
How to Spot a Phishing Email: A Comprehensive Guide for Everyone

August 22, 2025

Phishing Is Still the Number One Threat

If there is one thing I want everyone to understand, it is this: phishing emails are the single most common way that people and organizations get hacked. Not some fancy zero-day exploit. Not a mysterious hacker in a dark room. A simple, well-crafted email that tricks someone into clicking a link or entering their password.

I am Bruce Johnson, a cybersecurity speaker based in the San Francisco Bay Area, and I have spent my career helping people recognize these attacks before they cause damage. The truth is, phishing emails have gotten incredibly sophisticated. But they still follow patterns, and once you know what to look for, they become much easier to spot.

Red Flag 1: A Sense of Urgency

Phishing emails almost always try to make you panic. "Your account has been compromised — act now!" "Your payment failed — update your information immediately!" "You have 24 hours to verify your identity or your account will be locked."

This urgency is intentional. When people feel rushed, they stop thinking critically. They click links without looking at them. They enter passwords without checking the URL. The attackers know this, and they exploit it.

Here is my rule of thumb: if an email makes you feel like you need to act right this second, that is exactly when you should slow down. Take a breath. Look at the email carefully. Legitimate companies rarely create this kind of artificial urgency.

Red Flag 2: Suspicious Sender Addresses

This one catches a lot of people off guard. The email might say it is from "Apple Support" or "Microsoft Security Team," but if you look at the actual sender address, it is something like support@apple-secure-verify.com or microsoft.alerts@randomdomain.net.

Attackers register domains that look close enough to the real thing that most people will not notice, especially on a phone where the full email address might be hidden. Some are outright lookalikes that differ by a character or two (an "rn" where an "m" should be, for instance). Always tap or click on the sender name to reveal the full email address. If it does not match the official domain of the company, do not trust it. The reverse is not a guarantee, though: a sender address can be forged outright when the company has not set up the email authentication records (SPF, DKIM and DMARC) that let your mail provider reject fakes, so treat a matching address as one check among several rather than proof.

A real example: I have seen phishing emails that look identical to PayPal notifications, right down to the logo and formatting. But the sender address was paypal-service@secure-payment-center.com. That is not PayPal. That is someone pretending to be PayPal.

Red Flag 3: Hover Over Links Before Clicking

This is one of the most important habits you can develop. Before you click any link in an email, hover your mouse over it. On a computer, the actual URL will appear in the bottom-left corner of your browser or as a tooltip. On a phone, press and hold the link to preview the URL.

What you are looking for is whether the link goes where you expect it to go. If the email says it is from your bank but the link points to something like http://banking-verify-account.sketchy-site.com, that is a phishing attempt. Read the domain from the right: the part that matters is the name just before the ".com" (or whatever ending it has), not whatever appears at the start. A link to paypal.com.secure-payment-center.com goes to secure-payment-center.com, no matter how much "paypal.com" appears in front of it. Remember too that the words you see underlined can say anything; only the address that appears when you hover tells you where the click will take you.

Legitimate links normally go to the company's actual domain. Amazon links go to amazon.com. Google links go to google.com. Some genuine marketing emails do route clicks through a tracking domain you will not recognize, so an unfamiliar domain is a reason not to click rather than proof of fraud. Either way, if the domain looks unfamiliar or has extra words tacked on, do not click it; go to the site directly instead.
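The two checks above, reading the real domain behind a sender address (Red Flag 2) and behind every link in the body (Red Flag 3), can be done by a script over a saved message, which is handy when you want to triage a reported email without opening it. The following is an added example, not code from the original post: it parses a constructed sample message modelled on the PayPal lookalike described earlier (every address and domain in it is made up), and reports a red flag whenever the sender's domain or a link's real domain falls outside an assumed allow-list, or when a link's visible text shows one address while its target is another. The `registrable_domain` helper and the `LEGIT_DOMAINS` allow-list are simplifying assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; every address and domain is made up.
RAW_MESSAGE = """\
From: "PayPal Service" <paypal-service@secure-payment-center.com>
To: you@example.com
Subject: Your account has been limited - act now
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Please <a href="http://paypal.com.secure-payment-center.com/verify">log in to PayPal</a>
within 24 hours to restore access.</p>
<p>Or use <a href="https://secure-payment-center.com/login">https://www.paypal.com/login</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
</body></html>
"""

# Assumed allow-list: domains the impersonated brand genuinely sends from and links to.
LEGIT_DOMAINS = {"paypal.com"}


def registrable_domain(host: str) -> str:
    """Read the domain from the right: 'paypal.com.evil.com' -> 'evil.com'.
    Simplification for this example: a real checker would consult the Public
    Suffix List so that names like 'example.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw: str, legit_domains: set[str]) -> list[str]:
    """Return a list of red-flag descriptions; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # Red Flag 2: the display name is trivially faked, so judge the address's domain.
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(address.rsplit("@", 1)[-1])
    if sender_domain not in legit_domains:
        flags.append(f"sender '{display_name}' uses domain {sender_domain}, not an expected domain")

    # Red Flag 3: for each link, where does the click really go?
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        if target not in legit_domains:
            flags.append(f"link '{text}' points at {target} (full host {host})")
        # Visible text that is itself a URL but names a different domain is a classic trick.
        if text.startswith(("http://", "https://")):
            shown = registrable_domain(urlparse(text).hostname or "")
            if shown != target:
                flags.append(f"link text shows {shown} but the target is {target}")
    return flags


if __name__ == "__main__":
    for flag in analyze_message(RAW_MESSAGE, LEGIT_DOMAINS):
        print("RED FLAG:", flag)
```

Run against the sample, it reports the sender's domain, the first link (whose host merely begins with "paypal.com"), and the second link twice: once for its real domain and once because the visible text names a different domain than the target. The third link passes. The script only looks at domains; it says nothing about whether a message was authenticated, which is the separate caveat noted under Red Flag 2.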

Red Flag 4: Grammar Mistakes and Odd Formatting

This used to be one of the easiest ways to spot phishing emails, and while attackers have gotten much better at writing convincing messages, many phishing emails still contain telltale errors. Misspelled words, awkward phrasing, inconsistent formatting, or logos that look slightly off.

Pay attention to how the email addresses you. A legitimate email from your bank will usually use your actual name. A phishing email might say "Dear Customer" or "Dear User" because the attacker does not know your name.

That said, do not rely on this alone. AI tools have made it possible for attackers to write polished, grammatically perfect phishing emails. Grammar mistakes are a red flag when they are present, but their absence does not guarantee an email is safe.

Red Flag 5: Requests for Personal Information

No legitimate company will ever ask you to send your password, Social Security number, or credit card number via email. Period. If an email asks you to reply with sensitive information, it is a scam.

This also applies to emails that ask you to "verify" your account by clicking a link and entering your credentials. If you think there might be a real issue with your account, go directly to the company's website by typing the URL into your browser — do not use the link in the email.

Red Flag 6: Too-Good-to-Be-True Offers

You did not win a lottery you never entered. You are not getting a free iPhone. A Nigerian prince does not need your help moving money. These scams sound obvious when I list them out, but they still work because they are designed to trigger excitement and greed — emotions that override careful thinking.

Modern versions of these scams are more subtle. You might get an email about an "exclusive discount" from a retailer you actually shop at, or a "limited-time offer" from a company you recognize. The key is to verify the offer independently. Go to the company's website directly. Call their customer service number. Do not trust the email alone.

What to Do If You Click a Bad Link

It happens. Even security professionals occasionally click something they should not have. The important thing is what you do next.

First, do not enter any information on the page that opens. Close it immediately.

Second, if you did enter a password, change that password right away, and change it on any other site where you used the same password. This is another reason why unique passwords for every account are so important. While you are in the account settings, turn on two-factor authentication if the site offers it, and sign out of any sessions you do not recognize, since the attacker may already be logged in with the password you just handed over.

Third, run a scan with your antivirus software if you have it.

Fourth, report the email. Most email providers have a "Report Phishing" option. At work, forward the email to your IT or security team.

Fifth, if you entered financial information, contact your bank or credit card company immediately. They can freeze your account and watch for suspicious activity.

Building a Phishing-Resistant Culture

If you are responsible for a team or an organization, the best thing you can do is create an environment where people feel safe reporting suspicious emails — even if they already clicked a link. When employees are afraid of getting in trouble, they stay quiet, and that makes the damage worse.

Regular training helps too. Not the kind where you read a policy document and check a box, but real, interactive sessions where people practice identifying phishing emails. I run these workshops throughout the Bay Area, and the difference between a trained team and an untrained team is night and day.

The Bottom Line

Phishing emails are not going away. They are getting more sophisticated every year. But the fundamental red flags remain the same: urgency, suspicious senders, misleading links, requests for personal information, and offers that seem too good to be true. Learn to recognize these patterns, and you will be much safer online.

Stay alert, take your time, and when in doubt — do not click.