How to spot a phishing email

May 29, 2026 · 2 min read

Phishing emails try to trick you into clicking a malicious link, opening a dangerous attachment, or handing over a password. Here is how to recognize them.

What is a phishing email?

A phishing email is a message that pretends to come from someone you trust - your bank, a delivery company, your employer, a well-known brand - to trick you into doing something risky: clicking a link, opening an attachment, or entering a password. The goal is almost always to steal money, credentials, or personal information.

The good news: most phishing emails share a handful of tells. Once you know them, they are hard to unsee.

7 signs an email might be phishing

  1. A sense of urgency or fear. "Your account will be closed in 24 hours." "Suspicious login detected - act now." Pressure is designed to stop you from thinking.
  2. A mismatched or look-alike sender address. The display name says "PayPal" but the real address is service@paypa1-security.com. Always check the actual address, not just the name.
  3. Generic greetings. "Dear customer" or "Dear user" instead of your name - though targeted attacks may use your name too.
  4. Links that do not go where they claim. Hover over a link (do not click) and check the real destination. https://amaz0n-account.help is not Amazon.
  5. Unexpected attachments. Invoices, "voicemails," or shipping documents you were not expecting - especially .zip or .html files, or documents that ask you to "enable macros."
  6. Requests for sensitive information. Real companies do not email you to ask for your password, full card number, or one-time codes.
  7. Small errors. Odd grammar, slightly-off logos, or a tone that does not match the real company.

What to do with a suspicious email

  • Do not click links or open attachments. If you are unsure, go to the company's website directly by typing the address yourself.
  • Check the sender and the links before acting. You can paste a suspicious message into our Email Checker - it analyzes the links, urgency wording, and sender headers, and explains the risks in plain language.
  • Verify through another channel. Call the company using a number from their official site, not one in the email.
  • Report and delete. Report it to your email provider or IT team, then delete it.

If you already clicked

Do not panic, but act quickly: change the password for any account you may have exposed (and anywhere you reused it), turn on two-factor authentication, and watch for unusual activity. If you entered a password, check whether it has shown up in a breach with our Password Checker.

Phishing works by rushing you. Slowing down for ten seconds to check the sender and the links is the single most effective habit you can build.