Why Phishing Works — And Why It Keeps Working

Phishing is the practice of tricking you into revealing credentials, downloading malware, or transferring money by impersonating a trusted entity. Despite decades of awareness campaigns, phishing remains the most common initial attack vector in cybersecurity incidents. The reason is simple: attackers are getting better at it, and a convincing email only needs to fool you once.

10 Red Flags That Signal a Phishing Email

1. Urgency or Fear-Based Language

Phrases like "Your account will be suspended in 24 hours", "Immediate action required", or "Unusual sign-in activity detected" are designed to bypass your rational thinking and make you act fast. Legitimate companies send these kinds of messages occasionally, but always verify through the official website or app — never by clicking the email link.

2. Mismatched or Suspicious Sender Address

Look beyond the display name. An email might show "PayPal Security" as the sender name, but the actual email address could be support@paypal-security-alert.net — which has nothing to do with PayPal. Always hover over or expand the sender field to see the real address.

3. Generic Greetings

Emails beginning with "Dear Customer," "Dear User," or "Hello Account Holder" are suspicious. Your bank knows your name. Phishing emails are often sent in bulk and use generic salutations because they don't have your real name.

4. Suspicious Links That Don't Match the Destination

Before clicking any link, hover your mouse over it to see the actual URL in your browser's status bar. A link displayed as "www.amazon.com" might lead to "www.amaz0n-login.ru". On mobile, press and hold the link to preview the URL.

5. Unexpected Attachments

Be extremely wary of unexpected email attachments, especially files with extensions like .exe, .zip, .docm, or .pdf from unknown senders. Even Word documents can contain malicious macros. If you weren't expecting a file, confirm with the sender via a separate channel before opening it.

6. Requests for Sensitive Information

Legitimate organizations — banks, government agencies, tech companies — will never ask for your password, Social Security number, credit card PIN, or one-time codes via email. Any email requesting this is a phishing attempt, full stop.

7. Poor Grammar and Spelling

While sophisticated phishing emails are increasingly well-written, many still contain grammatical errors, awkward phrasing, or inconsistent formatting. These are signs the email didn't originate from a professional organization's communications team.

8. Mismatched Branding

Phishers copy logos and email templates, but they often get details wrong — slightly off colors, stretched logos, different fonts, or outdated branding. Compare suspicious emails to recent legitimate ones from the same company.

9. The "Reply-To" Address Is Different

Some phishing emails use a legitimate-looking "From" address but set a different "Reply-To" address so that when you respond, your data goes to the attacker. Check both fields before replying to any sensitive request.

10. Offers That Seem Too Good to Be True

You didn't win a lottery you never entered. That famous person isn't offering you a personal investment opportunity. Prize notifications, inheritance schemes, and miracle investment returns are all phishing or scam attempts.
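Several of these red flags (1, 2, 3, 4 and 9) can be checked mechanically from the raw message, which is how mail gateways do first-pass triage. The following is an added example, not code from the original article: it parses one raw email with Python's standard library and lists the red flags that fire. The sample message is constructed; its look-alike domains are the ones quoted above and the Reply-To domain mailbox-reply.example is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENT = ("immediate action required", "will be suspended", "unusual sign-in activity")
GENERIC = ("dear customer", "dear user", "hello account holder")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple HTML only


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_red_flags(raw):
    """Return the red flags (numbered as in the article) that fire on one raw RFC 5322 message."""
    msg, flags = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom, reply_dom = domain(addr), domain(parseaddr(msg.get("Reply-To", ""))[1])
    label = from_dom.split(".")[-2] if "." in from_dom else from_dom  # 'paypal' of paypal.com
    # Flag 2: a brand word from the display name buried inside a longer look-alike label
    if any(w != label and w in label for w in re.findall(r"[a-z]{4,}", name.lower())):
        flags.append(f"display name '{name}' does not match sending domain {from_dom}")
    if reply_dom and reply_dom != from_dom:  # Flag 9
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    text = msg.get("Subject", "").lower()
    for part in msg.walk():  # handles both single-part and multipart messages
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            text += body.lower()
            for href, shown in ANCHOR.findall(body):  # Flag 4: displayed host vs real host
                shown = re.sub(r"<[^>]+>", "", shown).strip()
                if "." in shown and " " not in shown:  # only when the visible text looks like a URL
                    shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
                    if shown_host != urlparse(href).hostname:
                        flags.append(f"link shown as {shown} really points to {urlparse(href).hostname}")
    flags += [f"urgency phrase '{p}'" for p in URGENT if p in text]  # Flag 1
    flags += [f"generic greeting '{g}'" for g in GENERIC if g in text]  # Flag 3
    return flags


# Constructed sample: look-alike domains are those quoted in the article, the Reply-To domain is made up.
SAMPLE = """\
From: PayPal Security <support@paypal-security-alert.net>
Reply-To: recover@mailbox-reply.example
Subject: Immediate action required
Content-Type: text/html

<p>Dear Customer, your account will be suspended in 24 hours.</p>
<p>Sign in at <a href="https://www.amaz0n-login.ru/x">www.amazon.com</a></p>
"""
```

The heuristics deliberately err toward flagging, so treat a non-empty result as a reason to verify through the official site or app rather than as a verdict.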

What to Do If You Receive a Phishing Email

  • Don't click links or open attachments
  • Report it as phishing or spam in your email client
  • Forward it to the impersonated company's abuse address (e.g., phishing@paypal.com)
  • Delete the email
  • If you accidentally clicked a link, change your passwords immediately and scan your device

The Golden Rule

When in doubt, go directly to the official website by typing the URL in your browser — never through a link in an email. This single habit eliminates the vast majority of phishing risk.