Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Personal Cybersecurity36 min readDeep Dive

How to Spot Phishing Emails: 12 Red Flags

Spot phishing emails with 12 red flags, attacker psychology, email authentication checks, and a step-by-step plan if you've already clicked. Start here.

How to Spot Phishing Emails: 12 Red Flags — how to spot phishing emails

Why Phishing Emails Still Fool Smart People

Phishing remains the most common entry point for data breaches worldwide — not because people are careless, but because attackers have grown sophisticated enough to fool even experienced professionals. Knowing how to spot phishing emails starts with understanding that these attacks are engineered to trigger emotional responses, not logical ones.

The Verizon 2026 Data Breach Investigations Report (DBIR) found that phishing and pretexting together account for more than 70% of social engineering incidents globally, and attackers send over 3 billion of these emails every day. A fake message from "your bank" warning of suspicious activity triggers an emotional response that bypasses the careful scrutiny you'd normally apply — and attackers know exactly how to engineer that reaction.

For deeper background on the mechanics and history of these attacks, our guide to what phishing is covers the full evolution of the threat. This article walks through 12 concrete red flags that help you recognize a phishing attempt before you click, explains the psychology attackers exploit, covers the main attack variants you'll encounter, and includes a practical checklist you can use immediately — plus what to do if you've already clicked something suspicious.

Phishing By The Numbers

3B+
Phishing Emails Sent Daily

Attackers cast a wide net — volume is the strategy

70%+
Of Social Engineering Is Phishing

Verizon 2026 DBIR — phishing and pretexting lead all attack vectors

$2.9B
BEC Losses in 2025

FBI IC3 2025 Annual Report — Business Email Compromise tops all cybercrime categories by dollar loss

The Four Main Types of Phishing Attacks

Not all phishing attacks look alike. Understanding the main variants helps you apply the right scrutiny to different types of incoming messages — and explains why some attacks are far more dangerous than others.

Standard phishing sends identical bait to millions of addresses simultaneously, impersonating banks, delivery services, government agencies, and popular platforms like Amazon or Microsoft. The sheer volume means attackers succeed even with a low conversion rate — they only need a fraction of recipients to click.

Spear phishing targets specific individuals. Attackers research their targets using LinkedIn profiles, company websites, and data exposed in prior breaches to craft messages that reference your name, your manager, your current project, or your clients. Despite representing fewer than 0.1% of phishing emails by volume, spear phishing is responsible for approximately 66% of successful breaches — a disproportionate impact driven by precision targeting.

Whaling is spear phishing directed specifically at C-suite executives and board members. Because executives have broad financial authority and access to sensitive systems, successful whaling attacks often yield higher-value outcomes. These attacks frequently impersonate attorneys, auditors, or other executives, and often arrive during busy travel periods when normal verification routines are disrupted.

Clone phishing takes a legitimate email you've previously received — a shipping confirmation, a software update notice, a newsletter — and replicates it almost exactly, replacing the original links or attachments with malicious versions. The cloned message is sent from a spoofed address that closely mimics the original sender. Because the format and content look authentic, clone phishing is particularly effective against recipients who rely on visual recognition to assess legitimacy.

In 2026, AI-generated content and deepfakes have made all four variants harder to detect on surface signals alone. Attackers now produce phishing emails with no grammatical errors, written in the exact style of an organization's communications. Deepfake audio and video clips impersonating executives have been used in targeted attacks to authorize wire transfers. This shift makes learning how to spot phishing emails more dependent on structural verification — authentication headers, domain checks, and behavioral patterns — than on writing quality.

Our resource on phishing scams covers additional attack patterns and how to report incidents to the right authorities.

The Psychology Behind Successful Phishing

Understanding why phishing works helps you recognize it faster. Attackers exploit specific psychological triggers that bypass logical thinking, and recognizing these triggers in real time is a trainable skill.

  • Urgency: Time pressure forces quick decisions without careful evaluation. "Your account will be locked in 24 hours" is designed to make you act before you think.
  • Authority: Messages from apparent bosses, banks, or government agencies trigger compliance. We're conditioned to respond quickly to authority figures, which attackers exploit by impersonating executives, the IRS, or law enforcement.
  • Fear: Threats of account suspension, financial loss, or legal consequences create panic responses that shut down analytical thinking.
  • Social proof: Phrases like "Other customers have reported this activity" or "Your order was placed by someone on your account" imply legitimacy through apparent shared experience.

These techniques work because they trigger physiological stress responses. When fear or urgency activates, the brain's threat-detection systems deprioritize the careful analysis needed to evaluate a message. Recognizing this response when it happens — that quickening pulse, the impulse to click immediately — is your first defensive signal. Slow down any time an email makes you feel that way.

AI-enhanced phishing amplifies all four triggers simultaneously. Attackers can now automate personalized messages at scale, inserting your name, company, and recent activity pulled from public sources. The result is an email that feels tailored and urgent at once — the two most effective manipulation levers combined in a single message.

Red Flags 1–6: What to Check First

1. The Sender Address Doesn't Match the Display Name

Every email client shows a friendly display name — but the actual sending address is often hidden behind it. A phishing email might display "PayPal Support" while the real sending address is support@paypa1-billing.ru. Always hover over or click the sender name to reveal the full address. Legitimate organizations send from their own domain, consistently.

2. The Domain Has Subtle Misspellings or Extra Characters

Attackers register lookalike domains such as arnazon.com, micros0ft.com, or paypa1.com. These pass a quick glance but fail on close inspection. Check every character in the domain — especially letters that resemble numbers (0 vs. O, 1 vs. l) or inserted hyphens like bank-of-america-secure.com. Even one character off means the email is fraudulent.

3. Unexpected Urgency or Threat Language

"Your account will be suspended in 24 hours." "Immediate action required." Urgency is a manipulation tactic designed to bypass rational thinking. Legitimate companies rarely threaten account termination via a single email with a tight deadline. If an email makes your pulse quicken, that physiological reaction is exactly what attackers are engineering — it's your signal to slow down, not speed up.

4. Generic Greetings Instead of Your Name

Bulk phishing campaigns pull email addresses without associated names, producing openers like "Dear Customer," "Dear User," or "Hello Account Holder." If a company you have an account with doesn't use your name, treat that as a warning sign. Note that spear phishing and whaling attacks do use your real name — and sometimes your title, department, or manager's name — so this indicator alone doesn't catch every campaign.

5. Requests for Credentials, Payment, or Personal Data

No bank, IRS office, or technology provider will ask you to confirm your password, Social Security number, or credit card details via email. If an email asks you to "verify" sensitive information by clicking a link, it is phishing. The IRS explicitly states it initiates taxpayer contact by postal mail, not email — a key fact during tax season when IRS impersonation attacks spike. For guidance on protecting your financial accounts, see our financial security monitoring resources.

6. Links That Don't Go Where They Claim

Hover over any link — without clicking — and compare the URL shown in your browser's status bar to the link text. Attackers use URL shorteners, redirects through legitimate services, or long confusing URLs to obscure the real destination. A link labeled "Chase Online Banking" pointing to secure-chase-verify.com/login is a phishing link. When in doubt, navigate directly to the site by typing the address yourself — never follow the link in the email.

Phishing Email Red Flags Checklist

  • Sender display name doesn't match the actual email address domain
  • Domain has subtle misspellings, added characters, or lookalike letters (0 vs O, 1 vs l)
  • Email creates urgency, threatens account suspension, or demands immediate action
  • Opens with a generic greeting like 'Dear Customer' instead of your name
  • Asks you to confirm a password, payment details, or personal data via a link
  • Hover-over URL destination doesn't match the displayed link text
  • Contains an unexpected attachment — especially .exe, .zip, .docm, or .xlsm files
  • Visual branding looks slightly off compared to known emails from that sender
  • Footer links or unsubscribe URL point to a different domain than the sender
  • You have no existing relationship with the sender or the organization it claims to represent

Red Flags 7–12: Deeper Signals to Inspect

7. Attachments You Didn't Expect

Phishing emails frequently carry malicious attachments disguised as invoices, shipping labels, résumés, or shared documents. High-risk file types include .exe, .zip, .iso, .docm, .xlsm (macro-enabled Office files), and .lnk shortcut files. Even PDFs can embed malicious JavaScript. If you weren't expecting a file from that sender, verify the request through a separate channel before opening anything — and never enable macros in Office documents unless you've independently confirmed the file is legitimate.

8. Poor Grammar, Spelling, or Formatting

While AI-generated phishing has dramatically improved grammatical quality in 2026, many campaigns still contain awkward phrasing, inconsistent capitalization, or formatting that doesn't match the brand they're impersonating. Mismatched fonts, broken images, or HTML layouts that appear off-center are signs the email was assembled hastily. Compare the email's visual style against a known-good message from the same sender in your inbox. AI may have corrected the typos, but branding inconsistencies are harder to automate away.

9. The Email Arrived at an Unexpected Address

If a phishing email arrives at an address you only use for a specific purpose — your gaming account email receiving a "bank alert," for example — that mismatch alone flags it as suspicious. Attackers purchase harvested email lists without context about the accounts associated with each address, creating obvious incongruities that are easy to catch once you're paying attention.

10. Lookalike Logos and Branding That's Slightly Off

Phishing kits copy logos, color schemes, and footers from real company websites, but subtle errors appear: slightly wrong shades, low-resolution images, outdated branding, or footer links that go nowhere. Pull up a previous legitimate email from the same sender and compare the visual style side by side. Differences that seem minor are often the result of rushed kit construction — attackers prioritize speed over precision.

11. The "From" Domain Doesn't Match the Footer Domain

Look at the email footer — privacy policy link, unsubscribe link, and company address. If those links point to the real organization's domain but the sender address is from a different domain, the email is fraudulent. Attackers often copy legitimate footers wholesale without updating the sending infrastructure, creating this easy-to-spot mismatch. Any gap between the sending domain and the footer domain is a reliable indicator of spoofing.

12. You Have No Relationship With the Sender

An invoice from a vendor you've never purchased from. A shipping notification for an order you didn't place. A password reset for an account you don't own. Unsolicited emails that presuppose a relationship you don't have are a reliable indicator of phishing or advance-fee fraud. Delete and report them rather than engaging with the content — even replying to confirm the error signals that your address is active and valuable to attackers.

If You Already Clicked: Act Immediately

Clicking a phishing link doesn't always mean you've been fully compromised — but the window to limit damage is short. If you've clicked a suspicious link or entered credentials on an unfamiliar page, follow the steps below right away. Speed matters: credential theft and account access often happen within minutes of a successful phishing click.

What to Do If You Clicked a Phishing Link

1

Stop and Don't Enter Anything More

Close the page immediately without entering additional information. If you're on a corporate network, disconnect from Wi-Fi or unplug the ethernet cable to limit the potential for lateral spread.

2

Change Your Passwords Immediately

Change the password for any account the phishing page may have captured. Start with email and banking, then any account that shares the same password. Use a unique password for each account going forward.

3

Enable Multi-Factor Authentication

Turn on MFA for every affected account. Even if attackers have your password, MFA blocks the majority of account takeover attempts. Use an authenticator app rather than SMS codes where possible.

4

Notify Your IT or Security Team

If this happened on a work device or corporate account, alert your IT department or security team immediately. Early notification allows faster containment — don't wait to see if something happens.

5

Report the Phishing Email

Report the email to your provider using the built-in 'Report Phishing' option in Gmail, Outlook, or Apple Mail. Also forward it to the Anti-Phishing Working Group at reportphishing@apwg.org and to the FTC at reportfraud.ftc.gov.

6

Monitor Accounts for 30 Days

Watch your financial accounts, email sent folder, and connected services for unauthorized activity over the next month. If personal financial data was exposed, consider placing a credit freeze with the major bureaus.

Spear Phishing, Whaling, and Business Email Compromise: The Harder Cases

Standard phishing sends the same bait to millions of addresses. Targeted attacks are fundamentally different — and significantly more dangerous. Attackers who use spear phishing research specific individuals, pulling data from LinkedIn profiles, company websites, and prior data breaches to craft emails that reference your name, your manager, your current project, or your clients. The message feels legitimate because it contains accurate details that a stranger shouldn't know.

Real-world losses illustrate the scale of the threat. In 2019, Evaldas Rimasauskas pleaded guilty in U.S. federal court to stealing over $100 million from Facebook and Google through a multi-year scheme that impersonated a legitimate hardware vendor. Sherwin-Williams, engine parts manufacturer Miba, and RyanAir reportedly suffered significant losses from targeted email campaigns involving malware-laden messages — demonstrating that even large organizations with dedicated security teams can be compromised through well-crafted phishing. For a look at how targeted attacks unfold at the highest level, see our analysis of high-profile personal email breaches.

Business Email Compromise (BEC) takes targeted phishing further still. According to the FBI Internet Crime Complaint Center (IC3) 2025 Annual Report, BEC scams caused over $2.9 billion in losses in the U.S. alone — more than any other cybercrime category. These attacks typically impersonate executives requesting wire transfers or gift card purchases, or compromise a real employee's email account to make requests appear entirely legitimate.

Any financial request arriving by email — regardless of who appears to be asking — should be verified by phone using a number you already have on file before any funds move. This applies especially to requests that arrive outside normal business hours, include urgency language, or ask you to keep the transaction confidential. If a targeted attack has already resulted in a compromise, our guide to what to do after a data breach outlines the steps to contain damage and notify the right parties.

The Takeaway on Targeted Attacks

Spear phishing represents fewer than 0.1% of all phishing emails but accounts for approximately 66% of successful breaches. Knowing how to spot phishing emails that reference your real name, job title, or active projects requires verifying unusual requests through a separate communication channel — not just scrutinizing the email itself. When in doubt, pick up the phone.

Technical Signals: Reading Email Authentication Headers

Beyond visual inspection, email clients and webmail platforms give you access to authentication data that reveals whether an email passed the domain verification checks that legitimate senders configure. Most email clients let you access headers through a "Show Original," "View Source," or "View Raw Message" option. Inside the headers, three authentication results tell you whether an email is what it claims to be:

  • SPF (Sender Policy Framework): Confirms the sending server is authorized to send email for the claimed domain. A result of spf=fail or spf=softfail means the email came from an unauthorized server — a strong phishing indicator.
  • DKIM (DomainKeys Identified Mail): A cryptographic signature that verifies the email content wasn't modified in transit. A dkim=fail result means the signature doesn't match and the message may have been forged or tampered with.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Checks whether the "From" domain aligns with the SPF and DKIM results. A dmarc=fail result means the sender domain was likely spoofed.

Also check the Return-Path header, which shows the address that will receive bounce notifications. If the Return-Path domain differs from the From domain, the email is using separate sending infrastructure — a common pattern in phishing campaigns. These technical checks provide a ground-truth signal that is harder to fake than display names or logos, and they're available to anyone willing to look at the raw message headers.

Building Long-Term Phishing Resistance

Knowing how to spot phishing emails is a trainable skill, not an innate ability. Security awareness programs that simulate phishing campaigns — sending realistic fake emails and providing immediate feedback when someone clicks — reduce click rates on real phishing emails by 65–70% within twelve months, according to the KnowBe4 2026 Phishing by Industry Benchmarking Report. The key is repeated, realistic exposure with immediate correction, not a one-time annual module that employees forget within weeks.

Several technical controls also reduce your exposure meaningfully. Multi-factor authentication (MFA) blocks account takeover in most cases even when attackers steal your password through a phishing page — use an authenticator app rather than SMS codes where possible. Our personal cybersecurity overview covers MFA setup and tool recommendations for individuals and families.

A quality password manager autofills credentials only on the exact domain they were saved for — it won't fill in your bank password on a lookalike phishing site, which makes it one of the most effective passive defenses available. Our guide to the best password managers covers options for individuals and small teams. Enterprise platforms like Microsoft 365 Defender and Google Workspace include anti-phishing heuristics that catch many campaigns before they reach your inbox, while DNS-layer filtering solutions like Cisco Umbrella or Cloudflare Gateway block connections to known malicious domains at the network level — preventing phishing links from loading even if clicked.

For teams working remotely, targeted phishing campaigns represent an elevated risk because normal in-person verification habits break down. Our guide to remote work security for small teams covers additional controls worth layering in. The tools and habits that protect against phishing also build resilience against the downstream consequences — account takeover, data theft, and ransomware deployments that frequently begin with a single clicked link.

Get Your Free Personal Security Review

Our experts will evaluate your current phishing exposure, email security settings, and account protection — then provide a clear, actionable plan.

Frequently Asked Questions

Spear phishing emails that include your name, job title, or other personal details are harder to identify using surface signals alone. Focus on structural verification instead: check the full sending domain (not just the display name), hover over all links to confirm the destination URL, and verify any unusual request — a wire transfer, a password reset, a file download — through a phone call using a number you already have on file. Accurate personal details don't make an email legitimate; they make it targeted.

Act immediately: stop entering information on the page, change the passwords for any account that may have been captured (prioritize email and banking), and enable multi-factor authentication on affected accounts. Report the email to your provider using the built-in reporting feature and forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. If this occurred on a work device, notify your IT or security team right away — the sooner they know, the better they can contain any damage.

No. Spam is unsolicited bulk email — usually advertising or promotional content — that's annoying but typically not malicious. Phishing is a targeted social engineering attack designed to steal credentials, financial information, or access to accounts. A spam email tries to sell you something; a phishing email impersonates a trusted organization to trick you into handing over sensitive information or clicking a malicious link. The distinction matters because phishing requires immediate action while spam generally doesn't.

Yes. If an attacker compromises someone else's email account — a colleague, a vendor, or a family member — they can send phishing messages from that person's real address. This technique, known as account takeover or Business Email Compromise (BEC), makes the message appear entirely legitimate in your inbox. If someone you know sends an unusual request involving money, credentials, or clicking a link, verify the request through a separate channel — call them directly rather than replying to the email.

Most email clients have a built-in 'Report Phishing' option — use it in Gmail, Outlook, or Apple Mail to flag the message to your provider's security team. You can also forward phishing emails to reportphishing@apwg.org (Anti-Phishing Working Group) and phishing-report@us-cert.gov (CISA). For IRS impersonation specifically, forward to phishing@irs.gov. Report financial fraud to the FTC at reportfraud.ftc.gov and to the FBI's Internet Crime Complaint Center at ic3.gov. Reporting helps protect other potential targets by getting malicious domains blocked faster.

Standard phishing is a volume game — broad, generic messages sent to millions of people hoping a small percentage click. Spear phishing is precision-targeted: attackers research a specific person and craft a message using real details about their job, their contacts, or their active projects. Despite representing fewer than 0.1% of all phishing emails, spear phishing accounts for approximately 66% of successful breaches because the personalization defeats the simple pattern-matching most people use to flag suspicious messages. Independently verifying unusual requests through a separate communication channel is the most reliable defense.

No tool provides complete protection. Enterprise email security platforms like Microsoft 365 Defender, Proofpoint, and Google Workspace catch a large portion of known phishing campaigns through heuristics and threat intelligence — but zero-day phishing pages, highly personalized spear phishing, and AI-generated content increasingly evade automated detection. Layering technical controls (email filtering, DNS blocking, MFA, password manager) with regular phishing simulation training gives you the strongest combined defense. Human awareness remains the last line that automated tools alone cannot replace.

In Gmail, click the three-dot menu on any email and select 'Show Original' — you'll see authentication results near the top of the raw headers. Look for lines containing spf=pass/fail, dkim=pass/fail, and dmarc=pass/fail. In Outlook, open the message, go to File → Properties, and review the Internet Headers section. Any 'fail' result for SPF, DKIM, or DMARC means the email didn't pass standard sender verification — treat it as suspect. A 'pass' result doesn't guarantee legitimacy (attackers can pass these checks using their own registered domains), but a failure is a reliable red flag worth acting on.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Worried about your digital security?

Get a personalized review of your online exposure and protection options.

Free 15-minute cybersecurity consultation — no obligation

Identity protection, device security, and privacy tools to safeguard your personal digital life.