IsThisAScam

Independent scam & phishing analysis. Free for individuals. APIs for developers.

Operated by Zeplik, Inc.
© 2026 Zeplik, Inc. All rights reserved.

Guides

How to Identify Phishing Emails: 15 Red Flags to Watch For

IsThisAScam Research Team · March 3, 2026 · 7 min read
Contents
  1. Red Flags in the Sender Details
  2. Red Flags in the Message Content
  3. Red Flags in the Technical Details
  4. Red Flags in the Context
  5. How Modern Phishing Has Evolved
  6. Real Examples
  7. What to Do When You Spot a Phishing Email
  8. Building Long-Term Habits
  9. Protecting Your Organization

Phishing emails trick people by impersonating trusted brands, colleagues, or government agencies. The average phishing campaign now runs for less than 12 hours before the attackers rotate domains, which means automated filters sometimes miss the first wave entirely. Here are 15 concrete red flags that expose a phishing email — no matter how polished it looks.

Red Flags in the Sender Details

  1. The domain doesn't match the brand. An email claiming to be from Apple but sent from apple-id-verification@signin-helper.com is fraudulent. Always check the full address, not just the display name. Scammers set the display name to "Apple Support" while the actual address is something completely unrelated.
  2. The display name and email address don't agree. If the name says "Chase Bank" but the address is j.smith4782@gmail.com, that mismatch is a giveaway. Legitimate companies send from their own domains.
  3. Free email providers for "official" messages. No bank, shipping company, or government agency sends account alerts from Gmail, Yahoo, or Outlook personal accounts.
  4. Reply-to address differs from the sender. Scammers sometimes spoof the "From" field but set the reply-to as a different address they control. Check both.
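The four sender checks above can be applied mechanically to a raw message. The following is an added example written for this guide, not code from IsThisAScam: it parses the headers with Python's standard `email` module and reports each mismatch. The brand-to-domain allow-list, the free-provider set and the sample message are constructed; in practice you would replace the allow-list with the brands your users actually receive mail from.

```python
"""Sender-header checks for the four red flags above (added example)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message modelled on the article's Apple example; not a real email.
SAMPLE_EMAIL = b"""From: "Apple Support" <apple-id-verification@signin-helper.com>
Reply-To: recover-account@gmail.com
To: victim@example.org
Subject: Verify your Apple ID

Your Apple ID has been locked.
"""

# Assumed allow-list: brand name as it appears in display names -> domains it really sends from.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "chase": {"chase.com"},
}

# Consumer mailbox providers no bank or agency uses for account alerts.
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address inside a From/Reply-To value ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def in_domain(domain: str, allowed: set) -> bool:
    """True if domain is one of allowed or a subdomain of one (email.apple.com -> apple.com)."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def sender_red_flags(raw: bytes) -> list:
    """Return human-readable red flags derived from the From and Reply-To headers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_value = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_value)
    from_domain = domain_of(from_value)
    flags = []

    # Flags 1 and 2: the display name claims a brand the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not in_domain(from_domain, domains):
            flags.append(f"display name claims {brand!r} but sender domain is {from_domain!r}")

    # Flag 3: "official" mail sent from a free consumer provider.
    if from_domain in FREE_MAIL_PROVIDERS:
        flags.append(f"sender uses free mail provider {from_domain!r}")

    # Flag 4: replies go somewhere other than the sender's domain.
    reply_value = msg.get("Reply-To")
    if reply_value is not None:
        reply_domain = domain_of(str(reply_value))
        if reply_domain and reply_domain != from_domain:
            flags.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return flags


if __name__ == "__main__":
    for flag in sender_red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

On the constructed sample this reports two flags: the "Apple" display name on a `signin-helper.com` sender, and a Reply-To on `gmail.com` that differs from the From domain. A message from `noreply@email.apple.com` with a plain "Apple" display name produces none, because subdomains of an allow-listed domain are accepted.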


Red Flags in the Message Content

  5. Urgency or threats. "Your account will be closed in 24 hours" or "You will be charged $499 unless you call now." Legitimate companies give reasonable notice and don't threaten you in emails.
  6. Generic greetings. "Dear Customer" or "Dear User" instead of your actual name. While some real companies use generic greetings in bulk mail, combined with other red flags it's a strong signal.
  7. Grammar and spelling errors in key places. Typos in the brand name, inconsistent capitalization, or broken sentences in the subject line. Modern phishing can be well-written, but errors in the company name or product titles remain common.
  8. Requests for sensitive information. No legitimate company asks you to reply with your password, Social Security number, or credit card details via email. Ever.
  9. Unexpected attachments. An invoice you didn't request, a shipping document for an order you didn't place, or a "voicemail" attached as a .zip file. These often contain malware.
  10. Suspicious link text. Hover over links before clicking. If the visible text says www.paypal.com/account but the actual URL points to payp4l-secure.xyz/login, it's phishing.
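The hover test in the suspicious-link flag above can be automated for HTML mail. This is an added example written for this guide, not part of the article's tooling: it collects every `<a>` element with Python's standard `html.parser`, and reports anchors whose visible text looks like a URL but names a different host than the `href` actually points to. The HTML body is constructed from the article's PayPal example; anchors with ordinary button text ("Update Payment Method") are deliberately not reported, since there is no visible host to compare against.

```python
"""Find links whose visible text names one host but whose href goes elsewhere (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body modelled on the article's PayPal example; not a real message.
SAMPLE_HTML = """
<p>Dear Customer, confirm your details at
<a href="https://payp4l-secure.xyz/login">www.paypal.com/account</a>.</p>
<p>Need help? Visit <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
<p><a href="https://payp4l-secure.xyz/login">Update Payment Method</a></p>
"""

# Visible text "looks like a URL" when it is a dotted host with an optional scheme and path.
URL_LIKE_TEXT = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, or None outside one
        self._text = []     # text fragments seen inside the current <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; scheme-less text such as 'www.paypal.com/account' is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return URL_LIKE_TEXT.fullmatch(text.strip()) is not None


def mismatched_links(html: str) -> list:
    """Return (visible_text, href) for anchors whose shown host differs from the real one."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [
        (text, href)
        for text, href in parser.links
        if looks_like_url(text) and host_of(text) != host_of(href)
    ]


if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_HTML):
        print(f"RED FLAG: text shows {text!r} but link goes to {href!r}")
```

Comparing hosts rather than full URLs is deliberate: a legitimate link whose text says `www.paypal.com/help` and whose href adds tracking parameters on the same host is not a mismatch, while a lookalike host such as `payp4l-secure.xyz` always is.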

Red Flags in the Technical Details

  11. Mismatched or missing branding. Low-resolution logos, wrong brand colors, or a footer that references a different company. Attackers sometimes reuse phishing kits across brands and forget to update every element.
  12. The email arrived in your spam folder, then claims to be important. If your email provider flagged it, pay attention. Providers check SPF, DKIM, and DMARC records — failures in those checks are a strong signal.
  13. Links use URL shorteners or redirects. Legitimate companies almost never send you to bit.ly/3xK9z for a password reset. URL shorteners hide the true destination.
  14. The email asks you to "verify" something you didn't initiate. You didn't request a password reset, but you're being told to verify one. You didn't sign up for a service, but they want you to confirm your account.
  15. Unusual sending time. An email from "your CEO" sent at 3:47 AM on a Sunday requesting gift card purchases. Context matters — does this fit the normal pattern?
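The SPF, DKIM and DMARC verdicts the spam-folder flag refers to are written by the receiving mail server into an `Authentication-Results` header, so they can be read back from the raw message. The following is an added example, not code from the article or from IsThisAScam. It reads only the header stamped by your own server (identified by its authserv-id, here the assumed `mx.example.org`), because a sender can include an `Authentication-Results` header of its own claiming `pass` everywhere; only the one your MX prepends is trustworthy. The message and both headers are constructed, modelled on the Netflix example later in the article.

```python
"""Read SPF/DKIM/DMARC verdicts from the trusted Authentication-Results header (added example)."""
import re
from email import policy
from email.parser import BytesParser

# Constructed raw message. The first Authentication-Results header was written by the
# sender and claims everything passed; the second was stamped by the receiving server
# (assumed authserv-id "mx.example.org") and records the real verdicts.
SAMPLE_EMAIL = b"""Authentication-Results: mail.trusted-looking.example; spf=pass; dkim=pass; dmarc=pass
Authentication-Results: mx.example.org;
 spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=netflix-billing-secure.com;
 dkim=none header.d=none;
 dmarc=fail (p=reject) header.from=netflix-billing-secure.com
From: Netflix Support <account-update@netflix-billing-secure.com>
To: victim@example.org
Subject: Your payment was declined

Dear Customer, ...
"""

# Matches "spf=pass", "dkim=none", "dmarc=fail"; sub-tags like smtp.mailfrom= are not matched.
VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def auth_results(raw: bytes, authserv_id: str) -> dict:
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the header stamped by authserv_id.

    Headers stamped by any other authserv-id are ignored, so a sender-supplied header
    cannot override the verdicts of the receiving server. Returns {} if none matches.
    """
    msg = BytesParser(policy=policy.compat32).parsebytes(raw)
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())  # unfold continuation lines into one string
        stamped_by, _, rest = value.partition(";")
        if stamped_by.strip().lower() != authserv_id.lower():
            continue
        return {m.group(1).lower(): m.group(2).lower() for m in VERDICT_RE.finditer(rest)}
    return {}


def auth_red_flags(results: dict) -> list:
    """One flag per mechanism that did not pass (a missing verdict counts as a flag)."""
    flags = []
    for mech in ("spf", "dkim", "dmarc"):
        verdict = results.get(mech, "missing")
        if verdict != "pass":
            flags.append(f"{mech} {verdict}")
    return flags


if __name__ == "__main__":
    verdicts = auth_results(SAMPLE_EMAIL, "mx.example.org")
    for flag in auth_red_flags(verdicts):
        print("RED FLAG:", flag)
```

Passing the attacker's authserv-id instead would return three `pass` verdicts, which is exactly why the lookup is keyed on your own server's identifier rather than on the first header found.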

Red Flags in the Context

Beyond the email itself, the circumstances around it matter just as much:

  • You don't have an account with the company. Getting a "password reset" from a bank you've never used, or an "order confirmation" from a retailer you've never shopped at, is an obvious tell. But scammers play the numbers — send a fake Amazon email to a million people, and hundreds of thousands of them will have Amazon accounts.
  • The email arrived after a public data breach. Scammers monitor breach announcements. When a major company discloses a breach, phishing emails impersonating that company spike within hours. They know you're already anxious about your account security.
  • You received multiple similar emails in a short period. Phishing campaigns often send several variants to the same address. If you get three "account suspended" emails in two days from slightly different senders, they're all part of the same attack.
  • The email references a real event but with wrong details. A scammer might reference a real product recall or service outage but get specific details wrong — the wrong date, the wrong product model, or a different issue than what was actually reported.

How Modern Phishing Has Evolved

The phishing emails of 2026 are far more sophisticated than the Nigerian prince scams of the past. Here's what's changed:

AI-generated content. Scammers use large language models to write emails that are grammatically perfect, tonally appropriate, and free of the awkward phrasing that used to make phishing obvious. The "bad grammar = scam" rule is no longer reliable on its own.

Spear phishing. Rather than generic mass emails, attackers research specific targets. They scrape your LinkedIn profile, company website, and social media to craft emails that reference your real job title, colleagues' names, recent projects, or industry events. These highly targeted emails are called spear phishing, and they're remarkably effective even against security-conscious professionals.

Thread hijacking. Attackers compromise an email account and then reply to real ongoing conversations. Because the email appears in an existing thread from a real person you know, it bypasses both technical filters and human suspicion. The attacker might insert a malicious link or attachment into a legitimate business conversation.

Multi-channel attacks. A phishing email might be followed by a phone call from someone claiming to be the same company's support team, "following up" on the email you received. The call adds a layer of perceived legitimacy that makes you more likely to trust the original email.

Clone phishing. The attacker takes a real email you previously received from a legitimate company, replaces the links or attachments with malicious versions, and re-sends it. Because you've seen a nearly identical legitimate email before, the clone is much harder to detect.

Real Examples

Here's a phishing email our team analyzed recently:

From: Netflix Support <account-update@netflix-billing-secure.com>
Subject: Your payment was declined — update now to avoid suspension

Dear Customer,

We were unable to process your last payment. Please update your billing information within 24 hours or your account will be permanently suspended.

Update Payment Method →

Red flags present: wrong domain (netflix-billing-secure.com instead of netflix.com), urgency ("24 hours"), threat ("permanently suspended"), generic greeting ("Dear Customer"), and the link destination didn't match Netflix's real domain.

Another example from a "bank":

From: Wells Fargo Alerts <security@wf-alerts-center.com>
Subject: Unusual activity detected on your account

We detected a login attempt from an unrecognized device in Lagos, Nigeria. If this wasn't you, verify your identity immediately by clicking below.

Secure My Account

The scammer adds a specific location ("Lagos, Nigeria") to create fear, uses a lookalike domain, and pressures you to click before thinking. Wells Fargo's actual alerts come from @wellsfargo.com and direct you to log in through the app or website — not through an email link.

What to Do When You Spot a Phishing Email

  1. Don't click any links or download attachments. If you're curious about a link, hover over it to see the URL — but don't click.
  2. Don't reply. Replying confirms your address is active and can lead to more targeted attacks.
  3. Report it. Forward the email to the company being impersonated (most have a dedicated phishing address like phishing@company.com). Mark it as phishing in your email client.
  4. Verify independently. If you think the message might be legitimate, open a new browser tab, go directly to the company's website, and log in there. Don't use any links from the email.
  5. Use an analysis tool. Copy the email text and paste it into IsThisAScam for an instant AI-powered breakdown of the red flags present.

Building Long-Term Habits

Identifying phishing isn't about memorizing a list — it's about building a reflex. Every time an email asks you to take action, pause for five seconds and ask:

  • Did I expect this email?
  • Does the sender address match the company?
  • Is there pressure to act quickly?
  • Would I reach the same page by going to the company's website directly?

That five-second pause catches the vast majority of phishing attempts. Scammers rely on speed — they need you to click before you think. Slow down, and their entire strategy falls apart.

Protecting Your Organization

If you manage email security for a team or company, these additional measures reduce phishing risk significantly:

  • Implement DMARC, SPF, and DKIM. These email authentication protocols make it much harder for scammers to spoof your domain. DMARC alone blocks the majority of direct-impersonation phishing.
  • Use email filtering with real-time link scanning. Modern email security tools scan links at the time of click, not just at delivery. This catches phishing pages that are activated after the email passes initial filters.
  • Run phishing simulations. Regular simulated phishing tests keep employees alert and identify who needs additional training. The goal isn't to punish people who click — it's to build the muscle memory of pausing and checking.
  • Establish a reporting culture. Make it easy and judgment-free for employees to report suspicious emails. A quick-report button in the email client reduces friction. Praise people who report — even false positives — because you'd rather have 100 reports of legitimate emails than miss one real phishing attack.
  • Enforce multi-factor authentication. Even if credentials are phished, MFA prevents the attacker from accessing the account. Hardware security keys (like YubiKeys) are the most phishing-resistant form of MFA because they verify the legitimate domain.
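DMARC only blocks direct impersonation when the published record actually asks receivers to act: a record with `p=none` reports spoofing but still lets it through. The following is an added example for this guide, not code from the article or from IsThisAScam. It parses a DMARC TXT record and lists the settings that weaken it, with a monitoring-only record beside an enforcing one for comparison. Both records are constructed for the hypothetical domain `example.com`; nothing is looked up in DNS.

```python
"""Assess how much protection a DMARC TXT record actually provides (added example)."""

# Constructed records for the hypothetical domain example.com (no DNS lookup is performed).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

# Ordering of the three policies from weakest to strongest.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_weaknesses(record: str) -> list:
    """Return human-readable weaknesses; an empty list means the record is fully enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return ["missing or invalid p= tag"]

    issues = []
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam rather than rejecting it")

    # sp= governs subdomains and defaults to p=; a weaker sp= leaves them exposed.
    subdomain_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(subdomain_policy, 0) < POLICY_RANK[policy]:
        issues.append(f"sp={subdomain_policy} leaves subdomains weaker than the organisational domain")

    # pct= applies the policy to only a fraction of failing mail; it defaults to 100.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only {pct}% of failing mail")

    if "rua" not in tags:
        issues.append("no rua= address: you will receive no aggregate reports")
    return issues


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD)):
        print(label, record)
        for issue in dmarc_weaknesses(record) or ["no weaknesses found"]:
            print("  -", issue)
```

The monitoring-only record is still worth publishing first: its aggregate reports show which legitimate senders would fail alignment before you move to `p=quarantine` and then `p=reject`.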

For emails you're still unsure about, IsThisAScam analyzes the content in seconds and explains exactly which red flags are present and how severe they are. It's free and doesn't require an account.
