How to Spot a Phishing Email
Phishing is a fraudulent message that pretends to come from someone you trust, designed to make you click a link, open a file, or hand over a password or payment. It is the most common way attacks begin, and modern phishing is clean, well-written, and convincing.
Phishing is among the most reported cybercrimes. The FBI's Internet Crime Complaint Center logged 193,407 phishing and spoofing complaints in its 2024 report, and Verizon's 2025 DBIR found the median time to fall for a phishing email is under 60 seconds.
What is phishing?
Phishing gets its name from fishing: the attacker casts out bait, a believable message, and waits for someone to bite. The goal is almost always one of three things: your login credentials, a malicious file on your device, or a payment sent to the wrong place. Phishing is the most common form of social engineering.
Types of phishing
- Email phishing: mass messages impersonating a known brand or service.
- Spear phishing: a targeted message aimed at one person, using real details.
- Whaling and BEC: attacks aimed at executives or finance staff to approve large payments. BEC alone drove roughly $2.8 billion in reported losses in the FBI's 2024 report.
- Smishing: phishing by SMS, often fake delivery or bank texts.
- Vishing: phishing by phone call, often impersonating support.
- Quishing: phishing with a QR code that hides a malicious link.
- Clone phishing: a copy of a real message you received, with the link swapped for a malicious one.
- Adversary-in-the-middle: advanced phishing that relays your login in real time to steal the session and defeat MFA.
How to spot a phishing email
The single best habit is to read a message in order, from the top down, before you react to it. Head to toe, check as you go. Start at the subject, then the sender's name, then the real address, then any link, and only then the body. Phishing is written to pull your eyes straight to the body and the call to action, which is exactly why working downward catches it.
Head to toe, check as you go: subject, sender name, sender address, links, then body. Work down deliberately and you will catch the fakes the body is trying to rush you past.
- Subject: urgency or a threat ("your account will be closed", "a payment failed", "act now").
- Sender name: a display name that looks right but does not match the actual address.
- Sender address and domain: a lookalike domain with an extra letter, a hyphen, or a different ending.
- Links: hover to see the real destination. If it does not match the text or the real brand, stop.
- Attachments: anything you did not expect, especially files that ask you to enable content.
- Body: requests for your password, a one-time code, a payment, gift cards, wire transfers, or cryptocurrency.
Old advice said to look for bad spelling. Do not rely on that. Modern phishing, often written with AI, is polished and grammatically clean.
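The head-to-toe checklist above can be turned into a triage script. The following is an added example, not code from the original page: it walks one message in the same order (subject, sender name, sender address, links, body) and lists what it finds. The sample message, the brand allowlist in TRUSTED_BRANDS, and the domains paypa1-support.com and verify-login.net are all constructed for the example; the keyword lists and the two-label "registrable domain" shortcut are simplifying assumptions, not a production rule set. Note that it deliberately does not score spelling, for the reason the paragraph above gives.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims a brand, the
# address is a lookalike domain, and the link text does not match its target.
SAMPLE_EML = b"""From: "PayPal Support" <security@paypa1-support.com>
To: user@example.org
Subject: Urgent: your account will be closed within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected a problem. Please verify your password now.</p>
<a href="http://paypal.com.verify-login.net/session">https://www.paypal.com/login</a>
</body></html>
"""

TRUSTED_BRANDS = ("paypal.com", "microsoft.com", "example.org")  # assumed allowlist
URGENCY_WORDS = ("urgent", "immediately", "act now", "closed", "suspended", "failed")
SENSITIVE_ASKS = ("password", "one-time code", "gift card", "wire transfer", "cryptocurrency", "payment")
# Good enough for the sample body; a real tool would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Last two labels; enough for .com-style hosts (no public-suffix list here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch an extra, missing or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Trusted brand this domain imitates (typo, hyphenated variant, other ending), else None."""
    if domain in TRUSTED_BRANDS:
        return None
    tokens = domain.split(".")[0].split("-")
    for brand in TRUSTED_BRANDS:
        name = brand.split(".")[0]
        if any(tok == name or levenshtein(tok, name) <= 1 for tok in tokens):
            return brand
    return None


def check_link(href, shown):
    """Flags for one anchor: brand used as a subdomain, lookalike target, text/target mismatch."""
    host = (urlparse(href).hostname or "").lower()
    target, out = registrable_domain(host), []
    for brand in TRUSTED_BRANDS:
        if host.startswith(brand + ".") and target != brand:
            out.append(f"link: {brand} is only a subdomain of {target}")
    if lookalike_of(target):
        out.append(f"link: {target} looks like {lookalike_of(target)}")
    if shown.startswith(("http://", "https://")):  # link text that is itself a URL
        shown_host = urlparse(shown).hostname or ""
        if registrable_domain(shown_host) != target:
            out.append(f"link: text shows {shown_host} but goes to {host}")
    return out


def triage(raw):
    """Walk the message top-down (subject, name, address, links, body) and list findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    hits = [w for w in URGENCY_WORDS if w in str(msg.get("Subject", "")).lower()]
    if hits:
        findings.append(f"subject: urgency words {hits}")
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    if lookalike_of(sender_domain):
        findings.append(f"sender address: {sender_domain} looks like {lookalike_of(sender_domain)}")
    for brand in TRUSTED_BRANDS:
        if brand.split(".")[0] in display.lower() and sender_domain != brand:
            findings.append(f"sender name: '{display}' claims {brand} but address is @{sender_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, shown in ANCHOR_RE.findall(html):
        findings.extend(check_link(href, re.sub(r"<[^>]+>", "", shown).strip()))
    asks = [w for w in SENSITIVE_ASKS if w in re.sub(r"<[^>]+>", " ", html).lower()]
    if asks:
        findings.append(f"body: asks for {asks}")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EML)))
```

Run against the sample it reports six findings: the urgent subject, the lookalike sender domain, a display name that claims a brand the address does not belong to, a link that only uses the brand as a subdomain, link text that shows one host while the target is another, and a body asking for a password. The same checks apply to a saved .eml from a mailbox; the point of the ordering is that every finding is raised before the body's call to action is read.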
How to verify a suspicious message safely
- Hover over links to see the real destination before clicking. On mobile, press and hold.
- Check the full sender address, not just the display name.
- Go direct: type the company's address into your browser yourself instead of clicking the link.
- Call back on a number you already trust, never the one in the message.
- Never enter your password on a page you reached by clicking a link in a message.
Phishing that beats multi-factor authentication
Multi-factor authentication is essential, but it is no longer a guarantee. Adversary-in-the-middle kits place the attacker between you and the real login page, so they capture your password and your one-time code, then steal the live session. This is why verifying the site before you log in still matters, even with MFA enabled.
What to do if you clicked or entered your password
- Change the password immediately, and on any other site where you reused it.
- Sign out all sessions and re-enable or strengthen MFA.
- Tell your IT or security team, or your bank, as fast as possible.
- Watch the affected accounts for unfamiliar activity.
Speed matters more than embarrassment. Reporting early limits the damage.
See phishing in the wild
- MFA Under Siege: how vishing and adversary-in-the-middle defeat modern authentication
- ClickFix: a paste-based lure that turns victims into their own attackers
- The Ghostwriter Playbook: a nation-state email campaign built to evade detection
Frequently asked questions
What is phishing?
Phishing is a fraudulent message that impersonates someone you trust to trick you into clicking a link, opening a file, or giving up a password or payment.
How do I spot a phishing email?
Look for a mismatched sender address, lookalike domains, urgency or threats, requests for passwords or one-time codes, and links whose real destination does not match the text. Do not rely on spelling mistakes; modern phishing is clean.
What are the main types of phishing?
Email phishing, spear phishing, whaling and business email compromise, smishing (SMS), vishing (voice), quishing (QR codes), clone phishing, and adversary-in-the-middle attacks.
Can phishing get past multi-factor authentication?
Yes. Adversary-in-the-middle phishing relays your login in real time to capture both your password and your one-time code, then steals the session. Verifying the site before you log in still matters.
What should I do if I clicked a phishing link?
Change the password right away and anywhere you reused it, sign out all sessions, strengthen MFA, report it to your IT team or bank, and watch the accounts for unusual activity.