How to Spot Phishing Emails
How to handle suspicious email without relying on typos, logos, or perfect inspection.
Do not sign in, pay, call, download, or verify from an unexpected email. Open the real app or type the real website yourself.
The Email Rule
Phishing emails work by making the message feel like the place where the problem must be solved. That is the trap.
If an email says your bank account has a problem, close the email and open your banking app. If it says your Microsoft, Amazon, Netflix, PayPal, or Apple account needs attention, type the real website yourself or open the app you already use. If it gives you a phone number, do not call that number; use the number on the card, statement, official website, or app.
If the issue is real, it will still be there when you arrive through the front door.
Checks That Help
Inspection can help, but it is not the primary defense. The primary defense is leaving the email and using a known-good route.
- Sender domain: tap or click the sender name and look at the real address. support@netflix-billing.com is not the same as netflix.com, even if the display name says Netflix.
- Link destination: on a computer, hover before clicking; on a phone, press and hold without opening. Short links, misspelled domains, and extra words around a brand name are reasons to stop.
- Attachments: do not open unexpected invoices, shipping labels, security reports, voicemail files, or shared documents. If the file matters, confirm through the real company, person, or work system first.
- Unexpected urgency: “today only,” “your account will close,” “unusual activity,” and “payment failed” are designed to move you from reading to reacting.
- Request type: stop when the email asks you to sign in, reset a password, approve a login, share a one-time code, update payment details, download software, open an attachment, or call a number.
These checks are useful because they can give you a reason to stop. They are not a reason to trust the email and keep going inside it.
Let Your Password Manager Help
Password managers do more than remember passwords. They check domains.
If you saved your Amazon password for amazon.com, your password manager should offer it on Amazon’s real sign-in page. If a page looks like Microsoft, Amazon, Netflix, or your bank but the password manager does not offer the saved password, stop.
That warning catches polished phishing pages because the domain is wrong. The logo, colors, wording, and grammar can all look perfect. The password manager is not judging the design; it is checking whether you are actually on the site where that password belongs. Do not work around it by copying the password out of the manager and pasting it in by hand: that defeats the one check the manager was making. Leave the page and go in through the app or the address you typed yourself.
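The sender-domain check above and the password manager's autofill decision are the same comparison: look at the registrable domain of the real address or link, not at the display name, the brand words around it, or the look of the page. The following is an added Python example written for this page, not code from the page or from any password manager. It assumes a tiny constructed stand-in for the Public Suffix List (PUBLIC_SUFFIXES) and uses constructed sample addresses taken from the example emails on this page.

```python
"""Added example (not from the page): registrable-domain comparison, the check
behind "look at the real address" and behind a password manager's autofill."""
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List. Real tools load the full
# list; "co.uk" is included to show why "last two labels" is not always right.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def normalize_host(host: str) -> str:
    """Lowercase, strip a trailing dot, and convert non-ASCII labels to
    punycode, so a lookalike such as a Cyrillic 'а' in 'аmazon.com' can never
    compare equal to the ASCII 'amazon.com'."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def registrable_domain(host: str) -> str:
    """'www.amazon.com' -> 'amazon.com'; 'login.bank.co.uk' -> 'bank.co.uk'.
    Longer suffixes are tried first, so 'co.uk' wins over 'uk'."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: best effort


def sender_domain(header_from: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name."""
    addr = header_from.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return registrable_domain(addr.rsplit("@", 1)[-1])


def url_domain(url: str) -> str:
    """Registrable domain of a link target, or '' if the URL has no host."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) if host else ""


def same_site(a: str, b: str) -> bool:
    """True only when both hostnames share one registrable domain."""
    return registrable_domain(a) == registrable_domain(b)


def manager_would_autofill(page_url: str, saved_for: str) -> bool:
    """A password manager offers a saved login only when the page's
    registrable domain equals the one the login was saved for. Subdomains of
    the real site match; lookalikes and 'brand-word.com' domains do not."""
    return url_domain(page_url) == registrable_domain(saved_for)


if __name__ == "__main__":
    # Constructed samples, taken from the example emails on this page.
    for hdr in ("Amazon Security <security@amazon-verify.com>",
                "Netflix Support <support@netflix-billing.com>"):
        print(f"{hdr!r:50} -> {sender_domain(hdr)}")
    for url in ("https://www.netflix.com/login",
                "https://netflix-billing.com/login",
                "https://www.netflix.com.billing-update.net/login"):
        print(f"{url:50} autofill for netflix.com? "
              f"{manager_would_autofill(url, 'netflix.com')}")
```

The third URL in the sample run is the case the "extra words around a brand name" check is about: the real site's name appears in full, but as a subdomain of someone else's registrable domain, so the manager stays silent.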
Examples
Account Locked Email
From: Amazon Security <security@amazon-verify.com>
Subject: Your Account Has Been Locked
We detected unusual activity. Verify your information within 24 hours or your account may be suspended.
[Verify Now]
What to do: Do not use the button. Open the Amazon app or type amazon.com yourself. If there is a real account issue, handle it there.
Payment Failed Email
From: Netflix Support <support@netflix-billing.com>
Subject: Action needed: Update your payment method
Your last payment did not go through. To avoid interruption, update your payment information.
[Update Payment Method]
What to do: Do not use the link. Open the Netflix app or type netflix.com yourself. If you use a password manager and it does not offer your saved Netflix password, leave the page immediately.
If You Already Clicked Or Entered Information
What matters now is what changed.
- Only opened the email or clicked a link: close it. Watch for anything that downloaded, opened, or asked for permission.
- Entered card or payment details: call the card issuer, bank, or payment provider using the number on the card, statement, real app, or official site.
- Entered a password: go to the real site or app yourself, change the password, sign out of other sessions, and check recovery email, recovery phone, recent logins, and connected apps.
- Entered a one-time code: secure the account immediately. Change the password, sign out of other sessions, and review recovery details and security settings.
- Opened an attachment or installed software: stop using that device for banking, email, shopping, password changes, or other sensitive actions. Use a different device and go to I Installed Remote Access if remote access or support software was involved, or start with I Think I Was Scammed for broader recovery steps.
If you are not sure how far it went, start with the most sensitive thing exposed: money first, then accounts, then the device.
Quick Checklist
- Do not sign in, pay, call, download, or verify from an unexpected email.
- Open the real app, type the real website, or call a number you already trust.
- Use sender domains, link destinations, attachments, urgency, and request type as reasons to stop, not reasons to proceed.
- Let your password manager warn you when the domain does not match.
- If you already entered information, move to payment, account, or device recovery based on what changed.
If the email is real, this process still works. You will find the same issue when you arrive through the real app, typed website, or trusted phone number.
Practice Your Skills
Think you can spot phishing emails? Test yourself with real examples.