Why Phishing Still Works

Phishing — the act of tricking someone into revealing sensitive information through a fake email or website — remains one of the most common ways people get hacked. Despite decades of awareness campaigns, it keeps working because attackers keep evolving their tactics. Modern phishing emails can look nearly identical to messages from your bank, your employer, or even a trusted friend.

The good news: even the most convincing phishing attempts leave clues. Here are eight red flags to watch for every time you open a suspicious email.

Red Flag #1: The Sender's Email Address Doesn't Match

The name in your inbox might say "PayPal Support," but always check the actual email address. Click or hover over the sender name to reveal it. Phishing addresses often look like: support@paypa1-secure.com or noreply@paypal.account-verify.net — not a legitimate company domain.

Red Flag #2: Urgent or Threatening Language

Phrases like "Your account will be closed in 24 hours", "Immediate action required", or "Suspicious activity detected" are designed to panic you into clicking without thinking. Legitimate companies rarely communicate genuine emergencies exclusively by email.

Red Flag #3: Generic Greetings

A real service you use knows your name. If an email starts with "Dear Customer," "Dear User," or "Hello Account Holder," that's a warning sign. Personalized phishing does exist, but mass-send attacks typically use generic salutations.

Red Flag #4: Suspicious Links

Before clicking any link, hover over it to preview the URL (on desktop). Look for:

  • Misspelled domain names (e.g., amazzon.com, g00gle.com)
  • Extra subdomains that bury the real domain (e.g., amazon.com.verify-account.net — the actual domain here is verify-account.net)
  • URL shorteners (bit.ly, tinyurl) hiding the real destination
  • HTTP instead of HTTPS for pages asking for login credentials
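The checks behind Red Flag #1 and Red Flag #4 can be written down. As an added example (not part of the original article), this Python script extracts the registered domain from a link or sender address, spots a brand name buried in someone else's subdomain, and catches digit-for-letter lookalikes such as paypa1 or g00gle; the brand list, shortener list and substitution table are constructed assumptions for the example.

```python
import difflib
from urllib.parse import urlsplit

# Constructed sample data (an assumption for this example, not a real allow-list):
LEGIT_DOMAINS = {"amazon.com", "google.com", "paypal.com"}  # brands we care about
SHORTENERS = {"bit.ly", "tinyurl.com"}  # the shorteners the article names
# digit-for-letter swaps typical of lookalike domains (paypa1, g00gle)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, i.e. the part somebody actually registered:
    'amazon.com.verify-account.net' -> 'verify-account.net' (co.uk-style suffixes ignored)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain: str):
    """Return the legitimate domain this one imitates, else None."""
    if domain in LEGIT_DOMAINS:
        return None
    label = domain.split(".")[0].translate(HOMOGLYPHS)  # paypa1-secure -> paypal-secure
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in label or difflib.SequenceMatcher(None, label, brand).ratio() >= 0.8:
            return legit
    return None

def link_red_flags(url: str) -> list:
    """Red flag #4: what hovering over a link should make you check."""
    parts = urlsplit(url)
    host, flags = parts.hostname or "", []
    domain = registrable_domain(host)
    if parts.scheme == "http":
        flags.append("plain http, not https")
    if domain in SHORTENERS:
        flags.append("url shortener hides the real destination")
    for legit in LEGIT_DOMAINS:  # brand name buried in a subdomain of another domain
        if legit in host and domain != legit:
            flags.append(f"{legit} is only a subdomain; real domain is {domain}")
    if (imitated := lookalike_of(domain)):
        flags.append(f"{domain} looks like {imitated}")
    return flags

def sender_red_flags(display_name: str, address: str) -> list:
    """Red flag #1: the display name versus the domain of the real address."""
    domain = registrable_domain(address.rsplit("@", 1)[-1])
    imitated = lookalike_of(domain)
    flags = [f"{domain} looks like {imitated}"] if imitated else []
    claimed = next((d for d in LEGIT_DOMAINS if d.split(".")[0] in display_name.lower()), None)
    if claimed and domain != claimed:
        flags.append(f"display name claims {claimed} but address domain is {domain}")
    return flags
```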

Red Flag #5: Unexpected Attachments

Did you request a document? If not, be extremely cautious about opening any attachment — especially .zip, .exe, .docm, or .xlsm files. Even PDFs can carry malicious scripts. When in doubt, contact the sender through a separate channel to verify they actually sent it.

Red Flag #6: Requests for Personal or Financial Information

No legitimate bank, government agency, or well-known company will ask you to confirm your password, full credit card number, or Social Security number via email. If an email asks for this, it's almost certainly a scam.

Red Flag #7: Poor Grammar and Spelling

While AI is making phishing emails more polished, many still contain awkward phrasing, odd capitalization, or obvious spelling mistakes. These errors often appear because attackers are working in a second language or using automated tools that don't proofread well.

Red Flag #8: The Offer Seems Too Good to Be True

Won a prize you never entered? Received an unexpected inheritance? Been offered a job with no interview? These classic lures work by exploiting curiosity and greed. If it seems too good to be true, it almost certainly is.

What to Do If You Suspect a Phishing Email

  1. Don't click any links or open attachments.
  2. Report it as phishing in your email client (Gmail, Outlook, and Apple Mail all have this option).
  3. If it claims to be from a company you use, contact that company directly through their official website.
  4. Delete the email.

Trust your instincts. If something feels off about an email, take 30 seconds to verify before acting. That pause can save you from a serious headache.