Phishing emails are responsible for more than 90% of all corporate data breaches and billions of dollars in consumer losses every single year. They arrive in your inbox every day, disguised as communications from your bank, your employer, a delivery service, or a government agency. In 2026, AI-generated phishing messages are more convincing than ever — but they still leave detectable traces. This guide gives you the 15 definitive red flags that reveal a phishing email, no matter how sophisticated the attack.
1. What Is a Phishing Email?
A phishing email is a deceptive message crafted by an attacker to impersonate a trusted entity — a bank, an online retailer, a government department, or a familiar brand — with the goal of tricking you into revealing sensitive information, clicking a malicious link, or downloading malware.
The term "phishing" is a play on "fishing" — the attacker casts a wide net of deceptive messages and waits for victims to take the bait. Mass phishing campaigns send identical emails to millions of addresses with minimal personalisation, while more sophisticated variants target specific individuals with tailored messages.
Modern phishing attacks have evolved far beyond the obvious Nigerian prince emails of the early internet. Today's phishing messages can be graphically indistinguishable from genuine communications, use real customer names pulled from data breaches, and employ HTTPS certificates to make fake websites look secure. Understanding what to look for is your primary line of defence.
2. The Anatomy of a Phishing Attack
Every phishing attack follows a predictable structure, even when the surface details change. Understanding this structure helps you recognise phishing attempts that look completely different from examples you've seen before.
The Hook: An attention-grabbing subject line creates urgency or curiosity. "Your account has been compromised," "Unusual sign-in detected," "Your package is waiting," or "You've received a payment" are classic examples. The subject line is designed to compel an immediate open.
The Identity: The email impersonates a trusted entity. The sender's display name shows your bank's name or a known brand. The email body carries their logo, colour scheme, and formatting. This impersonation creates initial trust before you examine the details.
The Scenario: A plausible crisis is described — your account will be suspended, a payment failed, your password needs reset, or a prize is waiting to be claimed. The scenario creates urgency and gives you a reason to act.
The Call to Action: A prominent button or link instructs you to "Verify Now," "Confirm Your Details," "Click Here to Secure Your Account," or "Claim Your Reward." This link leads to a fake website built to harvest your credentials or payment details.
The Harvest: The fake website captures everything you enter — username, password, card numbers, OTPs — and sends it directly to the attacker, often without any visible indication that something has gone wrong.
3. 15 Red Flags to Spot Phishing Emails
Train yourself to check for these red flags in every email that requests any action on your part. A single flag may not confirm a phishing attack, but multiple flags in the same email is a near-certain indicator of fraud.
-
🚩
1. Sender domain mismatch — The display name shows "PayPal" but the actual email address is paypal-support@customerdomain.net. Always click on the sender name to reveal the full email address and confirm it matches the organisation's official domain exactly.
-
🚩
2. Urgent or threatening language — Phrases like "Immediate action required," "Your account will be closed in 24 hours," or "Legal action pending" are designed to create panic. Legitimate organisations do not threaten customers with immediate consequences in email without prior notice.
-
🚩
3. Generic greeting — "Dear Customer," "Dear Account Holder," or "Dear User" instead of your actual name suggests the email was generated in bulk without personalisation. Your bank and regular service providers always address you by name.
-
🚩
4. Suspicious links that don't match when hovered — Hover over any link before clicking. The URL that appears in your browser's status bar may look completely different from the anchor text. Mismatched URLs are a definitive sign of phishing.
-
🚩
5. Unexpected attachment demands — Phishing emails often attach malicious files disguised as invoices, delivery notes, or documents requiring your "signature." Legitimate organisations rarely send unsolicited attachments, especially executable files or macro-enabled Office documents.
-
🚩
6. Grammatical errors and unusual phrasing — While AI tools have improved phishing quality, many attacks still contain subtle errors: inconsistent capitalisation, awkward sentence construction, or vocabulary that sounds slightly off for the supposed sender.
-
🚩
7. Prize or lottery claims — "You have been selected to receive $5,000" or "You've won an iPhone 16." If you didn't enter a competition, you cannot have won one. Prize emails are invariably designed to collect personal information or processing "fees."
-
🚩
8. Account suspension threats — Emails claiming your account has been suspended and you must verify within hours to restore access follow a classic phishing pattern. Verify by logging into your account directly through your browser — not through the email link.
-
🚩
9. Unsolicited password reset requests — If you receive a password reset email you didn't trigger, do not click the link. Navigate to the service's official website and log in, then change your password from within your account settings.
-
🚩
10. Spoofed logos and branding — Phishing emails copy real branding but often use slightly off colours, blurry logos, or different font weights. Right-click logos to check their actual source URL — genuine company images load from their own domains.
-
🚩
11. Mismatched URL domain or subdomain — A link to "secure.paypal.com.verificationcenter.ru" does NOT lead to PayPal. The actual domain is the last part before the path: verificationcenter.ru is the true domain here. Attackers use subdomains to make URLs look legitimate at a glance.
-
🚩
12. Countdown timers and fake deadlines — "This offer expires in 2 hours" or "Your session will terminate at midnight" are pressure tactics with no legitimate basis. Real service issues do not operate on arbitrary countdown clocks.
-
🚩
13. CEO or executive impersonation (BEC) — Business Email Compromise attacks impersonate executives requesting urgent wire transfers or gift card purchases from employees. The "CEO email" often has a near-identical but subtly different address or uses a personal email account.
-
🚩
14. Tax authority impersonation — Emails claiming to be from the IRS, HMRC, or Indian Income Tax department threatening penalties or offering refunds are almost always phishing. Tax authorities communicate through official mail, not unsolicited emails.
-
🚩
15. Gift card payment requests — Any email asking you to purchase gift cards as payment — for taxes, tech support, fines, or subscriptions — is a scam without exception. No legitimate organisation accepts gift cards as a form of payment.
4. Advanced Spear Phishing Tactics
While mass phishing casts a wide net, spear phishing targets specific individuals with highly personalised attacks. The attacker researches the target extensively — often using LinkedIn, company websites, social media, and previously breached data — before crafting an email that references real personal details.
A spear phishing email might address you by your full name, reference your employer, mention a real project you're working on, or appear to come from a colleague whose email address has been spoofed. This personalisation bypasses the "generic greeting" and "poor grammar" red flags that catch most mass phishing.
Whale phishing is a subcategory targeting high-value individuals — executives, finance directors, and IT administrators. These attacks invest significant preparation time because the potential payoff (access to corporate systems, large financial transfers, or sensitive intellectual property) justifies the effort.
Business Email Compromise (BEC) is the most financially damaging form of spear phishing. The FBI reported over $2.9 billion in BEC losses in the US alone in 2023. BEC attacks compromise or impersonate executive email accounts to authorise fraudulent wire transfers, and they require no malware — just convincing impersonation.
New Threat: QR Code Phishing (Quishing)
Phishing emails increasingly replace clickable links with QR codes. Because email security filters scan for malicious URLs but often cannot interpret QR code images, quishing bypasses many corporate email defences. When you scan a QR code from an email, your smartphone's security protections are typically weaker than your desktop. Never scan QR codes sent in unsolicited emails without independently verifying their legitimacy.
5. Real-World Phishing Examples
Example 1 — Netflix Account Suspension
Subject: "Action Required: Your Netflix subscription has been suspended." Sender: netflix-billing@subscriptionupdate-netflix.com. Body: Professional Netflix branding, your name included (pulled from a data breach), a link to "Update Payment" leading to netflix-billing-update.com — a pixel-perfect clone of the real Netflix payment page. Credentials and card details are harvested the moment you enter them.
Example 2 — HMRC Tax Refund
Subject: "You have a pending tax refund of £432.50." Sender: noreply@hmrc-taxrefund.co.uk. The email instructs you to "claim your refund" through a link that goes to a form collecting your National Insurance number, bank sort code, account number, and card details — everything needed for identity theft and bank fraud.
Example 3 — Microsoft 365 Credential Harvest
Employees receive an email appearing to be from Microsoft IT: "Your password expires in 24 hours. Click here to update your credentials and avoid service interruption." The link goes to a Microsoft-branded login page hosted on a compromised server. When the employee enters their corporate credentials, the attacker gains access to the entire Microsoft 365 environment, including email, SharePoint, and OneDrive.
6. How to Verify Suspicious Emails
When you receive an email that triggers even one of the 15 red flags above, use these verification steps before taking any action suggested by the email.
Step 1 — Check the full sender address. Click on the sender's display name to reveal the complete email address. Cross-reference this against the organisation's official website. A mismatch is definitive evidence of impersonation.
Step 2 — Hover all links before clicking. On desktop, hover over any link and check the URL shown in the browser status bar. On mobile, long-press links to preview the URL. The URL should match the organisation's official domain exactly.
Step 3 — Navigate to the service independently. Instead of clicking the email link, open a new browser tab and type the organisation's official web address manually. Log in and check whether the issue described in the email actually exists in your account.
Step 4 — Call the organisation directly. Use the contact number from the organisation's official website (not any number provided in the email) to verify whether they actually sent the message.
Step 5 — Use an email header analyser. Advanced users can inspect the full email headers to trace the actual sending server. Any discrepancy between the claimed sender and the actual sending infrastructure confirms a phishing attack.
Pro Tip: Use ScamSense for Instant Screening
Screenshot or paste suspicious email content into ScamSense for an immediate AI-powered analysis. ScamSense identifies phishing patterns, checks embedded URLs, and explains exactly what it found suspicious in plain English — helping you make the right decision in seconds.
7. What To Do If You Clicked a Phishing Link
Clicking a phishing link does not automatically mean you have been compromised — but you must act quickly to minimise any damage.
-
1
Disconnect from the internet immediately. If you clicked on mobile, turn off Wi-Fi and mobile data. On a computer, unplug the ethernet cable or disable Wi-Fi. This can prevent malware from communicating back to attackers.
-
2
Do not enter any information on the page you were taken to. If the page opened and you haven't entered anything, close it immediately. If you already entered credentials or payment details, proceed urgently to the next steps.
-
3
Change passwords on all affected accounts immediately. Start with your email account (which often provides access to every other account through password reset), then banking, social media, and any other services you use the same password for.
-
4
Contact your bank if you entered financial information. Call the fraud line number on the back of your card — not any number from the email. Ask them to freeze your account, reverse any unauthorised transactions, and issue a new card.
-
5
Run a security scan on your device. Use reputable antivirus software to scan for malware that may have been installed when you clicked. Some phishing links trigger silent malware downloads that operate in the background.
-
6
Report the phishing email. Forward the email to your email provider's phishing report address, the organisation being impersonated, and your national fraud reporting authority. Your report helps protect others from the same attack.
8. Protecting Your Organisation
Phishing attacks on organisations carry dramatically higher stakes than personal attacks. A single successful phishing email can compromise an entire corporate network, expose customer data, and result in multi-million-dollar losses. Organisational protection requires both technical controls and human training.
Technical controls: Deploy email authentication protocols including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) on your domain. These prevent attackers from successfully spoofing your domain in outbound phishing attacks and help email providers identify incoming spoofed messages. Use email filtering solutions that scan for known phishing patterns, malicious URLs, and suspicious attachments before they reach employee inboxes.
Human training: Regular phishing simulation exercises — where your security team sends controlled fake phishing emails to employees — are the most effective way to build organisational awareness. Employees who fail simulations receive immediate training rather than disciplinary action. Organisations that run quarterly phishing simulations reduce click rates from around 33% to under 5% within 12 months.
Financial controls: Implement multi-person approval for all wire transfers over a threshold amount. Require verbal confirmation via a known phone number (not one provided in email) before processing any change to payment instructions. These controls defeat BEC attacks even when the initial phishing attempt succeeds.
Your 5-Point Phishing Protection Plan
- Enable two-factor authentication on every account that supports it
- Never click email links — always navigate to websites directly
- Verify unexpected requests through official phone numbers, not email contact details
- Use a password manager so each account has a unique password
- Scan suspicious emails with ScamSense before responding or clicking
Key Takeaways
- Phishing accounts for 90% of data breaches — it is the most common and successful cyberattack method
- Always check the full sender email address, not just the display name
- Hover over links before clicking and verify they lead where claimed
- Legitimate organisations never ask for passwords, PINs, or OTPs by email
- Spear phishing and quishing are evading traditional detection — awareness is your best defence
- If you clicked a phishing link, act immediately: disconnect, change passwords, contact your bank
9. Frequently Asked Questions
What is a phishing email?
How can I tell if an email is really from my bank?
What should I do if I clicked a phishing link?
Can phishing emails look exactly like real emails?
What is spear phishing?
Is phishing only done through email?
What is a homograph attack in phishing?
How does two-factor authentication protect against phishing?
What is quishing (QR code phishing)?
How do I report a phishing email?
Never Fall for Phishing Again
ScamSense analyses suspicious emails, messages, and links instantly. Paste the content or share a screenshot — get a risk score in seconds.
Download ScamSense — Free