
How to Spot Phishing Emails: 12 Red Flags

Master how to spot phishing emails with 12 expert red flags. Protect yourself from cybercriminals targeting your inbox in 2026.


Why Phishing Emails Still Fool Smart People

Phishing remains the most common entry point for data breaches worldwide — not because people are careless, but because attackers have become sophisticated enough to fool even cautious professionals. The Verizon 2026 Data Breach Investigations Report (DBIR) found that phishing and pretexting together account for more than 70% of social engineering incidents globally.

Learning how to spot phishing emails effectively requires understanding that attackers don't rely on technical exploits alone — they exploit psychology. Urgency, authority, and fear override rational thinking faster than most people realize. A fake email from "your bank" warning of suspicious activity triggers an emotional response that bypasses the careful scrutiny you'd normally apply.

The good news: phishing emails almost always leave detectable traces. Once you know what to look for, spotting them becomes instinctive. This guide walks through 12 concrete red flags, explains the psychology attackers exploit, and gives you a practical checklist you can use today. For deeper background on the history and mechanics of these attacks, our primer on what phishing is covers the full evolution of the threat.

Phishing By The Numbers

  • 70% of social engineering attacks (Verizon DBIR 2026)
  • $4.88M average data breach cost (IBM Cost of a Data Breach Report 2026)
  • 277 days average breach detection time (IBM Security Research)

The Psychology Behind Successful Phishing

Understanding why phishing works helps you recognize it faster. Attackers exploit specific psychological triggers that bypass logical thinking:

  • Urgency: Time pressure forces quick decisions without careful evaluation
  • Authority: Messages from apparent bosses, banks, or government agencies trigger compliance
  • Fear: Threats of account suspension or financial loss create panic responses
  • Social proof: "Other customers have reported..." implies legitimacy through consensus

These techniques work because they trigger a stress response that crowds out deliberate analysis: you act on the feeling before you have actually evaluated the message. Noticing that reaction in yourself while reading an email is your first line of defense and a key skill when learning how to spot phishing emails in any context.

The 12 Red Flags That Expose a Phishing Email

1. The Sender Address Doesn't Match the Display Name

Every email client shows a friendly display name, and that name is free text chosen by the sender; the actual sending address is often hidden behind it, especially on mobile. A phishing email might display "PayPal Support" while the real sending address is support@paypa1-billing.ru. Always expand or hover over the sender name to reveal the full address. Legitimate organizations send from their own domain, consistently. One caveat: when a domain does not enforce DMARC, the From address itself can be forged, so a correct-looking address is a first check rather than proof; the header checks later in this guide settle the question.

2. The Domain Has Subtle Misspellings or Extra Characters

Attackers register lookalike domains such as arnazon.com, micros0ft.com, or paypa1.com. These pass a quick glance but fail on close inspection. Check every character in the domain, especially letters that resemble numbers (0 vs. O, 1 vs. l), letter pairs that resemble other letters (rn vs. m), and inserted hyphens like bank-of-america-secure.com. Attackers also register internationalized domain names whose non-Latin letters render identically to Latin ones (a Cyrillic "а" in place of a Latin "a"); many clients display these in their raw form, which begins with xn--, and that prefix on a supposed brand domain is itself a red flag. Even one character off means the email is not from the brand it claims.
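As an added example (not code from the original article), here is a small Python triage script that applies red flags 1 and 2 to a From header: it extracts the real address behind the display name, compares the brand the display name claims against the domains that brand is known to send from, collapses common homoglyph swaps so paypa1-billing and arnazon compare as the brand they imitate, and flags punycode (xn--) labels. The sample headers, the brand-to-domain table and the homoglyph list are constructed for this example; in practice you would maintain the table from mail you have already verified as legitimate.

```python
import re
from email.utils import parseaddr

# Constructed sample From headers for this example; the addresses are illustrative,
# not taken from any real campaign. The last one is built from a Cyrillic 'a' (U+0430).
SAMPLE_FROM_HEADERS = [
    "PayPal Support <support@paypa1-billing.ru>",
    "Microsoft Account Team <no-reply@micros0ft.com>",
    "Amazon.com <order-update@arnazon.com>",
    "Bank of America <alerts@bank-of-america-secure.com>",
    "Amazon.com <ship-confirm@amazon.com>",
    "Apple <noreply@" + "\u0430pple.com".encode("idna").decode("ascii") + ">",
]

# Brands and the registrable domains they actually send from. Illustrative table;
# build yours from mail you have already verified as legitimate.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
    "amazon": {"amazon.com"},
    "bank of america": {"bankofamerica.com"},
    "apple": {"apple.com"},
}

# Substitutions that survive a quick glance: 'rn' for 'm', digits for letters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "|": "l"}


def normalize(label: str) -> str:
    """Collapse homoglyph swaps and separators so 'paypa1-billing' compares as 'paypalbilling'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return re.sub(r"[-_.\s]", "", s)


def registrable_domain(address: str) -> str:
    """Last two labels of the address domain. Adequate for .com/.ru; use the
    Public Suffix List (e.g. the publicsuffix2 package) for suffixes like .co.uk."""
    host = address.rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])


def assess_sender(from_header: str) -> dict:
    """Compare the brand a display name claims with the domain that actually sent the mail."""
    name, address = parseaddr(from_header)
    host = address.rsplit("@", 1)[-1].lower()
    domain = registrable_domain(address)
    flags = []

    # An 'xn--' label is an internationalized name; the client may render it with
    # non-Latin characters that look identical to the brand's real domain.
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("idn-punycode-domain")

    claimed = next((b for b in KNOWN_BRANDS if b in name.lower()), None)
    if claimed and domain not in KNOWN_BRANDS[claimed]:
        flags.append(f"display-name claims '{claimed}' but domain is {domain}")
        if normalize(claimed) in normalize(domain):
            flags.append("lookalike-domain")

    if flags:
        verdict = "suspicious"
    elif claimed:
        verdict = "ok"        # brand claimed and sent from a domain we know it uses
    else:
        verdict = "unknown"   # no brand claimed; nothing to compare against
    return {"name": name, "address": address, "domain": domain, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        result = assess_sender(header)
        print(f"{result['verdict']:10s} {header:55s} {result['flags']}")
```

Run it as a script to see each sample header scored. The point of the normalize step is that the lookalike check happens after the swaps are undone, which is how a human reviewer should read the domain too: character by character, asking what each glyph could have been substituted for.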

3. Unexpected Urgency or Threat Language

"Your account will be suspended in 24 hours." "Immediate action required." Urgency is a manipulation tactic designed to bypass rational thinking. Legitimate companies rarely threaten account termination via a single email with a tight deadline. If an email makes your pulse quicken, slow down — that physiological reaction is exactly what attackers are engineering.

4. Generic Greetings Instead of Your Name

Bulk phishing campaigns pull email addresses without associated names, leading to openers like "Dear Customer," "Dear User," or "Hello Account Holder." If a company you have an account with doesn't use your name in outbound emails, treat that as a warning sign. Note that spear phishing — targeted attacks — do use your name, so this indicator doesn't catch every campaign.

5. Requests for Credentials, Payment, or Personal Data

No bank, IRS office, or technology provider will ask you to confirm your password, Social Security number, or credit card details via email. If an email asks you to "verify" sensitive information by clicking a link, it is phishing. The IRS states that it generally initiates contact through regular postal mail, not email, a fact worth knowing during tax season when impersonation attacks spike significantly.

6. Links That Don't Go Where They Claim

Hover over any link without clicking and compare the URL shown in your client's status bar to the link text; on a phone, long-press the link to preview its destination. Attackers use URL shorteners, redirects through legitimate services, or long confusing URLs to obscure the real destination. A link labeled "Chase Online Banking" pointing to secure-chase-verify.com/login is a phishing link. Read the host correctly: it is the part between "https://" and the next "/", and anything before an "@" in that part is treated as a username and ignored, so https://chase.com@secure-chase-verify.com/login still lands on secure-chase-verify.com. When in doubt, navigate directly to the site by typing the address yourself.
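The link checks above, as an added example in Python (not code from the original article): it walks every anchor in an HTML body with the standard-library parser and flags the mismatches described here, namely a destination off the brand's domain, visible text that names one host while the href goes to another, a URL shortener, and a decoy domain placed before an "@". The HTML body is a constructed sample imitating a Chase notification, and chase.com is assumed to be the brand's legitimate domain for the comparison.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing HTML body (not a real message). It imitates a
# Chase notification; chase.com is the assumed legitimate domain for the brand.
SAMPLE_HTML = """
<p>Dear Customer, unusual activity was detected on your account.</p>
<p><a href="https://secure-chase-verify.com/login">Chase Online Banking</a></p>
<p><a href="https://chase.com@secure-chase-verify.com/login">https://chase.com/</a></p>
<p><a href="https://bit.ly/example">View your statement</a></p>
<p><a href="https://www.chase.com/privacy">Privacy policy</a></p>
"""

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    # urlparse treats everything before '@' in the authority as credentials, so the
    # real host of 'https://chase.com@evil.example/' is evil.example, not chase.com.
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels; swap in a Public Suffix List lookup for ccSLDs like .co.uk."""
    return ".".join(host.split(".")[-2:])


def check_links(html: str, brand_domain: str) -> list:
    """Flag anchors whose destination does not match what the link text or brand implies."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = host_of(href)
        reasons = []
        if "@" in urlparse(href).netloc:
            reasons.append("userinfo-in-url")          # decoy domain placed before the '@'
        if re.match(r"^(https?://|www\.)", text, re.I):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != host:
                reasons.append("text-href-mismatch")   # text names one host, href goes elsewhere
        if registrable(host) in SHORTENERS:
            reasons.append("shortener")                # destination hidden behind a redirect
        if registrable(host) != brand_domain:
            reasons.append("off-brand-destination")
        findings.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_HTML, "chase.com"):
        status = "OK " if not f["reasons"] else "BAD"
        print(f"{status} {f['text']!r:32} -> {f['host']:28} {f['reasons']}")
```

Only the privacy-policy link comes back clean, which mirrors red flag 11 below: attackers copy a real footer but point the action links elsewhere. The "@" case is worth trying by hand in a browser's address bar once, because seeing the brand name discarded is more convincing than reading about it.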

What To Do When You Suspect a Phishing Email

Step 1. Don't Interact With the Email

Don't click links, open attachments, or reply. Even asking if the email is legitimate confirms your address is active.

Step 2. Verify Through an Independent Channel

Call the organization directly using a number you already have on file, or navigate to their website yourself.

Step 3. Report the Phishing Attempt

Forward it to your IT team, to reportphishing@apwg.org, or to phishing@irs.gov for tax-related scams.

Step 4. Delete the Email

Remove it from your inbox after reporting to prevent accidental future clicks.

7. Attachments You Didn't Expect

Phishing emails frequently carry malicious attachments disguised as invoices, shipping labels, résumés, or shared documents. High-risk file types include .exe, .zip, .iso, .docm, .xlsm (macro-enabled Office files), and .lnk shortcut files. Watch for double extensions such as invoice.pdf.exe: Windows hides known extensions by default, so that file shows as invoice.pdf with an executable's icon swapped in. Even PDFs can embed malicious JavaScript. If you weren't expecting a file from that sender, verify the request through a separate channel before opening anything.

8. Poor Grammar, Spelling, or Formatting

While AI-generated phishing has improved grammatical quality significantly in 2026, many campaigns still contain awkward phrasing, inconsistent capitalization, or formatting that doesn't match the brand they're impersonating. Mismatched fonts, broken images, or HTML layouts that appear off-center are signs the email was assembled hastily. Compare the email's visual style against a known-good email from the same organization in your inbox.

9. The Email Came to an Unexpected Address

If a phishing email arrives at an address you only use for a specific purpose — say, your gaming account email receiving a "bank alert" — that mismatch alone flags it as suspicious. Attackers purchase harvested email lists that don't include context about the accounts associated with each address, creating obvious incongruities that are easy to spot once you're looking.

Phishing Detection Checklist

  • Check if sender address matches the display name
  • Examine domain spelling character by character
  • Look for urgency language or threat tactics
  • Verify email uses your actual name, not generic greeting
  • Hover over links to check destination URLs
  • Question any requests for passwords or personal data
  • Verify unexpected attachments through separate channel
  • Compare visual formatting to known legitimate emails

10. Lookalike Logos and Branding That's Slightly Off

Phishing kits copy logos, color schemes, and footers from real company websites, but subtle errors appear: slightly wrong shades, low-resolution images, outdated branding, or footer links that go nowhere. Pull up a previous legitimate email from the same sender and compare the visual style side by side. Differences that seem minor are often the result of rushed construction.

11. The "From" Domain Doesn't Match the Footer Domain

Look at the email footer: the privacy policy link, unsubscribe link, and company address. If those links point to the real organization's domain but the sender address is from an unrelated domain, treat the email as suspect. Attackers often copy legitimate footers wholesale without updating the sending infrastructure, creating this easy-to-spot mismatch. The one legitimate exception is bulk mail sent through a mailing provider on the company's behalf; even then the visible From domain should be the company's own, and the provider should be one you have seen that company use before.

12. You Have No Relationship With the Sender

An invoice from a vendor you've never purchased from. A shipping notification for an order you didn't place. A password reset for an account you don't own. Unsolicited emails that presuppose a relationship you don't have are a reliable indicator of phishing or advance-fee fraud. Delete and report them rather than engaging.

Spear Phishing and Business Email Compromise: The Harder Cases

Standard phishing sends the same bait to millions of addresses. Spear phishing is fundamentally different — attackers research specific individuals, pulling data from LinkedIn profiles, company websites, and prior data breaches to craft an email that references your name, your manager, your current project, or your clients. The message feels legitimate because it contains accurate details about your professional life that a stranger shouldn't know.

Business Email Compromise (BEC) goes further still. According to the FBI Internet Crime Complaint Center (IC3) 2025 Annual Report, BEC scams caused over $2.9 billion in losses in the U.S. alone — more than any other cybercrime category. These attacks typically impersonate executives requesting wire transfers or gift card purchases, or compromise a real employee's email account to make requests look entirely legitimate.

Any financial request arriving by email — regardless of who appears to be asking — should be verified by phone using a number you already have on file before any funds move. This is especially true for requests that arrive outside normal business hours, include urgency language, or ask you to keep the transaction confidential.

Bottom Line

Mastering how to spot phishing emails requires recognizing that verification through independent channels is your strongest defense. When in doubt, pick up the phone and call using a number you already have — never trust contact information provided in a suspicious email.

Technical Signals Advanced Users Should Check

Beyond visual inspection, email clients and webmail platforms give you access to authentication data that reveals whether an email passed the domain verification checks that legitimate senders configure. Most email clients let you access headers through a "Show Original," "View Source," or "View Raw Message" option.

Inside the headers, look for three authentication results. They are normally recorded in an Authentication-Results header added by your own mail provider, which begins with the provider's server name; a sender can add a header of the same name to its own message, so only trust the one stamped by the server that received the mail for you:

  • SPF (Sender Policy Framework): Confirms the sending server is authorized to send email for the domain in the Return-Path. A result of spf=fail or spf=softfail means the email came from a server that domain did not authorize. Forwarded mail legitimately fails SPF, so treat it as one signal rather than a verdict
  • DKIM (DomainKeys Identified Mail): A cryptographic signature that verifies the signed headers and body weren't modified in transit and were signed by the domain in the signature's d= tag. A dkim=fail result means the signature doesn't verify
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Checks whether the "From" domain aligns with the domain that passed SPF or DKIM. A dmarc=fail result means the visible From domain is not backed by either check and was likely spoofed; this is the result that matters most

Also check the Return-Path header, which shows the address that will receive bounce notifications and whose domain SPF is evaluated against. If the Return-Path domain differs from the From domain, the email is using separate sending infrastructure. That is common in phishing campaigns, but it is also routine for newsletters and notifications sent through a mailing provider, which is exactly why DMARC alignment, not the mismatch on its own, is the deciding check.
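As an added example (not code from the original article) covering both the header checks above and the attachment red flag (7), the Python script below parses a raw message with the standard library, reads the spf/dkim/dmarc results out of Authentication-Results only when that header was stamped by the receiving server you name, compares the Return-Path domain with the From domain, and scores each attachment for high-risk, macro-enabled and double extensions. The raw message is constructed for this example: the boundary, addresses and domains are made up, mx.example.net is the assumed name of your own receiving server, and the base64 body is the text "fake-content", not an executable.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed raw message for this example (headers, boundary and attachments are
# all made up; the base64 body decodes to 'fake-content', not an executable).
SAMPLE_RAW = """Return-Path: <bounce@mailer-xyz.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailer-xyz.example; dkim=fail header.d=paypal.com; dmarc=fail header.from=paypal.com
From: PayPal Support <service@paypal.com>
To: victim@example.net
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

ZmFrZS1jb250ZW50
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="report.xlsm"
Content-Disposition: attachment; filename="report.xlsm"

--b1--
"""

HIGH_RISK_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "lnk", "iso", "img",
                 "zip", "rar", "7z", "jar", "msi", "docm", "xlsm", "pptm"}
MACRO_EXT = {"docm", "xlsm", "pptm"}
DOC_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_attachment(filename: str) -> dict:
    """Score a filename for the attachment tricks described in red flag 7."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in HIGH_RISK_EXT:
        reasons.append(f"high-risk-extension:{ext}")
    if ext in MACRO_EXT:
        reasons.append("macro-enabled")
    if len(parts) > 2 and parts[-2] in DOC_LIKE:
        reasons.append("double-extension")   # shows as 'invoice.pdf' when Windows hides extensions
    return {"filename": filename, "reasons": reasons}


def parse_auth_results(header: str) -> dict:
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def domain_of(address: str) -> str:
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def analyze_raw_message(raw: str, trusted_authserv: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    auth_header = str(msg.get("Authentication-Results", ""))
    # Only trust results stamped by your own receiving MTA: a sender can add its own
    # Authentication-Results header, and the leading authserv-id tells the two apart.
    stamped_by_us = auth_header.strip().startswith(trusted_authserv)
    auth = parse_auth_results(auth_header) if stamped_by_us else {}
    from_domain = domain_of(str(msg.get("From", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    attachments = [classify_attachment(p.get_filename() or "") for p in msg.iter_attachments()]

    flags = []
    if auth.get("dmarc") == "fail":
        flags.append("dmarc-fail")             # From domain not backed by aligned SPF or DKIM
    if auth.get("dkim") == "fail":
        flags.append("dkim-fail")
    if return_path_domain != from_domain:
        flags.append("return-path-mismatch")   # also normal for bulk senders; weigh with DMARC
    flags += [f"attachment:{a['filename']}" for a in attachments if a["reasons"]]
    return {"auth": auth, "from_domain": from_domain, "return_path_domain": return_path_domain,
            "attachments": attachments, "flags": flags,
            "verdict": "suspicious" if flags else "no-technical-flags"}


if __name__ == "__main__":
    report = analyze_raw_message(SAMPLE_RAW, trusted_authserv="mx.example.net")
    for key, value in report.items():
        print(f"{key:20s} {value}")
```

In the sample the visible From is paypal.com while the Return-Path is the attacker's mailer domain, so SPF passes (the mailer really is authorized for its own domain) yet DMARC fails because neither SPF nor DKIM is aligned with paypal.com. That combination, spf=pass alongside dmarc=fail, is the signature of a spoofed From address and is why the DMARC line is the one to read first.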

Building Long-Term Phishing Resistance

Recognizing phishing red flags is a trainable skill, not an innate ability. Security awareness training programs that simulate phishing campaigns — sending realistic fake phishing emails and providing immediate feedback when someone clicks — reduce click rates on real phishing emails by 65–70% within twelve months, according to the KnowBe4 2026 Phishing by Industry Benchmarking Report.

The key is repeated, realistic exposure with immediate correction, not a one-time training module. Beyond training, several technical controls reduce your exposure:

  • Multi-factor authentication (MFA): Even if attackers steal your password through a phishing page, MFA blocks account takeover in most cases. Use an authenticator app rather than SMS where possible, since SMS codes can be intercepted through SIM-swapping attacks. Be aware that one-time codes can still be relayed by a phishing page that proxies the real login in real time; passkeys and FIDO2 security keys are bound to the genuine site's domain and resist that attack
  • Password manager: A quality password manager autofills credentials only on the exact domain they were saved for. It won't fill in your bank password on a lookalike phishing site
  • Email filtering: Enterprise platforms like Microsoft Defender for Office 365 and Google Workspace include anti-phishing heuristics that catch many campaigns before they reach your inbox
  • DNS-layer filtering: Solutions like Cisco Umbrella or Cloudflare Gateway block connections to known malicious domains at the DNS level, preventing phishing links from loading even if clicked

For organizations handling sensitive data — tax practices, healthcare offices, financial services firms — identity theft prevention measures should be a recurring program with measurable outcomes, not a one-time compliance checkbox.

Security Alert

Tax season 2026 has seen a 40% increase in IRS impersonation emails targeting tax preparers and their clients. These campaigns specifically reference WISP requirements and PTIN compliance to appear legitimate. Always verify IRS communications through the official IRS website.

What Happens If You Click a Phishing Link

Clicking a phishing link doesn't automatically mean you've been compromised — but the window for damage is short, and how you respond in the first few minutes matters. The most common outcomes after clicking include:

  • Credential harvesting: You're taken to a fake login page that captures whatever you type. If you entered credentials, change that password immediately across every site where you reuse it — and enable MFA if you haven't already
  • Drive-by malware download: Some phishing pages attempt to exploit browser vulnerabilities to install malware silently, though against an up-to-date browser this is uncommon; more often the page pushes a download (a fake update, an "invoice" archive) and relies on you to run it. Either way the payload can be a keylogger, a Remote Access Trojan (RAT), or ransomware
  • Reconnaissance pixel: The click confirms your email address is active and that you engage with incoming messages, adding you to higher-value targeting lists for future spear phishing attempts

If you clicked and entered data, follow this recovery sequence without delay: disconnect the device from the internet to stop any active malware, then change passwords from a separate clean device. Enable MFA on all affected accounts immediately. Alert your IT team if you're in a business context.

Monitor financial and credit accounts closely for at least 90 days after the incident. The financial security monitoring tools we recommend provide ongoing alerts for account activity changes that could indicate fraud in progress. If your home network connects multiple devices, consider implementing network-layer protections that reduce the blast radius of a compromised endpoint.


Frequently Asked Questions

Spear phishing emails that include your name require additional verification steps. Check for other red flags like unusual urgency, unexpected requests, or slight domain misspellings. When in doubt, verify through a separate communication channel — call the sender using a number you already have on file.

Change that password immediately on all sites where you use it. Enable multi-factor authentication on all affected accounts. Disconnect the device from the internet temporarily, then scan for malware. Monitor your accounts closely for 90 days and consider placing fraud alerts on your credit reports.

Yes, AI-generated phishing has improved grammar and formatting significantly. However, the fundamental red flags remain the same: domain verification, sender authentication, and unusual requests. Technical email authentication (SPF, DKIM, DMARC) helps identify sophisticated attempts.

Most modern email providers (Gmail, Outlook, Yahoo) include anti-phishing filters, but they're not perfect. Enable all available security features in your email settings, but don't rely solely on automated filtering. Human verification remains essential for catching sophisticated attacks.

Standard phishing sends the same email to millions of recipients hoping someone clicks. Spear phishing targets specific individuals with personalized emails that reference real details about their work, relationships, or interests. Spear phishing has higher success rates but requires more effort from attackers.

Forward phishing emails to reportphishing@apwg.org, which feeds threat intelligence to security vendors globally. For IRS impersonation, forward to phishing@irs.gov. Most email clients also have built-in "Report Phishing" buttons that alert your provider's security team.

Never click unsubscribe on emails you didn't sign up for or that seem suspicious. This confirms your email address is active and monitored, making you a higher-value target. Instead, mark the email as spam or delete it entirely.

Security awareness training should include simulated phishing campaigns at least quarterly. Organizations that run monthly simulations see 65-70% reduction in click rates within a year. Training effectiveness requires immediate feedback when someone clicks a test phishing email.
