How to Spot Phishing Emails: A Visual Guide with Real Examples

TempMailSpot Editorial Team

Learn to identify phishing emails with real-world examples and a comprehensive red flags checklist. Plus, what to do if you've already clicked a suspicious link.

Most phishing emails give themselves away in three places: the real sender address (not the friendly display name), the true destination of a link (hover, don't click), and a request for urgency or secrecy that a legitimate company would never put in an email. If those three check out and you are still asked to "verify" a password or move money, treat it as hostile until proven otherwise.

This matters because phishing is now the single most-reported internet crime in the United States. The FBI's Internet Crime Complaint Center logged 298,878 phishing/spoofing complaints in 2023, more than five times the next category, and the attacks work fast: Verizon found the median time for someone to fall for a phishing email is under 60 seconds. This guide shows you what real phishing looks like, gives you a checklist you can run in those 60 seconds, and tells you exactly what to do if you already clicked.

Key takeaways

  • Run three checks on any unexpected email: the real sender address, the link's true destination on hover, and whether it manufactures urgency or secrecy.
  • Phishing is now the most-reported internet crime in the US (298,878 FBI complaints in 2023) and succeeds fast, with a median time to fall for it of under 60 seconds.
  • A padlock or HTTPS proves only that the connection is encrypted, not that the site is genuine; judge a link by its domain.
  • Microsoft is the most-impersonated brand (38% of brand phishing in Q1 2024) and social media has overtaken banking as the top target sector (37.6%).
  • If you clicked: disconnect, change the password from another device, enable 2FA, and call your bank if money was exposed.
  • Use a disposable address for low-stakes signups so a breach exposes a dead inbox rather than your primary identity.

The three checks that catch most phishing

Phishing is a social-engineering attack: someone impersonates a service you trust to make you reveal a credential, click a malicious link, or open a hostile attachment. You do not need to be a security expert to catch the majority of it. You need a short, repeatable routine.

1. Read the real sender address, not the display name

The display name ("PayPal Security", "Microsoft 365") is just a label the sender chooses. The address after it is what matters. A genuine PayPal notice comes from a @paypal.com domain; a fake one comes from something like security@paypal-alerts-verify.com or a free Gmail/Outlook account dressed up with a corporate name. Look-alike domains are the classic tell: micr0soft.com (zero for o), paypa1.com (one for l), arnazon.com (rn for m). If the reply-to address differs from the visible sender, that is another flag.

2. Hover every link before you click

The blue "Verify account" text can point anywhere. On a desktop, hover over the link and read the status bar; on mobile, press and hold to preview the URL. You are checking whether the domain you see matches the company you expect. account-security.microsoft.com is plausible; microsoft.account-verify.ru is not. HTTPS and a padlock prove nothing here, because attackers get free certificates too, so a padlock only means the connection is encrypted, not that the site is honest.

3. Distrust manufactured urgency and secrecy

Real companies rarely give you 24 hours to act or your account dies. Phishing leans on pressure ("permanent suspension", "final notice") and, in workplace scams, secrecy ("keep this between us", "I'm in meetings, just handle it"). The emotion is the payload. Verizon's finding that people fall in under a minute is exactly why: the message is engineered to make you act before you think.

If all three checks pass and the email still wants a password, a payment, or a code, do not act inside the email. Open a new tab and go to the service directly.

Four real phishing patterns, and how to read them

These are not hypothetical. Each maps to a campaign type seen repeatedly in the wild, and each is chosen because the data says it is common. We list the tells so you can recognise the shape, not memorise one example.

The fake Microsoft login

Microsoft is the brand attackers impersonate most. Check Point Research found it accounted for 38% of all brand-phishing attempts in Q1 2024, the largest share of any brand. The email looks like a clean Microsoft 365 notice: "Your password expires today", with a "Keep my password" button.

The tells: the sender is something like office365-admin@microsoft-notifications.net, not a @microsoft.com or @accountprotection.microsoft.com domain. Microsoft does not ask you to renew a password through an email button. The button leads to a pixel-perfect login page on a domain that is not Microsoft's. It works because losing access to a work account is a real fear, and these notices feel routine.

The social-media account alert

Social platforms have overtaken banks as the top phishing target. APWG's data for Q1 2024 put social media at 37.6% of all phishing attacks, well ahead of online-payment services at 7.2%. The bait is usually "Suspicious login from a new device" or "Your account will be disabled for a policy violation", with a button to "secure your account".

The tells: the link goes to a look-alike domain (facebook-security-check.com) rather than the platform itself, and the message wants your password rather than directing you to in-app settings. Real platforms surface security alerts inside the app, not only by email.

The unexpected order or invoice

You get a receipt for something you never bought, perhaps a $1,299 phone or a renewed subscription, with a phone number or link to "cancel" or "dispute" the charge. The goal is panic. You think "I didn't order this", and you call the number or click before checking your real account.

The tells: the email pushes you to a link or a phone number instead of telling you to open the retailer's app. Order numbers and item descriptions are generic. The "support" line is staffed by the scammers. The fix is boring and reliable: ignore the email's buttons, open the retailer directly, and check your actual order history.

Business email compromise (the boss who needs a wire)

This is the most expensive variety by far. The FBI attributes $2.9 billion in 2023 losses to business email compromise alone. A finance employee gets an email that appears to be from the CEO: an urgent, confidential wire transfer for an acquisition or vendor payment.

The tells: the display name matches the executive but the address is subtly wrong or a free webmail account; the request is unusual (executives rarely initiate wires by email); and there is heavy emphasis on speed and secrecy. The defence is procedural, not technical: verify any payment request through a second channel you already trust, such as a phone call to a known number.

The 60-second red-flag checklist

Run this on any unexpected email that asks you to do something. If two or more lines trip, stop and verify through the company's real website or app before you touch a link.

Check            | Legitimate email                     | Phishing signal
Sender address   | Matches the official domain exactly  | Look-alike domain, free webmail, reply-to differs
Greeting         | Uses your name or account detail     | "Dear Customer", "Dear User", no specifics
Tone             | Informational, no countdown          | Urgency, threats, secrecy, "act now"
Links (on hover) | Go to the real domain                | Mismatched domain, IP address, URL shortener
Request          | Never asks for a password by email   | Wants credentials, codes, or payment
Attachments      | Expected, common file type           | Unexpected .exe/.scr/.js, double extension like invoice.pdf.exe
QR codes         | Rare in routine email                | A code that replaces a normal link (see below)
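As an added example (not code from this guide or from TempMailSpot), here is a small Python triage script that runs the sender, reply-to, urgency and hover-link checks above over a raw message; the brand-to-domain map, the urgency word list and the sample email are constructed assumptions, and the look-alike test is a deliberately crude heuristic.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a hand-maintained map of brand keyword -> domains that brand really mails from.
BRANDS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"},
          "microsoft": {"microsoft.com", "accountprotection.microsoft.com"}}
OFFICIAL = {d for ds in BRANDS.values() for d in ds}
URGENCY = re.compile(r"24 hours|final notice|permanent|suspend|act now|verify your account", re.I)

def domain_of(header):
    # Domain of the address inside a header such as '"PayPal Security" <x@host>'
    return parseaddr(str(header))[1].rpartition("@")[2].lower()

def normalise(domain):
    """Undo the substitutions the guide lists: 0 for o, 1 for l, rn for m."""
    return domain.replace("0", "o").replace("1", "l").replace("rn", "m")

def is_lookalike(domain):
    """True when a domain evokes a brand but is not a domain the brand actually owns."""
    official = any(domain == o or domain.endswith("." + o) for o in OFFICIAL)
    return not official and any(b in normalise(domain) for b in BRANDS)

def triage(raw):
    """Run the checklist over a raw RFC 822 message and return the red flags it trips."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender = domain_of(msg.get("From", ""))
    if is_lookalike(sender):
        flags.append(f"sender domain imitates a brand: {sender}")
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        flags.append(f"reply-to domain differs from sender: {reply_to}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        flags.append("urgency or threat language")
    for url in re.findall(r"""href=["']([^"']+)["']""", text):  # where the link really goes
        host = (urlparse(url).hostname or "").lower()
        if is_lookalike(host) or re.fullmatch(r"\d+(\.\d+){3}", host):
            flags.append(f"link points to a suspicious host: {host}")
    return flags

# Constructed sample message modelled on the guide's fake-PayPal pattern.
SAMPLE = """\
From: "PayPal Security" <security@paypal-alerts-verify.com>
Reply-To: billing-desk@outlook.com
Subject: Final notice: your account will be permanently suspended
Content-Type: text/html; charset=utf-8

<p>Unusual activity detected. <a href="http://paypa1.com/login">Verify now</a>.</p>
"""
```

Calling triage(SAMPLE) returns four flags (look-alike sender, differing reply-to, urgency wording, look-alike link host); a genuine notice from paypal.com with a link to paypal.com trips none of them.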

Watch for QR codes in attachments

A newer trick called "quishing" hides the malicious link inside a QR code, often embedded in a PDF, to slip past filters that scan text links. Barracuda researchers identified more than half a million phishing emails with QR codes embedded in PDFs in a single three-month window in 2024. If an email asks you to scan a code to "verify", "reactivate", or view a document, treat it exactly like a suspicious link: do not scan it on instinct, and confirm through the service directly.

The reason a checklist beats intuition is volume. Kaspersky measured 47.27% of all email sent worldwide in 2024 as spam, so a fraudulent message is not a rare event you can spot by feel; it is a constant stream. A routine you run every time scales; vigilance that depends on mood does not. For a deeper, printable version, see our email security checklist.

Why even careful people get caught

It is tempting to think phishing only fools the careless. The evidence says otherwise. Proofpoint reported that 71% of working adults admitted to a risky action in the past year, such as reusing a password, clicking a link from an unknown sender, or handing over credentials. Of those risk-takers, 96% did so knowing the danger, meaning 68% of all employees willingly undermined their organisation's security. Awareness is not the same as a habit.

Three forces work against you. The first is speed: when the median time to fall for a phish is under a minute, there is no time for second thoughts unless you have built the pause in advance. The second is design quality. The era of broken-English scams is over; modern phishing pages are pixel-perfect clones. The third is scale and success rate: Proofpoint found 71% of surveyed organisations suffered at least one successful phishing attack in 2023. The attackers only need one click.

A stolen credential has real resale value, which is why the volume keeps climbing. IBM puts the average cost at $169 per compromised record, and the supply of leaked addresses to target is enormous: Have I Been Pwned tracks over 17.5 billion compromised accounts. Your address is very likely already in a breach somewhere, which is exactly how attackers know which services to impersonate when they email you.

What to do if you already clicked

Clicking a link is not game over. What you typed or downloaded next is what matters. Move quickly and in order.

  1. Stop and disconnect. Do not enter anything else. If you are looking at a fake login page, close it. If a file started downloading, delete it and do not open it. Disconnecting Wi-Fi or Ethernet limits any malware that did run.
  2. Work out what actually happened. A bare click with no input is the lowest risk, though a download may have been attempted. Entering a password means assume the account is compromised. Entering card or bank details means assume fraud is imminent. Opening a file means assume the device may be infected.
  3. Change the password from a different, trusted device, and turn on two-factor authentication. If you reused that password anywhere else, change it there too; credential stuffing across reused passwords is how one phish becomes ten breaches.
  4. If money was exposed, call your bank or card issuer now, ask for a new card number, and place a fraud alert. Speed matters more than embarrassment.
  5. If you downloaded or opened a file, run a full scan with your antivirus, then a second-opinion scan, and check for unfamiliar programs installed recently.
  6. Report it (next section) and keep a screenshot for evidence.

Most "I clicked" moments are not catastrophic exposures of a bank login. The lower-stakes cases are codes and passwords entered for accounts that should have been signed up with a throwaway address in the first place, which is the whole point of the next section.

How to report phishing, and shrink your future exposure

Reporting takes a minute and helps the providers tune their filters for everyone.

In Gmail, open the message, use the three-dot menu, and choose "Report phishing." In Outlook, use the "Junk" dropdown and select "Phishing." You can forward phishing to the Anti-Phishing Working Group at reportphishing@apwg.org, and in the US to the FBI at ic3.gov. Most impersonated brands also take reports directly, for example spoof@paypal.com and phish@office365.microsoft.com.

Reduce how much phishing reaches you at all

Detection is the last line of defence. The cheaper move is to give attackers fewer places to find you. Every site you hand your primary address creates another record that can leak in a breach and another way for a phisher to learn which services you use. The fix is compartmentalisation: keep your real address for accounts that matter and use a disposable one for everything else.

That is what a tool like TempMailSpot is for. It is a free, no-registration inbox: open it and an address is ready, with new mail appearing automatically within seconds (it polls quickly at first, then eases off). The inbox lasts ten minutes by default and you can extend it as long as you need. Unlike most receive-only rivals, it can also send a reply behind a CAPTCHA, and you can export anything that arrives to PDF, JSON, or EML if you need a record. Use it for free trials, one-time downloads, forum signups, and Wi-Fi portals, anywhere you would otherwise burn your real address.

A disposable inbox is not a phishing filter; it is a smaller target. When a throwaway address shows up in a breach, the attacker learns nothing about you and has nowhere to reach you. For the wider habits that pair with this, see our guide to protecting your privacy online.

Phishing works because it rents your trust and your urgency for the few seconds it takes to click. You can take both back with a routine that never changes: read the real sender address, hover the link, and refuse to act on manufactured pressure. When something still feels off, leave the email entirely and reach the company through a tab you opened yourself.

The numbers make the case for treating this as a daily habit rather than an occasional worry. Phishing is the most-reported internet crime in the US, it succeeds in under a minute, and roughly half of all email is junk to begin with. None of that requires fear. It requires a checklist you run every time, and fewer places where your address can be found in the first place. Keep your primary inbox for what matters, and open a disposable one for everything else.

Sources

  1. FBI Internet Crime Complaint Center, Internet Crime Report 2023 (2024)
  2. Verizon, Data Breach Investigations Report 2024 (2024)
  3. Proofpoint, State of the Phish Report 2024 (2024)
  4. Kaspersky Securelist, Spam and phishing in 2024 (2025)
  5. IBM, Cost of a Data Breach Report 2024 (2024)
  6. Have I Been Pwned, Pwned Websites Database (2025)
  7. Proofpoint, Proofpoint's 2024 State of the Phish Report: 68% of Employees Willingly Gamble with Organizational Security (2024)
  8. Anti-Phishing Working Group (APWG), Phishing Activity Trends Report, 1st Quarter 2024 (2024)
  9. Check Point Research, Microsoft and Google Top the List in Q1 2024 Phishing Attacks: Check Point Research Highlights a Surge in Cyber Threats (2024)
  10. Barracuda Networks, Threat Spotlight: The evolving use of QR codes in phishing attacks (2024)
