Most accounts don't get "hacked" by some genius breaking encryption. They get handed over — by a real person who typed their password into a fake login page after a convincing email. That's phishing, and it remains one of the most common ways people lose access to their email, money, and identity.

The good news: phishing follows patterns. Once you know what to look for, the same tricks start jumping out at you. This guide covers the real warning signs, the newer AI-era variants, and exactly what to do — whether you've spotted one or already clicked.

What phishing actually is

Phishing is a message designed to trick you into doing something harmful: typing your password into a fake page, opening a malware attachment, sending money, or revealing personal details. It usually impersonates someone you trust — your bank, a delivery company, a colleague, Microsoft, Google, or Apple.

It works because it targets emotion, not logic. A good phishing message creates urgency ("your account will be closed"), fear ("suspicious login detected"), or temptation ("you've received a refund") so you act before you think. The whole game is getting you to skip the two seconds of doubt that would give it away.

The warning signs that give it away

No single sign is proof on its own, but the more that stack up, the more suspicious you should be.

  1. The sender address doesn't match. The display name says "PayPal," but the actual email is service@paypal-secure-team.com or a random Gmail address. Always check the real address, not just the name.
  2. It manufactures urgency or threat. "Act within 24 hours or your account will be suspended." Legitimate companies rarely threaten you into instant action.
  3. A generic greeting. "Dear Customer" or "Dear user" instead of your name can be a hint — though targeted attacks may use your real name, so this one cuts both ways.
  4. Links that don't go where they claim. The text says account.microsoft.com, but hovering reveals a totally different address. This is the single biggest tell — more on checking links below.
  5. Unexpected attachments. An invoice, "voicemail," or "shipping label" you weren't expecting, especially as a .zip, .html, or document asking you to "enable content."
  6. It asks for credentials, codes, or payment. Real banks and platforms never email asking you to confirm your full password, a one-time code, or card details.
  7. Off details — logos, tone, or wording. Slightly wrong branding or an odd tone. Note: classic "bad spelling and grammar" advice is now less reliable, because AI tools let scammers write clean, fluent messages. Don't treat good grammar as proof it's safe.

Before you click anything, check where the link really goes:

  • On a computer, hover your mouse over the link (don't click) and read the address that appears in the corner of the browser or mail window.
  • On a phone, press and hold the link to preview the destination.
  • Read it right-to-left. The part that matters is the host name: everything between https:// and the first single slash, and within that the last two labels (three when it ends in a two-part country suffix such as .co.uk). In microsoft.account-verify.ru the real domain is account-verify.ru, not Microsoft; in account.microsoft.com it is microsoft.com, which is legitimate. A brand name appearing earlier in the link means nothing. Anything before an @ sign in a link is also ignored by the browser, so https://microsoft.com@example.net goes to example.net.
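As an added illustration (not part of the original guide), the script below automates both checks described above: it compares the sender's display name with the real address, and for each link in the body it compares the domain the text shows with the domain the link actually goes to, reading the host name from the right. It uses only the Python standard library. The sample e-mail, the domains in it (account-verify.ru, login-check.net, evil-updates.example), the brand-to-domain table and the short list of two-part country suffixes are constructed assumptions for the demonstration; a real tool would use the full Public Suffix List.

```python
"""Added example: check a suspicious e-mail's sender and link targets.
Not from the original page. The message and lists below are constructed."""
import json
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: illustrative table of brands and the domains they really use.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com"},
    "paypal": {"paypal.com"},
}
# Assumption: a few two-part country suffixes so bank.co.uk is not reduced to co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed sample message, modelled on the lures described in the text.
SAMPLE_EMAIL = """\
From: "Microsoft account team" <no-reply@microsoft.account-verify.ru>
To: you@example.com
Subject: Unusual sign-in activity
Content-Type: text/html

<p>Your account will be suspended within 24 hours.</p>
<a href="https://account.microsoft.com.login-check.net/verify">account.microsoft.com</a>
<a href="https://microsoft.com@evil-updates.example/">Verify now</a>
<a href="https://account.microsoft.com/">account.microsoft.com</a>
"""


def registrable_domain(host):
    """The part of a host name its owner actually registered, read from the right."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_domain(url):
    """Domain a link really goes to; urlparse drops the path and any 'user@' decoy."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return registrable_domain(parsed.hostname or "")


def brand_mismatch(text, domain):
    """True when a known brand is named in text but domain is not one of that brand's."""
    return any(brand in text.lower() and domain not in allowed
               for brand, allowed in BRAND_DOMAINS.items())


def check_sender(msg):
    """Display name versus the real address, as in warning sign 1."""
    name, addr = parseaddr(msg["From"])
    domain = registrable_domain(addr.rpartition("@")[2])
    return {"display_name": name, "address": addr, "domain": domain,
            "suspicious": brand_mismatch(name + " " + addr, domain)}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Shown domain versus real domain for each link, as in warning sign 4."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = link_domain(href)
        looks_like_address = "." in text and " " not in text
        shown = link_domain(text) if looks_like_address else None
        findings.append({"text": text, "href": href, "real_domain": real,
                         "suspicious": (shown is not None and shown != real)
                         or brand_mismatch(text + " " + href, real)})
    return findings


def analyse(raw_message):
    msg = message_from_string(raw_message)
    return {"sender": check_sender(msg), "links": check_links(msg.get_payload())}


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_EMAIL), indent=2))
```

Run it and the first two links are flagged: one because the visible text says account.microsoft.com while the link lands on login-check.net, the other because the brand name sits before an @ sign and the browser would go to evil-updates.example. The third link is the genuine microsoft.com and passes, as does the rule that a brand inside a subdomain of someone else's domain proves nothing.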

When in doubt, don't click the link at all. Open a new tab and go to the website by typing its address yourself, or use the official app. You lose nothing by verifying independently.

Newer tricks worth knowing

Phishing has spread well beyond email:

  • Smishing (SMS) and vishing (voice calls): fake "delivery failed" texts and phone calls pretending to be your bank's fraud department.
  • QR-code phishing ("quishing"): a QR code in an email or poster that sends you to a fake login page — convenient because you can't easily see the URL first.
  • AI-written and cloned messages: scammers now use AI to write flawless, personalized messages, and even to mimic a voice. Fluency is no longer a safety signal.
  • MFA-fatigue attacks: if you use two-factor authentication, attackers who already have your password may spam you with approval prompts hoping you'll tap "approve" out of annoyance. Never approve a login you didn't start.

What to do when you spot a phishing email

  1. Don't click, don't reply, don't open attachments.
  2. Don't unsubscribe from an obvious scam — it just confirms your address is live.
  3. Report it. Use your email app's "Report phishing" button; for impersonation of a company, forward it to their official abuse address. In the US, you can report scams to the FTC at reportfraud.ftc.gov.
  4. Delete it.

If it's a workplace email, also alert your IT/security team — you may not be the only target. Building this kind of awareness is exactly what good cybersecurity basics are about.

What to do if you already clicked

Don't panic — act quickly:

  • If you entered a password: change it immediately on the real site (typed in yourself, not reached through the email), and change it anywhere you reused it. If the site offers "sign out of all devices" or similar, use it so anyone already logged in with the stolen password is kicked out. This is far easier if you use a password manager with unique passwords.
  • Turn on two-factor authentication (or better, passkeys) so a stolen password alone isn't enough.
  • If you entered card or bank details: contact your bank, and watch for unfamiliar charges.
  • If you opened an attachment: run a full antivirus scan and keep an eye out for unusual behavior, such as new pop-ups, unknown programs, or a suddenly sluggish machine.
  • Watch your accounts for password-reset emails or logins you didn't make. If it was your email account, also check its settings for forwarding rules or filters you didn't create; attackers add these to keep reading your mail even after you change the password.

How to protect yourself going forward

You can't stop phishing emails from arriving, but you can make them harmless:

  • Use unique passwords so one stolen login can't unlock everything.
  • Turn on two-factor authentication or passkeys on every important account.
  • Verify independently. If a message asks you to log in or pay, go to the site or app directly instead of using its link.
  • Slow down on urgency. The feeling of "I must act now" is itself the warning sign.

FAQ

How can I tell if an email is really from my bank? Check the sender's actual address, look for personalization, and never trust urgent threats. The safest move is to ignore the email's links entirely and log in by going to the bank's official app or typing its website address yourself.

Is bad spelling still a reliable sign of phishing? Less than it used to be. AI writing tools let scammers produce clean, fluent messages, so good grammar no longer means an email is safe. Rely on sender address, link destinations, and suspicious requests instead.

What is the difference between phishing, smishing, and vishing? They're the same trick on different channels: phishing is by email, smishing is by SMS text message, and vishing is by voice phone call. All aim to trick you into revealing information or sending money.

Should I click a link to "unsubscribe" from a phishing email? No. Interacting with an obvious scam — including unsubscribing — can confirm your address is active and invite more. Just report and delete it.

What should I do first if I clicked a phishing link and entered my password? Immediately change that password on the legitimate site, change it anywhere else you reused it, and enable two-factor authentication. Then monitor the account for unauthorized activity.

The bottom line

Phishing works on urgency and trust, not technical wizardry — which means a calm, skeptical habit beats it most of the time. Check the sender, check where links really go, and verify anything important by visiting the site yourself. Back that up with unique passwords and two-factor authentication, and a phishing email becomes just another message you delete. For the bigger picture on staying safe, start with our guide to cybersecurity basics.