
Why Phishing Emails Still Fool Smart People
Phishing is one of the most common entry points for data breaches worldwide, not because people are careless, but because attackers have become sophisticated enough to fool even cautious professionals. The Verizon 2025 Data Breach Investigations Report (DBIR) found that phishing and pretexting together account for more than 70% of social engineering incidents globally.
Attackers don't rely on technical exploits alone — they exploit psychology. Urgency, authority, and fear override rational thinking faster than most people realize. A fake email from "your bank" warning of suspicious activity triggers an emotional response that bypasses the careful scrutiny you'd normally apply. That's the design, and it works reliably across demographics and industries.
The good news: phishing emails almost always leave detectable traces. Once you know what to look for, spotting them becomes instinctive. This guide walks through 12 concrete red flags, explains the psychology attackers exploit, and gives you a practical checklist you can use today. For deeper background on the history and mechanics of these attacks, our primer on what phishing is covers the full evolution of the threat.
Phishing By The Numbers (statistics graphic; sources: Verizon 2025 Data Breach Investigations Report, FBI Internet Crime Complaint Center (IC3) 2024 Annual Report, KnowBe4 2025 Phishing by Industry Benchmarking Report)
The 12 Red Flags That Expose a Phishing Email
1. The Sender Address Doesn't Match the Display Name
Every email client shows a friendly display name, but the actual sending address is often hidden behind it. A phishing email might display "PayPal Support" while the real sending address is support@paypa1-billing.ru. The display name is free text chosen by the sender, so it can even be set to look like an address itself ("service@paypal.com" as the name, with an unrelated address behind it). Always hover over, click, or tap the sender name to reveal the full address. Legitimate organizations send from their own domains, consistently.
2. The Domain Has Subtle Misspellings or Extra Characters
Attackers register lookalike domains such as arnazon.com, micros0ft.com, or paypa1.com. These pass a quick glance but fail on close inspection. Check every character in the domain, especially letters that resemble numbers (0 vs. O, 1 vs. l), letter pairs that merge at small sizes (rn vs. m), and inserted hyphens like bank-of-america-secure.com. Internationalized domain names can also swap in visually identical characters from another alphabet, such as a Cyrillic "а" for a Latin "a"; most browsers and mail clients now display such names in their raw "xn--" form, which is itself a warning sign. Even one character off means the email is fraudulent, and that single character is intentional.
3. Unexpected Urgency or Threat Language
"Your account will be suspended in 24 hours." "Immediate action required." Urgency is a manipulation tactic designed to bypass rational thinking. Legitimate companies rarely threaten account termination via a single email with a tight deadline. If an email makes your pulse quicken, slow down — that physiological reaction is exactly what attackers are engineering, and recognizing it as a manipulation technique is your first line of defense.
4. Generic Greetings Instead of Your Name
Bulk phishing campaigns pull email addresses without associated names, leading to openers like "Dear Customer," "Dear User," or "Hello Account Holder." If a company you have an account with doesn't use your name in outbound emails, treat that as a warning sign. Note that spear phishing — targeted attacks — do use your name, so this indicator doesn't catch every campaign, but it reliably identifies mass-distribution phishing.
5. Requests for Credentials, Payment, or Personal Data
No bank, IRS office, or technology provider will ask you to confirm your password, Social Security number, or credit card details via email. If an email asks you to "verify" sensitive information by clicking a link, it is phishing. The IRS states that it initiates most contact with taxpayers through regular postal mail, not email or text message, a fact worth knowing during tax season when impersonation attacks spike significantly. Learn more about protecting sensitive data during filing season on our identity theft prevention for tax professionals page.
6. Links That Don't Go Where They Claim
Hover over any link, without clicking, and compare the URL shown in your mail client's status bar or tooltip to the link text; on a phone, long-press the link to preview its destination instead. Attackers use URL shorteners, redirects through legitimate services, or long confusing URLs to obscure the real destination. A link labeled "Chase Online Banking" pointing to secure-chase-verify.com/login is a phishing link. When in doubt, navigate directly to the site by typing the address yourself rather than interacting with anything inside the email.
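Red flags 1, 2 and 6 can be checked mechanically over a message's From header and HTML body, which is useful for triaging a reported message before a human looks at it. The following Python is an added example, not code from this article or from Bellator Cyber Guard: the brand-to-domain table, the confusable table and the sample message are constructed for illustration, and the two-label "registrable domain" shortcut is an assumption that a production tool would replace with a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand -> genuine domain table; a real tool would use a curated, larger list.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "microsoft": {"microsoft.com"},
    "chase": {"chase.com"},
    "bankofamerica": {"bankofamerica.com"},
}
# Substitutions that survive a quick glance (red flag 2).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def registrable(host):
    """mail.paypal.com -> paypal.com. Assumption: last two labels; co.uk-style
    suffixes would need a public-suffix list (e.g. tldextract) in real use."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def normalize(s):
    """Undo confusable substitutions so 'paypa1' and 'arnazon' compare as brand names."""
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s

def lookalike_brand(host):
    """Brand a domain imitates, or None if it is genuine or unrelated. Hyphenated
    tokens are joined in runs so bank-of-america-secure.com is caught as well."""
    reg = registrable(host)
    if any(reg in real for real in KNOWN_BRANDS.values()):
        return None
    tokens = reg.split(".")[0].split("-")
    for i in range(len(tokens)):
        for j in range(i, len(tokens)):
            cand = normalize("".join(tokens[i:j + 1]))
            if cand in KNOWN_BRANDS:
                return cand
    return None

def brand_named_in(text):
    """Brand whose name appears in display text such as 'PayPal Support'."""
    compact = normalize(re.sub(r"[^a-z0-9]", "", text.lower()))
    return next((b for b in KNOWN_BRANDS if b in compact), None)

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def triage(raw):
    """Findings for one single-part HTML message; an empty list means no flag was raised."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rsplit("@", 1)[-1])
    brand = brand_named_in(name)
    if brand and sender not in KNOWN_BRANDS[brand]:            # red flag 1
        findings.append(f"display name '{name}' but sender domain {sender}")
    imitated = lookalike_brand(sender)
    if imitated:                                                # red flag 2
        findings.append(f"sender domain {sender} imitates {imitated}")
    parser = AnchorCollector()
    parser.feed(msg.get_payload(decode=True).decode(errors="replace"))
    for text, href in parser.links:                             # red flag 6
        target = registrable(urlparse(href).hostname or "")
        brand = brand_named_in(text)
        if brand and target not in KNOWN_BRANDS[brand]:
            findings.append(f"link '{text}' points to {target}, not a {brand} domain")
        elif lookalike_brand(target):
            findings.append(f"link '{text}' points to lookalike domain {target}")
    return findings

# Constructed sample message, not a real capture.
SAMPLE = """From: "PayPal Support" <support@paypa1-billing.ru>
Subject: Your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<a href="https://secure-chase-verify.com/login">Chase Online Banking</a>
<a href="https://www.paypal.com/help">PayPal Help Center</a>
<a href="https://arnazon.com/track">Track your package</a>
</body></html>
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Run against the sample it raises four findings: the display name names PayPal while the sender domain does not, the sender domain normalizes to "paypal", the "Chase Online Banking" link leaves the Chase domain, and the tracking link goes to a domain that normalizes to "amazon"; the genuine paypal.com link is left alone. The brand-in-text check is deliberately aggressive (a short brand name can appear inside an ordinary word), which is acceptable for a triage tool whose hits a human reviews.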
Never Click — Navigate Instead
If an email asks you to log in, verify your account, or take any action — close the email and go directly to the website by typing the URL yourself. Legitimate organizations will show the same account status in your actual dashboard. Clicking the link in the email is the riskiest move you can make, and it's the one attackers are counting on.
7. Attachments You Didn't Expect
Phishing emails frequently carry malicious attachments disguised as invoices, shipping labels, résumés, or shared documents. High-risk file types include .exe, .zip, .iso, .docm, .xlsm (macro-enabled Office files), .lnk shortcut files, and .html or .htm files, which open in the browser and can rebuild a payload or a fake login page locally. Even PDFs can embed malicious JavaScript, and password-protected archives are used specifically because mail scanners cannot look inside them. If you weren't expecting a file from that sender, verify the request through a separate channel, a phone call or a new email you compose yourself, before opening anything.
8. Poor Grammar, Spelling, or Formatting
While AI-generated phishing has improved grammatical quality significantly in 2025–2026, many campaigns still contain awkward phrasing, inconsistent capitalization, or formatting that doesn't match the brand they're impersonating. Mismatched fonts, broken images, or HTML layouts that appear off-center are signs the email was assembled hastily or generated by a low-quality tool. Compare the email's visual style against a known-good email from the same organization in your inbox — the contrast is often immediate.
9. The Email Came to an Unexpected Address
If a phishing email arrives at an address you only use for a specific purpose — say, your gaming account email receiving a "bank alert" — that mismatch alone flags it as suspicious. Attackers purchase harvested email lists that don't include context about the accounts associated with each address, creating obvious incongruities that are easy to spot once you're looking.
10. Lookalike Logos and Branding That's Slightly Off
Phishing kits copy logos, color schemes, and footers from real company websites, but subtle errors appear: slightly wrong shades, low-resolution images, outdated branding, or footer links that go nowhere. Pull up a previous legitimate email from the same sender and compare the visual style side by side. Differences that seem minor are often the result of rushed construction — attackers don't update every asset when building a kit.
11. The "From" Domain Doesn't Match the Footer Domain
Look at the email footer — privacy policy link, unsubscribe link, and company address. If those links point to the real organization's domain but the sender address is from a different domain, the email is fraudulent. Attackers often copy legitimate footers wholesale without updating the sending infrastructure, creating this easy-to-spot mismatch between where the email appears to come from and where the footer links actually go.
12. You Have No Relationship With the Sender
An invoice from a vendor you've never purchased from. A shipping notification for an order you didn't place. A password reset for an account you don't own. Unsolicited emails that presuppose a relationship you don't have are a reliable indicator of phishing or advance-fee fraud. Delete and report them rather than engaging — even clicking "unsubscribe" confirms to the attacker that your address is active and monitored.
Quick Phishing Recognition Checklist
- Hover over the sender name to reveal the full email address — does it match the organization's official domain?
- Inspect every character in the domain for lookalike substitutions (0 for o, 1 for l, inserted hyphens)
- Hover over all links and verify the destination URL before clicking anything in the email
- Confirm whether the greeting uses your actual name or a generic placeholder like "Dear Customer"
- Ask whether the email requests credentials, payment, or personal data — legitimate senders don't
- Check if any attachments were expected — if not, verify through a phone call before opening
- Compare grammar, logo quality, and formatting against a known-good email from the same sender
- Confirm that footer links match the sender's domain, not a different or unrelated domain
- Ask yourself: do you actually have a relationship with this sender and have you been waiting for this email?
What To Do When You Suspect a Phishing Email
Knowing how to spot phishing emails is half the battle — responding correctly is the other half. Whether you're dealing with a suspicious message at home or in a work context, a consistent response process prevents the mistakes people make when acting on instinct in the moment.
The single most important rule: don't interact with the email at all until you've verified it through an independent channel. Don't click links, don't open attachments, and don't reply — even to ask whether the email is legitimate. Replying confirms your address is active and engaged, which makes it more valuable to attackers, not less.
For business environments, your organization likely has a dedicated reporting process. Most enterprise email platforms, including Microsoft 365 and Google Workspace, include a built-in "Report Phishing" button; depending on how your administrators configured it, the report goes to your security team, to the platform's threat intelligence service, or both. For personal email, forward suspected IRS impersonation messages to phishing@irs.gov, and report other financial scams to the FBI Internet Crime Complaint Center (IC3). You can also forward phishing emails to reportphishing@apwg.org, which feeds threat intelligence to security vendors globally.
How to Respond to a Suspected Phishing Email
Stop — Don't Click Anything
Don't click links, open attachments, or reply to the email. Even clicking an unsubscribe link can confirm your address is active to the attacker and invite further targeting.
Verify Through an Official Channel
If the email claims to be from your bank, the IRS, or a known vendor, go directly to their official website or call the number printed on your card or statement. Never use contact information provided inside the suspicious email itself.
Report the Email
Use your email client's built-in Report Phishing feature. For IRS impersonation, forward to phishing@irs.gov. For financial fraud, file a report at ic3.gov. In workplace environments, notify your IT or security team before deleting so they can analyze the message.
Delete and Purge
Delete the email from your inbox and empty the trash folder. If in a work environment, confirm with your IT team first — they may need to retrieve it for forensic analysis before it's purged.
Alert Others If Applicable
If the phishing attempt targets your organization or household members, warn others who may receive the same message. Attackers typically send in waves, so a warning to colleagues or family members can prevent further clicks.
Spear Phishing and Business Email Compromise: The Harder Cases
Standard phishing sends the same bait to millions of addresses. Spear phishing is fundamentally different — attackers research specific individuals, pulling data from LinkedIn profiles, company websites, and prior data breaches to craft an email that references your name, your manager, your current project, or your clients. The message feels legitimate because it contains accurate details about your professional life that a stranger shouldn't know.
Business Email Compromise (BEC) goes further still. According to the FBI Internet Crime Complaint Center (IC3) 2024 Annual Report, BEC scams caused over $2.9 billion in losses in the U.S. alone, second only to investment fraud among the crime categories the IC3 tracks. These attacks typically impersonate executives requesting wire transfers or gift card purchases, or compromise a real employee's email account to make requests look entirely legitimate. A wire transfer authorized by what appears to be your CEO's actual, unaltered email account is nearly impossible to flag from the email alone.
The defenses for spear phishing and BEC follow the same principles as general phishing detection, but require more vigilance at the moment of action. Any financial request arriving by email — regardless of who appears to be asking — should be verified by phone using a number you already have on file before any funds move. This is especially true for requests that arrive outside normal business hours, include urgency language, or ask you to keep the transaction confidential. Those three characteristics together are nearly always a BEC indicator.
Protecting your broader digital footprint directly reduces your exposure as a spear phishing target. Attackers harvest personal data from social media, public records, and data broker databases to build targeting profiles before sending a single message. Our guide on social engineering tactics and defenses covers the specific data sources attackers use and what you can do to reduce your public exposure before you're targeted.
BEC Is Among the Costliest Cybercrime Categories
Business Email Compromise caused roughly $2.9 billion in U.S. losses according to the IC3's most recent figures, second only to investment fraud. Any email requesting a wire transfer, gift card purchase, or change to payment instructions must be verified by phone using a number you already have on file. Never call a number provided in the email requesting the transfer.
Technical Signals Advanced Users Should Check
Beyond visual inspection, email clients and webmail platforms give you access to authentication data that reveals whether an email passed the domain verification checks that legitimate senders configure. These checks don't require deep technical expertise — just knowing where to look and what the results mean.
Email headers are the raw metadata attached to every email, invisible in the standard reading view. Most email clients let you access them through a "Show Original," "View Source," or "View Raw Message" option. Inside the headers, look for three authentication results:
- SPF (Sender Policy Framework): Confirms the sending server is authorized to send for the envelope sender domain (the MAIL FROM / Return-Path address, which is not necessarily the From address you see). A result of spf=fail or spf=softfail means the message came from a server that domain did not authorize, a strong phishing indicator, though legitimate mail that was forwarded or passed through a mailing list fails SPF too.
- DKIM (DomainKeys Identified Mail): A cryptographic signature over selected headers and the body, verified against a public key published in the signing domain's DNS. dkim=pass tells you which domain signed (the header.d= value) and that the signed parts arrived unmodified; it says nothing about whether that domain is the one in the From line. dkim=fail means the signature no longer verifies, usually because the body was altered in transit; mailing lists that add footers are the common benign cause.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Checks whether the From domain aligns with the domain that passed SPF or DKIM. dmarc=fail means neither aligned, so the From domain was likely spoofed. Note the converse carefully: dmarc=pass proves only that the mail genuinely came from the domain in the From line. Attackers configure SPF, DKIM and DMARC correctly for lookalike domains they own, so a passing result on paypa1-billing.ru means nothing.
Also check the Return-Path header, which shows the address that receives bounce notifications. A Return-Path domain that differs from the From domain means the message used separate sending infrastructure, a common pattern in phishing campaigns where attackers send from one domain while displaying another, but also the normal pattern for legitimate bulk and transactional mail sent through a third-party provider. The discriminator is alignment: if DKIM passes for the From domain, the mismatch is expected; if nothing aligns with the From domain, treat it as spoofed. For a deeper look at how attackers exploit authentication gaps as an initial access technique, our article on the MITRE ATT&CK framework covers phishing (T1566) with its sub-techniques for spearphishing attachments (T1566.001) and spearphishing links (T1566.002).
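The header checks above reduce to one question: which of SPF and DKIM passed for the domain in the From line, and does the Return-Path mismatch have an aligned signature to excuse it. The following Python is an added example, not code from this article or from Bellator Cyber Guard, that parses an Authentication-Results header and answers that question for three constructed messages: a spoofed From, a legitimate bulk mailing through a third-party bounce domain, and a lookalike domain that passes everything. It assumes relaxed (organizational-domain) alignment and uses a two-label domain shortcut in place of a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def registrable(host):
    """Organizational domain as the last two labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:]) if host else ""

def domain_of(value):
    """'user@host', '@host' (DKIM header.i) or plain 'host' -> organizational domain."""
    return registrable(value.rsplit("@", 1)[-1])

def parse_auth_results(header):
    """'authserv; spf=pass smtp.mailfrom=a; dkim=pass header.d=b; dmarc=pass header.from=c'
    -> {'spf': {'result': 'pass', 'smtp.mailfrom': 'a'}, ...}; (comments) are dropped."""
    out = {}
    for clause in re.sub(r"\([^)]*\)", "", header).split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause, re.S)
        if m:
            method, result, props = m.groups()
            out.setdefault(method, {"result": result, **dict(re.findall(r"(\S+?)=(\S+)", props))})
    return out

def assess(raw):
    """Which checks passed for the From domain, plus the notes a reviewer would want."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    spf_dom = domain_of(spf.get("smtp.mailfrom", ""))
    dkim_dom = domain_of(dkim.get("header.d") or dkim.get("header.i", ""))
    spf_aligned = spf.get("result") == "pass" and spf_dom == from_dom
    dkim_aligned = dkim.get("result") == "pass" and dkim_dom == from_dom
    notes = []
    if not ar:
        notes.append("no Authentication-Results header: nothing was verified, the From line proves nothing")
    if spf.get("result") in ("fail", "softfail"):
        notes.append(f"SPF {spf['result']}: server not authorized for {spf_dom} "
                     "(forwarding and mailing lists also cause this)")
    if dkim.get("result") == "fail":
        notes.append("DKIM fail: signature no longer verifies (tampering, or a list rewrote the body)")
    elif dkim.get("result") == "pass" and not dkim_aligned:
        notes.append(f"DKIM signed by {dkim_dom}, not by the From domain {from_dom}: From line unproven")
    if rp_dom and rp_dom != from_dom:
        notes.append(f"Return-Path {rp_dom} differs from From {from_dom}: " +
                     ("normal for bulk senders because DKIM still aligns" if dkim_aligned
                      else "no aligned proof, treat as spoofed"))
    if dmarc.get("result") == "pass":
        notes.append(f"DMARC pass proves the mail came from {from_dom}; "
                     f"it does not prove {from_dom} is the brand you expect")
    elif dmarc.get("result") == "fail":
        notes.append(f"DMARC fail: neither SPF nor DKIM aligned with {from_dom}, From line likely spoofed")
    return {"from": from_dom, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": dmarc.get("result"), "notes": notes}

# Three constructed header sets (not real captures), folded the way a receiving MTA writes them.
SPOOFED = """Return-Path: <bounce@mailer-cheap.example>
From: "PayPal" <service@paypal.com>
Authentication-Results: mx.example.net;
  spf=fail smtp.mailfrom=mailer-cheap.example;
  dkim=none;
  dmarc=fail (p=REJECT) header.from=paypal.com
Subject: Unusual sign-in activity

(body)
"""
BULK = """Return-Path: <bounces+123@em.retailer-mail.net>
From: "Retailer" <news@retailer.example>
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=bounces+123@em.retailer-mail.net;
  dkim=pass header.d=retailer.example header.s=s1;
  dmarc=pass (p=QUARANTINE) header.from=retailer.example
Subject: Weekly deals

(body)
"""
LOOKALIKE = """Return-Path: <support@paypa1-billing.ru>
From: "PayPal Support" <support@paypa1-billing.ru>
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=paypa1-billing.ru;
  dkim=pass header.d=paypa1-billing.ru;
  dmarc=pass (p=NONE) header.from=paypa1-billing.ru
Subject: Verify your account

(body)
"""

if __name__ == "__main__":
    for sample in (SPOOFED, BULK, LOOKALIKE):
        print(assess(sample))
```

The bulk message shows why a Return-Path mismatch alone is not a verdict: SPF passes for the provider's bounce domain, which is unaligned, but DKIM is signed by the From domain, so DMARC passes and the mismatch is expected. The lookalike message passes every check and is still phishing; the only thing the headers can tell you there is the domain name, which is why the lookalike-domain checks earlier in this guide still matter.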
Building Long-Term Phishing Resistance
Recognizing phishing red flags is a trainable skill, not an innate ability. Security awareness training programs that simulate phishing campaigns — sending realistic fake phishing emails and providing immediate feedback when someone clicks — reduce click rates on real phishing emails by 65–70% within twelve months, according to the KnowBe4 2025 Phishing by Industry Benchmarking Report. The key is repeated, realistic exposure with immediate correction, not a one-time training module employees complete and forget.
Beyond training, several technical controls reduce your exposure at the system level:
- Multi-factor authentication (MFA): Even if attackers steal your password through a phishing page, MFA blocks account takeover in most cases. Use an authenticator app rather than SMS where possible, since SMS codes can be intercepted through SIM-swapping attacks, and use a hardware security key or passkey for high-value accounts: one-time codes from an app can still be relayed by a real-time phishing proxy, while FIDO2 keys and passkeys are bound to the genuine site's origin and simply will not work on a lookalike domain. Enabling MFA is one of the highest-return security investments available to individuals and small organizations alike.
- Password manager: A quality personal cybersecurity toolset includes a password manager that autofills credentials only on the exact domain they were saved for. It won't fill in your bank password on a lookalike phishing site — providing a silent protective layer that catches mistakes even when you don't notice the URL discrepancy yourself.
- Email filtering: Enterprise platforms such as Microsoft Defender for Office 365 and Google Workspace include anti-phishing heuristics that catch many campaigns before they reach your inbox. Verify these are enabled and properly configured; default settings are rarely optimal and often require tuning by your IT team.
- DNS-layer filtering: Solutions like Cisco Umbrella or Cloudflare Gateway block connections to known malicious domains at the DNS level, preventing phishing links from loading even if clicked. This is especially valuable for households or small offices with multiple devices and varying levels of user awareness.
For organizations handling sensitive data — tax practices, healthcare offices, financial services firms — security awareness training should be a recurring program with measurable outcomes, not a one-time compliance checkbox. The difference between firms that run simulated phishing campaigns quarterly and those that don't shows up clearly in their breach statistics and cyber insurance premiums.
What Happens If You Click a Phishing Link
Clicking a phishing link doesn't automatically mean you've been compromised — but the window for damage is short, and how you respond in the first few minutes matters. The most common outcomes after clicking include:
- Credential harvesting: You're taken to a fake login page that captures whatever you type. If you entered credentials, change that password immediately across every site where you reuse it, sign out of all active sessions for the account (most providers offer this in their security settings) so that a session the attacker already opened is cut off, and enable MFA if you haven't already. Assume the credentials are in attacker hands from the moment you clicked submit.
- Drive-by malware download: Some phishing links exploit browser vulnerabilities to silently install malware — including keyloggers, Remote Access Trojans (RATs), or ransomware — without any further interaction from you. Keeping your browser and operating system fully updated closes many of these vulnerabilities before attackers can use them.
- Click confirmation: Phishing links usually carry a per-recipient token, so the click alone tells the attacker your address is active and that you engage with incoming messages (a tracking pixel does the same the moment the message is opened with images enabled). That adds you to higher-value targeting lists for future spear phishing attempts. Even clicks that don't result in immediate compromise have long-term consequences.
If you clicked and entered data, follow this recovery sequence without delay: disconnect the device from the internet to stop any active malware from communicating with attacker infrastructure, then change passwords from a separate clean device. Enable MFA on all affected accounts immediately. Alert your IT team or managed security provider if you're in a business context; they need to assess whether the device is compromised before it reconnects to the network. Monitor financial and credit accounts closely for at least 90 days after the incident. The financial security monitoring tools we recommend provide ongoing alerts for account activity changes that could indicate fraud in progress. If your home network connects multiple devices, hardening the network itself, for example keeping smart-home and guest devices on a separate network from the computers you bank on, limits how far a compromised device can spread. A VPN is a different control: it protects your traffic in transit but does not contain a compromised endpoint. Our guide on how to choose a VPN covers when that protection matters.
Find Out How Many of Your Team Would Click a Phishing Link
Bellator Cyber Guard runs simulated phishing campaigns and security awareness training tailored to your organization. We measure your real click rate — and reduce it fast.
Frequently Asked Questions
The most reliable indicator is a mismatch between the display name and the actual sending domain. Hover over the sender name to reveal the full email address, then verify that the domain matches the organization's official domain exactly. If the domain is different, misspelled, or uses a lookalike character substitution, it's phishing. Pair that check with hovering over links before clicking — if the destination URL doesn't match the sender's domain, treat the entire email as malicious regardless of how legitimate it looks.
Yes. Sophisticated phishing campaigns use techniques specifically designed to bypass spam filters: sending from compromised legitimate accounts with clean sending reputations, using newly registered domains with no spam history, routing through reputable email relay services, and mimicking the formatting patterns of legitimate senders. Spam and anti-phishing filters catch a large volume of attacks, but they are not a complete defense — particularly against targeted spear phishing emails that are hand-crafted to avoid automated detection. Human recognition remains an essential layer.
Phishing sends the same generic message to a large number of recipients — the attacker casts a wide net hoping someone takes the bait. Spear phishing targets a specific individual or organization using personalized details gathered from LinkedIn, company websites, social media profiles, and prior data breaches. Spear phishing emails often include your name, your manager's name, your company's current projects, or details about your clients — content that makes the message feel entirely legitimate. Business Email Compromise (BEC) is a form of spear phishing where attackers impersonate executives or compromise real employee accounts to authorize fraudulent wire transfers or payments.
In most modern email clients, opening a phishing email without clicking links or attachments is relatively safe. However, some phishing emails contain tracking pixels — tiny invisible images that load automatically when you open the message — which confirm to the attacker that your address is active. To minimize this risk, configure your email client to block automatic image loading from unknown senders. As a general practice, avoid opening emails from unrecognized senders at all if the subject line or preview text looks suspicious.
Start with your email client's built-in "Report Phishing" or "Report Spam" feature — this sends threat data directly to the platform's security team. For emails impersonating the IRS, forward the message to phishing@irs.gov. For other financial scams and fraud, file a complaint at the FBI's Internet Crime Complaint Center at ic3.gov. You can also forward phishing emails to reportphishing@apwg.org, which feeds threat intelligence to security vendors globally. In a workplace environment, always notify your IT or security team before deleting so they can retrieve and analyze the message if needed.
Multi-factor authentication (MFA) blocks most account takeover attempts even when an attacker has your password. If you enter credentials on a phishing page, the attacker still needs your second factor, typically a time-based one-time code from an authenticator app, to access your account. MFA is not foolproof: real-time phishing proxy attacks can relay MFA codes if attackers act within the code's validity window, and SMS-based MFA is vulnerable to SIM-swapping. For the strongest protection, use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) rather than SMS codes, and use hardware security keys or passkeys (FIDO2/WebAuthn) for high-value accounts: they are bound to the genuine site's origin, so a lookalike domain cannot relay them the way it can relay a one-time code.
Act quickly: disconnect the device from the internet immediately to stop any active malware from communicating with attacker infrastructure. From a separate, clean device, change passwords for any account whose credentials you entered — and for any accounts where you reuse that password. Enable MFA on all affected accounts right away. If you're in a work environment, notify your IT or security team before reconnecting the affected device to the network; they need to assess whether it's been compromised. Monitor financial and credit accounts closely for at least 90 days, and consider placing a credit freeze if you entered any personal identifying information on the phishing page.
Yes. AI-generated phishing content has eliminated many of the grammatical errors and formatting inconsistencies that made older campaigns easy to identify. Attackers now use large language models to generate personalized, grammatically polished emails at scale, removing one of the most reliable visual detection signals. At the same time, phishing kits have grown more sophisticated — real-time proxy attacks can relay credentials and MFA codes between victim and target site simultaneously, bypassing authentication even when MFA is enabled. This shift makes technical defenses — authenticator-app MFA, password managers that validate domains before autofilling, and DNS-layer filtering — more dependable than visual inspection alone.
A password manager stores your credentials linked to the exact domain where you created them. When you visit a site, the password manager checks whether the current domain matches its stored record before offering to autofill. If you land on a phishing site — even a near-perfect visual replica of your bank's login page — the password manager will not autofill your credentials because the domain doesn't match. This provides an automatic layer of protection that works even when you fail to notice the URL discrepancy yourself. It is one of the most underrated defenses against credential-harvesting phishing, and it costs nothing in extra effort once configured.


