How to Spot a Phishing Email

Phishing tricks people, not computers — and it almost always leaves the same fingerprints. Here is how to read them, and exactly what to do if a message slips through.

Phishing is one of the most common ways ordinary people get hacked. It does not rely on breaking encryption or finding clever software bugs — it relies on tricking you. A convincing email or text pretends to be your bank, a delivery company, your employer or a service you use, then nudges you into handing over a password, a card number or a one-time code. The good news is that almost every phishing attempt carries the same fingerprints, and once you can read them you will spot the fakes in seconds.

Key takeaways

  • Phishing tricks people, not computers — it works by manufacturing urgency, fear, authority or greed so you act before you think.
  • The classic tells: a look-alike sender domain, a generic greeting, spelling and grammar slips, a link that does not match when you hover it, and an unexpected request for a password, code or payment.
  • Spear-phishing and business email compromise are targeted versions that name you or your boss — verify money and credential requests through a second channel.
  • If you clicked and entered anything, change that password immediately, turn on two-factor authentication, and watch your accounts.
  • Report it: forward the email to your provider and to the authorities — reporting genuinely helps take scams down.
[Figure: mock-up of a phishing email. From: a “PayPal” sender whose address is on the look-alike domain “paypa1”. Subject: “URGENT: Your account will be suspended!” Body: “Dear Customer, We detected unusal activity. Verify within 24 hours or your acount will be closed.” (misspellings as in the mock-up), followed by a “Verify Account Now” button pointing to http://bit.ly/secure-verify-92x. Call-outs: 1. Look-alike domain (paypa1) 2. Urgency & threats 3. Spelling mistakes 4. Generic greeting 5. Shortened / masked link]
Anatomy of a phishing email. Almost every fake repeats the same five tells — a look-alike domain, manufactured urgency, sloppy spelling, a generic greeting and a masked link.

What phishing is and why it works

Phishing is a form of social engineering: the attacker impersonates a trusted organisation to steal information or money. The classic version arrives by email, but the same trick now travels by text message, phone call, social media DM and even QR codes. The aim is always one of a small set of goals — get you to type your credentials into a fake login page, open a malicious attachment, approve a payment, or read out a verification code.

It works because it sidesteps your defences entirely. You can have a fully patched laptop, a strong password and antivirus running, and still hand the keys over voluntarily if the message is convincing enough. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) describes phishing as messages that look like they come from a person or organisation you trust, designed to get you to click a link, open an attachment, or share sensitive details. That trust is the whole attack.

The psychology: urgency, fear, authority, greed

Phishing is applied psychology. Scammers pull a small number of emotional levers because they reliably switch off careful thinking:

  • Urgency. “Your account will be suspended in 24 hours.” A countdown stops you from pausing to check. Real organisations rarely give you minutes to react.
  • Fear. “We detected a suspicious login” or “an unpaid invoice has gone to collections.” Alarm makes you click first and reason later.
  • Authority. A message that appears to come from your bank, the tax office, the police or your own CEO carries borrowed weight — we are trained to comply with authority.
  • Greed and curiosity. “You have a refund waiting”, “you won a prize”, or a parcel you do not remember ordering. The promise of something for nothing lowers your guard.

The tell within the tell: whenever a message makes you feel a sudden spike of emotion — panic, excitement, fear of getting in trouble — treat that feeling itself as a warning sign. Stop, breathe, and verify through a channel you trust before you touch anything in the message.

The tell-tale signs of a phishing email

No single sign is proof on its own, but phishing emails almost always stack several together. Run through this checklist before you act:

  • A look-alike sender domain. The display name says “PayPal”, but the address behind it is on a domain that only resembles the real one, such as the “paypa1” in the mock-up above. Attackers swap letters (a “1” for an “l”, a “0” for an “o”), add words, or use a totally unrelated domain. Always read the full address, not just the name. Reading the address catches look-alikes but not an outright forged one; for that, your provider records whether the message passed the SPF, DKIM and DMARC checks in its headers (Gmail’s “Show original” displays them), and a failure there is a strong sign it did not come from the domain it claims.
  • A generic greeting. “Dear Customer” or “Dear user” instead of your name. A company you actually have an account with usually knows your name; the FTC flags generic greetings as a classic phishing sign.
  • Spelling and grammar mistakes. Odd phrasing, missing words and typos slip through because many phishing kits are written hastily or translated. A polished brand rarely sends sloppy email.
  • A link that does not match. Hover your mouse over a link (or long-press on a phone) and read the real destination before clicking. If the visible text says yourbank.com but the status bar shows bit.ly/xy or a strange domain, it is a trap.
  • Unexpected attachments. Invoices, “receipts”, shipping labels or ZIP files you did not expect can carry malware. Be especially wary of files that ask you to “enable macros”.
  • A request for credentials, codes or payment. Genuine organisations do not email or text you asking for your password, full card number, or a one-time verification code. Anyone asking for your 2FA code is trying to break into your account.
  • A problem with an account you do not have. A “security alert” from a bank you have never used is phishing by definition — the FTC lists this as a common ploy.
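The checklist above, turned into a small scoring script. This is an added example, not code from the original article: it parses a raw email with Python's standard library and flags the tells the mock-up illustrates (look-alike sender domain, urgency, spelling slips, generic greeting, shortened or mismatched links), plus the SPF/DKIM/DMARC verdicts the receiving server records in the Authentication-Results header. The sample message, the sender domain paypa1-support.com, the brand table, the keyword and typo lists and the shortener list are all constructed for the demo and are not published blocklists; the registrable-domain helper is a deliberate simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the demo: brands we expect mail from (with their real sending domains),
# link shorteners, urgency phrases, generic greetings and a tiny misspelling dictionary.
KNOWN_BRANDS = {"paypal": {"paypal.com"}}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "will be closed")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
TYPOS = ("unusal", "acount", "recieve", "verfy")
# Digit-for-letter swaps used to build look-alike domains ("paypa1" for "paypal").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DOMAINISH = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
# Authentication-Results verdicts that do not count as a pass.
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror|temperror)")

# Constructed sample mirroring the annotated mock-up above; paypa1-support.com is invented.
SAMPLE = """\
From: "PayPal Security" <service@paypa1-support.com>
Subject: URGENT: Your account will be suspended!
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=paypa1-support.com; dkim=none; dmarc=fail
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>We detected unusal activity. Verify within 24 hours or your acount will be closed.</p>
<p><a href="http://bit.ly/secure-verify-92x">Verify Account Now</a></p>
<p>Or sign in at <a href="http://paypa1-support.com/login">www.paypal.com</a></p>
"""

def registrable(host: str) -> str:
    """mail.paypal.com -> paypal.com (last two labels; real code would use the Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def impersonated_brand(host: str):
    """Brand a domain imitates through a look-alike spelling, or None for a genuine sending domain."""
    domain = registrable(host)
    for brand, real_domains in KNOWN_BRANDS.items():
        if domain not in real_domains and brand in domain.translate(CONFUSABLES):
            return brand
    return None

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body, like hovering each link."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phishing_tells(raw_message: str) -> dict:
    """Return the tells found, grouped by category; an empty dict means nothing was flagged."""
    msg = message_from_string(raw_message)
    tells = {}
    def flag(category, detail):
        tells.setdefault(category, []).append(detail)
    # 1. Sender: does the address sit on a look-alike of a brand's real domain?
    name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2]
    if brand := impersonated_brand(sender_host):
        flag("sender", f"look-alike domain {sender_host} imitates {brand} (display name {name!r})")
    for mech, result in AUTH_FAIL.findall(msg.get("Authentication-Results", "").lower()):
        flag("auth", f"{mech}={result}")
    # 2-4. Urgency, generic greeting and spelling, over the subject plus the visible text.
    text, links = msg.get("Subject", "") + "\n", []
    for part in (p for p in msg.walk() if p.get_content_maintype() == "text"):
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(body)
            links += parser.links
            body = re.sub(r"<[^>]+>", " ", body)
        text += body
    lowered = text.lower()
    if hits := [w for w in URGENCY if w in lowered]:
        flag("urgency", ", ".join(hits))
    if any(g in lowered for g in GENERIC_GREETINGS):
        flag("greeting", "generic greeting instead of your name")
    if typos := [t for t in TYPOS if re.search(rf"\b{t}\b", lowered)]:
        flag("spelling", ", ".join(typos))
    # 5. Links: shorteners, and visible text that reads like a domain (www.paypal.com)
    #    but disagrees with where the href actually goes.
    for visible, href in links:
        host = urlparse(href).hostname or ""
        if registrable(host) in SHORTENERS:
            flag("links", f"shortened link {href}")
        if (m := DOMAINISH.match(visible)) and registrable(m.group(1)) != registrable(host):
            flag("links", f"text says {visible!r} but goes to {host}")
    return tells
```

Run `phishing_tells(SAMPLE)` and the mock-up scores nine tells across six categories. The point is the stacking: a digit in the domain alone could be a typo, but together with failed authentication, a countdown, a generic greeting and a masked link it is unmistakable, which is exactly why no single sign is proof but several together are. Two shortcuts to replace in anything real: the registrable-domain helper takes the last two labels, which is wrong for names like example.co.uk (use the Public Suffix List), and the keyword and typo lists are starting points rather than a maintained corpus.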

Never share a one-time code. The six-digit codes from your authenticator app or texts exist to prove it is really you. No legitimate support agent, bank or delivery firm will ever phone or message to ask for one. If someone does, they are an attacker — hang up.

Spear-phishing and business email compromise

Ordinary phishing is a net cast wide. Spear-phishing is a spear aimed at you: the attacker researches your name, role, employer and contacts (often from social media) and writes a message tailored to you. Because it references real details, it is far more convincing and far harder to spot.

Business email compromise (BEC) is the most expensive variant. A scammer impersonates a senior colleague, supplier or lawyer — sometimes after quietly taking over a real mailbox — and asks an employee to pay an invoice, change bank details for a supplier, or buy gift cards “urgently and confidentially”. There is no malware and no dodgy link, just a believable request for money. The FBI consistently ranks BEC among the costliest categories of cybercrime.

The golden rule for money and credentials: verify out of band. If an email asks you to move money, change payment details, or hand over a login, confirm it using a phone number or contact you already had — never the number or reply address in the message itself. A thirty-second call defeats most BEC attacks.

Smishing and vishing: phishing by text and phone

Phishing has spread well beyond the inbox.

Smishing (SMS phishing) arrives as a text: a missed-delivery notice with a link to “reschedule”, a fake bank fraud alert, or a “your toll/parking charge is overdue” message. Mobile screens hide the full URL, urgency feels natural in a text, and people tend to trust SMS more than email — which is exactly why it works.

Vishing (voice phishing) is the phone-call version. A caller claims to be your bank’s fraud team, a tax official or “technical support”, and talks you into reading out codes, installing remote-access software, or moving money to a “safe account”. Caller ID can be spoofed to show a real-looking number, so it proves nothing. Modern scams may even use AI-cloned voices of people you know.

The defence is identical across all of them: do not act on the contact you received. Hang up or close the message, then reach the organisation yourself using a number from the back of your card, the official app, or the company’s real website.

What to do if you clicked

Everyone slips eventually — the goal is to limit the damage quickly. If you clicked a link, entered details, or opened an attachment, act in this order:

Disconnect and scan if you opened an attachment

If you ran a file or were prompted to enable content, disconnect the device from Wi-Fi to stop anything spreading, then run a full malware scan with your security software (Microsoft Defender on Windows is built in). Do not log into anything else from that device until it is clean.

Change the exposed password immediately

If you typed a password into a fake page, change it on the real site right now — and change it anywhere else you reused it, because attackers will try it everywhere. A password manager makes this painless and our strong-passwords guide shows how to build a better one.

Turn on two-factor authentication

Enable 2FA on the affected account (and your email above all). Even if the attacker has your password, a second factor usually stops them getting in. Prefer a security key or passkey where the service offers one: it only works on the genuine site, so a fake login page cannot capture it. Codes from an authenticator app are the next best choice, but a live phishing page can relay a code to the real site in real time, so checking the address before you type still matters.

Watch for fraud and tighten your accounts

Monitor bank and card statements, and if financial details were exposed, contact your bank and consider a fraud alert or credit freeze. Review the recovery email and phone number on key accounts in case the attacker changed them. Our guide on protecting your privacy online covers locking accounts down further.

How to report phishing

Reporting takes a minute and genuinely helps — it feeds the blocklists that protect everyone else and helps authorities pursue the criminals.

  • Report it inside your email app. Gmail and Outlook both have a built-in “Report phishing” option in the message menu; using it trains your provider’s filters and removes similar messages.
  • Forward the email to the Anti-Phishing Working Group at reportphishing@apwg.org, and forward suspicious text messages to SPAM (7726) on most U.S. carriers.
  • Report to the authorities. In the U.S., report scams to the FTC at ReportFraud.ftc.gov. If you have lost money to a scam, also report it to the FBI’s Internet Crime Complaint Center (IC3).
  • Tell the impersonated company. Most banks and big brands have a dedicated address (often phishing@<company>.com or an “abuse” page) so they can warn other customers and take the fake site down.

Reporting is most useful when you do not click. Forward the message, or use the app’s built-in reporting button, and then delete it. You do not need to interact with the links or attachments for the report to be valuable.

Frequently asked questions

How can I tell if an email is phishing?

Check the full sender address for look-alike tricks, watch for a generic greeting and spelling mistakes, hover over links to see where they really go, and be suspicious of any unexpected urgency or request for a password, code or payment. Phishing emails usually stack several of these signs together. When in doubt, contact the company directly using a number or website you already trust — never the contact details in the message.

What should I do if I clicked a phishing link?

Act fast. If you only clicked, close the page and run a malware scan. If you entered a password, change it immediately on the real site and anywhere you reused it, then turn on two-factor authentication. If you shared card or banking details, contact your bank and watch your statements. Reviewing your account’s recovery email and phone number is wise too, in case the attacker tried to change them.

Will a legitimate company ever ask for my password or a verification code?

No. Banks, retailers, delivery firms and tech-support lines never ask you to reveal your password or read out a one-time verification code. Those codes exist precisely to prove it is you — anyone requesting one is trying to break into your account. Treat any such request, by email, text or phone, as an attack.

What is the difference between phishing, smishing and vishing?

They are the same trick on different channels. Phishing is the email version, smishing arrives by SMS text message (often a fake delivery or bank alert), and vishing is a phone call from someone pretending to be your bank, the tax office or tech support. All three manufacture urgency and ask you to hand over information, money or access. The defence is the same: do not respond to the contact you received — reach the organisation yourself.

How do I report a phishing email?

Use the built-in “Report phishing” option in Gmail or Outlook, forward the email to reportphishing@apwg.org, and forward scam texts to SPAM (7726). Report the scam to the FTC at ReportFraud.ftc.gov, and tell the company being impersonated so they can take the fake site down. You do not need to click any links in the message to report it.

What is spear-phishing?

Spear-phishing is a targeted attack written specifically for you, using real details such as your name, job, employer or recent activity — usually gathered from social media or a data breach. Because it references genuine information, it is much more convincing than mass phishing. Business email compromise, where a scammer impersonates your boss or a supplier to request a payment, is a costly form of it.

Sources & further reading

This guide is independently produced. We reference primary documentation from device makers and security authorities. Tudug is reader-supported and may earn from ads.

  • How to Create Strong Passwords. Build passwords attackers can't crack — length, passphrases and the manager that does it for you.
  • Two-Factor Authentication Explained. The second layer that stops most account takeovers even when your password leaks.
  • Protect Your Privacy Online. Lock down the personal data scammers use to make phishing convincing.