Phishing is the most common way people get hacked, and it works because the attacks look legitimate. A well-crafted phishing email from a supposed bank, employer, or tech company can fool even careful people. The criminals behind these attacks have gotten very good at mimicking real organizations, and the stakes are high: stolen credentials, emptied bank accounts, and compromised identities.
How to Spot Phishing Emails and Fake Websites
Learning to spot the signs is not difficult once you know what to look for.
Most phishing attempts share common patterns that give them away if you take a few seconds to check before clicking.
Check the Sender's Email Address
This is the first and most important check. Phishing emails often come from addresses that look similar to legitimate ones but have subtle differences. Common tricks include an address like "[email protected]" with a zero in place of the letter O, or mail sent from "[email protected]" instead of "[email protected]".
Look at the full email address, not just the display name.
Email clients show a friendly name like "Amazon Customer Service" above the actual address. Clicking or hovering over the display name reveals the real address underneath. If the address does not match the company's actual domain, it is fake.
Legitimate companies send emails from their own domains. Your bank will email you from @bankname.com, not from @bankname-alerts.com or @gmail.com. Any email from a major company coming from a free email provider like Gmail, Yahoo, or Outlook is almost certainly a phishing attempt.
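The sender check above, written out as a small script: it separates the display name from the real address, flags free mail providers and lookalike domains, and notices when the display name borrows a brand the address does not belong to. This is an added example, not code from the original article; the `example.com` brand, the sample headers and the provider list are constructed for illustration.

```python
from email.utils import parseaddr

# Free mail providers named in the article (assumption: list is illustrative, not exhaustive).
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def registrable_domain(host: str) -> str:
    """Last two labels of a host. Assumption: no public-suffix list, so this is
    only right for simple TLDs such as .com (example.co.uk would be mishandled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_sender(from_header: str, expected_domain: str) -> list[str]:
    """Return warnings for a From: header that claims to come from expected_domain.
    An empty list means the address domain matches and nothing looked off."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    warnings = []
    domain = address.rsplit("@", 1)[1].lower()
    reg = registrable_domain(domain)
    brand = expected_domain.split(".")[0]
    if reg in FREE_MAIL_PROVIDERS:
        warnings.append(f"sent from free mail provider {reg}")
    elif reg != expected_domain:
        warnings.append(f"address domain {domain} is not {expected_domain}")
    # The friendly name says one company while the address belongs to another.
    if brand in display_name.lower() and reg != expected_domain:
        warnings.append(f"display name '{display_name}' impersonates {brand}")
    # Undo the digit-for-letter substitutions the article describes (0 for o, 1 for l).
    lookalike = domain.translate(str.maketrans("01", "ol"))
    if lookalike != domain and registrable_domain(lookalike) == expected_domain:
        warnings.append(f"{domain} is a lookalike of {expected_domain}")
    return warnings

# Constructed sample header (not a real sender) showing the digit-substitution trick.
SAMPLE_WARNINGS = check_sender('"Example Customer Service" <service@examp1e.com>', "example.com")
```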
Urgency and Threats
Phishing emails create artificial urgency to prevent you from thinking critically.
Messages like "Your account will be suspended in 24 hours," "Unauthorized login detected, act now," or "Your payment failed, update immediately" are designed to trigger a panic response that bypasses your better judgment.
Real companies do send security alerts, but they typically give you time to respond and provide multiple ways to verify the issue. If an email demands immediate action and makes you feel anxious, take a breath and verify independently.
Go directly to the company's website by typing the URL into your browser rather than clicking any links in the email.
Threats of account closure, legal action, or financial penalties are almost always phishing tactics. Legitimate organizations handle account issues through their normal customer service channels, not through threatening emails.
Hover Over Links Before Clicking
Every link in an email has two parts: the text you see and the actual URL it leads to. Phishing emails display text like "Click here to verify your account" while the underlying link points to a completely different website controlled by the attacker.
On a computer, hover your mouse over any link without clicking it.
Your email client or browser will show the actual destination URL, usually in the bottom-left corner of the screen. If the URL does not match the company the email claims to be from, do not click it.
On a phone, press and hold the link to preview the URL. This is harder to do on mobile, which is one reason phishing attacks increasingly target mobile users who are more likely to tap links without checking.
Watch for URL tricks like misspelled domains (gooogle.com instead of google.com), extra subdomains (login.paypal.secure-verify.com where the actual domain is secure-verify.com, not paypal.com), and URL shorteners that hide the true destination.
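The hover check and the URL tricks listed above, as an added example that is not part of the original article: it extracts the real host from a link, reduces it to the registrable domain, and reports the subdomain trick, misspellings a couple of edits away from the real name, and shorteners. The shortener list and the sample link are constructed assumptions; the domains used are the ones the article itself mentions.

```python
from urllib.parse import urlsplit

# Well-known public URL shorteners (assumption: illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

def registrable_domain(host: str) -> str:
    """Last two labels of a host. Assumption: no public-suffix list, so this is
    only right for simple TLDs such as .com (example.co.uk would be mishandled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspellings such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(visible_text: str, href: str, expected_domain: str) -> list[str]:
    """Compare a link's real destination with the company the email claims to be.
    Returns a list of findings; an empty list means nothing suspicious was seen."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return ["link has no host name"]
    findings = []
    reg = registrable_domain(host)
    brand = expected_domain.split(".")[0]
    if reg in SHORTENERS:
        findings.append(f"{reg} is a URL shortener; the true destination is hidden")
    elif reg != expected_domain:
        findings.append(f"real destination is {reg}, not {expected_domain}")
        if brand in host.split(".")[:-2]:
            findings.append(f"'{brand}' appears only as a subdomain of {reg}")
        elif 0 < edit_distance(reg, expected_domain) <= 2:
            findings.append(f"{reg} looks like a misspelling of {expected_domain}")
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if brand in visible_text.lower() and reg != expected_domain:
        findings.append("visible text names the brand but the link goes elsewhere")
    return findings

# Constructed sample mirroring the article's subdomain trick.
SAMPLE_FINDINGS = check_link("Click here to verify your account",
                             "https://login.paypal.secure-verify.com/", "paypal.com")
```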
Poor Grammar and Generic Greetings
While phishing emails have improved in quality, many still contain grammatical errors, awkward phrasing, or unusual formatting that legitimate corporate communications would not have.
Mismatched fonts, inconsistent capitalization, and sentences that do not quite read naturally are all red flags.
Generic greetings like "Dear Customer" or "Dear User" instead of your actual name suggest a mass-sent phishing campaign rather than a legitimate communication. Most companies with your account information will address you by name.
That said, do not rely on grammar alone.
AI tools have made it easy for attackers to generate polished, grammatically correct phishing emails. Always verify through other methods rather than trusting an email just because it reads well.
Unexpected Attachments
Legitimate companies rarely send unexpected attachments. If you receive an email with an attachment you were not expecting, especially a zip file, executable, or document with macros, do not open it. These are common delivery methods for malware.
Even PDF attachments can be dangerous if they contain embedded links to phishing sites. If a company needs you to download a document, go to their website directly and access it from your account rather than opening an email attachment.
Invoice scams are particularly common.
An email claiming to have an invoice attached from a company you do business with is convincing, but legitimate invoices are usually accessible through your account portal rather than sent as email attachments.
Spotting Fake Websites
If you do click a link, checking the website itself can still save you. Fake login pages are designed to capture your credentials, and they often look very similar to the real thing.
Check the URL carefully.
The domain should exactly match the legitimate site. An HTTPS connection (padlock icon) does not guarantee safety, since attackers can obtain valid TLS certificates (still commonly called SSL certificates) for their fake sites. The padlock only means the connection is encrypted, not that the website is trustworthy.
Look for inconsistencies on the page. Missing navigation links, broken images, slightly different colors or fonts from the real site, and forms that only ask for login credentials without any other page content are signs of a fake.
Test by clicking links on the page. On a phishing site, navigation links often do not work or all redirect to the same fake login form.
Try entering a deliberately wrong password. A real website will tell you the password is incorrect. A phishing site will typically accept any input, because its purpose is to capture whatever you type, not to actually authenticate you. After accepting your fake credentials, it usually redirects you to the real site so you do not realize what happened. Bear in mind that even a wrong password still tells the site that your username or email address is real, so treat this as a last check, not the first one.
What to Do If You Suspect Phishing
Do not click any links or download any attachments. If you need to check whether the email is legitimate, go directly to the company's website by typing the URL manually into your browser. Log into your account normally and check for any alerts or messages there.
Report the phishing email to your email provider. Most clients have a "Report Phishing" or "Report Spam" option. This helps train spam filters and protects other users. You can also forward phishing emails to the company being impersonated, as most have a dedicated abuse reporting address.
If you already clicked a link and entered your credentials on a suspicious site, change your password for that account immediately from the real website. Enable two-factor authentication if you have not already. Monitor your account for unauthorized activity and contact the company's support team to flag the issue.
Two-Factor Authentication Is Your Safety Net
Even if a phishing attack captures your password, two-factor authentication prevents the attacker from accessing your account without your second verification factor. This is the single most effective protection against credential theft.
Use an authenticator app like Google Authenticator, Authy, or a hardware security key like YubiKey for your most important accounts. SMS-based two-factor is better than nothing but can be bypassed through SIM-swapping attacks. App-based or hardware-based authentication is significantly more secure.
Enable two-factor authentication on your email account first, since whoever controls your email can reset passwords on all your other accounts. Then add it to banking, social media, and any service that contains sensitive personal or financial information.
