Industry surveys consistently find that the great majority of breaches start with a person being tricked rather than a machine being hacked, and phishing is by far the most common trick. The good news: nearly every phishing email contains the same handful of tells. Once you know them, you can clear your inbox safely in seconds.
The 10-second visual check
Before you read a single word of the email body, scan these four places:
- The sender's full address, not just the friendly name. The name is typed in by whoever sent the email and can say anything; tap or hover to see the address behind it.
- The greeting: generic ("Dear Customer") or oddly personal?
- Any links: hover (don't click). Does the domain in the URL belong to the brand?
- The emotional temperature: fear, urgency, reward, secrecy?
If two or more feel off, treat the email as hostile until proven otherwise.
Red flag 1: A lookalike sender address
Scammers register domains that look almost identical to real ones. support@paypa1.com uses a "1" instead of an "l". service@apple-id-security.com isn't Apple at all. Always read the part after the @ symbol, character by character. Reading it rules emails out, not in: a correct-looking address can still be forged outright, so on its own it never proves a message is genuine.
Quick rule
Read the domain right to left. The name just before the ending (.com, .co.uk and so on) is the one that counts: mail from alerts.paypal.com comes from PayPal, but mail from paypal.alerts-center.com or paypal-security.com does not, however many times the brand appears. If that name doesn't match the company's main website, assume the email isn't from that company. A few companies do send from a separate domain, so if a message that fails this test still seems plausible, check it through the back channel described below, never through the email itself.
Red flag 2: Manufactured urgency
"Your account will be suspended in 24 hours." "Action required immediately." "Final notice." Real deadlines exist, but legitimate companies rarely give you hours rather than days, and they never object to you taking the slow route: logging in on your own or calling them. Urgency is a manipulation tactic designed to override your judgment. When you feel pressured, slow down; that feeling itself is the warning.
Red flag 3: Links that don't go where they say
On desktop, hover over a link to see the real destination in the corner of your browser or mail app. On a phone, press and hold. Then read the domain the same way you read the sender's address: if the visible text says chase.com but the URL is chase-secure-login.xyz, or chase.com.verify-now.net, you've caught a phish, because the part that counts is the name right before the ending, not whether the brand shows up somewhere in the address. Shortened or tracking links hide the real destination entirely; in an email you weren't expecting, treat them as unknown and use the back channel instead.
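For readers who want to see the domain test from red flags 1 and 3 done mechanically, here it is as a short Python 3 script. It is an added illustration, not part of this article or of the ShieldsON app, and its three small tables are constructed for the example rather than complete: the brand list (KNOWN_BRANDS), the handful of two-part domain endings (TWO_LABEL_SUFFIXES) and the look-alike character swaps (CONFUSABLES). It reads the registered name the way the quick rule above describes, spots digit-for-letter swaps such as paypa1, notices a brand name sitting in the wrong part of an address, and compares a link's visible text with where it really goes.

```python
"""Mechanical version of 'read the domain character by character'.

Constructed example for this article; standard library only.
"""
from urllib.parse import urlparse

# Brands to recognise, keyed by the domain the company really owns.
# Constructed for illustration; a real tool would load a maintained list.
KNOWN_BRANDS = {"paypal.com": "PayPal", "apple.com": "Apple", "chase.com": "Chase"}

# Stand-in for the Public Suffix List: endings that use two labels, so that
# barclays.co.uk is treated as a name rather than co.uk. Real code should use
# the full list (the tldextract package ships it).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}

# Swaps that look alike in common fonts. Only acted on when the result equals
# a brand name, so ordinary words containing 'rn' are not flagged.
CONFUSABLES = {"1": "l", "0": "o", "5": "s", "3": "e", "rn": "m", "vv": "w"}


def registered_domain(host: str) -> str:
    """The part of a hostname its owner actually registered.

    alerts.paypal.com -> paypal.com; paypal.alerts-center.com -> alerts-center.com
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(address: str) -> str:
    """Everything after the last '@': 'PayPal <support@paypa1.com>' -> paypa1.com."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def url_host(url: str) -> str:
    """Hostname of a link target; tolerates a bare 'chase.com' with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def normalize(name: str) -> str:
    """Undo look-alike substitutions so 'paypa1' compares equal to 'paypal'."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def judge_host(host: str) -> str:
    """Classify one hostname against KNOWN_BRANDS."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in KNOWN_BRANDS:
        return f"genuine {KNOWN_BRANDS[reg]}"
    reg_name = reg.split(".")[0]  # 'paypa1' from 'paypa1.com'
    for real_domain, brand in KNOWN_BRANDS.items():
        real_name = real_domain.split(".")[0]
        # paypa1.com: the same letters once the '1' is read as an 'l'
        if normalize(reg_name) == real_name:
            return f"lookalike of {brand}"
        # apple-id-security.com, chase.com.verify-now.net: the brand appears,
        # but the registered name belongs to someone else
        if real_name in host:
            return f"brand name in wrong place ({brand})"
    return "unknown domain"


def link_mismatch(visible_text: str, href: str) -> bool:
    """True when link text shows one domain but the target lands on another.

    Only meaningful when the visible text itself looks like an address.
    """
    shown = visible_text.strip()
    if "." not in shown or " " in shown:
        return False
    return registered_domain(url_host(shown)) != registered_domain(url_host(href))


if __name__ == "__main__":
    # Constructed sender/link pairs based on the red flags above, not real mail.
    samples = [
        ("support@paypa1.com", "Click here", "https://paypa1.com/verify"),
        ("service@apple-id-security.com", "appleid.apple.com", "https://apple-id-security.com/"),
        ("alerts@chase.com", "chase.com", "https://chase-secure-login.xyz/login"),
        ("no-reply@alerts.paypal.com", "paypal.com", "https://www.paypal.com/activity"),
    ]
    for sender, text, href in samples:
        flag = " (text and target disagree)" if link_mismatch(text, href) else ""
        print(f"{sender:32} sender: {judge_host(sender_domain(sender))}")
        print(f"{'':32} link:   {judge_host(url_host(href))}{flag}")
```

Run it and the four constructed sample emails at the bottom are scored; only the last one, from alerts.paypal.com pointing at www.paypal.com, comes back clean. A real filter would use the full Public Suffix List and a much larger confusables table, but the decision it makes is exactly the one your eye should make.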
Red flag 4: Unusual requests
No legitimate organization will ever email you and ask for:
- Your full password
- A one-time verification code, whether it arrived by text message, by email, or in an authenticator app
- Payment in gift cards, cryptocurrency, or wire transfer
- Remote access to your computer
Red flag 5: Attachments you didn't expect
A surprise invoice. A "delivery notice" with a .zip file. A document that wants you to "enable editing" or "enable macros." These are classic malware delivery methods. If you weren't expecting it, don't open it, even when it appears to come from someone you know: a familiar name is no guarantee, because their account may have been taken over. Ask them through the back channel first.
Red flag 6: Slightly-off writing
Modern AI has made scam emails grammatically cleaner, but tone is still hard to fake. Watch for: unusual capitalization, formal phrases mixed with casual ones, oddly translated idioms, and "Sincerely, The Team" sign-offs from companies that never sign that way. Clean writing no longer proves an email is real, but clumsy writing is still a tell.
If you're unsure, use the back channel
Never reply to a suspicious email, click its links, or call a number it contains to "confirm" whether it's real; every one of those routes leads straight back to the sender. Instead, open a fresh browser tab and visit the company's website by typing the address yourself, or call a number printed on a card or statement you already trust. If the request is real, you can complete it there.
The ShieldsON shortcut
If you have the ShieldsON app, forward the message to your advisor. You'll get a verdict in seconds — and so will the trusted person in your safety circle, in case it's part of a wider attack on your family.
What to do if you already clicked
- Don't panic — and don't enter any more information.
- Disconnect from Wi-Fi if you downloaded or opened anything, and don't reconnect that device until it has been scanned or checked.
- Change the password of any account you may have exposed (start with email and banking), using a different device if you downloaded anything, and change it anywhere else you reused that password.
- If you typed in card details or a one-time code, call your bank or the real company right away, using a number from your card or statement.
- Turn on two-factor authentication everywhere it's offered.
- Tell someone. Speed matters; embarrassment doesn't.
Was this helpful? Try the free ShieldsON app — it puts an AI advisor and a trusted person one tap away when something looks fishy.