How to Spot a Phishing Email Before It's Too Late

Phishing emails are the world's most common cyberattack. In 2024 alone, over 3.4 billion phishing emails were sent every single day. They look like they come from your bank, PayPal, Amazon, DHL, or even your employer — but one click can hand over your passwords, your money, or your identity.

What Is a Phishing Email?

A phishing email is a fraudulent message designed to trick you into revealing sensitive information — passwords, credit card numbers, OTPs — or into clicking a malicious link that installs malware on your device. The name comes from "fishing" — scammers cast a wide net and wait for someone to take the bait.

1. The Sender's Email Address Doesn't Match

This is the number one tell. Look at the actual email address, not just the display name. A scammer can name their account "PayPal Support" but their email might be support@paypal-secure-verify.com — not paypal.com.

• Hover over the sender name to reveal the real address
• Check for extra words, hyphens, or misspellings: paypa1.com, amazon-security.net
• Legitimate companies use their own domain — always

2. Generic Greetings

Real companies know your name. Phishing emails often use vague greetings like "Dear Customer", "Dear User", or "Dear Account Holder" because they're sent to millions of people at once and can't personalise each one.

3. Suspicious Links and Attachments

Before clicking any link in an email, hover over it to see the real URL at the bottom of your browser. If the text says "Click here to verify your account" but the link goes to secure-verify-login.ru — do not click it.

4. Urgency and Threats

Phishing emails create panic to stop you thinking clearly. Common tactics include:

• "Your account has been compromised — verify immediately"
• "Unusual activity detected — your account will be closed in 24 hours"
• "Your payment failed — update your billing details now"
• "You have an outstanding fine — pay within 48 hours to avoid legal action"

Take a breath. Real banks and services give you time and multiple ways to verify. They don't threaten you via email.

5. Requests for Personal or Financial Information

No legitimate company will ever ask you to provide your password, full card number, CVV, or OTP via email. If an email asks for any of these — it's a phishing attempt, no exceptions.

6. Poor Design or Branding

Look carefully at logos, fonts, and formatting. Phishing emails often use slightly off branding — wrong shade of colour, stretched logos, inconsistent fonts. Compare the email to real communications you've received from that company before.

What to Do If You've Already Clicked

1. Don't enter any information on the page the link opened
2. Close the tab immediately
3. Change your passwords — especially email and banking — from a different device
4. Enable two-factor authentication on all important accounts
5. Contact your bank if you entered any payment details
6. Run a malware scan on your device
7. Report the email — forward it to your email provider's spam/phishing report address

The Easiest Way to Stay Safe

When you receive an email from a company claiming something is wrong with your account — don't click the link in the email. Instead, open a new browser tab and go directly to the company's website by typing the address yourself. Log in there and check if anything is actually wrong.

That one habit will protect you from the vast majority of phishing attacks.