The most effective phishing emails are designed to look completely legitimate. Here are the 10 red flags that expose even the most convincing phishing attempts — share this with your team.
Modern phishing emails don't look like the obvious spam of ten years ago. They use real branding, reference actual colleagues, and come from domains that look almost identical to the real thing. But even sophisticated phishing has tells.
1. The Sender Domain Doesn't Exactly Match
The display name can say anything — the actual email address is what matters. phishshield.in becomes phishshie1d.in (number 1 instead of letter l). Always check the full domain in the From address.
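A small checker for this red flag, added here as an example (it is not PhishShield's code and not part of the original post): it pulls the real address out of a From header, ignores the display name, and folds common glyph swaps such as 1/l, 0/o and rn/m so that phishshie1d.in normalises to the same string as phishshield.in. The confusables table and the expected domain are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed table of glyph swaps seen in look-alike domains (not exhaustive).
# Multi-character sequences are folded before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
}


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From header; the display name is ignored."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip()


def skeleton(domain: str) -> str:
    """Fold confusable glyphs so a look-alike normalises to the genuine domain.

    Capital I is mapped to l before lower-casing: DNS is case-insensitive, so
    'phishshieId.in' is a valid domain that renders almost like 'phishshield.in'.
    """
    s = domain.replace("I", "l").lower()
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, repl)
    return s


def check_sender(from_header: str, expected_domain: str) -> str:
    """Classify the sending domain against the domain the mail claims to be from."""
    raw = sender_domain(from_header)
    dom, exp = raw.lower(), expected_domain.lower()
    if not dom:
        return "no_address"
    if dom == exp:
        return "match"
    if any(label.startswith("xn--") for label in dom.split(".")):
        return "idn"  # punycode label: Unicode look-alike possible, inspect the decoded form
    if skeleton(raw) == skeleton(exp):
        return "lookalike"
    if exp in dom or skeleton(exp) in skeleton(raw):
        return "embedded_brand"  # genuine name used as a sub-label of an unrelated domain
    return "other"


if __name__ == "__main__":
    for header in ('"PhishShield Security" <security@phishshield.in>',
                   "PhishShield Support <security@phishshie1d.in>",
                   "<it@phishshieId.in>",
                   "<alerts@phishshield.in.login-verify.example>",
                   '"support@phishshield.in" <helpdesk@mailer-update.example>'):
        print(f"{check_sender(header, 'phishshield.in'):16} {header}")
```

The last sample header shows why the display name is ignored: the quoted part is free text that an attacker can set to a legitimate-looking address, while parseaddr returns only the angle-bracketed address that mail is actually sent from. The skeleton function covers ASCII tricks only; a punycode label is reported separately so it can be decoded and inspected.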
2. Unexpected Urgency or Threats
"Your account will be suspended in 24 hours." Urgency is the attacker's tool for bypassing critical thinking. Legitimate organizations give you time.
3. Requests for Credentials, OTPs, or Payment
No legitimate company will ever ask for your password, OTP, or payment details via email. Navigate to the website directly by typing the URL.
4. Mismatched or Suspicious Links
Before clicking any link, hover over it to see the actual destination URL. Red flags: domain doesn't match the sender's company, URL contains random characters, or uses a URL shortener.
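The hover check above can be automated for a whole message. The following is an added example, not code from the post or from PhishShield: it extracts every link from an HTML body, compares the visible link text with the real href, and flags links whose domain differs from the sender's, links that point at a raw IP address, and links that go through a URL shortener. The sample body, the shortener list and the sender domain are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample list of shortener hosts; a production filter would use a maintained list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed sample body: one genuine link and three that should raise flags.
SAMPLE_HTML = """
<p>Your mailbox will be suspended in 24 hours unless you verify it.</p>
<a href="https://phishshield.in.account-check.example/login">https://phishshield.in/login</a>
<a href="https://bit.ly/3xmpl">Download the attached statement</a>
<a href="https://phishshield.in/help">Help centre</a>
<a href="http://203.0.113.7/verify">Verify now</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def base_domain(host: str) -> str:
    """Last two labels. Simplification: real code should consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Visible text that itself looks like a URL, so the reader expects to land on that host.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def link_flags(href: str, text: str, sender_domain: str) -> list:
    flags = []
    host = host_of(href)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("ip_address_host")
    if base_domain(host) in SHORTENERS:
        flags.append("url_shortener")
    if base_domain(host) != base_domain(sender_domain.lower()):
        flags.append("domain_not_sender")
    if LOOKS_LIKE_URL.match(text) and host_of(text) != host:
        flags.append("text_host_mismatch")
    return flags


def audit_links(html: str, sender_domain: str) -> list:
    """Return (href, flags) for every http(s) link in the body; empty flags means nothing suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, link_flags(href, text, sender_domain))
            for href, text in parser.links if not href.lower().startswith("mailto:")]


if __name__ == "__main__":
    for href, flags in audit_links(SAMPLE_HTML, "phishshield.in"):
        print(", ".join(flags) or "ok", "->", href)
```

The first sample link is the classic case: the text reads https://phishshield.in/login, but the href host is account-check.example with the brand name merely used as a leading sub-label. base_domain is deliberately naive (two labels), so a sender at a country-code second-level domain such as example.co.uk would need the public suffix list to compare correctly.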
5. Generic Salutation
"Dear Customer", "Dear User" — legitimate companies know your name and use it.
6. Unexpected Attachments
Enable macros = instant compromise
A common attack: send a Word document saying 'Enable content' to view it. The macro runs malware the moment you click enable. Legitimate documents never require macros.
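A mail gateway or analyst can tell whether an Office attachment carries a macro project before anyone is asked to click "Enable content". The check below is an added example and not PhishShield's code: modern Office files are zip containers, and a VBA project is stored as a vbaProject.bin part inside them, so the presence of that part is what matters, not the file extension. Legacy binary .doc and .xls files use the OLE compound format instead and are only flagged for manual inspection here. The sample documents are constructed stand-ins built in memory, not real Word files.

```python
import io
import os
import zipfile

# Magic bytes of the OLE2 compound file format used by legacy .doc/.xls/.ppt.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that declare macro support; treated as macro-enabled even without a project part.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file contains a VBA project part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_verdict(filename: str, data: bytes) -> str:
    """Classify an attachment by content first, extension second."""
    ext = os.path.splitext(filename.lower())[1]
    if data.startswith(OLE_MAGIC):
        return "legacy_office_inspect"  # binary format: macros possible, needs an OLE parser
    if has_vba_project(data):
        return "macro_enabled"  # a .docx renamed from .docm still carries the project
    if ext in MACRO_EXTENSIONS:
        return "macro_enabled"
    return "no_macros"


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal zip container standing in for a .docx/.docm; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_sample_ooxml(False)),
        ("invoice.docx", build_sample_ooxml(True)),   # macro project hidden behind a .docx name
        ("invoice.docm", build_sample_ooxml(False)),
        ("report.doc", OLE_MAGIC + b"\x00" * 32),
    ]
    for name, blob in samples:
        print(f"{attachment_verdict(name, blob):24} {name}")
```

The second sample is the reason to inspect content rather than names: renaming a macro document to .docx does not remove the project part. For the legacy verdict, a tool such as oletools is needed to parse the OLE streams; this example only recognises the format.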
7. Requests to Bypass Normal Procedures
"Don't tell anyone yet." "Process this wire transfer before approval gets routed." Legitimate executives use standard procedures.
8. Inconsistent Branding or Design
Slightly wrong logo colors, outdated branding, mismatched fonts. Compare suspicious emails to legitimate ones from the same sender.
9. Confirms Something You Didn't Request
"Your password was changed." If you receive a confirmation for something you didn't do, navigate to the service directly to verify — don't click 'Cancel this' in the email.
10. Asks You to Verify by Logging In via a Link
Never follow an emailed link to a login page. Open a new tab and navigate directly to the website.
The one rule that prevents most phishing
If an email creates urgency and asks you to click a link or open an attachment, pause for 10 seconds. Ask yourself: was I expecting this? Can I verify it through another channel? If the answer is no, report it to IT.
Written by
Priya Sharma
Threat Intelligence Analyst at PhishShield