How to Spot a Phishing Email: Red Flags, Examples, and What to Do

Daniel Zimmermann
10 Min Read
Suspicious phishing email with highlighted sender, unsafe link, attachment, and urgency clues
A suspicious email message with sender, link, attachment, and urgency clues highlighted for quick phishing checks.

A phishing email is a message that tries to make you click, sign in, pay, download a file, scan a QR code, or share sensitive information by pretending to be someone trustworthy. The fastest way to spot one is to check four things before you touch anything: the real sender domain, the link destination, the request, and the pressure tactic. If one of those does not match the organization or conversation you expected, verify through the official website, app, phone number, or internal channel instead of using the email button.

One-minute phishing check: expand the sender, preview the link, question the request, inspect attachments or QR codes, and verify outside the email thread. If you already clicked, jump to the recovery steps below instead of rereading the message.

How to spot a phishing email quickly

  1. Open the sender details. The display name can say “Security Team,” “Payroll,” or “Microsoft,” while the real address uses a free mailbox, a lookalike domain, or a domain unrelated to the company.
  2. Compare the reply-to address. A sender from one domain and a reply-to address on another domain is a common clue, especially in invoice, HR, and account-warning emails.
  3. Preview links before clicking. On desktop, hover over the link. On mobile, long-press carefully or copy the link without opening it. The real domain matters more than the words on the button.
  4. Ask whether the request changes normal behavior. Password reset, payment, gift cards, new bank details, document review, QR login, remote-support install, or MFA approval pressure should be verified another way.
  5. Treat unexpected files as risky. PDFs, ZIPs, SVG files, ISO files, Excel sheets, and “secure document” attachments can lead to fake login pages or malware downloads.
  6. Slow down when the email creates a deadline. “Today only,” “final notice,” “account closure,” and “payment failed” wording is designed to make you skip the checks above.
Diagram of phishing email red flags including sender domain, reply-to mismatch, urgent request, link preview, and attachment
Use this five-point anatomy check before clicking: sender domain, reply-to address, pressure, destination URL, and unexpected file.

What a phishing email can look like

Many phishing emails are short and ordinary. A realistic example may look like this:

Subject: Invoice requires review today
From: Billing Team <[email protected]>
Reply-to: [email protected]

Hi,
We noticed an issue with your latest invoice. Please review the details and confirm your information as soon as possible. If no action is taken today, late fees may apply and service could be interrupted.

Button: Review invoice
Attachment: Invoice_8427.pdf

The message does not need obvious spelling mistakes to be dangerous. In this example, the suspicious parts are the unrelated sender domain, the different reply-to address, the urgent request, the login-style button, and the unexpected attachment.

Payroll-themed variants can look even more routine. The Selectfood Payroll email scam uses an “Official Notification” subject and an “Update My Payroll Now” button to push recipients toward a fake sign-in page.

Mobile email example with suspicious sender, unsafe button, and unexpected PDF attachment highlighted
On mobile, expand the sender and treat buttons and attachments as unsafe until you can verify the request another way.

Phishing email red flags that still matter in 2026

  • Sender mismatch: the brand or coworker name looks familiar, but the domain is wrong, shortened, misspelled, or unrelated.
  • Hidden destination: the button says “View document” or “Verify account,” but the URL points to a different domain, a tracking redirect, or a login page you did not request.
  • Unusual payment instruction: the email asks for gift cards, crypto, wire transfer changes, refund calls, invoice payment, or bank-detail confirmation.
  • Credential or MFA pressure: the message asks you to enter a password, approve a sign-in, share a one-time code, or scan a QR code to “keep” access.
  • Unexpected attachment: the file claims to be a receipt, payslip, shipping label, voicemail, security report, or shared document you were not expecting.
  • Overconfident branding: logos, banners, and polished language do not prove legitimacy. Scammers copy templates and can write clean emails.
  • Wrong context: the email refers to a service, invoice, delivery, HR process, or account you do not use, or it arrives outside the normal process.

Read the registered domain, not the brand word inside the URL. A fake link can include the brand in a subdomain, path, or tracking parameter while the real site is somewhere else.

Looks official: https://accounts.example.com/security

Suspicious: https://accounts-example-security[.]com/login

Suspicious: https://example[.]com/login?brand=microsoft

If the email is about banking, payroll, taxes, delivery, a subscription, or a cloud account, open the official app or type the website address yourself. Do not use the email button as the source of truth.

Common phishing email examples

Use these examples to classify the message quickly. If the email matches one of them, verify outside the message before clicking.

  • Account verification: “Your account will be suspended” or “confirm your mailbox.” This usually targets passwords or MFA codes.
  • Fake invoice or refund: “You were charged” or “review attached invoice.” This can lead to callback scams, fake support numbers, or malicious files.
  • Shared document: “Someone shared a secure file.” This often opens a fake Microsoft 365, Google, DocuSign, courier, or webmail login page.
  • HR or payroll notice: “Benefits review,” “payslip available,” or “compensation update.” This targets work email credentials and employee portals.
  • Security alert: “New sign-in,” “password expires,” or “unusual activity.” Real alerts exist, so check the account manually rather than using the email link.
  • QR code email: “Scan to verify” or “scan to view document.” A QR code is just a link; treat it like one.

Check a suspicious message with Gridinsoft

Manual checks are useful, but polished phishing can still be hard to judge. If you have a suspicious message, use Gridinsoft Email Checker to inspect the sender, message text, links, and phishing signals before you reply, pay, or open a file. For a closer tool walkthrough, see the Gridinsoft Email Scam Checker overview.

Gridinsoft Email Checker interface for checking suspicious email text
Gridinsoft Email Checker helps inspect sender details, message text, and suspicious links before you reply, pay, or open a file.

What to do if you clicked a phishing email

  1. If you only opened the email, close it and avoid links, QR codes, attachments, unsubscribe buttons, and replies.
  2. If you clicked a link but entered nothing, close the page, do not approve notifications, and delete any downloaded file. Use the clicked phishing link checklist if the browser opened a suspicious page.
  3. If you entered a password, change it from the official site on a clean device, sign out other sessions, and check recovery email, phone, and MFA settings.
  4. If you entered a one-time code or approved a sign-in, treat the account as compromised until sessions and app permissions are revoked.
  5. If you paid, entered card details, or called a fake support number, contact your bank or payment provider through the number on the card or official website.
  6. If you opened an attachment or ran a file, disconnect from sensitive accounts and scan the computer before continuing normal work.

A security tool may remove the visible attachment or downloaded file, but phishing downloads can leave a loader, scheduled task, browser change, startup entry, or bundled module that brings the warning back. After opening or running a suspicious email attachment, run a full Gridinsoft Anti-Malware scan, remove detections, reboot, and scan again if pop-ups, redirects, blocked connections, or new alerts return.

Scan files downloaded from this scam.

If the page or email made you download an invoice, coupon, tracking app, browser extension, or support tool, scan the PC before opening it again or logging into sensitive accounts.

Scan after a suspicious email download

Where to report phishing emails

Use your mail provider’s Report phishing option when it is available. If the message impersonates your employer, bank, marketplace, tax agency, school, delivery company, or software vendor, report it through that organization’s official channel. In the United States, the FTC accepts fraud reports at ReportFraud.ftc.gov, and CISA recommends reporting suspicious messages to the relevant organization or security team.

FAQ

What is the easiest way to spot a phishing email?

Check the real sender domain, the link destination, the request, and the pressure tactic. If the email asks you to sign in, pay, download, scan, or share data, verify through the official site or app instead of the email link.

Can a phishing email come from a real account?

Yes. A compromised mailbox can send phishing from a real address. That is why context matters: verify unusual payment, document, password, or MFA requests through another trusted channel.

Is bad grammar still a reliable phishing sign?

No. Bad grammar can be a clue, but modern phishing emails can be well written and branded. Sender, link, request, attachment, and context are more reliable checks.

Should I click unsubscribe in a suspicious email?

No. A malicious unsubscribe link can confirm that your address is active or send you to another phishing page. Use the mail app’s spam or phishing controls instead.

Can opening a phishing email infect my device?

Usually the bigger risk is clicking, downloading, scanning a QR code, or entering data. Still, keep your browser and mail app updated, and do not load unknown attachments or remote content from suspicious messages.

Sources

  1. Federal Trade Commission. “How To Recognize and Avoid Phishing Scams.” FTC Consumer Advice, accessed June 25, 2026. https://consumer.ftc.gov/articles/how-recognize-avoid-phishing-scams
  2. Cybersecurity and Infrastructure Security Agency. “Avoiding Social Engineering and Phishing Attacks.” CISA, accessed June 25, 2026. https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
  3. Microsoft Support. “Protect yourself from phishing.” Microsoft, accessed June 25, 2026. https://support.microsoft.com/en-us/security/protect-yourself-from-phishing
Share This Article
With a strong background in consumer safety and fraud prevention, Daniel specializes in providing actionable tips and advice to users. His focus is on helping individuals understand the risks of interacting with fraudulent sites and services
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?