How to Spot a Phishing Email
Even the best spam filter will let one slip through eventually. Here's how to catch the rest yourself in about five seconds.
The red flags
- Urgency. "Your account will be suspended in 24 hours." The countdown is there to stop you thinking. Legitimate notices rarely demand action within hours, and they never insist that you act through the link in the email itself.
- Mismatched sender. The display name says "Bank of America" but the actual address is something like bofa.security@randomdomain.tk. Click or tap the sender name to expand it and check the address, not just the name.
- Generic greeting. "Dear Customer" instead of your actual name, especially from a company that knows your name.
- Unexpected attachments, especially .zip files, .docm (macro-enabled Office) files, or anything ending in .exe, .scr, or .iso.
- Links that don't match the displayed text. The text says amazon.com but hovering shows amaz0n-secure.ru. Watch for look-alike spellings (a zero for an "o") and for the real brand name buried inside a longer domain that belongs to someone else.
- Requests for sensitive info via email. Banks, the IRS, Microsoft, and Amazon will never ask for your password, SSN, or full card number in email. Ever.
- "Confirm your account" messages from services you didn't recently sign up for.
Hover before you click
On a desktop browser or mail client, hover over any link without clicking; the real destination URL appears in the status bar at the bottom of the window (usually bottom-left). If it doesn't match where the link claims to go, don't click. One caveat: legitimate newsletters often route links through a click-tracking domain, so a mismatch alone isn't proof, but an unfamiliar domain is reason enough to go around the email instead.
On phones, this is harder. Long-press the link instead; most mail apps and browsers show the destination in a preview or menu. Don't tap it.
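The sender, link, attachment and wording checks above are mechanical enough to script. The following is an added example, not part of the original page, that runs those checks over a constructed sample message and a constructed benign one. It assumes a hypothetical allowlist of brand-to-domain pairs (BRAND_DOMAINS), a crude "last two labels" notion of a site (registrable), and a small list of risky attachment extensions; the message contents are made up for the demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not a real message: brand name in the display name on a
# foreign domain, link text naming one site with an href to another, a generic
# greeting, a countdown, and a .zip attachment.
PHISH_EML = b"""From: "Amazon Security" <account-alert@amazon-secure-login.tk>
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer, verify now at
<a href="http://amaz0n-secure.ru/login">amazon.com</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign message: matching domain, link text and href agree.
CLEAN_EML = b"""From: "Amazon.com" <order-update@amazon.com>
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<p>Hello Jane, track it at <a href="https://www.amazon.com/orders">amazon.com</a>.</p>
"""

# Illustrative allowlist (an assumption for the demo): brand -> domain it really
# sends from, in the "last two labels" form that registrable() returns.
BRAND_DOMAINS = {"amazon": {"amazon.com"}, "paypal": {"paypal.com"}}
RISKY_EXTENSIONS = {".zip", ".docm", ".xlsm", ".exe", ".scr", ".iso", ".lnk", ".js"}
URGENCY = re.compile(r"\b(suspend\w*|within \d+ hours|immediately|urgent|verify now)\b", re.I)
HOST_IN_TEXT = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

def registrable(host):
    """Crude 'site' of a host (last two labels); a real filter would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw):
    """Return the red flags found in a raw RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    # Mismatched sender: display name claims a brand, address lives elsewhere.
    name, addr = parseaddr(msg.get("From", ""))
    sender_site = registrable(addr.rpartition("@")[2])
    for brand, real_sites in BRAND_DOMAINS.items():
        if brand in name.lower() and sender_site not in real_sites:
            flags.append(f"sender: '{name}' but address is on {sender_site}")
    # Link whose visible text names a different site than its href.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            target = urlsplit(href).hostname or ""
            shown = HOST_IN_TEXT.search(text)
            if shown and registrable(shown.group(1)) != registrable(target):
                flags.append(f"link: text says {shown.group(1)} but goes to {target}")
    # Attachment types that commonly carry malware.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = fname[fname.rfind("."):].lower() if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"attachment: {fname}")
    # Pressure wording and generic greeting, checked over subject plus body.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    wording = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(wording):
        flags.append("wording: urgency/countdown")
    if re.search(r"\bdear (customer|user|member|client)\b", wording, re.I):
        flags.append("wording: generic greeting")
    return flags
```

Calling analyse(PHISH_EML) returns five flags (sender, link, attachment, urgency, generic greeting) while analyse(CLEAN_EML) returns an empty list. The link check compares the site named in the visible text with the site the href actually goes to, which is exactly what hovering does by hand; the sender check only works for brands in the allowlist, which is why a mail filter maintains a much larger one.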
When in doubt, go around the email
If you get an "important account notice" from a company, don't click the email link. Open a new browser tab and type the company's address yourself (or use a bookmark or the company's official app). If there really is something for you to do, it'll be in your account when you log in.
If you already clicked
- Don't enter any information if the page is asking for credentials.
- If you did enter your password, change it immediately on the real site (reach it by typing the address, not via the email), and on any other site where you used the same password (this is why password managers help). Turn on two-factor authentication if the account offers it, and sign out of all other sessions where the site allows it, since the attacker may already be logged in.
- Run a full antivirus scan. Microsoft Defender, built into Windows (formerly Windows Defender), is fine for this.
- If it was a work account or a financial account, call us. Faster to handle a small problem than a big one.
Reporting
Forward suspected phishing to reportphishing@apwg.org (the Anti-Phishing Working Group); forward it as an attachment if your mail client can, so the original headers survive. For brand-impersonation phishing, most major companies publish a specific address, e.g. phishing@paypal.com or stop-spoofing@amazon.com. Gmail and Outlook also have a built-in "Report phishing" option that sends the message and its headers to the provider. If it arrived at a work address, report it to us as well so we can check whether anyone else received the same message.