How to Spot Phishing Emails: 15 Red Flags You Must Know

Phishing is responsible for 90% of data breaches. Here's how to never get fooled again.

📅 Updated: July 2026 ⏱ 10 min read ✍ ScamSense Security Team

Phishing emails are responsible for more than 90% of all corporate data breaches and billions of dollars in consumer losses every single year. They arrive in your inbox every day, disguised as communications from your bank, your employer, a delivery service, or a government agency. In 2026, AI-generated phishing messages are more convincing than ever — but they still leave detectable traces. This guide gives you the 15 definitive red flags that reveal a phishing email, no matter how sophisticated the attack.

3.4B Phishing emails sent every day
90% Of breaches start with phishing
98% Of phishing victims targeted on mobile

1. What Is a Phishing Email?

A phishing email is a deceptive message crafted by an attacker to impersonate a trusted entity — a bank, an online retailer, a government department, or a familiar brand — with the goal of tricking you into revealing sensitive information, clicking a malicious link, or downloading malware.

The term "phishing" is a play on "fishing" — the attacker casts a wide net of deceptive messages and waits for victims to take the bait. Mass phishing campaigns send identical emails to millions of addresses with minimal personalisation, while more sophisticated variants target specific individuals with tailored messages.

Modern phishing attacks have evolved far beyond the obvious Nigerian prince emails of the early internet. Today's phishing messages can be graphically indistinguishable from genuine communications, use real customer names pulled from data breaches, and employ HTTPS certificates to make fake websites look secure. Understanding what to look for is your primary line of defence.

2. The Anatomy of a Phishing Attack

Every phishing attack follows a predictable structure, even when the surface details change. Understanding this structure helps you recognise phishing attempts that look completely different from examples you've seen before.

The Hook: An attention-grabbing subject line creates urgency or curiosity. "Your account has been compromised," "Unusual sign-in detected," "Your package is waiting," or "You've received a payment" are classic examples. The subject line is designed to compel an immediate open.

The Identity: The email impersonates a trusted entity. The sender's display name shows your bank's name or a known brand. The email body carries their logo, colour scheme, and formatting. This impersonation creates initial trust before you examine the details.

The Scenario: A plausible crisis is described — your account will be suspended, a payment failed, your password needs reset, or a prize is waiting to be claimed. The scenario creates urgency and gives you a reason to act.

The Call to Action: A prominent button or link instructs you to "Verify Now," "Confirm Your Details," "Click Here to Secure Your Account," or "Claim Your Reward." This link leads to a fake website built to harvest your credentials or payment details.

The Harvest: The fake website captures everything you enter — username, password, card numbers, OTPs — and sends it directly to the attacker, often without any visible indication that something has gone wrong.

3. 15 Red Flags to Spot Phishing Emails

Train yourself to check for these red flags in every email that requests any action on your part. A single flag may not confirm a phishing attack, but multiple flags in the same email is a near-certain indicator of fraud.

  • 🚩
    1. Sender domain mismatch — The display name shows "PayPal" but the actual email address is paypal-support@customerdomain.net. Always click on the sender name to reveal the full email address and confirm it matches the organisation's official domain exactly.
  • 🚩
    2. Urgent or threatening language — Phrases like "Immediate action required," "Your account will be closed in 24 hours," or "Legal action pending" are designed to create panic. Legitimate organisations do not threaten customers with immediate consequences in email without prior notice.
  • 🚩
    3. Generic greeting — "Dear Customer," "Dear Account Holder," or "Dear User" instead of your actual name suggests the email was generated in bulk without personalisation. Your bank and regular service providers always address you by name.
  • 🚩
    4. Suspicious links that don't match when hovered — Hover over any link before clicking. The URL that appears in your browser's status bar may look completely different from the anchor text. Mismatched URLs are a definitive sign of phishing.
  • 🚩
    5. Unexpected attachment demands — Phishing emails often attach malicious files disguised as invoices, delivery notes, or documents requiring your "signature." Legitimate organisations rarely send unsolicited attachments, especially executable files or macro-enabled Office documents.
  • 🚩
    6. Grammatical errors and unusual phrasing — While AI tools have improved phishing quality, many attacks still contain subtle errors: inconsistent capitalisation, awkward sentence construction, or vocabulary that sounds slightly off for the supposed sender.
  • 🚩
    7. Prize or lottery claims — "You have been selected to receive $5,000" or "You've won an iPhone 16." If you didn't enter a competition, you cannot have won one. Prize emails are invariably designed to collect personal information or processing "fees."
  • 🚩
    8. Account suspension threats — Emails claiming your account has been suspended and you must verify within hours to restore access follow a classic phishing pattern. Verify by logging into your account directly through your browser — not through the email link.
  • 🚩
    9. Unsolicited password reset requests — If you receive a password reset email you didn't trigger, do not click the link. Navigate to the service's official website and log in, then change your password from within your account settings.
  • 🚩
    10. Spoofed logos and branding — Phishing emails copy real branding but often use slightly off colours, blurry logos, or different font weights. Right-click logos to check their actual source URL — genuine company images load from their own domains.
  • 🚩
    11. Mismatched URL domain or subdomain — A link to "secure.paypal.com.verificationcenter.ru" does NOT lead to PayPal. The actual domain is the last part before the path: verificationcenter.ru is the true domain here. Attackers use subdomains to make URLs look legitimate at a glance.
  • 🚩
    12. Countdown timers and fake deadlines — "This offer expires in 2 hours" or "Your session will terminate at midnight" are pressure tactics with no legitimate basis. Real service issues do not operate on arbitrary countdown clocks.
  • 🚩
    13. CEO or executive impersonation (BEC) — Business Email Compromise attacks impersonate executives requesting urgent wire transfers or gift card purchases from employees. The "CEO email" often has a near-identical but subtly different address or uses a personal email account.
  • 🚩
    14. Tax authority impersonation — Emails claiming to be from the IRS, HMRC, or Indian Income Tax department threatening penalties or offering refunds are almost always phishing. Tax authorities communicate through official mail, not unsolicited emails.
  • 🚩
    15. Gift card payment requests — Any email asking you to purchase gift cards as payment — for taxes, tech support, fines, or subscriptions — is a scam without exception. No legitimate organisation accepts gift cards as a form of payment.

4. Advanced Spear Phishing Tactics

While mass phishing casts a wide net, spear phishing targets specific individuals with highly personalised attacks. The attacker researches the target extensively — often using LinkedIn, company websites, social media, and previously breached data — before crafting an email that references real personal details.

A spear phishing email might address you by your full name, reference your employer, mention a real project you're working on, or appear to come from a colleague whose email address has been spoofed. This personalisation bypasses the "generic greeting" and "poor grammar" red flags that catch most mass phishing.

Whale phishing is a subcategory targeting high-value individuals — executives, finance directors, and IT administrators. These attacks invest significant preparation time because the potential payoff (access to corporate systems, large financial transfers, or sensitive intellectual property) justifies the effort.

Business Email Compromise (BEC) is the most financially damaging form of spear phishing. The FBI reported over $2.9 billion in BEC losses in the US alone in 2023. BEC attacks compromise or impersonate executive email accounts to authorise fraudulent wire transfers, and they require no malware — just convincing impersonation.

New Threat: QR Code Phishing (Quishing)

Phishing emails increasingly replace clickable links with QR codes. Because email security filters scan for malicious URLs but often cannot interpret QR code images, quishing bypasses many corporate email defences. When you scan a QR code from an email, your smartphone's security protections are typically weaker than your desktop. Never scan QR codes sent in unsolicited emails without independently verifying their legitimacy.

5. Real-World Phishing Examples

Example 1 — Netflix Account Suspension

Subject: "Action Required: Your Netflix subscription has been suspended." Sender: netflix-billing@subscriptionupdate-netflix.com. Body: Professional Netflix branding, your name included (pulled from a data breach), a link to "Update Payment" leading to netflix-billing-update.com — a pixel-perfect clone of the real Netflix payment page. Credentials and card details are harvested the moment you enter them.

Example 2 — HMRC Tax Refund

Subject: "You have a pending tax refund of £432.50." Sender: noreply@hmrc-taxrefund.co.uk. The email instructs you to "claim your refund" through a link that goes to a form collecting your National Insurance number, bank sort code, account number, and card details — everything needed for identity theft and bank fraud.

Example 3 — Microsoft 365 Credential Harvest

Employees receive an email appearing to be from Microsoft IT: "Your password expires in 24 hours. Click here to update your credentials and avoid service interruption." The link goes to a Microsoft-branded login page hosted on a compromised server. When the employee enters their corporate credentials, the attacker gains access to the entire Microsoft 365 environment, including email, SharePoint, and OneDrive.

6. How to Verify Suspicious Emails

When you receive an email that triggers even one of the 15 red flags above, use these verification steps before taking any action suggested by the email.

Step 1 — Check the full sender address. Click on the sender's display name to reveal the complete email address. Cross-reference this against the organisation's official website. A mismatch is definitive evidence of impersonation.

Step 2 — Hover all links before clicking. On desktop, hover over any link and check the URL shown in the browser status bar. On mobile, long-press links to preview the URL. The URL should match the organisation's official domain exactly.

Step 3 — Navigate to the service independently. Instead of clicking the email link, open a new browser tab and type the organisation's official web address manually. Log in and check whether the issue described in the email actually exists in your account.

Step 4 — Call the organisation directly. Use the contact number from the organisation's official website (not any number provided in the email) to verify whether they actually sent the message.

Step 5 — Use an email header analyser. Advanced users can inspect the full email headers to trace the actual sending server. Any discrepancy between the claimed sender and the actual sending infrastructure confirms a phishing attack.

Pro Tip: Use ScamSense for Instant Screening

Screenshot or paste suspicious email content into ScamSense for an immediate AI-powered analysis. ScamSense identifies phishing patterns, checks embedded URLs, and explains exactly what it found suspicious in plain English — helping you make the right decision in seconds.

7. What To Do If You Clicked a Phishing Link

Clicking a phishing link does not automatically mean you have been compromised — but you must act quickly to minimise any damage.

  1. 1
    Disconnect from the internet immediately. If you clicked on mobile, turn off Wi-Fi and mobile data. On a computer, unplug the ethernet cable or disable Wi-Fi. This can prevent malware from communicating back to attackers.
  2. 2
    Do not enter any information on the page you were taken to. If the page opened and you haven't entered anything, close it immediately. If you already entered credentials or payment details, proceed urgently to the next steps.
  3. 3
    Change passwords on all affected accounts immediately. Start with your email account (which often provides access to every other account through password reset), then banking, social media, and any other services you use the same password for.
  4. 4
    Contact your bank if you entered financial information. Call the fraud line number on the back of your card — not any number from the email. Ask them to freeze your account, reverse any unauthorised transactions, and issue a new card.
  5. 5
    Run a security scan on your device. Use reputable antivirus software to scan for malware that may have been installed when you clicked. Some phishing links trigger silent malware downloads that operate in the background.
  6. 6
    Report the phishing email. Forward the email to your email provider's phishing report address, the organisation being impersonated, and your national fraud reporting authority. Your report helps protect others from the same attack.

8. Protecting Your Organisation

Phishing attacks on organisations carry dramatically higher stakes than personal attacks. A single successful phishing email can compromise an entire corporate network, expose customer data, and result in multi-million-dollar losses. Organisational protection requires both technical controls and human training.

Technical controls: Deploy email authentication protocols including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) on your domain. These prevent attackers from successfully spoofing your domain in outbound phishing attacks and help email providers identify incoming spoofed messages. Use email filtering solutions that scan for known phishing patterns, malicious URLs, and suspicious attachments before they reach employee inboxes.

Human training: Regular phishing simulation exercises — where your security team sends controlled fake phishing emails to employees — are the most effective way to build organisational awareness. Employees who fail simulations receive immediate training rather than disciplinary action. Organisations that run quarterly phishing simulations reduce click rates from around 33% to under 5% within 12 months.

Financial controls: Implement multi-person approval for all wire transfers over a threshold amount. Require verbal confirmation via a known phone number (not one provided in email) before processing any change to payment instructions. These controls defeat BEC attacks even when the initial phishing attempt succeeds.

Your 5-Point Phishing Protection Plan

  • Enable two-factor authentication on every account that supports it
  • Never click email links — always navigate to websites directly
  • Verify unexpected requests through official phone numbers, not email contact details
  • Use a password manager so each account has a unique password
  • Scan suspicious emails with ScamSense before responding or clicking

Key Takeaways

  • Phishing accounts for 90% of data breaches — it is the most common and successful cyberattack method
  • Always check the full sender email address, not just the display name
  • Hover over links before clicking and verify they lead where claimed
  • Legitimate organisations never ask for passwords, PINs, or OTPs by email
  • Spear phishing and quishing are evading traditional detection — awareness is your best defence
  • If you clicked a phishing link, act immediately: disconnect, change passwords, contact your bank

9. Frequently Asked Questions

What is a phishing email?
A phishing email is a fraudulent message designed to trick recipients into revealing sensitive information such as passwords, credit card numbers, or bank account details. Attackers impersonate trusted organisations — banks, tech companies, government agencies — and create urgency to pressure victims into clicking malicious links or downloading harmful attachments.
How can I tell if an email is really from my bank?
Check the sender's full email address and confirm it matches the bank's official domain exactly. Never click links in the email — instead navigate to your bank's website by typing the address in your browser. Call the number on the back of your bank card if in doubt. Legitimate banks never ask for your PIN or password via email.
What should I do if I clicked a phishing link?
Disconnect from the internet immediately, change your passwords on all accounts you may have entered details for, contact your bank to flag potential fraud, run a security scan on your device, and report the phishing email to your email provider and national fraud authority.
Can phishing emails look exactly like real emails?
Yes. Advanced phishing attacks copy the exact branding, logos, and formatting of legitimate organisations with near-perfect accuracy. AI-generated phishing emails are now grammatically flawless and highly personalised. The safest approach is to verify every request independently through official channels, regardless of how legitimate an email looks.
What is spear phishing?
Spear phishing is a targeted form of phishing where the attacker researches a specific individual and crafts a personalised email that references real details about them — their name, employer, role, or recent activities. This personalisation makes spear phishing far more convincing than mass phishing campaigns and significantly harder to detect.
Is phishing only done through email?
No. While email phishing is the most common form, attackers also use SMS (smishing), phone calls (vishing), social media messages, QR codes (quishing), and fake websites to conduct phishing attacks. The principles for detection are similar across all channels: look for urgency, identity impersonation, and requests for sensitive information.
What is a homograph attack in phishing?
A homograph attack uses characters from different alphabets that look identical to standard letters to create URLs that appear to match legitimate domains but actually lead to malicious sites. Always check URLs carefully and use URL verification tools when uncertain about a link's authenticity.
How does two-factor authentication protect against phishing?
Two-factor authentication adds a second verification step so that even if a phisher captures your password, they cannot access your account without your second factor. However, advanced phishing attacks can intercept 2FA codes in real time using adversary-in-the-middle proxies, so 2FA is an important layer but not a complete defence.
What is quishing (QR code phishing)?
Quishing is a phishing technique that uses QR codes to hide malicious URLs. Because the URL is encoded in the QR image, traditional email security filters often fail to detect it. Never scan QR codes from unsolicited emails — always verify the source before scanning.
How do I report a phishing email?
Forward phishing emails to your email provider's abuse address, your national fraud authority (in India: cybercrime.gov.in; US: reportfraud.ftc.gov; UK: report@phishing.gov.uk), and the organisation being impersonated. Your report helps authorities take down malicious infrastructure and protect others from the same attack.

Never Fall for Phishing Again

ScamSense analyses suspicious emails, messages, and links instantly. Paste the content or share a screenshot — get a risk score in seconds.

Download ScamSense — Free