How to Spot and Avoid Phishing Emails and Scams
The Problem
Phishing is the most common way ordinary people get hacked—not clever code, just a convincing email or text that tricks you into typing your password on a fake page or clicking a poisoned link. The good news: almost every phishing attempt leaves the same fingerprints. Once you know what to look for, you can spot them in seconds.
What Is Phishing, Exactly?
Phishing is a message—email, text, or even a phone call—pretending to be someone you trust (your bank, Microsoft, Amazon, a delivery company) to get you to hand over login details, card numbers, or one-time codes. The message usually wants you to act fast so you don't stop to think.
Step 1: Check Who Actually Sent It
The display name is easy to fake; the real email address is not.
- Tap or hover over the sender's name to reveal the full address.
- Look at the part after the @ sign. A real PayPal email comes from
@paypal.com, not@paypal-secure-login.comor@paypa1.com(note the number "1"). - Be suspicious of free domains (
@gmail.com,@outlook.com) claiming to be a big company. Your bank does not email you from a personal Gmail account.
Step 2: Watch for Urgency and Threats
Scammers create panic so you skip your normal caution. Classic red-flag lines include:
- "Your account will be suspended in 24 hours."
- "Unusual login detected—verify immediately."
- "Your payment failed. Update your details now."
- "You've won a prize—claim before it expires."
A real company gives you time and never threatens to delete your account over one email.
Step 3: Inspect Links Before You Click
This is the single most useful habit you can build.
- On a computer: hover your mouse over the link (don't click). The real destination appears at the bottom of the screen.
- On a phone: press and hold the link to preview the address.
- Read the domain carefully.
amazon.comis real;amazon.com.account-verify.ruis not—the real brand is buried in a longer, foreign address.
If anything looks off, don't click. Open a new browser tab and type the company's address yourself instead.
Step 4: Never Enter Passwords From an Email Link
Even a perfect-looking login page can be fake. The safe rule: never sign in by clicking an email link. Go directly to the website or open the official app and log in there. If there's a genuine alert waiting, you'll see it once you're signed in.
Step 5: Treat Attachments With Suspicion
Unexpected attachments—especially .zip, .exe, or files asking you to "enable content"—are a common way malware spreads. If you weren't expecting a file, don't open it. When in doubt, contact the sender through a number or address you already trust, not the one in the email.
Common Scam Types to Recognize
- Fake delivery texts: "Your parcel is held—pay a small fee." Couriers don't collect fees by random text link.
- Tech support scams: a pop-up or call claiming "your PC is infected." Real companies never cold-call about viruses. If you've hit one of these, see remove fake antivirus scareware.
- Boss/CEO scams: an urgent message "from your manager" asking for gift cards or a wire transfer.
- Account verification: a perfect copy of a Microsoft or Google login page asking you to "confirm" your password.
What to Do If You Already Clicked
- Don't panic, but act quickly. If you entered a password, change it immediately—from a device you trust.
- Turn on two-factor authentication so a stolen password alone isn't enough to get in.
- If you typed card details, call your bank and freeze the card.
- Run a malware scan if you downloaded anything—see remove a virus or malware.
Your Three-Second Safety Check
Before reacting to any message, ask:
- Who really sent this? (Check the address, not the name.)
- Are they rushing me? (Urgency is a warning sign.)
- Where does this link actually go? (Hover or long-press first.)
If any answer feels wrong, slow down. A genuine company will never punish you for taking a moment to verify—but a scammer is counting on you not to.
Related guides
How to Spot Scam Text Messages (Smishing)
Fake delivery, bank, and prize texts are everywhere. Learn how to recognize scam text messages—called smishing—and what to do when one arrives.
How to Recover a Hacked Email Account
Locked out or seeing strange activity in your inbox? Step-by-step actions to recover a hacked email account and lock attackers out for good.
How to Avoid Tech-Support Scam Calls and Pop-Ups
That 'Microsoft' call or scary virus pop-up is a scam. Learn how fake tech-support tricks work and exactly what to do when one targets you.
How to Avoid Online Shopping and Payment Scams
Fake stores, too-good-to-be-true deals, and payment tricks cost shoppers billions. Learn the warning signs and how to buy online safely.
How to Protect Your Privacy on Social Media
Your social profiles reveal more than you think. Practical privacy settings and habits to keep your personal info away from strangers and scammers.