
How to Spot a Phishing Email: The Red Flags That Saved My Accounts

Practical phishing awareness guide — real examples of phishing emails, spear phishing, smishing, and vishing with the exact red flags that identify every attack type.

AiTechWorlds Team
May 28, 2026 11 min read

The email arrived on a Tuesday morning and looked completely legitimate. It was from what appeared to be my web hosting company, using their exact logo, color scheme, and email template. The message warned that my domain was about to be suspended due to an unusual security flag on my account and that I needed to verify my identity within 24 hours to prevent suspension.

The urgency was well-calibrated — not so extreme that it felt ridiculous, but enough to make me want to act before my site went down. I almost clicked the verification link.

What stopped me was a single habit I'd built after reading about phishing: before clicking any link in an urgent email about an account, I open a new browser tab and navigate directly to the service's website. When I logged into my actual hosting account, there was no security issue. The email was a credential harvest attempt.

That near-miss changed how I read every email. Phishing is responsible for over 80% of security incidents according to Verizon's annual Data Breach Investigations Report. Understanding exactly what to look for makes the difference between being a statistic and recognizing attacks before they succeed.


The Phishing Attack Landscape

Phishing has evolved significantly beyond the obvious "Nigerian prince" emails that defined early internet scams. Modern phishing is technically sophisticated, psychologically refined, and distributed across every communication channel.

Phishing Type Comparison Table

| Type | Channel | Sophistication | Volume | Target |
|---|---|---|---|---|
| Email phishing | Email | Low-Medium | Mass | Anyone |
| Spear phishing | Email | High | Targeted | Specific individuals |
| Whaling | Email | Very High | Individual | Executives, VIPs |
| Smishing | SMS/text | Medium | Mass/Targeted | Mobile users |
| Vishing | Phone call | Medium-High | Targeted | Anyone |
| Clone phishing | Email | Medium | Targeted | Previous email recipients |
| Business Email Compromise | Email | Very High | Individual | Finance/HR employees |
| Quishing | QR codes | Medium | Mass/Targeted | Anyone scanning QR codes |

Each type exploits the unique properties of its channel. SMS messages feel more personal and urgent than emails. Phone calls use real-time social pressure. QR codes appear in physical contexts that feel inherently trustworthy. The underlying psychological mechanics are identical.


The Universal Phishing Red Flags

These red flags appear across almost every phishing attack type. Learning them builds a reliable detection reflex.

Phishing Red Flags Checklist Table

| Red Flag | What It Looks Like | Why It's Used |
|---|---|---|
| False urgency | "Your account will be suspended in 24 hours" | Bypasses careful thinking |
| Threat of loss | "Failure to verify will result in termination" | Creates fear-based compliance |
| Mismatched domain | paypal-secure.net instead of paypal.com | Deceives at a glance |
| Generic salutation | "Dear Customer" instead of your name | Mass-sent, impersonal |
| Suspicious links | Hover reveals different URL than displayed text | Hides true destination |
| Unexpected attachment | Invoice, document from unknown sender | Malware delivery |
| Requests for credentials | "Verify your username and password" | Direct credential harvest |
| Asks for sensitive info | SSN, bank details, card numbers via email | Legitimate services never ask this way |
| Poor grammar/spelling | Inconsistent text, awkward phrasing | Some attacks, not all modern ones |
| Unusual sender time | 3 AM message from your "bank" | Attacker in different timezone |
| Too-good offers | Free gift, lottery win | Lure-based attacks |
| Unverified sender | Display name doesn't match email address | Name spoofing |

Analyzing a Real Phishing Email

Let me walk through the specific attack that almost caught me, annotating the techniques used. Recognizing these patterns in the abstract is less powerful than seeing them applied.

Subject line: URGENT: Account Security Verification Required — Action Needed by [date + 24 hours]

The subject line uses the single most reliable phishing technique: manufactured urgency with a specific deadline. The deadline is always just long enough to feel real but short enough to prevent careful consideration.

Display name: [My hosting company name] Security Team

The display name can be set to anything. Many email clients show only the display name by default, hiding the actual sender address. Always click or hover to see the real sender email. In this case, the actual sender was a free email address with a randomly generated username.

Greeting: Dear Valued Customer,

I'd been a customer for three years. They had my name. Any email from my actual hosting company would use it. "Dear Valued Customer" immediately signals a mass-sent template rather than a communication about my specific account.

Body: References a "suspicious login attempt from an unrecognized location" — vague enough to apply to anyone, specific enough to sound personalized.

Call to action: A button labeled "Verify My Account" linking to a domain that misspelled the company name by one character.

Bottom of email: Copied legal boilerplate and footer from legitimate emails, making it visually identical to real communications.

Every element serves a purpose. Strip them away and what's left is: "We need your password, and we need it right now." Framed that way, no one complies. Dressed up with urgency, authority, and visual legitimacy, a meaningful percentage do.
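
The sender and link checks from this walkthrough can be automated for triage. The Python below is an added example, not part of the original article; the brand domain examplehost.com, the sample message and the flag names are constructed, and the edit-distance threshold of 2 is an assumption. It also covers the "brand name inside a different domain" case (paypal-secure.net) from the red flags table.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample; "examplehost.com" is a placeholder for the real brand.
RAW = '''From: "ExampleHost Security Team" <k3j9x2q@freemail.example>
Subject: URGENT: Account Security Verification Required

<p>Dear Valued Customer,</p>
<a href="https://examplehosst.com/verify">Verify My Account</a>
'''

class Links(HTMLParser):
    hrefs = ()  # rebound per instance by += below
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += tuple(v for k, v in attrs if k == "href" and v)

def edit_distance(a, b):
    row = list(range(len(b) + 1))  # Levenshtein distance, one row at a time
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def is_trusted(host, trusted):  # exact domain or a true subdomain only
    return any(host == d or host.endswith("." + d) for d in trusted)

def analyze(raw, trusted):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    brands = {d.split(".")[0] for d in trusted}  # "examplehost.com" -> "examplehost"
    sender = addr.rpartition("@")[2].lower()
    flags = []
    if not is_trusted(sender, trusted) and any(b in name.lower() for b in brands):
        flags.append("display-name-mismatch:" + sender)  # name claims the brand
    links = Links()
    links.feed(msg.get_payload())  # assumes a single-part HTML body
    for href in links.hrefs:
        host = (urlsplit(href).hostname or "").lower()
        if is_trusted(host, trusted):
            continue
        if any(edit_distance(host, d) <= 2 for d in trusted):
            flags.append("lookalike-domain:" + host)  # e.g. one-character typo
        elif any(b in host for b in brands):
            flags.append("brand-in-foreign-domain:" + host)
    return flags
```

Calling analyze(RAW, {"examplehost.com"}) flags both the free-mail sender behind the branded display name and the one-character lookalike link target.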


Spear Phishing: Targeted Attacks

Standard phishing is a numbers game. Spear phishing inverts the equation — one highly researched email sent to one specific target.

Attackers build target profiles from public sources: LinkedIn for job title, employer, and colleague names; social media for personal interests and recent activities; company websites for organizational structure; press releases for recent projects. This research takes hours but yields emails that reference real colleagues, real projects, and real organizational context.

A typical business spear phish might read: "Hey [Name], I was reviewing the vendor proposals you mentioned in Tuesday's standup. Can you confirm the wire transfer details for the [real project name] before end of day? [CFO's real name] needs it cleared before the deadline."

This message contains nothing technically suspicious — no misspelled domains, no generic salutations, no obvious urgency theater. It simply asks a plausible business question using real context.

Defense against spear phishing:

  • Verify unexpected requests through a separate channel (call the person, don't reply to the email)
  • Any request involving financial transfers requires voice confirmation, regardless of how legitimate the email appears
  • Train yourself to pause on any request that asks you to do something unusual, even if the message looks entirely normal

I was targeted by a spear phishing attempt at a previous employer. The attacker had correctly identified my manager's name, my project, and even referenced a client we were working with — all from LinkedIn and the company website. The tell was that my manager was in the office twenty feet away. I walked over and asked. He hadn't sent anything.


Smishing: Phishing via SMS

Text message phishing (smishing) has exploded in volume because mobile users are often more trusting of texts than emails, and mobile screens make it harder to inspect links.

Common smishing scenarios:

  • Package delivery notifications with tracking link (often impersonating UPS, FedEx, Royal Mail)
  • Bank security alerts ("Unusual activity detected on your account")
  • Government agency messages (IRS, HMRC, Social Security Administration)
  • Toll/parking violations requiring immediate payment

The same red flags apply: urgency, unexpected contact, requests to click a link or call a number. The critical habit for SMS: never tap links in text messages about accounts or payments. Navigate directly to the service's website or app instead.


Vishing: Voice Call Phishing

Voice phishing exploits real-time social pressure that email cannot replicate. An attacker on a phone call can respond to your objections, provide plausible answers to your questions, and escalate urgency in ways static text cannot.

AI voice cloning has made vishing significantly more dangerous. Attackers can now synthesize a convincing voice clone of someone you know using 30 seconds of audio from social media or voicemail. Calls appearing to be from your CEO, your family member, or your colleague asking for urgent action are now technically feasible at scale.

Defense against vishing:

  • Establish a code word with family members for use in emergency requests (especially financial ones)
  • End any unexpected call requesting payment, credentials, or remote access, then call back using a number you look up independently, not one provided by the caller
  • Legitimate organizations never demand immediate payment or threaten arrest over the phone

Building Phishing-Resistant Habits

Recognizing red flags intellectually is different from having trained reflexes that engage before you click. Building these habits takes deliberate practice.

The Pre-Click Checklist

Before clicking any link in any message about an account:

  1. Who actually sent this? Check the full email address, not just the display name
  2. Was this expected? Did I do anything that would trigger this message?
  3. Does the link destination match what it claims? Hover before clicking
  4. Is there urgency being manufactured? Slow down specifically when you feel rushed
  5. Does this request anything I wouldn't do proactively? Credentials, payment, personal data
  6. Can I verify this through a separate channel? Navigate directly or call the person

This checklist becomes automatic within weeks of consciously applying it. I now run through these checks in seconds without deliberately thinking about them.


Reporting and Responding to Phishing

If you receive a phishing email:

  • Report it to your email provider (Gmail: "Report phishing"; Outlook: "Report" dropdown)
  • If it impersonates a real company, forward it to their abuse email (abuse@[domain].com)
  • In the US, forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org
  • Report SMS phishing to your carrier by forwarding the text to 7726 (SPAM)

If you want to check whether a link is malicious without clicking it: copy the URL and paste it into VirusTotal or Google Safe Browsing for analysis.


FAQ

What is phishing and why is it so effective?

Phishing is a social engineering attack that tricks victims into revealing credentials, clicking malicious links, or transferring money by impersonating a trusted entity. It's effective because it exploits human psychology rather than technical vulnerabilities — urgency, authority, fear, and helpfulness are all leveraged to bypass critical thinking.

How do I check if an email is really from who it claims to be?

Look at the actual sender email address, not just the display name. Display names can be set to anything. Hover over the sender address to see the full email. Check that the domain matches exactly. For critical messages, navigate directly to the website rather than clicking any link in the email.

I clicked a phishing link. What should I do immediately?

If you clicked but didn't enter any information: run a malware scan immediately and monitor your accounts. If you entered credentials: change that password immediately on a different device, enable 2FA if not already active, and check for unauthorized logins. If financial information was entered: contact your bank immediately.

What is spear phishing and how is it different from regular phishing?

Regular phishing is mass-blast — the same generic email sent to millions of addresses. Spear phishing is targeted: the attacker researches a specific individual and references real details to create a message that appears legitimate. Business Email Compromise is a spear phishing variant targeting financial transfers.

Can phishing attacks happen on platforms other than email?

Yes — phishing has spread to every digital channel. SMS phishing (smishing) sends malicious links via text message. Voice phishing (vishing) uses phone calls. Social media phishing sends malicious messages through DMs. QR code phishing embeds malicious URLs in QR codes.


Phishing is the most common attack vector precisely because it works — even on security-conscious people. The defense is not technical sophistication but trained habits: checking sender addresses, navigating directly rather than clicking links, and verifying unexpected requests through separate channels.

Pair phishing awareness with the two-factor authentication methods that contain the damage when credentials are compromised, and the password manager practices that prevent reused credentials from cascading across accounts. Our cybersecurity basics guide covers the full threat landscape; explore our tech career resources for security career paths, and find structured phishing training at our courses page.
