A phishing email is an email that tries to make you click, sign in, pay, download a file, scan a QR code, or share sensitive information under false pretenses. The fastest way to spot one is to check the sender domain, the link destination, the request, and whether the message creates pressure that does not match the account or service it claims to represent. For non-email phishing, start with the phishing scam prevention checklist, use our phishing scam signs checklist for quick red flags, and use the signs of online scams guide for broader fraud patterns.
If the suspicious message looks like a Microsoft 365 security notification but also mentions Costco rewards or a BT account issue, use our Office365alerts Costco and BT email scam checklist before clicking any alert button.
If the message only proves that a scammer knows your address, use our scammer has your email address response guide to check whether the mailbox was actually hacked, spoofed, or just targeted by spam.
If an email claims that police or a court recovered money for you, compare it with our Internet Fraudsters Arrested email scam example before replying or sending documents.
The same logic applies after a suspicious redirect: our Ixtok.com safety check shows why you should judge the final page and its data requests, not only the first domain you clicked.
The same link-checking habit matters for event scams. A fake FIFA ticket email or sponsored result can look polished, so use the domain and payment checks in our World Cup 2026 ticket scam guide before signing in or paying.
For finance-themed messages, a fake SWIFT Confirmation Copy email is a common example: the email looks like payment proof but leads to a fake login page or risky attachment.
First checks: how to spot a phishing email
- Check the real sender domain, not only the display name. A message can say “Microsoft” or “Bank Support” while coming from an unrelated domain.
- Do not trust urgent buttons. Open the company website manually or use the official app instead of the email link.
- Look for a request that changes your normal behavior. Password reset, invoice payment, document review, gift card purchase, bank verification, or MFA approval pressure are common hooks.
- Treat attachments and QR codes like links. They can lead to fake sign-in pages or malware downloads. If a courier-themed email pushes an Excel attachment, use our FedEx e-Order Notification email virus cleanup steps before enabling content.
- When unsure, check the message with GridinSoft Email Checker before you interact.
If you already have a suspicious message, paste its headers or content into GridinSoft Email Checker. This article is the manual checklist; the checker is the tool for analyzing a real email.
Phishing email red flags
Sender mismatch. The display name is familiar, but the address uses a lookalike, free mailbox, or unrelated domain. Compare the domain with the official site and do not reply with personal data.
Urgency. Phrases like “payment failed,” “verify now,” or “last warning” are meant to rush the click. Open the account manually in a browser or app.
Hidden link. The visible button says one thing, but the destination points somewhere else. Preview the destination and check the domain before opening it.
Unexpected attachment. Treat unsolicited invoices, voicemail files, shipping labels, payroll documents, or security reports as suspicious until the sender confirms them through another channel.
QR code. A QR code in an email is still a link. Do not scan it from a work, banking, or admin device until you know where it leads; for examples and safe checks, see our QR code phishing guide.
Unusual payment. Gift cards, crypto, wire transfers, refunds, unknown invoices, and changed bank details deserve an out-of-band check using a known phone number or portal. This is especially important for business email compromise, where a real or spoofed mailbox can push fake payment instructions.
MFA or password pressure. If a message asks for a code, approval, or password confirmation, go to the official site yourself and change the password if exposure is plausible.
Check the sender, reply-to, and domain
Phishing emails often borrow a trusted brand name in the visible sender field. That field is easy to fake. Expand the message details and check the actual email address, the reply-to address, and the domain after the @ symbol.
A real sender can still be abused if a mailbox was compromised, so do not stop at the domain. Ask whether the message matches normal communication from that company or person. A supplier who suddenly asks for a new bank account, a manager asking for gift cards, or a cloud service asking for a password through an email button should be verified outside the email thread.
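As an added example (not part of the original article or of GridinSoft's tooling), the following Python function applies the sender checks above to raw From and Reply-To header values: display name claiming a brand the real domain does not match, a brand name embedded in a lookalike domain, and a Reply-To that routes answers to a different registrable domain. The brand-to-domain map is a constructed sample, not an authoritative list.

```python
import re
from email.utils import parseaddr

# Constructed sample: brands and the registrable domains that legitimately
# send mail for them. A real deployment would maintain this list carefully.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
    "paypal": {"paypal.com"},
}

def registered_domain(host: str) -> str:
    """Collapse a host to its registrable domain (naive: last two labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def mail_domain(address: str) -> str:
    """Domain after the @ of an address, or '' if the address has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def check_sender(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return red flags for a From / Reply-To pair; an empty list means none."""
    flags = []
    display, addr = parseaddr(from_header)
    from_dom = mail_domain(addr)
    if not from_dom:
        return ["from-address-unparseable"]
    from_reg = registered_domain(from_dom)
    for brand, official in BRAND_DOMAINS.items():
        if from_reg in official:
            continue
        # Display name claims a brand, but the real address is elsewhere.
        if re.search(rf"\b{brand}\b", display, re.IGNORECASE):
            flags.append(f"display-name-brand-mismatch:{brand}")
        # Brand name embedded in a lookalike domain such as brand-secure.example.
        if brand in from_dom:
            flags.append(f"lookalike-domain:{brand}")
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_reg = registered_domain(mail_domain(reply_addr))
        # Replies routed to a different registrable domain than the sender's.
        if reply_reg and reply_reg != from_reg:
            flags.append(f"reply-to-domain-mismatch:{reply_reg}")
    return flags
```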
Check links without clicking them
On desktop, hover over a link and read the destination shown by the browser or mail client. On mobile, long-press may preview or copy the URL, but avoid opening it. Look at the registered domain, not only the first word in the URL.
Looks safe: https://accounts.google.com/
Suspicious: https://google-security.example-login[.]com/
Suspicious: https://example[.]com/login?brand=microsoft
The brand name inside a path or query string does not make a link official. If the email is about an account, subscription, bank, delivery, or tax issue, type the real website into the browser yourself.
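The three sample links above, run through an added Python classifier that is not part of the original article: it undoes the `[.]` defanging, reduces the host to its registrable domain, and flags a brand name that appears anywhere outside an official registrable domain, including the `user@host` trick where the real host sits after an @ sign. The official-domain map and the two-level suffix list are constructed samples.

```python
from urllib.parse import urlparse

# Constructed sample of brands and their official registrable domains.
OFFICIAL_DOMAINS = {
    "google": {"google.com"},
    "microsoft": {"microsoft.com", "live.com"},
}
# Constructed sample of public suffixes that need three labels to be registrable.
# A real checker would use the full Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registered_domain(host: str) -> str:
    """Reduce a hostname to the part a registrant actually controls."""
    labels = host.lower().strip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def classify_link(url: str) -> tuple[str, str]:
    """Return ('official', brand), ('suspicious', reason) or ('unknown', domain)."""
    parts = urlparse(url.replace("[.]", "."))  # undo defanging used in reports
    host = parts.hostname or ""
    if not host:
        return ("suspicious", "no-host")
    # user@host trick: urlparse keeps the part before '@' in netloc, not hostname.
    if "@" in parts.netloc:
        return ("suspicious", f"userinfo-before-host:{registered_domain(host)}")
    reg = registered_domain(host)
    for brand, domains in OFFICIAL_DOMAINS.items():
        if reg in domains:
            return ("official", brand)
    # Brand appears in a subdomain, path or query of a non-official domain.
    haystack = (host + parts.path + "?" + parts.query).lower()
    for brand in OFFICIAL_DOMAINS:
        if brand in haystack:
            return ("suspicious", f"brand-{brand}-outside-registered-domain:{reg}")
    return ("unknown", reg)
```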
Common phishing email examples
Fake account verification email
The email claims your account will be suspended unless you verify it. The goal is usually credential theft. We see this pattern in fake Microsoft, Google, Apple, Netflix, and banking messages. For a subscription-specific example, see the Netflix scam email guide covering payment-failed, account-hold, password, and card-theft lures.
Fake HR or benefits notice
The email claims Human Resources needs you to review compensation, benefits, or coverage details. If the button opens a generic mail login instead of your company HR portal, treat it as credential phishing. See the Benefits Review Notice email scam guide for the workplace-account recovery steps.
Fake invoice or refund email
The email says you were charged, renewed, or approved for a refund. Scammers want you to call a fake support number, open a malicious attachment, or enter payment details on a fake page.
Fake shared document email
The message says someone shared a file with you. It often leads to a fake Microsoft 365 or Google sign-in page. If you were not expecting the document, verify with the sender first.
Fake security alert
The email warns about a login, device, password, or “blocked” account. Real services do send security alerts, but phishing copies their style. Go to the account manually and check recent activity there.
Use Email Checker for a suspicious message
Manual checks are useful, but phishing messages can be polished and convincing. GridinSoft Email Checker analyzes suspicious email text, headers, senders, URLs, and phishing signals, so this guide can stay a manual checklist rather than a separate “email checker” page. For a closer look at the free scam-assessment tool, read the GridinSoft Email Scam Checker overview.
What to do if you clicked a phishing email
- If you only opened the email, close it and do not interact with links, QR codes, or attachments.
- If you clicked a link but did not enter data, close the page, clear site data for that domain, and scan the device if anything downloaded.
- If the link opened in a browser, use our clicked phishing link checklist to decide whether the click was low risk, account exposure, notification spam, or a download problem.
- If you entered a password, change it from the official website on a clean device and sign out other sessions.
- If you entered a 2FA code, treat the account as compromised. Change the password, revoke sessions, and review recovery email/phone settings.
- If you paid or entered card details, contact the bank or payment provider immediately and monitor transactions.
- If you opened an attachment or ran a file, disconnect from sensitive accounts and run a full malware scan.
Where to report phishing emails
Use your mail provider’s “Report phishing” option where available. In the United States, the FTC asks users to report phishing at ReportFraud.ftc.gov, and CISA recommends reporting suspicious messages to the relevant organization or security team. If the email impersonates a bank, marketplace, tax agency, or employer, report it through that organization’s official channel.
Related GridinSoft guides
- Phishing vs spoofing: what is the difference?
- Spear phishing: targeted email attacks explained
- Benefits Review Notice email scam: HR phishing warning
- Microsoft Anti Xploit Guard email scam
- Fake Norton invoice refund scam
- Account verification alert email scam
Brand impersonation example: Phishing is not limited to email. A fake Adidas Copa 2026 promotion shows the same trust trick in a WhatsApp-style prize funnel: familiar brand, urgent reward, non-official domain, and a request for personal data.
Phishing also targets developers: Some fake notices do not arrive as classic mailbox scams. A current Chrome Web Store copyright removal request phishing page uses extension IDs, countdown pressure, and a fake sign-in panel to steal Google logins.
Phishing defenses work best when browser warnings, cautious reading, and active protection work together. For the broader device-protection layer, see our guide on whether you still need antivirus in 2026 and when Defender is enough.
FAQ
What is the easiest way to spot a phishing email?
Check whether the sender domain, link destination, request, and urgency match the real organization. If any one of them feels wrong, do not click the email link.
Can a phishing email come from a real account?
Yes. A compromised mailbox can send phishing from a real address. Verify unusual payment, password, file-sharing, and account requests through another trusted channel.
Is bad grammar still a reliable phishing sign?
No. Modern phishing emails can be well written, branded, and personalized. Grammar can help, but sender, link, request, and context matter more.
Should I click unsubscribe in a suspicious email?
Not if the message looks malicious. The unsubscribe link may confirm your address or lead to another phishing page. Use the mail client’s spam/phishing controls instead.
Can opening a phishing email infect my device?
Usually the main risk is clicking, downloading, scanning a QR code, or entering data. Still, keep your mail app and browser updated and avoid loading unknown attachments.
When a phishing message points to a “leak checker,” treat the checker itself as part of the lure. Our OnlyFans leak checker scam guide explains why you should not enter credentials or install files from those pages.
Also treat unexpected browser authentication pop-ups as a credential-phishing risk. For a current example, see our note on the polyfill.io login prompt and why users should not enter passwords into third-party browser prompts.
Phishing can start before an email reaches you: poisoned search results and hacked pages may lead users to fake login or download pages. Our SEO poisoning phishing guide explains what to check in search results before you click.
If the subject says your mailbox has “Insufficient Email Capacity” or is over quota, use the exact Insufficient Email Capacity scam checklist before signing in through the message.
If the message specifically claims a PayPal Unauthorized Transaction and pushes a phone number, use our focused PayPal unauthorized transaction email scam checklist before calling, clicking, or reporting the charge.
For a bank-specific example, the Capital One phishing email scam shows how replacement-card, claim-approval, and refund subjects can all lead to the same fake sign-in page.
Sources
- FTC, ReportFraud.ftc.gov phishing and fraud reporting portal.
- CISA, “Avoiding Social Engineering and Phishing Attacks.”
- Microsoft Support, “Protect yourself from phishing.”