How to Spot a Phishing Email
Ten red flags that give away a phishing email in seconds — even the polished, AI-written ones that slip past spam filters.
Key Takeaways
- Always check the sender domain — not just the display name.
- Hover over every link to see the real destination before clicking.
- Urgency, threats and 'verify now' language are deliberate pressure tactics.
- Unexpected attachments — especially .zip, .html and macro-enabled docs — are high risk.
- Spelling is no longer a reliable signal; AI-written phishing reads cleanly.
1. Inspect the sender's full email address
Display names are trivially spoofed. Tap or click the sender to reveal the real address and confirm the domain matches the brand exactly. 'paypa1.com', 'paypal-secure.com' and 'paypal.support-team.com' are all phishing.
2. Hover before you click any link
On desktop, hover over the link and read the real URL in the status bar. On mobile, long-press to preview it. A genuine corporate login link never lives on a throwaway domain (TLDs like .top or .xyz) or behind a URL shortener (bit.ly, t.co); if a link asking you to sign in does, treat it as phishing.
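To make the hover check mechanical, here is an added example (not part of the original page and not Scam AI's code) that pulls every link out of an HTML mail body and flags the three things this section describes: a visible link text that names one site while the href goes to another, URL shorteners, and throwaway TLDs. The shortener and TLD sets are only the ones named above, not a complete list, and the two-label "registrable domain" comparison is a simplification that works for .com-style domains but not for suffixes like .co.uk; the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for this example: only the shorteners and cheap TLDs the page names.
URL_SHORTENERS = {"bit.ly", "t.co"}
SUSPICIOUS_TLDS = {"top", "xyz"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lowercase hostname of a URL; bare 'www.example.com/x' text is given a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels of a hostname (www.paypal.com -> paypal.com); fine for .com-style TLDs."""
    return ".".join(host.split(".")[-2:])


def check_link(href, text):
    """Return the reasons a single link deserves suspicion (empty list = nothing found)."""
    findings = []
    host = hostname(href)
    if not host:
        return ["no hostname in href"]
    tld = host.rsplit(".", 1)[-1]
    if host in URL_SHORTENERS:
        findings.append(f"shortened URL ({host}) hides the real destination")
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"login link on throwaway TLD .{tld}")
    # The visible text looks like a URL but the href points somewhere else.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        findings.append(f"text shows {m.group(1)} but href goes to {host}")
    return findings


def audit_html(html):
    """Map every href in the body to its list of findings."""
    collector = AnchorCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample body modelled on the lures described in this article.
SAMPLE_HTML = """
<p>Unusual sign-in detected.
<a href="https://paypal-secure.top/login">https://www.paypal.com/signin</a></p>
<p>Or use <a href="https://bit.ly/3abc">this link</a> to verify now.</p>
<p>Questions? <a href="https://www.paypal.com/help">PayPal Help Center</a></p>
"""

if __name__ == "__main__":
    for href, reasons in audit_html(SAMPLE_HTML).items():
        print(href, "->", reasons or "ok")
```

Run against the sample body, the first link is flagged twice (throwaway TLD, and text/href mismatch), the bit.ly link once, and the genuine help-centre link not at all. The text/href mismatch check is the programmatic version of "read the URL in the status bar, not the link text".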
3. Watch for urgency and threats
'Your account will be suspended in 24 hours', 'unusual sign-in detected, verify now' and 'final notice' are designed to stop you thinking. Real companies give you time and a way to verify from your normal app or website.
4. Be suspicious of attachments you didn't ask for
Unexpected invoices, shipping notices, voicemails or HR documents are common phishing payloads. .html, .zip, .iso, .lnk and macro-enabled Office files (.docm, .xlsm) deserve the highest scrutiny.
5. Check the greeting and signature
'Dear Customer' or 'Dear Account Holder' from a company that has your name is a red flag. Sign-offs without a real person's name, title and direct phone are another.
6. Look at the reply-to header
Sophisticated phishing spoofs the From header but routes replies to an attacker mailbox. Most mail clients show 'Reply-To' when you hit reply — if it doesn't match the sender, do not respond.
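Sections 1, 4 and 6 are all header-and-attachment checks, so here is one added example (not part of the original page and not Scam AI's code) that runs them together over a raw message using Python's standard `email` module: a brand name in the display name must be backed by that brand's real sending domain, a Reply-To on a different domain from the From address is flagged, and attachments with the extensions listed in section 4 are reported. The brand-to-domain allowlist holds a single constructed entry, the two-label "registrable domain" comparison is a simplification, and both sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: brand names expected in display names and the one
# domain each brand really sends from. A real deployment would load a fuller list.
BRAND_DOMAINS = {"paypal": "paypal.com"}
# Attachment types section 4 singles out for the highest scrutiny.
RISKY_EXTENSIONS = {".html", ".zip", ".iso", ".lnk", ".docm", ".xlsm"}


def domain_of(header_value):
    """Lowercase domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def registrable(host):
    """Last two labels of a hostname (service.paypal.com -> paypal.com)."""
    return ".".join(host.split(".")[-2:])


def audit_message(raw):
    """Return the red flags found in the headers and attachments of a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)

    # Section 1: a brand in the display name must be backed by that brand's real domain.
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in display_name.lower() and registrable(from_dom) != real_domain:
            findings.append(f"display name says {brand} but sender domain is {from_dom}")

    # Section 6: replies quietly routed to a mailbox other than the visible sender.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Section 4: attachments with high-risk extensions. Only the final suffix counts,
    # so a double extension such as invoice.pdf.html is still caught.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffix = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if suffix in RISKY_EXTENSIONS:
            findings.append(f"high-risk attachment {name}")
    return findings


# Constructed phishing sample: spoofed brand, hidden Reply-To, HTML attachment.
SAMPLE_EML = """\
From: PayPal Support <security@paypa1-billing.com>
Reply-To: Billing <replies@collect-mail.example>
To: you@example.org
Subject: Unusual sign-in detected - verify now
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account will be suspended in 24 hours. Open the attached invoice.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="invoice.pdf.html"

<html><body>fake</body></html>
--b1--
"""

# Constructed legitimate sample for comparison: real domain, no Reply-To, no attachment.
LEGIT_EML = """\
From: PayPal <service@paypal.com>
To: you@example.org
Subject: Your receipt
Content-Type: text/plain; charset="utf-8"

Thanks for your purchase.
"""

if __name__ == "__main__":
    print("phishing sample:", audit_message(SAMPLE_EML))
    print("legit sample:   ", audit_message(LEGIT_EML))
```

The phishing sample produces three findings, one per section, and the legitimate sample none. Comparing the registrable domain rather than the full hostname is what lets `service.paypal.com` pass while `paypal.support-team.com` (registrable domain `support-team.com`) is still caught.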
7. Verify out of band before acting
If the email asks for money, credentials or document uploads, close it and contact the company through a number or app you already trust — never through the contact details in the email itself.
8. Run the link through Scam AI
Paste the URL into Scam AI to check Google Safe Browsing, WHOIS domain age, OpenSanctions and global fraud reports in seconds — without ever loading the page.
Frequently Asked Questions
- What is the single biggest sign of a phishing email?
- A mismatch between the visible sender name and the actual email address domain. 'PayPal Support <security@paypa1-billing.com>' is phishing — the brand name is in the display name but the domain is not paypal.com.
- Is it safe to open a phishing email?
- Opening the email itself is generally safe on modern mail clients. The danger is clicking links, downloading attachments, replying with information, or loading remote images that confirm your address is active.
- How can I check a suspicious link without clicking it?
- Hover over the link on desktop to see the real URL, or long-press on mobile. Paste it into Scam AI to run a Google Safe Browsing, WHOIS and OpenSanctions check before visiting.
- What should I do if I already clicked a phishing link?
- Do not enter credentials. Disconnect from Wi-Fi, run a malware scan, change passwords for the impersonated account from a different device, enable 2FA, and report the email to your IT team or to reportphishing@apwg.org.
- Are AI-generated phishing emails harder to spot?
- Yes. Modern phishing rarely has spelling mistakes. Focus on sender domain, link destination, urgency tactics and unexpected attachments rather than grammar.