user@s3-3:~/s3-3/tools/how-to-spot-phishing-emails $ cat index.md
S3-3 Tech Guides & Tools
~/tools/how-to-spot-phishing-emails
How-to · Jul 2026

How to Spot a Phishing Email Before You Click

Phishing emails have gotten better. The misspelled "Dear Customer, your acount has been suspend" messages still exist, but the ones that actually catch people now often use correct grammar, real company logos, and a sender name that looks legitimate at a glance. What hasn't changed is that phishing still relies on the same handful of mechanics — a fake sender, a manipulated link, and pressure to act fast. Learning to check those three things takes about fifteen seconds per email and catches the overwhelming majority of attempts.

Check the Actual Sender Address, Not the Display Name

Email clients show a display name by default — "PayPal Support," "Amazon Security," "Your Bank" — and that name is trivial for anyone to set to whatever they want. The address behind it is what matters. Tap or click on the sender name to reveal the full email address. A message claiming to be from PayPal but sent from [email protected] or a string of random characters at a generic domain is not from PayPal, regardless of what logo is in the body.

Watch specifically for look-alike domains: micros0ft.com (zero instead of o), paypa1.com (numeral one instead of l), or a real company name tacked onto an unrelated domain like apple.com.verify-login.net — the part right before the final .com/.net is the actual domain, and everything before that is just a subdomain the attacker controls.

Hover Before You Click — Don't Trust the Blue Text

A link's visible text and its actual destination can be completely different; that's normal HTML, not even a trick specific to phishing. On desktop, hover your mouse over a link without clicking and look at the status bar (usually bottom-left of the window) to see the real URL. On mobile, press and hold the link to preview the destination before deciding to tap it fully.

If the visible text says "Sign in to your account" but the hover preview shows a domain that has nothing to do with the company the email claims to be from, that's the whole scam laid bare in one glance.

Urgency and Threats Are the Oldest Trick, and Still the Most Effective

  • "Your account will be suspended in 24 hours" — pressure to skip careful reading and click immediately.
  • "Unusual sign-in activity detected" — plays on fear of being hacked to get you to "verify" credentials on a fake page that steals them.
  • "You've won" / unexpected refund or invoice — curiosity or confusion baited into a click.
  • A message that arrives at an odd hour claiming to be from your boss or a coworker asking for gift cards or a wire transfer — this targets workplaces specifically and relies on the recipient not wanting to seem unhelpful.

Legitimate companies rarely threaten immediate account closure over email, and they never ask you to "confirm your password" by clicking a link and typing it into a form that arrived via email. If in doubt, don't click anything in the message — open a new browser tab and go to the company's site directly, or call a phone number you already know is real, not one listed in the suspicious email.

Attachments deserve the same suspicion as links: An unexpected invoice, shipping label, or "resume" attachment from an unknown sender — especially a .zip, .exe, or a Word/Excel file that prompts you to "enable macros" — is one of the most common malware delivery methods still in active use. If you weren't expecting a file, don't open it, even if the sender name looks familiar; email addresses get spoofed constantly.

What to Do When You Catch One

Most email providers have a built-in "Report phishing" option — in Gmail it's the three-dot menu on an open message, in Outlook it's the Report button in the ribbon. Reporting helps the provider's spam filters learn faster, which reduces how many similar messages reach you and other users. After reporting, delete the message rather than leaving it in your inbox where a distracted moment later could still lead to a click.

If you already clicked a link and entered credentials before realizing something was wrong, change that password immediately from the real site (typed directly into the address bar, not via any link from the email), and change it anywhere else you reused the same password — which is exactly the scenario a password manager and unique passwords per site are meant to prevent. Turning on two-factor authentication on the affected account means a stolen password alone usually isn't enough for the attacker to get in.

Verifying Whether Your Email Has Been Part of a Known Breach

Separate from any single phishing attempt, it's worth periodically checking whether your email address has turned up in a known data breach, since breached credentials are exactly what phishing campaigns are often built from in the first place. Our guide on checking if your email was breached walks through the free tools for that. For official, government-backed guidance on recognizing and reporting phishing specifically, the U.S. Cybersecurity and Infrastructure Security Agency maintains current advice at cisa.gov.