How to Spot Phishing Emails & Scams: A Complete Guide
Phishing is among the most common forms of cybercrime and one of the leading ways attackers gain their first foothold in a breach. Attackers disguise themselves as trusted entities — banks, tech companies, government agencies, or even colleagues — to trick you into revealing passwords, credit card numbers, or personal information. This guide teaches you to recognize phishing attempts and protect yourself effectively.
What Is Phishing?
Phishing is a social engineering attack where criminals send fraudulent messages designed to look like legitimate communications. The goal is to make you click a malicious link, download malware, or enter sensitive information on a fake website. The term "phishing" comes from "fishing" — attackers cast a wide net hoping someone will take the bait.
Phishing attacks have grown increasingly sophisticated. Modern phishing emails can be nearly indistinguishable from genuine communications, using stolen branding, real employee names, and even personalized details harvested from social media or previous breaches.
Types of Phishing Attacks
Email Phishing
The most common type. Attackers send mass emails impersonating well-known companies like banks, Amazon, Microsoft, or shipping services. These emails typically create urgency: "Your account will be suspended," "Unusual login detected," or "Your package couldn't be delivered."
Spear Phishing
Targeted attacks aimed at specific individuals or organizations. Attackers research their victims using LinkedIn, social media, and company websites to craft highly personalized messages. A spear phishing email might reference your actual job title, recent projects, or colleagues by name.
Smishing (SMS Phishing)
Phishing via text messages. Common examples include fake delivery notifications, bank alerts, or tax refund messages containing malicious links. Smishing is growing rapidly because text messages pass through far weaker filtering than email, and a phone screen makes it hard to see where a link really leads before you tap it.
Vishing (Voice Phishing)
Phone-based phishing where callers impersonate tech support, government agencies (IRS, Social Security), or bank fraud departments. They create panic to pressure you into sharing information or making payments. With AI voice cloning, attackers can even mimic the voices of people you know.
Clone Phishing
Attackers copy a legitimate email you've previously received, replace the links or attachments with malicious versions, and resend it. Since the email looks identical to one you've already trusted, it's extremely effective.
Red Flags: How to Identify Phishing
Check the Sender's Email Address
The display name ("Amazon Customer Service") is free text and proves nothing, so hover over or tap the sender's name to reveal the actual email address. Even that address can be forged unless the sending domain enforces email authentication (SPF, DKIM and DMARC), so a correct-looking address is necessary but not sufficient. Phishing emails often come from addresses that look similar to real ones but contain subtle differences:
- support@amaz0n.com — zero instead of "o"
- security@paypal-support.net — wrong domain entirely
- noreply@apple.com.suspicious-domain.com — the real domain is suspicious-domain.com (the last two labels); everything to the left of it is just a subdomain the attacker controls
- billing@microsft.com — missing letter
Urgency and Fear Tactics
Phishing messages almost always create artificial urgency. Legitimate companies rarely threaten immediate account closure or demand instant action. Watch for phrases like:
- "Your account will be permanently deleted in 24 hours"
- "Immediate action required to avoid legal consequences"
- "Suspicious activity detected — verify your identity NOW"
- "You have an unpaid invoice — click here to avoid penalties"
Suspicious Links
Before clicking any link, hover over it (on desktop) or long-press it (on mobile) to see the actual URL. Check for:
- Misspelled domains — "g00gle.com" or "faceb00k.com"
- Extra subdomains — "login.paypal.com.evil-site.com" (the real domain is evil-site.com)
- HTTP instead of HTTPS — legitimate login pages always use HTTPS. The reverse does not hold: most phishing sites now use HTTPS too, so the padlock only tells you the connection is encrypted, not who is on the other end
- Shortened URLs — bit.ly or tinyurl links hide the true destination
Use our URL Safety Checker to verify suspicious links before clicking them.
Grammar and Spelling Errors
While AI has made phishing emails more polished, many still contain grammar mistakes, awkward phrasing, or inconsistent formatting. Legitimate companies have professional copywriters and proofreaders, so a message riddled with errors is a strong warning sign; a flawless message, however, is no guarantee of legitimacy.
Unexpected Attachments
Be extremely cautious with email attachments you weren't expecting, especially:
- .exe, .scr, .bat, .js and .vbs files — executables and scripts that can install malware. Watch for double extensions such as "Invoice.pdf.exe": Windows hides known extensions by default, so the file appears as "Invoice.pdf"
- .zip, .rar and .iso archives — may contain hidden malware, and password-protected archives are a common way to slip past mail scanners
- Office documents with macros — "Enable macros" or "Enable content" prompts are a major red flag
- PDF files from unknown senders — can contain embedded JavaScript, links to credential-harvesting pages, or embedded files
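The three checks described above (the real address behind the sender, the real destination behind each link, and the attachment type) can be automated on a raw message. The script below is an added example written for this guide; it is not SwiftNetScan's URL Safety Checker or any other tool named on this page. It uses only the Python standard library: it reads the SPF/DKIM/DMARC verdicts that the receiving mail server records in the Authentication-Results header, compares the Reply-To domain with the From domain, pulls each link's href out of the HTML body and checks it against the visible link text, and looks for risky or double extensions on attachments. The brand allow-list, the extension list, the homoglyph table and the sample message it builds are constructed assumptions for the demonstration, not data from the page.

```python
"""Triage one raw email for the red flags described above: a spoofed or look-alike
sender, deceptive links and risky attachments.  Added example for this guide, not
SwiftNetScan's tooling; the sample message, brand list and extension list are
constructed assumptions, not data from the page."""
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("paypal.com", "apple.com", "microsoft.com", "amazon.com")  # assumed allow-list
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".js", ".vbs", ".lnk", ".iso", ".zip", ".rar"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # digit look-alikes
# Demo-grade anchor extraction; use a real HTML parser on production mail.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Last two labels: 'login.paypal.com.evil-site.com' -> 'evil-site.com'.
    Simplification: ignores the Public Suffix List ('example.co.uk' needs extra handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def imitated_brand(host):
    """Trusted domain this hostname imitates, or None: a trusted domain buried in the
    subdomains, digit homoglyphs (amaz0n), brand-plus-suffix (paypal-support) or a
    near-miss spelling (microsft)."""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if (f".{trusted}." in f".{host.lower()}." or brand in label
                or SequenceMatcher(None, label, brand).ratio() >= 0.8):
            return trusted
    return None


def triage(raw):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Sender: real address behind the display name, Reply-To mismatch, SPF/DKIM/DMARC verdicts.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(addr.rpartition("@")[2])
    if (brand := imitated_brand(from_domain)):
        findings.append(f"From domain {from_domain} imitates {brand}")
    elif from_domain not in TRUSTED_DOMAINS and any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        findings.append(f"display name '{display}' names a brand but From domain is {from_domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable_domain(reply_to.rpartition("@")[2]) != from_domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {from_domain}")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", msg.get("Authentication-Results", ""))
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)} in Authentication-Results")
    # Links: plain HTTP, look-alike hosts, anchor text naming a different domain than the href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in LINK_RE.findall(body.get_content()):
            parsed = urlparse(href)
            host = parsed.hostname or ""
            if parsed.scheme == "http":
                findings.append(f"link {href} uses plain HTTP")
            if (brand := imitated_brand(host)):
                findings.append(f"link host {host} imitates {brand}")
            shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text.lower())
            if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
                findings.append(f"link text names {shown.group(0)} but goes to {host}")
    # Attachments: risky executable/archive types and double extensions such as .pdf.exe.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = re.findall(r"\.[a-z0-9]{1,5}", name)
        if exts and exts[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} is a {exts[-1]} file")
        if len(exts) > 1:
            findings.append(f"attachment {name} hides a double extension")
    return findings


def sample_message():
    """Constructed phishing sample (not a real message) that trips every check above."""
    msg = EmailMessage()
    msg["From"] = '"PayPal Security Team" <service@paypal.com>'  # forged; see the DMARC verdict below
    msg["Reply-To"] = "verify-account@paypal-support.net"
    msg["Subject"] = "Unusual login detected - verify your identity NOW"
    msg["Authentication-Results"] = ("mx.example.org; spf=fail smtp.mailfrom=paypal-support.net; "
                                     "dkim=none; dmarc=fail header.from=paypal.com")
    msg.set_content("Unusual activity detected. Verify within 24 hours or your account is suspended.")
    msg.add_alternative('<p>Unusual activity detected. Verify at\n'
                        '<a href="http://login.paypal.com.evil-site.com/verify">https://www.paypal.com/verify</a>\n'
                        'within 24 hours or your account will be suspended.</p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Statement.pdf.exe")
    return msg.as_string()
```

`triage(sample_message())` returns nine findings. The instructive one is the sender: the From address is a perfect `service@paypal.com`, and only the `dmarc=fail` verdict the receiving server recorded gives it away, which is why the address alone is not enough. The other findings are the Reply-To pointing at paypal-support.net, the plain-HTTP link whose host buries paypal.com inside evil-site.com while its visible text claims www.paypal.com, and the "Statement.pdf.exe" double extension. `imitated_brand` also covers the look-alike addresses listed earlier (amaz0n.com, paypal-support.net, microsft.com). Two simplifications to be aware of before reusing it: `registrable_domain` takes the last two labels rather than consulting the Public Suffix List, and the link regex is for the demo only.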
Requests for Sensitive Information
No legitimate company will ever ask you to send passwords, Social Security numbers, credit card details, or PINs via email. If a message asks for this information, it's phishing — period.
Real-World Phishing Examples
The Fake Bank Alert
You receive an email from "Your Bank Security Team" warning that suspicious transactions were detected on your account. The email includes a link to "verify your identity." The link leads to a perfect replica of your bank's login page — but it's hosted on a completely different domain. When you enter your credentials, the attackers capture them instantly.
The CEO Fraud
An employee receives an urgent email appearing to come from their CEO: "I need you to wire $50,000 to this account immediately for a confidential acquisition. Don't discuss this with anyone." The email address looks legitimate at first glance but has a subtle domain variation. This "business email compromise" costs organizations billions annually.
The Package Delivery Scam
A text message claims: "Your FedEx package couldn't be delivered. Schedule redelivery: [suspicious link]." The link leads to a page requesting your credit card number for a small "redelivery fee." In reality, no package exists — the attackers want your payment details.
How to Protect Yourself
- Verify independently — if you receive a suspicious message from your bank, don't click the link. Instead, open your browser, type the bank's URL directly, and check your account
- Enable two-factor authentication — even if attackers steal your password, 2FA makes it much harder to use. Prefer a security key or passkey where available: SMS and authenticator-app codes can be relayed through a real-time phishing page, whereas phishing-resistant methods are bound to the genuine site (see our Password Security Guide)
- Keep software updated — security patches fix the vulnerabilities that malicious attachments and links rely on
- Use email filtering — enable spam filters and report phishing emails to your email provider
- Educate yourself continuously — phishing techniques evolve constantly; stay informed about new tactics
- Use a password manager — it matches saved logins to the exact website address, so it won't offer your bank password on a look-alike domain. If autofill stays silent on a login page, treat that as a warning
- Check URLs before entering information — use our URL Checker tool for any link you're unsure about
What to Do If You've Been Phished
- Change your password immediately for the affected account and any accounts using the same password
- Enable 2FA on all important accounts
- Contact your bank if financial information was shared — they can freeze your cards and monitor for fraud
- Run a full antivirus scan if you downloaded any files or clicked suspicious links
- Report the phishing attempt to your email provider and to reportphishing@apwg.org
- Monitor your accounts closely for the next several months for any unauthorized activity
Stay Vigilant Online
Phishing attacks prey on trust and urgency. By slowing down, verifying senders, and never clicking links impulsively, you can avoid the vast majority of attacks. Combine these habits with strong passwords, 2FA, and our URL Safety Checker for comprehensive protection against online threats.
SwiftNetScan