How to recognise a phishing email before it is too late
Phishing remains the single most common entry point for cyberattacks. Despite years of awareness campaigns, it works — because the emails keep getting better. Today's phishing messages are often indistinguishable from legitimate correspondence at first glance, using real brand logos, accurate formatting, and contextually relevant subject lines.
Knowing what to look for is still your strongest defence. Here is a practical guide to spotting phishing before you click.
Red flags in the sender address
The display name may say "Apple Support" or "Your Bank", but the actual email address tells a different story. Hover over (or tap and hold on mobile) the sender name to reveal the full address. Look for misspellings, extra characters, or domains that do not match the official website — for example, support@app1e-billing.com instead of support@apple.com.
Urgency and pressure tactics
Phishing emails almost always manufacture urgency. Typical lines include "Your account will be locked in 24 hours", "Unusual sign-in detected — act now", and "Final notice before suspension". Legitimate companies rarely demand immediate action via email. If a message makes you feel rushed, that is a signal to slow down and verify independently.
Suspicious links and attachments
Before clicking any link, hover over it to preview the destination URL. Phishing links often use URL shorteners, misspelled domains, or subdomains designed to look authentic (e.g., login.bankname.fake-domain.com). Unexpected attachments — especially .zip, .exe, or macro-enabled Office files — should be treated with extreme caution.
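The two manual checks above (display name versus real sender domain, and brand names buried in a link's subdomains) can also be automated. The sketch below is an added example, not code from the original article; the allowlist, including bankname.com as the bank's real domain, and all function names are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allowlist for illustration: brand keyword -> domains it really uses.
OFFICIAL_DOMAINS = {
    "apple": {"apple.com"},
    "bankname": {"bankname.com"},
}


def host_in_domain(host, domain):
    """True if host is the domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def impersonated_brands(text, host):
    """Brands named in `text` whose official domains do not cover `host`."""
    text = text.lower()
    return [
        brand
        for brand, domains in OFFICIAL_DOMAINS.items()
        if brand in text and not any(host_in_domain(host, d) for d in domains)
    ]


def check_sender(from_header):
    """Compare the brand claimed in the display name with the address domain."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    return impersonated_brands(display, domain)


def check_link(url):
    """Flag a brand name used anywhere in a hostname the brand does not own."""
    host = urlsplit(url).hostname or ""
    return impersonated_brands(host, host)


if __name__ == "__main__":
    # Constructed samples based on the examples in the text.
    print(check_sender('"Apple Support" <support@app1e-billing.com>'))
    print(check_link("https://login.bankname.fake-domain.com/reset"))
    print(check_link("https://login.bankname.com/reset"))
```

A lookalike spelling such as app1e is only caught here when the display name states the real brand; a link containing only the misspelled name still needs the visual check described above.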
Generic greetings and poor personalisation
Messages that open with "Dear Customer" or "Dear User" rather than your actual name are often bulk phishing attempts. However, targeted spear-phishing may include your name, job title, and recent activity, so personalisation alone does not guarantee legitimacy.
What to do if you suspect phishing
- Do not click any links or download attachments
- Do not reply to the email
- Report it using your email provider's built-in phishing report button
- If the email claims to be from a company you use, navigate to their website directly — never through the email link
- If you already clicked, change your password immediately and run a security scan
The bottom line
Phishing succeeds because it exploits trust and urgency — not because victims are careless. Staying alert to the warning signs and pausing before you click is the most effective protection. Combine that habit with a security suite that includes web filtering and phishing detection, and you dramatically reduce your exposure.