HackMyIP

How to Spot a Phishing Attack Before It Spots You


The Attack That Starts With a Click

Phishing is the most common cyberattack on the planet. It does not require exploits, zero-days, or hacking skills. It just needs you to click a link, open an attachment, or enter credentials on a fake page. Over 90% of data breaches start with a phishing email. Here is how to spot them before they spot you.

The Anatomy of a Phishing Email

Urgency: "Your account will be suspended in 24 hours." Authority: Pretending to be your bank, boss, or a government agency. Fear: "Unauthorized login detected." Curiosity: "You have a package waiting." Every phishing email uses at least one of these psychological triggers to make you act before you think.

Red Flags in Emails

Check the sender address carefully. security@paypa1.com is not PayPal (that is a number 1, not the letter l). Hover over links before clicking and check the URL. Look for misspellings and grammar errors. Legitimate companies do not ask for passwords via email. Be suspicious of unexpected attachments, especially .zip, .exe, or Office files with macros.

Fake Websites

Modern phishing sites are pixel-perfect copies of real login pages. The only difference is the URL. Always check the domain carefully. login.google.com is real. login-google.com is not. google.com.evil-site.net is not. When in doubt, type the URL manually instead of clicking links.
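The domain checks above can be turned into a small routine. This is an added example, not code from the HackMyIP sheet: it extracts the real hostname from a URL (ignoring user@ prefixes, ports and paths), accepts only the expected domain and its genuine subdomains, and flags hosts that embed the brand name or swap digits for letters, as in paypa1.com. The digit-to-letter table is a constructed heuristic.

```python
from urllib.parse import urlsplit

# Constructed lookalike map: digits commonly substituted for letters
# in phishing domains (e.g. "paypa1" for "paypal"). Heuristic only.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def hostname_of(url: str) -> str:
    """Return the lowercase hostname, ignoring userinfo, port and path tricks."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_on_domain(host: str, expected: str) -> bool:
    """True only if host is exactly the expected domain or a real subdomain of it."""
    return host == expected or host.endswith("." + expected)


def classify_url(url: str, expected: str) -> str:
    """Classify a link as trusted, lookalike, untrusted or invalid for a given brand domain."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if is_on_domain(host, expected):
        return "trusted"  # login.google.com for google.com
    # Normalise digit-for-letter swaps and strip hyphens so embedded brand names
    # are caught (login-google.com, google.com.evil-site.net, paypa1.com).
    brand = expected.split(".")[0]
    normalised = host.translate(HOMOGLYPHS).replace("-", "")
    if brand in normalised:
        return "lookalike"
    return "untrusted"  # unrelated host, e.g. https://google.com@evil.net/


if __name__ == "__main__":
    for link in ("https://login.google.com/", "https://login-google.com/",
                 "https://google.com.evil-site.net/", "https://google.com@evil.net/"):
        print(f"{link:40} -> {classify_url(link, 'google.com')}")
```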

Spear Phishing

While regular phishing casts a wide net, spear phishing targets you specifically. The attacker researches your name, job, colleagues, and recent activity to craft a convincing personalized message. "Hey, here is the report from yesterday's meeting" from someone who looks like your coworker is much harder to spot than a generic Nigerian prince email.

What Happens After You Click

You enter your credentials on a fake page. The attacker now has your username and password. They log into your real account immediately (often within minutes). They change your password, add their own 2FA, and lock you out. Then they use your account to phish your contacts. The chain continues.

Protecting Yourself

Enable two-factor authentication on everything; it stops most phishing attacks even if you give up your password (hardware security keys and passkeys also resist the real-time relay attacks that can defeat one-time codes). Use a password manager: it only auto-fills on the exact domain it saved the credential for, so it will not fill in a lookalike domain. Verify your DNS settings to make sure you are not being redirected by a compromised network. Check your IP exposure regularly.

When In Doubt

Do not click the link. Go directly to the website by typing the URL. Call the company using a number from their official website, not from the suspicious email. Report phishing emails to your IT department or email provider. One moment of caution can prevent months of damage.

Last updated: April 2026