What Is a Phishing Email?
A phishing email is a fraudulent message designed to trick you into revealing sensitive information — passwords, credit card numbers, or personal details — or into clicking a link that installs malicious software on your device. Attackers disguise these emails to look like they come from banks, tech companies, government agencies, or even your own colleagues.
Phishing remains one of the most effective attack vectors because it targets human psychology rather than technical vulnerabilities. The good news: once you know what to look for, these emails become much easier to identify.
Red Flag #1: Urgency and Fear Tactics
Phishing emails almost always try to pressure you into acting quickly before you can think critically. Watch for language like:
- "Your account will be suspended in 24 hours"
- "Unusual sign-in activity detected — verify now"
- "Your payment failed — update your information immediately"
- "You have a pending refund — claim it today"
Legitimate organizations do send account notices, but they rarely require you to act through a link in the email itself, and a real suspension or billing problem will still be visible when you log in to the account directly. The deadline is the attacker's tool for stopping you from checking.
Red Flag #2: Suspicious Sender Address
The display name might say "PayPal Support" but always check the actual email address. Common tricks include:
- Lookalike domains: support@paypa1.com (note the "1" instead of "l")
- Extra words: security@paypal-help-center.com
- The brand as a subdomain: alerts@paypal.com.account-review.net, where the real domain is account-review.net
- Completely unrelated domains: noreply@randomsite.net claiming to be from your bank
Hover over or click the sender name in your email client to reveal the real address before trusting any message. Judge the domain after the "@" sign, not the part before it: the attacker controls both the display name and the mailbox name, so an address beginning "paypal" proves nothing on its own. Check the Reply-To address as well, since replies can be routed to a different domain than the one shown as the sender.
Red Flag #3: Mismatched or Suspicious Links
Before clicking any link in an email, hover your mouse over it and look at where it actually points (shown in the status bar at the bottom of your browser or email client). Ask yourself:
- Does the real domain match the company's website? Read the host name from the right: paypal.com.verify-login.net belongs to verify-login.net, not PayPal.
- Does the visible link text show one address while the destination is another?
- Is it a plain HTTP link? The reverse is not reassurance: most phishing sites now use HTTPS, so a padlock only tells you the connection is encrypted, not who is on the other end.
- Does it use a URL shortener to hide the destination?
- Does it include a long random-looking string? On its own this proves little (legitimate password-reset links carry tokens too), but combined with the other signs it is suspicious.
When in doubt, go directly to the company's website by typing the address yourself rather than clicking any link.
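The sender and link checks from Red Flags #2 and #3 can be applied mechanically. The script below is an added example, not part of the original article and not from any vendor's product: it parses a constructed sample message, judges the From and Reply-To domains against a trusted domain, flags a digit-for-letter lookalike, and then walks every link in the HTML body for plain HTTP, URL shorteners, a brand name hidden in a subdomain, and link text that shows one site while the href goes to another. The trusted-domain list, the shortener list, the homoglyph table, the short public-suffix list and the sample email are all assumptions made for the example; a production tool would use the Public Suffix List for registrable domains and would also read the message's authentication results (SPF, DKIM, DMARC) rather than trusting the From line alone.

```python
"""Sender and link checks for a suspected phishing email (added example, stdlib only)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com"}  # assumed: the brand this message pretends to come from
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}  # hide the destination
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # digit-for-letter swaps
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}  # a real tool uses the Public Suffix List

# Constructed sample message for the demonstration; not a real phishing email.
SAMPLE_EMAIL = """\
From: "PayPal Support" <support@paypa1.com>
Reply-To: recover@paypal-help-center.com
Subject: Unusual sign-in activity detected - verify now
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account will be suspended in 24 hours unless you
<a href="http://paypal.com.secure-login-check.net/verify?id=9f8a7b6c">verify your account</a>.</p>
<p>See <a href="https://bit.ly/3xAmpLe">https://www.paypal.com/help</a> for details.</p>
</body></html>
"""

def registrable_domain(host: str) -> str:
    """The domain someone actually registered: the rightmost labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def check_sender(msg) -> list[tuple[str, str]]:
    """Red Flag #2: judge the domain after the @, not the display name."""
    findings = []
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(address.rpartition("@")[2])
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(("SENDER_DOMAIN_UNTRUSTED", f"{address} shown as {display_name!r}"))
        for trusted in TRUSTED_DOMAINS:  # paypa1.com -> paypal.com after the digit swap
            if sender_domain.translate(HOMOGLYPHS) == trusted:
                findings.append(("LOOKALIKE_DOMAIN", f"{sender_domain} imitates {trusted}"))
    reply_to = msg["Reply-To"]  # replies can be routed to a third domain
    if reply_to:
        reply_domain = registrable_domain(parseaddr(str(reply_to))[1].rpartition("@")[2])
        if reply_domain != sender_domain:
            findings.append(("REPLY_TO_MISMATCH", f"replies go to {reply_domain}"))
    return findings

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html_body: str) -> list[tuple[str, str]]:
    """Red Flag #3: where does each link really go, and does it match what is shown?"""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if not host:  # mailto:, page anchors, relative links: nothing to judge here
            continue
        domain = registrable_domain(host)
        if url.scheme == "http":
            findings.append(("PLAIN_HTTP", href))
        if domain in SHORTENER_DOMAINS:
            findings.append(("SHORTENER", href))
        if domain not in TRUSTED_DOMAINS:
            findings.append(("UNTRUSTED_LINK_DOMAIN", f"{href} belongs to {domain}"))
            if any(t in host and t != domain for t in TRUSTED_DOMAINS):  # brand as a subdomain
                findings.append(("BRAND_IN_HOSTNAME", host))
        if text.startswith(("http://", "https://")):  # text shows one site, href goes to another
            text_domain = registrable_domain(urlparse(text).hostname or "")
            if text_domain != domain:
                findings.append(("TEXT_HREF_MISMATCH", f"shows {text_domain}, goes to {domain}"))
    return findings

def analyze(raw: str) -> list[tuple[str, str]]:
    """Run both checks over a raw message and return (code, detail) findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return check_sender(msg) + (check_links(body.get_content()) if body is not None else [])
```

Running `analyze(SAMPLE_EMAIL)` returns nine findings: the lookalike sender domain, the mismatched Reply-To, one plain-HTTP link whose host buries "paypal.com" inside secure-login-check.net, and a shortened link whose visible text claims to be www.paypal.com. The same checks return nothing for an anchor such as `<a href="https://www.paypal.com/signin">Log in</a>`, which is the point: the registrable domain, not the brand name or the padlock, is what to compare.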
Red Flag #4: Generic Greetings
Legitimate companies that have your account information will usually address you by name. Be suspicious of emails that start with:
- "Dear Customer"
- "Dear User"
- "To Whom It May Concern"
- "Dear Account Holder"
Red Flag #5: Poor Grammar and Spelling
While sophisticated phishing campaigns have improved dramatically in writing quality, many still contain telltale errors: awkward phrasing, inconsistent capitalization, or words that are technically correct but don't quite fit the context. Major companies have editorial standards — they don't send mass communications filled with typos.
Red Flag #6: Unexpected Attachments
Be extremely cautious about email attachments you weren't expecting. Executables (.exe, .scr), scripts (.js, .vbs), shortcuts (.lnk), disk images (.iso) and HTML files are direct delivery vehicles; Office documents (.doc, .xls and especially the macro-enabled .docm and .xlsm) run code when you enable content; and .zip or other archives are often used to smuggle any of these past mail filters. Even PDFs can carry embedded scripts or a link to a credential-harvesting page. If a colleague appears to send you an unexpected attachment, verify with them through a separate channel (a phone call or chat message, not a reply to the email) before opening it.
What to Do If You Suspect a Phishing Email
- Don't click any links, download attachments, or reply to the message.
- Report the email using your email client's "Report Phishing" or "Mark as Spam" option. At work, forward it to your security team first: the original message and its headers are the evidence they need to find other recipients.
- If it claims to be from a company you use, contact that company directly through their official website or the phone number on your statement, never through the contact details in the email.
- Once it has been reported, delete the email from your inbox and trash folder.
- If you clicked a link and entered a password, change that password immediately (and anywhere else you reused it), turn on multi-factor authentication if it is available, and sign out of other sessions for that account. If you opened an attachment, disconnect from the network and contact IT or your security team rather than relying on a malware scan alone.
The Golden Rule
When something feels off about an email — even slightly — trust that instinct. It costs nothing to verify through a separate channel. It can cost everything to click the wrong link.