phishing attempt, but combined with other tells they build a picture.

Attachments

Be suspicious of any unexpected attachment, especially:

  • .exe, .zip, .rar, .iso files — directly executable or may contain malware
  • Office files (.docx, .xlsx) asking you to “Enable Macros” or “Enable Editing” — this is a classic technique for running malicious code
  • PDF files — lower risk than the above, but not zero: they can contain malicious JavaScript

The rule: if you weren’t expecting an attachment, verify with the sender through a different channel (phone, separate email) before opening it.

When you’re not sure

If you receive an email that might be legitimate but you’re not certain:

  1. Don’t click any links or open attachments
  2. Go directly to the company’s website by typing the address in your browser
  3. Log in and check whether there’s actually an issue with your account
  4. If you think it’s a real concern, call the company on a number from their official website — not from the email

Most banks and major services have a way to report suspicious emails. Forwarding phishing attempts to report@phishing.gov.uk (UK) or the actual company’s security team helps get the infrastructure taken down.

The realistic threat

Most phishing emails are spray-and-pray — sent to millions of addresses hoping a small percentage will click. You won’t be specifically targeted unless you’re high-value.

That means the tell-tale signs above catch the vast majority of real phishing you’ll encounter. The goal isn’t to become paranoid about every email — it’s to build the habit of a quick check before you click anything that’s asking you to log in or take action.

The check takes five seconds. The consequences of missing it can last years.