What Is a Phishing Email?
A phishing email is a fraudulent message designed to trick you into revealing sensitive information — like passwords, credit card numbers, or personal details — or into clicking a link that installs malware on your device.
These emails are crafted to look like they're coming from trusted sources: your bank, Amazon, your email provider, even your employer. Modern phishing attempts can be highly convincing, so knowing the warning signs is essential.
Red Flag #1: Urgency and Fear Tactics
Phishing emails almost always try to create a sense of panic. Watch for phrases like:
- "Your account will be suspended in 24 hours"
- "Unusual activity detected — verify immediately"
- "Your payment failed — update your details now"
- "You've won a prize — claim before midnight"
Real alerts do exist, but a legitimate company loses nothing if you take five minutes to check through its official app or website rather than the link in the message. The urgency is there to stop you doing exactly that. When you feel rushed, slow down instead.
Red Flag #2: Mismatched or Suspicious Sender Address
Always check the actual email address, not just the display name. A phishing email might show the display name "PayPal Support" while the actual address is something like support@paypa1-secure.net. Most mail clients show only the display name by default; click or tap on it (or open the message headers) to reveal the real address.
Look out for:
- Misspelled company names (paypa1.com, amazon-support.net)
- Extra words or hyphens in the domain (secure-amazon.com)
- Random strings of characters before the @
- Free email providers (Gmail, Yahoo) used for what should be corporate emails
One caveat: a correct-looking address is not proof of legitimacy. The From: line can be forged, and whether your provider rejects forged mail depends on the sender's domain publishing SPF, DKIM and DMARC records and your provider enforcing them. Treat a wrong address as a definite red flag and a right one as merely the absence of that flag.
Red Flag #3: Generic Greetings
Your bank knows your name. If a message starts with "Dear Customer," "Dear User," or "Hello Account Holder," that's a sign it wasn't sent by a real service you use. The reverse does not hold: targeted phishing routinely greets you by name, using details taken from data breaches or social media, so a personal greeting on its own proves nothing.
Red Flag #4: Suspicious Links
Before clicking any link in an email, hover over it to see the actual URL it points to (on a phone, press and hold the link to preview the destination). The displayed text might say "Click here to verify your account," or even show a legitimate-looking address, while the actual link goes somewhere completely different. Shortened links hide the destination entirely; treat them as unknown.
Warning signs in URLs:
- The domain doesn't match the company. Read the hostname from right to left: the last two labels before the first slash (three for endings like .co.uk) are what somebody actually registered. "amazon" appearing earlier, as in amazon.verify.malicious.com, means nothing; the real domain here is malicious.com
- URLs that use a bare IP address instead of a domain name (e.g., http://203.0.113.5/login); real services link to their own domain
- Unfamiliar top-level domains (.xyz, .top, .click). This is a weak signal on its own, since legitimate sites use them too, but combined with any of the above it counts
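The following Python script applies the sender checks from Red Flag #2 and the link checks from Red Flag #4 to concrete strings, including the article's own examples. It is an added example for this page, not code from the article's author. The brand-to-domain table, the short stand-in for the Public Suffix List, the free-mail list and the digit-for-letter substitutions are all assumptions chosen for illustration; a real checker would use the full Public Suffix List and a much larger brand database.

```python
"""Apply the sender (Red Flag #2) and link (Red Flag #4) checks to real strings.

Added example for this article, not code from the page's author. The tables
below are deliberately small stand-ins: a real checker would use the full
Public Suffix List and a large brand database.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the domains the real brands send from and link to.
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}
# Assumption: a tiny stand-in for the Public Suffix List, so that
# amazon.co.uk is treated as one registrable domain rather than "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Top-level domains the article lists as a (weak) warning sign.
UNUSUAL_TLDS = {"xyz", "top", "click"}
# Free providers a real company would not use for account notices.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Digit-for-letter swaps used in lookalike names (paypa1 -> paypal).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody actually registered.

    amazon.verify.malicious.com -> malicious.com
    www.amazon.co.uk            -> amazon.co.uk
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_flags(host: str, brand: str) -> list[str]:
    """Red flags for a hostname that claims to belong to `brand`."""
    brand = brand.lower()
    domain = registrable_domain(host)
    if domain in KNOWN_BRAND_DOMAINS.get(brand, set()):
        return []
    flags = [f"registrable domain is {domain}, not a known {brand} domain"]
    owner_label = domain.split(".")[0]          # e.g. "paypa1-secure"
    if brand in host.lower() and brand not in owner_label:
        flags.append(f"'{brand}' appears only in a subdomain")
    elif brand in owner_label.translate(CONFUSABLES).replace("-", ""):
        flags.append(f"'{owner_label}' imitates '{brand}' with swapped letters or extra words")
    return flags


def url_red_flags(url: str, brand: Optional[str] = None) -> list[str]:
    """Red flags for the real target of a link (the href, not the link text)."""
    host = urlsplit(url).hostname or ""
    if not host:
        return ["link has no hostname (missing scheme or malformed URL)"]
    try:
        ipaddress.ip_address(host)              # bare IPv4/IPv6 literal?
        return ["link points at an IP address instead of a domain name"]
    except ValueError:
        pass                                    # a normal hostname
    flags = []
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("internationalised (punycode) hostname; check for lookalike characters")
    tld = host.rsplit(".", 1)[-1].lower()
    if tld in UNUSUAL_TLDS:
        flags.append(f"unfamiliar top-level domain .{tld}")
    if brand:
        flags += brand_flags(host, brand)
    return flags


def sender_red_flags(display_name: str, address: str) -> list[str]:
    """Red flags for a From: header such as ('PayPal Support', 'support@paypa1-secure.net')."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        return ["malformed sender address"]
    flags = []
    if domain.lower() in FREE_MAIL_DOMAINS:
        flags.append(f"account notice sent from free provider {domain}")
    # If the display name drops a known brand name, hold the address to that brand.
    claimed = next((b for b in KNOWN_BRAND_DOMAINS if b in display_name.lower()), None)
    if claimed:
        flags += brand_flags(domain, claimed)
    return flags


if __name__ == "__main__":
    # Constructed samples, including the article's own examples.
    for name, addr in [("PayPal Support", "support@paypa1-secure.net"),
                       ("Amazon.com", "ship-confirm@amazon.com")]:
        print(f"{name} <{addr}>: {sender_red_flags(name, addr) or 'no flags'}")
    for link, brand in [("http://amazon.verify.malicious.com/login", "amazon"),
                        ("http://secure-amazon.com/verify", "amazon"),
                        ("https://www.amazon.co.uk/your-orders", "amazon"),
                        ("http://203.0.113.5/login", None)]:
        print(f"{link}: {url_red_flags(link, brand) or 'no flags'}")
```

The important design point is in `registrable_domain`: the checks compare the registered domain, not the whole hostname, which is why amazon.verify.malicious.com is flagged while www.amazon.co.uk passes. Everything a sender controls to the left of that registered domain is decoration.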
Red Flag #5: Unexpected Attachments
Be extremely cautious with any unexpected email attachment, especially files ending in .exe, .zip, .docm, .xlsm, or even PDFs and HTML files from unknown senders. Some run malware as soon as they are opened; others need your help, which is why a document that asks you to "Enable Editing" or "Enable Content" is itself the attack (current versions of Office block macros in files from the internet by default, so a file that pushes you to override that is suspect). PDF and HTML attachments often contain nothing but a link to a fake login page.
If you weren't expecting a file, don't open it — even if it appears to come from someone you know (their account may have been compromised).
Red Flag #6: Poor Grammar and Spelling
Many phishing messages still contain unusual phrasing, awkward grammar, or obvious typos, and a polished, professional company doesn't send emails full of errors. Treat this as a one-way signal, though: sophisticated attackers write flawlessly, so clean copy rules nothing out.
What to Do If You're Not Sure
- Don't click any links or download attachments.
- Go directly to the company's official website by typing the URL yourself or using a bookmark you saved earlier. Never use the link, phone number, or address from the email.
- Log in from there to check if there's actually a problem with your account.
- Contact the company's official support to verify the email if needed, using the contact details on their website or on the back of your card.
- Report the phishing email using your email client's "Report phishing" or "Report spam" feature.
What to Do If You Already Clicked
If you suspect you've fallen for a phishing attempt: change the password immediately, from a device you trust, and do the same on any other account where you reused that password (start with your email account, since it can reset all the others). Enable 2FA on the affected account. If you typed a 2FA code into the fake page, the attacker may already hold a logged-in session, so use the account's "sign out everywhere" or "manage sessions" option as well. If you opened an attachment, run a malware scan on your device. Notify your bank if any financial information may have been exposed, and tell your IT or security team if a work account was involved. Acting quickly significantly limits the damage.