How to Spot Phishing Emails and Fake Websites
Phishing Is the Number One Cyber Threat
Phishing remains the most common way an attack starts, and the step everything that follows depends on. In 2026, AI-generated phishing is more convincing than ever: the obvious spelling errors and crude formatting are gone, and the wording of a modern phishing email is often indistinguishable from a legitimate one. The checks below therefore lean on what an attacker cannot fake as easily: where the message really came from, where the link really goes, and what the page asks you to do.
Red Flags in Emails
Urgency and threats: "Your account will be closed in 24 hours" or "Unauthorized login detected — verify immediately." Legitimate companies rarely impose deadlines like this; the point is to make you act before you check.
Sender address mismatch: The display name says "PayPal" but the message comes from paypal-security@random-domain.com. Always look at the actual address, and at the domain in it, not just the name shown. A Reply-To that points to a different domain is the same trick one step later.
Generic greetings: "Dear Customer" instead of your name. A company you hold an account with knows who you are.
Unexpected attachments: Especially .zip and other archives, .exe and other executables, and Office files with macros (.docm, .xlsm). A double extension such as Invoice.pdf.exe is an executable, whatever icon it shows.
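The four red flags above can be checked mechanically from a raw message, which is useful for triaging a mailbox or writing a mail-filter rule. The following is an added example, not code from this page or its tools: it parses a message with Python's standard email library and reports the display-name/address mismatch, a Reply-To that diverges from From, the receiving server's DMARC verdict, pressure language, a generic greeting, and risky attachment types. The two sample messages and the BRAND_DOMAINS allowlist are constructed for the demo; the brand list in real use would come from your own allowlist.

```python
import re
from email import message_from_string, policy

# Assumed allowlist for the demo: brand word -> the sender domains it legitimately uses.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

URGENCY = re.compile(
    r"\b(immediately|within \d+ hours|in \d+ hours|will be (?:closed|suspended|locked)|verify now|act now)\b",
    re.IGNORECASE)
GENERIC_GREETING = re.compile(r"^\s*dear (?:customer|user|member|client)\b", re.IGNORECASE | re.MULTILINE)
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".zip", ".rar", ".7z", ".docm", ".xlsm", ".pptm")


def sender_domain(header) -> str:
    """Domain of the first address in a parsed From/Reply-To header ('' if absent)."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def check_message(raw: str) -> dict:
    """Return {flag: detail} for every red flag that fires; an empty dict means none did."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {}
    from_hdr = msg["From"]
    display = (from_hdr.addresses[0].display_name if from_hdr and from_hdr.addresses else "").lower()
    from_dom = sender_domain(from_hdr)

    # 1. Display name claims a brand, but the real sender domain is not one of the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display and not any(from_dom == d or from_dom.endswith("." + d) for d in domains):
            findings["sender_mismatch"] = f"display name says {brand!r}, address is @{from_dom}"

    # 2. Replies silently go somewhere else.
    reply_dom = sender_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings["reply_to_mismatch"] = f"Reply-To @{reply_dom} differs from From @{from_dom}"

    # 3. The receiving server's own verdict: anything but dmarc=pass deserves suspicion.
    m = re.search(r"\bdmarc=(\w+)", str(msg["Authentication-Results"] or ""))
    if not m or m.group(1).lower() != "pass":
        findings["dmarc"] = f"dmarc={m.group(1) if m else 'missing'}"

    # 4/5. Pressure language, and a greeting that does not know who you are.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        findings["urgency"] = URGENCY.search(text).group(0)
    if GENERIC_GREETING.search(text):
        findings["generic_greeting"] = GENERIC_GREETING.search(text).group(0).strip()

    # 6. Executable, archive, macro-enabled, or double-extension attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
            findings["risky_attachment"] = name
    return findings


# Constructed sample messages (not real mail) exercising the checks above.
PHISH_EML = """\
From: "PayPal Service" <security-alert@paypal-security-mail.com>
Reply-To: verify@paypa1-support.com
To: customer@example.com
Subject: Action required: your account will be closed in 24 hours
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal-security-mail.com; dmarc=none header.from=paypal-security-mail.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Customer,

Unauthorized login detected. Verify immediately or your account will be suspended.
--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

LEGIT_EML = """\
From: PayPal <service@paypal.com>
To: alex@example.com
Subject: Your March statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
MIME-Version: 1.0
Content-Type: text/plain

Hi Alex,

Your statement for March is available in your account. Log in at paypal.com to view it.
"""
```

Run check_message(PHISH_EML) and all six flags fire, while check_message(LEGIT_EML) returns an empty dict. The DMARC check is the one worth keeping even when the others are tuned down: it is the receiving server's finding, written into the header before the message reached the mailbox, and it is the reason a mail from a genuinely compromised account (see Business Email Compromise below) does not trip it.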
Fake Website Warning Signs
URL inspection: Look at the domain, not the whole address. "paypa1.com" (with a 1) and "paypal-secure-login.com" are fakes. What matters is the registrable domain: the label directly before the public suffix (paypal.com, or paypal.co.uk under a country suffix). Everything to its left is a subdomain the domain owner controls, so login.paypal.com belongs to PayPal while paypal.com.secure-login.example belongs to whoever registered secure-login.example. Also watch for an @ in the address (everything before it is a username, not the site) and for internationalised domains whose characters merely look like Latin letters.
Missing HTTPS: Check for the padlock icon, but note what it means: the connection to that domain is encrypted and the certificate matches that domain. Attackers obtain certificates for their fake domains just as easily, so HTTPS is necessary, not sufficient. Check a site's TLS certificate with our SSL/TLS Checker and confirm the domain it was issued for is the one you expect.
Poor design quality: Misaligned elements, broken images, or missing pages that a real company would never have. The reverse does not hold: phishing kits clone the real site pixel for pixel, so a polished page proves nothing.
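The URL checks above come down to one question: which registrable domain does this link actually reach? The following added example (not code from this page or its SSL/TLS Checker) answers it for a URL using only Python's standard library: it extracts the registrable domain against a public-suffix list, decodes punycode labels to what the address bar would display, normalises digit and Cyrillic lookalikes before comparing with the brand, and flags the @-userinfo and URL-shortener tricks. PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List (use the tldextract package in real code), and BRAND_DOMAINS is an assumed allowlist; the test URLs are constructed for the demo.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; real code should use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "ly", "co.uk", "com.au"}
# Assumed allowlist of the brand's genuine registrable domains.
BRAND_DOMAINS = {"paypal.com", "paypal.co.uk"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

# Characters commonly swapped for Latin letters: digits plus a few Cyrillic lookalikes,
# written as escapes so the substitution is visible in the source.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})


def skeleton(label: str) -> str:
    """Normalise a label so visually similar spellings compare equal."""
    return unicodedata.normalize("NFKC", label).translate(CONFUSABLES)


def registrable_domain(host: str) -> str:
    """The label directly left of the longest matching public suffix, plus that suffix."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def analyze_url(url: str) -> dict:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    # Anything before '@' is userinfo, not the host: https://paypal.com@evil... goes to evil.
    if parts.username is not None:
        reasons.append(f"text before '@' ({parts.username!r}) is a username; the host is {host}")

    # Punycode labels render as Unicode in the address bar; recover what the user would see.
    shown = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                decoded = label.encode("ascii").decode("idna")
            except UnicodeError:
                decoded = label
            reasons.append(f"punycode label {label} is displayed as {decoded!r}")
            shown.append(decoded)
        else:
            shown.append(label)
    shown_host = ".".join(shown)

    registrable = registrable_domain(host)
    if parts.scheme != "https":
        reasons.append("not https (https alone proves nothing, but its absence is a warning)")
    if registrable in SHORTENERS:
        reasons.append("shortened URL: the real destination is hidden")

    if registrable not in BRAND_DOMAINS:
        brand_words = {d.split(".")[0] for d in BRAND_DOMAINS}
        first_label = skeleton(registrable_domain(shown_host).split(".")[0])
        if first_label in brand_words:
            reasons.append(f"registrable domain {registrable} is a lookalike of the brand")
        elif any(b in skeleton(shown_host) for b in brand_words):
            reasons.append(f"brand name appears in the host, but the registrable domain is {registrable}")

    if registrable in BRAND_DOMAINS and not reasons:
        verdict = "genuine"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "unknown"
    return {"host": host, "registrable": registrable, "verdict": verdict, "reasons": reasons}


# Constructed demo URL with a Cyrillic 'a' (U+0430) in place of the Latin one, punycoded as a browser would.
PUNYCODE_URL = "https://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/login"
```

analyze_url("https://www.paypal.com/signin") is the only input in the demo set that comes back "genuine"; paypa1.com, paypal-secure-login.com, paypal.com.account-verify.net, paypal.com@evil.example.net, a bit.ly link and PUNYCODE_URL are all "suspicious", each with the reason spelled out. A host that matches nothing is "unknown", not "safe": the checker only knows the brands you gave it.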
Advanced Phishing Tactics in 2026
AI-generated content: Phishing emails written by AI have perfect grammar and match the company's tone exactly, so wording alone no longer tells you anything.
Adversary-in-the-middle (AitM) relay: A fake login page that is really a reverse proxy to the genuine site. Everything you type, the password and then the 2FA code, is forwarded instantly, the real site accepts it, and the attacker keeps the resulting session cookie. A code-based second factor (SMS or authenticator app) does not stop this because the code is valid wherever it is typed. FIDO2 hardware keys and passkeys do stop it: the authenticator's response is bound to the site's real origin, so one produced on the fake page is rejected by the real one.
Business Email Compromise: Attackers take over a real mailbox and send from it, so the message comes from a legitimate address and passes the receiving server's SPF, DKIM and DMARC checks. Verify unusual payment or credential requests through a channel you already trust, not by replying.
QR code phishing: Malicious QR codes in physical mail and printed materials, and increasingly as an image inside an email, where link scanners cannot read the URL. Treat a scanned address with the same scrutiny as a clicked link.
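Why a relayed TOTP code works and a relayed passkey does not is easier to see in code than in prose. The following is an added simulation, not code from this page or from any real phishing kit or authentication library: it runs the two protocol exchanges side by side, with the real site, the victim's browser and the proxy as separate functions. The TOTP part is a faithful RFC 6238 implementation; the passkey part models only the piece that matters here, the origin the browser writes into clientData and the server's check of it, and uses an HMAC with a shared key as a stand-in for the ECDSA signature a real authenticator produces. REAL_ORIGIN, PHISH_ORIGIN, the password and the secrets are assumed demo values.

```python
import hashlib
import hmac
import json
import os
import struct

REAL_ORIGIN = "https://paypal.com"                 # assumed genuine site
PHISH_ORIGIN = "https://paypal-secure-login.com"   # the lookalike from the text, run as a proxy


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1); the app and the server compute the same code."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RelyingParty:
    """The real site. cred_key stands in for the registered passkey's public key: a real
    server verifies an ECDSA signature instead, but the origin check is the same."""

    def __init__(self):
        self.password = "correct horse"
        self.totp_secret = b"12345678901234567890"
        self.cred_key = os.urandom(32)
        self.pending = set()

    def login_password_totp(self, password: str, code: str, now: int) -> bool:
        return hmac.compare_digest(password, self.password) and hmac.compare_digest(
            code, totp(self.totp_secret, now))

    def new_challenge(self) -> str:
        challenge = os.urandom(16).hex()
        self.pending.add(challenge)
        return challenge

    def login_webauthn(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") not in self.pending:
            return False
        if data.get("origin") != REAL_ORIGIN:      # the check a relaying proxy cannot satisfy
            return False
        expected = hmac.new(self.cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            return False
        self.pending.discard(data["challenge"])    # one use per challenge
        return True


class VictimBrowser:
    """Browser plus authenticator. The origin written into clientData is the page the
    browser is actually on; neither the user nor the proxy can change it."""

    def __init__(self, cred_key: bytes):
        self.cred_key = cred_key

    def webauthn_get(self, page_origin: str, challenge: str) -> tuple:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            separators=(",", ":")).encode()
        signature = hmac.new(self.cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return client_data, signature


def relay_password_totp(rp: RelyingParty, now: int) -> bool:
    """Victim types password and the current app code into the fake page; the proxy
    forwards both to the real site inside the same 30-second window."""
    typed_password = "correct horse"
    typed_code = totp(rp.totp_secret, now)   # what the victim's authenticator app displays
    return rp.login_password_totp(typed_password, typed_code, now)


def relay_webauthn(rp: RelyingParty, browser: VictimBrowser) -> bool:
    """Proxy fetches a genuine challenge, hands it to the victim, forwards the assertion."""
    challenge = rp.new_challenge()
    client_data, signature = browser.webauthn_get(PHISH_ORIGIN, challenge)  # victim is on the fake page
    return rp.login_webauthn(client_data, signature)


def direct_webauthn(rp: RelyingParty, browser: VictimBrowser) -> bool:
    challenge = rp.new_challenge()
    client_data, signature = browser.webauthn_get(REAL_ORIGIN, challenge)
    return rp.login_webauthn(client_data, signature)


if __name__ == "__main__":
    rp = RelyingParty()
    browser = VictimBrowser(rp.cred_key)
    print("password + TOTP relayed:", relay_password_totp(rp, 1_700_000_000))  # True
    print("passkey relayed:        ", relay_webauthn(rp, browser))             # False
    print("passkey used directly:  ", direct_webauthn(rp, browser))            # True
```

The relayed TOTP login succeeds because nothing in a six-digit code says where it was typed. The relayed passkey fails before the signature is even checked: the browser recorded PHISH_ORIGIN in clientData, the real site expects REAL_ORIGIN, and the proxy cannot rewrite that field without invalidating the signature that covers it.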
How to Verify Suspicious Communications
Technical Protection Layers
Enable 2FA on all accounts, and prefer phishing-resistant methods: FIDO2 hardware keys or passkeys cannot be relayed through a fake page because the response is bound to the site's real origin. Authenticator apps are next best; SMS codes are weakest, since a code can be relayed in real time just like a password. Use a password manager and trust it: it fills credentials only on the exact domain they were saved for, so when it offers nothing on a page that claims to be your bank, that silence is the warning. Do not paste the password in by hand to "fix" it. Keep your browser updated; modern browsers block many known phishing sites and warn about lookalike domains. Use a filtering DNS resolver (Cloudflare 1.1.1.2 or Quad9 at 9.9.9.9) to block known malicious domains, remembering that it catches only domains already on a blocklist. Verify your DNS is properly configured with our DNS Leak Test.
If You Clicked a Phishing Link
Clicking alone rarely compromises an up-to-date browser; what matters is what happened next. If you entered a password, change it immediately, and change it anywhere else you reused it. Then sign out all active sessions for that account from its security settings: a relayed login may have captured a session cookie, and a session cookie survives a password change. Enable 2FA if you have not already. If you opened or ran a download, disconnect the machine and scan it before doing anything else on it. Check for unauthorized activity in your accounts, including sent mail and newly added forwarding rules or devices. Run our breach checker to monitor for newly exposed data. Consider a full Privacy Checkup to verify your connection is not compromised.
Frequently Asked Questions
How do I spot a phishing email?
Look for urgency or threats ("your account will be closed in 24 hours"), a sender address that does not match the display name, generic greetings like "Dear Customer," and unexpected attachments, especially .zip, .exe, or Office files with macros. Always check the actual email address, not just the name shown.
What are the signs of a phishing email?
The main signs are artificial urgency and threats, a mismatch between the display name and the real sender address, generic greetings instead of your name, and unexpected attachments. In 2026, AI-generated phishing often has perfect grammar, so do not rely on spelling mistakes alone.
How can you tell if a link is safe?
Hover over the link without clicking (on a phone, long-press it) and read the destination URL. Check that the registrable domain matches the supposed sender, be wary of shortened URLs like bit.ly in official emails, and remember that HTTPS alone is not proof of safety because attackers use it too. When in doubt, do not click at all: type the address you already know, or open the company's app, and look for the notice there.
How do I detect a phishing website?
Inspect the URL closely: lookalikes like paypa1.com (with a 1) or paypal-secure-login.com are fakes. What matters is the registrable domain, the label directly before the public suffix (paypal.com, paypal.co.uk); anything to the left of it is a subdomain, so a brand name there proves nothing. Watch for poor design quality, and check the certificate with our SSL/TLS Checker, though note that HTTPS by itself does not make a site legitimate.
What are the red flags of a phishing scam?
Urgency and threats, a sender address that does not match the brand, generic greetings, unexpected attachments, lookalike domains, and requests for information the company should already have. Modern tactics include AI-written emails, fake login pages that relay your 2FA code in real time, and QR-code phishing.