What Is a Phishing Email?
A phishing email is a fake message designed to look like it came from a trusted source — your bank, PayPal, Google, Amazon, or even your boss — but it was actually sent by a cybercriminal trying to steal your information or money.
The goal of a phishing attack is simple: trick you into clicking a fake link, entering your password, or downloading a malicious file. Phishing is responsible for over 90% of data breaches worldwide, which means learning to spot these emails is one of the most important cybersecurity skills you can develop.
9 Warning Signs an Email Is a Phishing Scam
1. The Sender Address Looks Off
The email might say it is from "PayPal Support," but look closely at the actual email address. Phishers often use addresses like support@paypal-secure-login.com or no-reply@paypa1.com (with a number 1 instead of the letter l). Always check the full email address, not just the display name.
2. There Is Urgent or Threatening Language
Phishing emails create panic on purpose. Common phrases include: "Your account has been suspended," "Verify immediately or lose access," or "Unauthorized login detected." Legitimate companies rarely communicate this way. If an email is pushing you to act fast without thinking, that is a red flag.
3. There Are Spelling and Grammar Mistakes
Many phishing emails originate from non-English-speaking cybercriminals and contain obvious grammatical errors, odd phrasing, or unusual capitalization. Professional companies review their communications carefully. Consistent errors are a strong warning sign.
4. Links Go to Strange Websites
Hover your mouse over any link in the email (do not click it) and look at the bottom of your browser window or screen to see the real destination. If the email claims to be from your bank but the link points to something like secure-login-bank.xyz, do not click it.
5. It Asks for Personal Information
Legitimate services will never ask you to confirm your password, Social Security number, credit card details, or bank account number via email. If an email requests this information, treat it as a scam regardless of how legitimate it looks.
6. The Greeting Is Generic
Emails that say "Dear Customer," "Dear User," or "Hello Friend" instead of your actual name are often mass phishing attempts. Companies that have your account information will address you by name.
7. There Is an Unexpected Attachment
Be extremely cautious with unexpected attachments, especially files ending in .zip, .exe, .docm, or .pdf. These can contain malware that installs automatically when opened. Only open attachments you were specifically expecting from a known contact.
8. The Email Offers Something Too Good to Be True
Unexpected prize notifications, inheritance windfalls, unclaimed packages, or refund offers you never requested are classic phishing bait. If it sounds too good to be true, it almost certainly is.
9. The Design Looks Slightly Off
Phishers copy the visual design of real companies but often miss details — logos look blurry, colors are slightly wrong, or the layout feels different from what you are used to seeing. Trust your instincts if something looks slightly wrong.
What to Do If You Receive a Suspicious Email
- Do not click any links. Hover over them first to check the real destination.
- Do not download any attachments unless you were expecting them.
- Do not reply to the email, even to say you know it is a scam.
- Report it using your email client's Report Phishing button (Gmail and Outlook both have one).
- Delete it from your inbox and trash folder.
- If the email claims to be from a company you use, go directly to that company's website by typing the address in your browser — never via the email link.
Real Example: A Fake Google Security Alert
You receive an email with the subject "Critical Security Alert — Action Required." The Google logo looks perfect, the colors match, and the email warns that someone in Russia logged into your Gmail account. There is a big red button that says "Secure My Account Now."
Before you click, check the sender address. Instead of @google.com, it reads: security-alert@google-accounts-login.net. The link in the button points to a fake login page designed to steal your Gmail password. This is phishing.
Beginner Checklist: How to Evaluate Any Email
- ☑ Check the full sender email address, not just the display name
- ☑ Hover over all links before clicking
- ☑ Look for urgency or threatening language
- ☑ Check for spelling mistakes or odd phrasing
- ☑ Never enter your password from an email link — go directly to the site
- ☑ When in doubt, delete it
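The warning signs and the checklist above, turned into a small detection script. This is an added example, not part of the original article: it runs a constructed sample message modelled on the article's fake Google alert through checks for the sender domain, digit-for-letter lookalikes such as paypa1.com, urgent phrases, a generic greeting, where each link really goes, and risky attachments. The brand-domain table, the phrase lists and the link path in the sample are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains a genuine message from each brand would come from (an assumption made for this example).
BRAND_DOMAINS = {"google": "google.com", "paypal": "paypal.com"}
URGENT_PHRASES = ("verify immediately", "account has been suspended", "lose access", "unauthorized login")
RISKY_EXTENSIONS = (".zip", ".exe", ".docm")
# Constructed sample modelled on the article's fake Google alert; the link path is a placeholder.
SAMPLE = """From: Google Security <security-alert@google-accounts-login.net>
Subject: Critical Security Alert - Action Required
Content-Type: text/html

<p>Dear User, someone in Russia logged into your account. Verify immediately or lose access.</p>
<a href="http://google-accounts-login.net/placeholder">Secure My Account Now</a>
"""

def is_brand_host(host):
    """True if host is one of the brand domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS.values())

def warning_signs(raw_email):
    """Return the article's warning signs that a raw RFC 822 message triggers (a list of strings)."""
    msg = message_from_string(raw_email)
    signs = []
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Sign 1: the display name claims a brand, but the real address is not on that brand's domain.
    if any(b in display_name.lower() for b in BRAND_DOMAINS) and not is_brand_host(domain):
        signs.append(f"sender domain {domain} does not belong to the claimed brand")
    # Sign 1 again: digit-for-letter lookalikes such as paypa1.com (1 for l) or g00gle.com (0 for o).
    if not is_brand_host(domain) and domain.translate(str.maketrans("10", "lo")) in BRAND_DOMAINS.values():
        signs.append(f"lookalike domain {domain}")
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_maintype() == "text" and not p.get_filename())
    text = re.sub(r"<[^>]+>", " ", body).lower()
    signs += [f"urgent phrase: {p}" for p in URGENT_PHRASES if p in text]   # Sign 2
    if re.search(r"\bdear (customer|user)\b|\bhello friend\b", text):       # Sign 6
        signs.append("generic greeting")
    # Sign 4: where each link really goes (the hover check), using a deliberately simple HTML regex.
    for href, label in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = re.sub(r"^[a-z]+://", "", href.lower()).split("/")[0]
        if host and not is_brand_host(host):
            signs.append(f"link '{label.strip()}' really goes to {host}")
    for part in msg.walk():                                                 # Sign 7
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            signs.append(f"risky attachment {filename}")
    return signs
```

Calling `warning_signs(SAMPLE)` reports the mismatched sender domain, both urgent phrases, the generic greeting and the link that leaves the brand's domain; a message from a subdomain of google.com with a personal greeting and no links returns an empty list.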
Frequently Asked Questions
Can I get hacked just by opening a phishing email?
In most cases, simply opening a phishing email in a modern email client like Gmail or Outlook is safe. The danger comes from clicking links, downloading attachments, or entering your credentials on a fake website.
What should I do if I already clicked a phishing link?
Do not panic. Immediately close the page without entering any information. Change the password for any account the link claimed to be from. Run a malware scan on your device. Enable two-factor authentication on important accounts.
Is phishing only done via email?
No. Phishing also happens via text message (called smishing), phone calls (vishing), and fake social media messages. The tactics are the same — urgency, impersonation, and a request for your information or money.