January 16, 2026 · 4 min read

How to Spot and Avoid Phishing Emails

Phishing emails steal passwords and install malware. Learn what to look for and

Phishing works because emails lie convincingly. The "urgent" message from your bank. The "security alert" from Google. The "invoice" from a vendor you've never heard of. They look real enough that smart people click them.

According to Verizon's 2023 Data Breach Investigations Report, 36% of data breaches involved phishing. It's the most common way attackers get in. Not through sophisticated hacking—through convincing you to hand over your password or download malware.

Here's how to spot them before clicking.

Red Flags to Watch For

1. Urgent Language and Pressure

"Your account will be closed in 24 hours." "Immediate action required." "Verify now or lose access." Phishing emails manufacture urgency to bypass your critical thinking. Legitimate companies rarely threaten to close your account by email, and when one really does have a problem with your account, you will see it when you log in the normal way rather than through the link.

If an email pressures you to act immediately, pause. That pressure is the red flag.

2. Suspicious Sender Addresses

The display name says "Apple Support" but the email address is *no-reply@apple-security-team.info*, not *@apple.com*. The part that matters is the domain after the @ symbol, and specifically its last two labels: *mail.apple.com* belongs to Apple, but *apple.com.secure-login.info* belongs to whoever registered *secure-login.info*. Attackers register look-alike domains: amaz0n.com, paypa1.com, micros0ft.com. The display name is free text chosen by the sender and proves nothing.

Always check the actual email address, not just the display name; on a phone, tap the sender's name to expand it. One caveat: the From address itself can be forged when the receiving mail system does not validate it, so a correct-looking address is reassuring, not proof.

3. Generic Greetings

"Dear Customer" or "Dear User" instead of your actual name. Legitimate companies you have accounts with know your name. Mass phishing campaigns don't.

Exception: Newsletters and marketing emails often use generic greetings. Context matters.

4. Suspicious Links

Hover over links before clicking (don't click, just hover); on a phone, press and hold the link instead. Your email client or browser shows the real URL in the bottom corner or in a pop-up. The link text says "paypal.com" but hovering reveals "paypaI.com" (capital i instead of lowercase L). Read the domain, which sits between the "https://" and the first "/": "https://paypal.com.verify-account.net/login" goes to verify-account.net, not to PayPal. Even a correct-looking domain can bounce you through a redirect or a link shortener, so treat the hover check as a quick filter, not a guarantee.

Better: don't click email links for sensitive accounts. Go directly to the site by typing the URL yourself or using a bookmark.
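Both checks above (the real domain behind a display name, and the domain a link actually points to) can be mechanized. The following Python script is an added example, not code from the original article: it separates the display name from the address with the standard library's email.utils, pulls every link out of an HTML body, and classifies each domain as genuine, a look-alike, a brand used as a subdomain, or a brand name buried in an unrelated domain. KNOWN_BRANDS, the From: header and the HTML snippet are constructed sample inputs, and the homoglyph table is a small illustrative subset.

```python
"""Sender and link triage for a suspected phishing email (added example)."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the reader actually has accounts with.
KNOWN_BRANDS = {"apple.com", "paypal.com", "amazon.com", "microsoft.com"}
# Single-character look-alikes, applied after lowercasing (illustrative subset).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s"})
# Visible link text that names a host, e.g. "paypal.com" or "https://paypal.com/x".
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels: 'login.apple.com' -> 'apple.com'. A real tool would use
    the Public Suffix List so that 'bank.co.uk' is handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold look-alikes so 'paypa1.com' and 'paypaI.com' equal 'paypal.com'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def classify_host(host: str) -> str:
    """'genuine', 'brand-in-subdomain', 'lookalike', 'brand-in-name' or 'unrelated'."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS:
        return "genuine"
    labels = host.split(".")
    for brand in KNOWN_BRANDS:
        bl = brand.split(".")
        # 'apple.com.secure-login.info': brand labels appear before the real domain.
        if any(labels[i:i + len(bl)] == bl for i in range(len(labels) - len(bl))):
            return "brand-in-subdomain"
    if normalize(reg) in {normalize(b) for b in KNOWN_BRANDS}:
        return "lookalike"
    # 'apple-security-team.info': brand name embedded in an unrelated domain (heuristic).
    if any(b.split(".")[0] in reg.split(".")[0] for b in KNOWN_BRANDS):
        return "brand-in-name"
    return "unrelated"


def check_sender(from_header: str) -> dict:
    """Split the free-text display name from the real address; classify its domain."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2] if "@" in addr else ""
    verdict = classify_host(domain) if domain else "malformed"
    return {"display": display, "address": addr, "domain": domain, "verdict": verdict}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """Classify each link target; flag text that names a different domain than the href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        m = HOST_RE.match(text)
        shown = m.group(1).lower() if m else None
        findings.append({
            "href": href, "text": text, "target": target,
            "verdict": classify_host(target),
            "text_mismatch": bool(shown) and registrable_domain(shown) != registrable_domain(target),
        })
    return findings


# Constructed sample inputs, not a real message.
SAMPLE_FROM = '"Apple Support" <no-reply@apple-security-team.info>'
SAMPLE_HTML = """
<p>Your account has been limited. Verify within 24 hours.</p>
<a href="https://paypaI.com/login">paypal.com</a>
<a href="https://apple.com.secure-login.info/verify">Verify now</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""

if __name__ == "__main__":
    print(check_sender(SAMPLE_FROM))
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```

Running it reports the sender as brand-in-name, the first link as a look-alike whose visible text contradicts its target, the second as a brand used as a subdomain, and the third as genuine. The homoglyph folding is deliberately applied to both sides of the comparison, so a genuine domain containing an "i" still matches itself.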

5. Unexpected Attachments

"Invoice.pdf.exe" or "Document.zip" from someone you weren't expecting. Attachments are the usual way malware arrives, and Windows hides known file extensions by default, so Invoice.pdf.exe shows up as Invoice.pdf. Password-protected zips are popular with attackers because antivirus cannot look inside them. If you weren't expecting a file, don't open it, even if it looks like it's from someone you know. Their account might be compromised.
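Attachment checks can be scripted as well. The Python below is an added example, not code from the original article: it builds a sample "invoice" message in memory (zip included, so nothing is read from disk), walks each attachment with the standard library's email module, and flags executable extensions, double extensions, a declared content type that contradicts the filename, and encrypted zip entries. The extension lists are illustrative rather than exhaustive.

```python
"""Attachment triage for a suspected phishing email (added example)."""
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows or Office will run directly, or that can carry macros/scripts.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
              "wsf", "hta", "msi", "lnk", "ps1", "docm", "xlsm", "pptm", "iso", "img"}
# Harmless-looking extensions used to disguise the real one ('Invoice.pdf.exe').
DOCUMENT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def name_findings(filename: str) -> list:
    """Reasons a filename alone is suspicious (empty list if none)."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE:
        reasons.append(f"executable or macro-bearing extension .{parts[-1]}")
    # Windows hides the final extension by default, so the user sees 'Invoice.pdf'.
    if len(parts) >= 3 and parts[-2] in DOCUMENT:
        reasons.append("double extension disguises the real type")
    if "\u202e" in filename:  # right-to-left override reverses how the name renders
        reasons.append("right-to-left override character in filename")
    return reasons


def triage_attachments(msg: EmailMessage) -> dict:
    """Map each attachment (and each file inside a zip) to its list of reasons."""
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reasons = name_findings(name)
        declared = part.get_content_type()
        if declared == "application/pdf" and ext != "pdf":
            reasons.append(f"declared {declared} but extension is .{ext}")
        data = part.get_payload(decode=True) or b""
        if ext == "zip":
            if zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        inner = name_findings(info.filename)
                        if info.flag_bits & 0x1:  # bit 0 set: entry is encrypted
                            inner.append("encrypted zip entry (hides content from scanners)")
                        if inner:
                            report[f"{name}:{info.filename}"] = inner
            else:
                reasons.append("archive extension but not a readable zip")
        report[name] = reasons
    return report


def build_sample_message() -> EmailMessage:
    """Constructed 'vendor invoice' with three attachments, one of them zipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.exe", b"MZ not a real program")
    msg = EmailMessage()
    msg["From"] = "billing@vendor-invoices.example"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4 harmless sample", maintype="application",
                       subtype="pdf", filename="Quote.pdf")
    msg.add_attachment(b"MZ", maintype="application", subtype="pdf",
                       filename="Statement.pdf.exe")
    return msg


if __name__ == "__main__":
    for name, reasons in triage_attachments(build_sample_message()).items():
        print(f"{name}: {reasons or 'nothing suspicious'}")
```

The zip itself looks clean by name; the finding comes from opening it and checking what is inside, which is why the report keys nested files as archive:member. A real mail gateway would go further (file-type sniffing on the bytes, nested archives, other archive formats), but the shape of the check is the same.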

The Scale of Phishing

In 2023, 36% of data breaches involved phishing. The median time from phishing email delivery to first click was less than 60 seconds. — Verizon Data Breach Investigations Report

How to Verify Suspicious Emails

When you're unsure if an email is legitimate:

  1. Don't click any links in the email
  2. Open a new browser window
  3. Type the company's URL directly (e.g., paypal.com, bankofamerica.com)
  4. Log in normally and check your account status

If the email claimed you have a problem, you'll see it when you log in directly. If your account looks normal, treat the email as fake. Either way, you never touched the link.

For work emails: call the person who supposedly sent it using a number you already have. "Hey, did you just send me an invoice?" Takes 30 seconds, prevents ransomware.

Types of Phishing Attacks

Credential Theft

Email links to a fake login page that looks identical to the real one. You enter your username and password. The attackers capture it, then either redirect you to the real site (so you don't notice) or show a generic error.

Defense: use a password manager and let it do the typing. It autofills a password only on the domain you saved it for. Type paypal.com yourself and it fills in your credentials; land on paypaI.com from a phishing link and it stays silent, which is your signal that the page is fake. The protection only holds if you never copy a password out of the manager and paste it into a page by hand. Where a site supports it, a phishing-resistant second factor (a hardware security key or passkey) closes the gap entirely, because it too is bound to the real domain.
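The check a manager performs before filling is small but easy to get wrong. The Python below is an added example (not the article's code and not any particular password manager's rules); VAULT is a constructed sample. It shows the strict origin match: the page host must be the saved domain or a subdomain of it on a label boundary, over HTTPS, after the browser-style normalization that turns a Cyrillic look-alike into punycode.

```python
"""Why a password manager will not fill on a look-alike domain (added example)."""
from urllib.parse import urlparse

# Constructed vault: one saved login per registrable domain.
VAULT = [
    {"domain": "paypal.com", "username": "alice"},
    {"domain": "bankofamerica.com", "username": "alice.h"},
]


def ascii_host(host: str) -> str:
    """Normalize as a browser does: lowercase, and IDN labels to punycode ('xn--'),
    so a Cyrillic 'а' in 'pаypal.com' can no longer pass as a Latin 'a'."""
    return host.strip().rstrip(".").lower().encode("idna").decode("ascii")


def should_autofill(page_url: str, saved_domain: str, require_https: bool = True) -> bool:
    """Fill only when the page host is the saved domain or a subdomain of it.
    Matching on a label boundary ('.paypal.com') rejects both 'notpaypal.com'
    and 'paypal.com.evil.example'; plain-http pages are refused by default."""
    parsed = urlparse(page_url)
    if require_https and parsed.scheme != "https":
        return False
    host = ascii_host(parsed.hostname or "")
    saved = ascii_host(saved_domain)
    return host == saved or host.endswith("." + saved)


def credentials_for(page_url: str, vault: list = VAULT):
    """Return the matching vault entry, or None when nothing should be filled."""
    for entry in vault:
        if should_autofill(page_url, entry["domain"]):
            return entry
    return None


if __name__ == "__main__":
    for url in ["https://www.paypal.com/signin",       # genuine subdomain
                "https://paypaI.com/signin",           # capital I for lowercase l
                "https://p\u0430ypal.com/signin",      # Cyrillic a
                "https://paypal.com.verify.example/",  # brand as a subdomain
                "https://notpaypal.com/",              # shares a suffix only
                "http://www.paypal.com/signin"]:       # no TLS
        print(url, "->", credentials_for(url))
```

Only the first URL gets credentials. The endswith check is written with the leading dot on purpose: a plain suffix test would accept notpaypal.com, which is exactly the class of domain attackers register.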

Malware Delivery

"You have a package waiting." "Invoice attached." "Document requires your signature." Attachment contains ransomware, spyware, or a trojan. Opening it infects your computer.

Defense: don't open unexpected attachments. If you need the file, contact the sender through a different channel to verify they sent it.

Business Email Compromise

Attacker impersonates your CEO or vendor. "I need you to wire $50,000 to this new account ASAP." Targets finance departments and anyone with payment authority.

Defense: verify every payment request, and especially any change of bank details, through a second channel: call the person on a number you already have, not one given in the email, or check with your manager. Never send money or change payee details based solely on an email.

What to Do If You Click

Clicked a phishing link? Here's damage control:

  1. Change your password immediately, on the real site (typed in or via a bookmark, never through a link in the email), and on every other site where you reused that password
  2. Enable 2FA if you haven't already, and sign out of all other sessions where the site offers it, since the attacker may already be logged in
  3. Check for unauthorized transactions, changed recovery email addresses or phone numbers, and new mail-forwarding rules
  4. Scan your computer for malware
  5. Report the phishing email to your IT department if it's work-related, so they can block the sender and warn anyone else who received it

If you downloaded and opened an attachment, disconnect from the internet immediately and run a full antivirus scan. On a work machine, stop there and hand it to IT or security rather than wiping it yourself; they may need it intact to work out what ran. On a personal machine that holds sensitive data, wiping and reinstalling is the only way to be sure.

Build the Habit

Train yourself to pause before clicking. Ask:

  • Was I expecting this email?
  • Is the sender address legitimate?
  • Does it create false urgency?
  • Can I verify this through another channel?

Five seconds of skepticism beats hours of cleanup after clicking the wrong link.

*Stay sharp.*
