1. The Sender Address Doesn't Match the Display Name
Email clients display a "friendly name" for the sender — but this name is completely arbitrary and can be set to anything by the sender. An attacker can set their display name to "PayPal Security" or "enemail Team" while sending from an entirely unrelated address like paypa1-security@hotmail.com or noreply@random-domain.xyz.
Always check the actual sending address, not just the display name. In most email clients you can click on or hover over the sender name to reveal the underlying address. If they don't match in a way that makes sense — treat the email as suspicious.
2. The Domain Has Subtle Variations
Even when attackers use a real-looking domain, they often can't use the actual domain — so they register something close. Common techniques include: replacing letters with similar-looking numbers (paypa1.com, arnazon.com), adding hyphens (pay-pal.com), adding words (paypal-security.com), using subdomains to bury the real domain at the end (paypal.com.phishing-site.ru), or using international characters that render identically to Latin letters but resolve to a different domain.
Read the domain carefully, from right to left. The host is the part between the scheme's double slash and the first single slash; the real (registered) domain is the rightmost two labels of that host (three for country suffixes such as .co.uk), and everything to the left of them is a subdomain the domain's owner can set freely. security.paypal.com is legitimate. paypal.security-alert.com is not: the real domain there is security-alert.com.
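The two checks above (display name versus real address, and look-alike or subdomain-buried domains) as a small detector. This is an added example, not code from enemail or from the original article; the brand list, the look-alike folding rules and the sample headers are assumptions constructed for the demonstration.

```python
from email.utils import parseaddr

# Constructed sample From: headers, modelled on the article's examples (not real mail).
SAMPLE_FROM_HEADERS = [
    '"PayPal Security" <paypa1-security@hotmail.com>',
    '"PayPal" <service@paypal.com>',
    '"Amazon" <noreply@paypal.com.phishing-site.ru>',
    '"IT Helpdesk" <admin@pay-pal.com>',
]

# Brands we expect to appear only under their real registered domain (assumed list).
KNOWN_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}

# Digit-for-letter swaps attackers use in look-alike domains (paypa1, amaz0n).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registered_domain(address):
    """Registrable domain of the address's host: the last two labels, reading
    right to left as the article describes. Multi-part public suffixes such as
    co.uk need a public-suffix list and are out of scope here."""
    host = address.rpartition("@")[2].lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise(text):
    """Fold look-alike tricks so pay-pal, paypa1 and arnazon compare equal to the brand."""
    return text.lower().translate(HOMOGLYPHS).replace("-", "").replace("rn", "m")


def assess_sender(from_header):
    """Return warning strings for one From: header; an empty list means nothing found."""
    display, address = parseaddr(from_header)
    host = address.rpartition("@")[2].lower()
    domain = registered_domain(address)
    warnings = []
    for brand, real_domain in KNOWN_BRANDS.items():
        if domain == real_domain:
            continue  # genuinely sent from the brand's own registered domain
        if brand in display.lower():
            warnings.append(f"display name claims {brand!r} but sender domain is {domain}")
        if brand in host.split(".")[:-2]:
            warnings.append(f"{brand!r} buried in a subdomain; real domain is {domain}")
        if brand in normalise(domain):
            warnings.append(f"sender domain {domain} is a look-alike of {real_domain}")
    return warnings


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(header, "->", assess_sender(header) or "no warnings")
```

Internationalised (Unicode) look-alike domains are not folded here; a production check would also compare the IDNA/punycode form of the host.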
3. Urgency and Fear
Phishing attacks depend on overriding your careful thinking with emotional reactivity. The most effective triggers are urgency and fear: "Your account will be closed in 24 hours." "Suspicious activity has been detected." "Your payment has failed." "Legal action will be taken unless you respond immediately."
These messages are designed to make you act before you think. Legitimate organisations do not set arbitrary 24-hour deadlines or threaten immediate account closure in cold emails. When an email creates a sense of panic, that panic is the attack. Slow down. Verify through a channel you initiated yourself — call the company directly, or navigate to their website via your own bookmark.
4. Generic Greetings
Legitimate services know your name. Your bank knows you as "Jane Smith." PayPal knows your name. Amazon addresses you by name in their emails. A phishing email sent to thousands of addresses simultaneously cannot know your name, so it defaults to "Dear Customer," "Dear User," "Dear Account Holder," or simply "Hello."
This isn't a perfect signal — some legitimate bulk emails are generic — but combined with other warning signs, a generic greeting is a meaningful indicator.
5. Requests for Credentials or Payment Outside the Normal Flow
No legitimate service will ask you to enter your password in response to an unsolicited email. No bank will ask you to "verify your account" by clicking a link and entering your full card number. No government agency will email you asking you to pay a fine by gift card or wire transfer.
If an email asks you to provide login credentials, payment details, or personal identification — particularly if it provides a link to do so — this is a strong indicator of phishing. The correct response is to ignore the link and go directly to the service's real website to check whether any action is actually needed.
6. Unexpected Attachments
Malicious email attachments remain one of the most common vectors for malware delivery. Be particularly sceptical of: .zip or .rar archives (which can hide executables), .exe or .msi files (direct executables), .docm or .xlsm files (Office documents with macros), and password-protected archives (designed to bypass antivirus scanning).
If you were not expecting an attachment, do not open it — even if the sender appears to be someone you know. Attackers frequently compromise real accounts and use them to send malicious attachments to the victim's contacts, because trusted-sender attacks have much higher success rates.
7. Links That Don't Match What They Display
Email HTML allows the displayed text of a link to be completely different from the URL it actually points to. An email can display the text https://paypal.com/verify while the underlying link actually goes to https://phishing-site.com/steal.
On desktop, hover your mouse over any link before clicking and check the URL shown in your browser's status bar. On mobile, hold down the link to preview the URL. If the real destination doesn't match what's displayed, don't click.
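The same comparison the hover check performs, done over an HTML body: for every link whose visible text looks like a URL, compare the host it shows with the host the href actually points to. This is an added example, not code from the original article; the sample HTML is constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body modelled on the article's example (not a real message).
SAMPLE_HTML = """
<p>Please <a href="https://phishing-site.com/steal">https://paypal.com/verify</a>
your account. Or visit <a href="https://www.paypal.com/help">PayPal help</a> and
<a href="https://example.org/track?id=1">https://example.org/track</a>.</p>
"""


def host_of(text):
    """Hostname of a URL-like string, or None when the text is not an http(s) URL."""
    parsed = urlparse(text.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a> counts
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (href, text) pairs whose displayed URL points at a different host."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        # Only URL-looking link text can be compared; plain words like "PayPal help" cannot.
        if shown and real and shown != real:
            suspicious.append((href, text))
    return suspicious
```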
8. Poor Grammar and Odd Formatting
While AI-generated phishing has improved text quality significantly, many phishing emails still contain telltale signs: awkward phrasing, inconsistent capitalisation, mismatched fonts or formatting, or an overall visual design that looks slightly off compared to the real brand. Legitimate organisations typically have strict brand standards and proofreading processes.
Note that the absence of grammar errors no longer means an email is safe — AI tools have made it trivial to generate grammatically perfect phishing text in any language. But the presence of errors remains a useful warning sign.
9. Requests That Bypass Normal Channels
A particularly dangerous phishing variant involves requests designed to bypass your organisation's normal security checks. "Don't go through IT on this — I need it handled directly." "This is confidential, please don't discuss it with colleagues." "Wire the funds before the end of day, I'm in a meeting and can't take calls."
These social engineering elements are designed to prevent you from using the very verification mechanisms that would expose the attack. Any email that asks you to circumvent normal processes — especially for financial transactions or access credentials — should trigger immediate verification through an out-of-band channel.
10. The "Too Good to Be True" Offer
Alongside fear and urgency, greed is a powerful phishing trigger. Unexpected prize winnings, unclaimed inheritances from distant relatives, tax refunds you weren't expecting, cryptocurrency investment opportunities with guaranteed returns, or job offers with implausibly high salaries all follow the same pattern: something unexpected and attractive requires you to provide personal information or click a link to claim it.
If you didn't enter a competition, you didn't win it. If a distant relative left you money, the notification comes through proper legal channels, not a cold email. If something sounds too good to be true, it is.
What to Do If You Suspect a Phishing Email
The right response to a suspected phishing email is straightforward:
- Do not click any links or open any attachments
- Do not reply — replying confirms your address is active
- Report it — use your email client's "report phishing" function, or forward to your IT team if it's a work account
- Delete the email after reporting
- If you already clicked — change your password immediately, enable 2FA if not already active, and run a malware scan on your device
Why Encrypted Email Helps
End-to-end encrypted email with digital signatures provides a cryptographic layer of protection against phishing. When an enemail user sends a signed message, the recipient can cryptographically verify that the message was produced by the holder of that sender's key and was not modified in transit; once the recipient knows that key belongs to the sender, a valid signature cannot be spoofed. An attacker impersonating an enemail address would be unable to produce a valid signature.
This doesn't make you immune to phishing from non-encrypted senders, but it creates a trustworthy channel between users who are both on end-to-end encrypted platforms. Over time, as signed email becomes the norm, unsigned emails from supposedly known contacts become a meaningful warning sign in their own right.
Email with cryptographic sender verification
enemail signs every message with your cryptographic key, so recipients can verify your identity with mathematical certainty — not just a display name anyone can fake.