I nearly got caught by one last tax season. (If you're not sure what phishing is, start with our beginner's guide to phishing.) An email that looked like it came from myGov, right colour scheme, official-looking footer, even a reference number. It said my tax return had been processed and I needed to "verify my bank details" to receive my refund. The link went to mygov-refund-au.com, which is very much not a real government domain. The scary part? I only noticed because I happened to check the sender address on a whim. If I hadn't, I'd have been typing my banking credentials into a stranger's form.
These fraudulent messages are designed to steal your passwords, credit card numbers, or personal information by impersonating companies and people you trust. And they're getting alarmingly good at it.
In this guide, I'll show you the eight most reliable warning signs that an email is a phishing attempt, walk through real-world examples, and give you a free tool to analyse suspicious emails.
The 8 Warning Signs of a Phishing Email
1. The Sender's Email Address Doesn't Match
This is the single most reliable indicator. The display name might say "Apple Support" or "PayPal Security Team," but the actual email address tells the real story. Always click on or hover over the sender name to see the full email address. Legitimate emails from Apple come from @apple.com, from PayPal come from @paypal.com, and from your bank come from their official domain.
Display: "PayPal", Actual: service@paypa1-verify.com
Display: "Amazon Orders", Actual: orders@amzn-delivery-update.tk
2. Urgent or Threatening Language
Phishing emails almost always try to create panic. They want you to react emotionally before you have time to think logically. Common urgency phrases include "Your account will be suspended in 24 hours," "Unusual sign-in activity detected," "Immediate action required," and "Your payment was declined." Legitimate companies may notify you about issues, but they won't threaten you with account deletion or legal action via email. I cannot stress this enough, the moment an email makes you feel panicked or rushed, that is precisely when you need to slow down and scrutinise it, because urgency is the single most effective weapon in a phisher's arsenal and they know that a calm, unhurried person almost never falls for these tricks.
3. Generic Greetings
If a company you have an account with sends you an email, they usually know your name. Phishing emails often use generic greetings like "Dear Customer," "Dear User," "Dear Account Holder," or simply "Hello" because the scammer is sending the same email to thousands of people. While some legitimate marketing emails use generic greetings, important security or account alerts from companies you do business with will typically address you by name.
4. Suspicious Links
Before clicking any link in an email, hover over it (on desktop) or long-press it (on mobile) to see where it actually goes. The link text might say "www.paypal.com/verify" but the actual URL could be something completely different. Look for misspelled domain names, unusual domain endings, and IP addresses instead of domain names.
5. Requests for Sensitive Information
No legitimate company will ask you to send your password, Social Security number, credit card number, or PIN via email. Ever. If an email asks you to "confirm" or "verify" sensitive information by replying or clicking a link, it's a phishing attempt. Real companies already have your information and wouldn't need you to send it over email.
6. Unexpected Attachments
Phishing emails frequently include attachments disguised as invoices, receipts, shipping labels, or documents. These files can contain malware that infects your device when opened. Be especially cautious with .exe, .zip, .docm, .xlsm, and .js file types. Even PDFs can contain malicious links. If you're not expecting an attachment, don't open it, contact the supposed sender through a different channel to verify.
7. Spelling and Grammar Errors
While modern phishing emails have improved significantly (especially with AI writing tools), many still contain subtle errors that legitimate corporate communications wouldn't have. Watch for awkward phrasing, inconsistent formatting, mismatched fonts within the same email, and slightly "off" language that doesn't match how the company normally communicates.
Note that AI-generated phishing emails are becoming increasingly polished, so don't rely on grammar alone, always check the other warning signs too.
8. Failed Email Authentication
This is more technical but very reliable. Legitimate companies use email authentication protocols, SPF, DKIM, and DMARC, to prove their emails are genuine. When these checks fail, it means the email wasn't actually sent by the claimed sender. Most email clients show authentication results if you look at the full email headers, or you can upload the email to a tool like ScanTotal's Email Analyzer which checks these automatically.
Real-World Phishing Email Examples
Here's what a typical phishing email looks like versus a legitimate one.
Subject: Your Apple ID Has Been Locked!
Dear Customer,
We detected unusual activity on your Apple ID. Your account has been temporarily locked for security reasons. If you don't verify your identity within 24 hours, your account will be permanently deleted.
[Verify Now] → links to apple-id-secure.xyz
Subject: Your Apple ID was used to sign in
Hi John,
Your Apple ID (john@email.com) was used to sign in to iCloud on a MacBook Pro. If this was you, no action is needed. If you didn't sign in, go to appleid.apple.com to update your security settings.
[No threatening deadline, links to apple.com]
Notice the differences: the phishing email uses a fake domain, generic greeting, threatening language, and an urgent deadline. The legitimate email uses the real Apple domain, addresses you by name, provides specific details, and doesn't threaten account deletion.
What to Do If You Suspect a Phishing Email
Don't click any links or download attachments. If you need to check your account, open your browser and go directly to the company's website by typing the address yourself.
Check the sender's email address. Look at the actual email address, not just the display name.
Report it. Most email providers have a "Report phishing" button. Use it, it helps protect other users.
Delete it. Once reported, delete the email to avoid accidentally clicking something later.
If you already clicked a link: close the page immediately, change your passwords, enable two-factor authentication on all important accounts, and monitor your bank statements for unusual activity.
How to Analyse a Suspicious Email
If you want a thorough analysis, you can save the email as a .eml file and upload it to ScanTotal's Email Analyzer. The tool checks the sender's email authentication (SPF, DKIM, DMARC), analyses the sender's domain for trust indicators, scans for suspicious links and attachments, and provides a threat assessment with detailed findings.
To save an email as .eml: in Gmail, open the email, click the three dots menu, and select "Download message." In Outlook, drag the email to your desktop. In Apple Mail, drag the email to your desktop or use File > Save As.
What I Tell Everyone Who Asks
Check the sender's actual email address, not the display name, the real address. That one habit catches the vast majority of phishing attempts before you even finish reading the email. If it's not from the company's official domain, it's fake. When in doubt, ignore the email entirely and go directly to the website by typing the address yourself. I do this every single time I get a "security alert" from any bank or service, and it's never once been a real problem that I missed by not clicking the link. Not once. The five seconds you spend checking beats the five days you'd spend recovering from identity theft.