Phishing Is Still the #1 Attack Vector
Despite decades of awareness campaigns, phishing emails remain one of the most effective tools in a cybercriminal's arsenal. Why? Because they exploit human psychology — urgency, fear, curiosity — rather than technical vulnerabilities. Modern phishing attempts can be highly convincing, mimicking real brands with near-perfect accuracy. Knowing what to look for is your best defense.
8 Red Flags That Signal a Phishing Email
1. Urgency and Pressure Tactics
Subject lines like "Your account will be suspended in 24 hours!" or "Immediate action required" are designed to short-circuit rational thinking and push you to click before you think. Legitimate companies rarely issue extreme ultimatums via email without prior contact.
2. Mismatched or Suspicious Sender Address
The display name might say "PayPal Support" but always check the actual email address. Phishing addresses often look like support@paypa1-security.com or noreply@paypal.accounts-verify.net — the domain after the @ is the tell. Hover over the sender name to reveal it.
3. Generic Greetings
Emails from real services you use will typically address you by name. Greetings like "Dear Customer", "Dear User", or "Dear Account Holder" suggest the sender doesn't actually know who you are — a sign of mass phishing.
4. Suspicious Links (That Don't Match Where They Go)
Before clicking any link, hover your mouse over it to preview the URL in your browser's status bar. If the visible link says paypal.com but the hover URL shows login-paypal.malicious-site.com, that's a clear phishing indicator. Never click first and check second.
5. Unexpected Attachments
Unsolicited attachments — especially .exe, .zip, .docm, or .xlsm files — are a major red flag. These may contain malware that installs itself the moment you open them. Be equally cautious of PDFs requesting you to "enable macros."
6. Requests for Sensitive Information
Legitimate organizations — banks, government agencies, reputable tech companies — will never ask you to confirm passwords, social security numbers, or full credit card details via email. If an email asks for this, it is almost certainly fraudulent.
7. Poor Grammar and Spelling
While some phishing emails are now well-written (especially AI-generated ones), many still contain awkward phrasing, inconsistent formatting, or obvious spelling errors. Large companies have professional communications teams — typos in official correspondence are a warning sign.
8. Unexpected "Confirmations" for Things You Didn't Do
Emails claiming you've just made a purchase, changed your password, or signed in from a new location — when you haven't — are designed to create panic. Rather than clicking the email's link, go directly to the service's website by typing the address in your browser.
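To show how red flags 2 and 4 can be checked mechanically rather than by eye, here is an added Python example (not part of the original article) that parses a raw message, compares the From display name against the sender's actual domain, and compares each link's visible text with where its href really points. The brand-to-domain table and the sample message are constructed for the illustration, and the registrable-domain helper is a deliberate simplification of what a mail filter would use.

```python
import email, email.policy, email.utils, re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names seen in display names, mapped to the domains the real brand mails from (constructed).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}
def _registrable(host):
    parts = host.lower().strip(".").split(".")  # crude last-two-labels approximation
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class _LinkCollector(HTMLParser):  # gathers (visible text, href) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def red_flags(raw_message):
    """Return descriptions of red flags 2 and 4 found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    display, addr = email.utils.parseaddr(str(msg.get("From", "")))
    sender_dom = _registrable(addr.rpartition("@")[2])
    flags = []
    # Red flag 2: the display name claims a brand, but the address domain is not the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_dom not in domains:
            flags.append(f"sender domain {sender_dom!r} does not belong to {brand}")
    collector = _LinkCollector()
    collector.feed(body.get_content() if (body := msg.get_body(preferencelist=("html",))) else "")
    # Red flag 4: the visible link text names a domain, but the href goes elsewhere.
    for text, href in collector.links:
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        target = urlparse(href).hostname or ""
        if shown and _registrable(shown.group(0)) != _registrable(target):
            flags.append(f"link text {text!r} points to {target!r}")
    return flags
# Constructed sample message built from the lookalike addresses quoted in the article.
SAMPLE = b"""From: "PayPal Support" <support@paypa1-security.com>
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p><p>Visit <a href="http://login-paypal.malicious-site.com/verify">paypal.com</a> now.</p>
"""
```

Running `red_flags(SAMPLE)` reports both the lookalike sender domain and the link whose text says paypal.com but whose target is malicious-site.com; a genuine mail from service@paypal.com linking to www.paypal.com produces no flags.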
What to Do If You Receive a Suspicious Email
- Don't click any links or download attachments.
- Report it using your email client's "Report Phishing" or "Mark as Spam" feature.
- If it impersonates a real company, forward it to that company's abuse email (e.g., phishing@paypal.com).
- If you already clicked a link, change your password for that account immediately and enable 2FA.
When in Doubt, Go Directly to the Source
The single most reliable rule: if an email prompts you to take action on an account, don't use the links in that email. Open a new browser tab, navigate to the official website manually, and check your account there. This one habit neutralises the vast majority of phishing attempts.