How to Spot and Avoid Phishing Emails and Scams

My Technician

The Problem

Phishing is the most common way ordinary people get hacked—not clever code, just a convincing email or text that tricks you into typing your password on a fake page or clicking a poisoned link. The good news: almost every phishing attempt leaves the same fingerprints. Once you know what to look for, you can spot them in seconds.

What Is Phishing, Exactly?

Phishing is a message—email, text, or even a phone call—pretending to be someone you trust (your bank, Microsoft, Amazon, a delivery company) to get you to hand over login details, card numbers, or one-time codes. The message usually wants you to act fast so you don't stop to think.

Step 1: Check Who Actually Sent It

The display name is easy to fake; the real email address is not.

  1. Tap or hover over the sender's name to reveal the full address.
  2. Look at the part after the @ sign. A real PayPal email comes from @paypal.com, not @paypal-secure-login.com or @paypa1.com (note the number "1").
  3. Be suspicious of free domains (@gmail.com, @outlook.com) claiming to be a big company. Your bank does not email you from a personal Gmail account.

Step 2: Watch for Urgency and Threats

Scammers create panic so you skip your normal caution. Classic red-flag lines include:

  • "Your account will be suspended in 24 hours."
  • "Unusual login detected—verify immediately."
  • "Your payment failed. Update your details now."
  • "You've won a prize—claim before it expires."

A real company gives you time and never threatens to delete your account over one email.

Step 3: Inspect Links Before You Click

This is the single most useful habit you can build.

  1. On a computer: hover your mouse over the link (don't click). The real destination appears at the bottom of the screen.
  2. On a phone: press and hold the link to preview the address.
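  3. Read the domain carefully. amazon.com is real; amazon.com.account-verify.ru is not. In the second one the real brand is buried at the front of a longer, foreign address, and the site you would actually reach is account-verify.ru, the part at the end.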

If anything looks off, don't click. Open a new browser tab and type the company's address yourself instead.
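
The checks from Step 1 and Step 3, written out as a short Python script. This is an added example, not part of the original article; the TRUSTED list, the digit-swap table and the sample addresses are assumptions made for the illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption for this example: the companies you really deal with.
TRUSTED = {"paypal.com", "amazon.com"}
# Free mail providers named in Step 1.
FREE_MAIL = {"gmail.com", "outlook.com"}
# Constructed list of digit-for-letter swaps, as in paypa1.com (1 for l).
SWAPS = str.maketrans("0135", "oles")


def host_of(value):
    """Return the lowercase host of a link, or of a From header's address."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        # parseaddr drops the display name, which is the part anyone can fake.
        host = parseaddr(value)[1].rpartition("@")[2]
    return host.rstrip(".").lower()


def classify(value):
    """Return 'trusted', 'free-mail', 'lookalike' or 'unknown'."""
    host = host_of(value)
    # Genuine only if the host IS the domain or ends with "." + domain.
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    if host in FREE_MAIL:
        return "free-mail"
    # A trusted brand name showing up anywhere else in the host is the
    # fingerprint from Steps 1 and 3: prefix, hyphenated add-on or swap.
    readable = host.translate(SWAPS)
    if any(d.split(".")[0] in readable for d in TRUSTED):
        return "lookalike"
    return "unknown"  # not proven safe, just not matched by these rules


if __name__ == "__main__":
    samples = [  # constructed samples built from the article's own examples
        "PayPal <service@paypal.com>",
        "PayPal <service@paypa1.com>",
        "PayPal Security <help@paypal-secure-login.com>",
        "Your Bank <yourbank.alerts@gmail.com>",
        "https://www.amazon.com/orders",
        "https://amazon.com.account-verify.ru/signin",
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```

The key line is the "ends with" test: a brand name only counts when it sits at the very end of the host, which is why www.amazon.com passes and amazon.com.account-verify.ru does not.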

Step 4: Never Enter Passwords From an Email Link

Even a perfect-looking login page can be fake. The safe rule: never sign in by clicking an email link. Go directly to the website or open the official app and log in there. If there's a genuine alert waiting, you'll see it once you're signed in.

Step 5: Treat Attachments With Suspicion

Unexpected attachments—especially .zip, .exe, or files asking you to "enable content"—are a common way malware spreads. If you weren't expecting a file, don't open it. When in doubt, contact the sender through a number or address you already trust, not the one in the email.

Common Scam Types to Recognize

  • Fake delivery texts: "Your parcel is held—pay a small fee." Couriers don't collect fees by random text link.
  • Tech support scams: a pop-up or call claiming "your PC is infected." Real companies never cold-call about viruses. If you've hit one of these, see "Remove fake antivirus scareware."
  • Boss/CEO scams: an urgent message "from your manager" asking for gift cards or a wire transfer.
  • Account verification: a perfect copy of a Microsoft or Google login page asking you to "confirm" your password.

What to Do If You Already Clicked

  1. Don't panic, but act quickly. If you entered a password, change it immediately—from a device you trust.
  2. Turn on two-factor authentication so a stolen password alone isn't enough to get in.
  3. If you typed card details, call your bank and freeze the card.
  4. Run a malware scan if you downloaded anything. See "Remove a virus or malware."

Your Three-Second Safety Check

Before reacting to any message, ask:

  1. Who really sent this? (Check the address, not the name.)
  2. Are they rushing me? (Urgency is a warning sign.)
  3. Where does this link actually go? (Hover or long-press first.)

If any answer feels wrong, slow down. A genuine company will never punish you for taking a moment to verify—but a scammer is counting on you not to.