7 min read, March 5, 2026

How to Spot a Phishing Email — 9 Warning Signs to Check Every Time

3.4 billion phishing emails are sent every day. Modern attacks are well-written, correctly branded, and nearly impossible to spot at a glance. Here are the nine signs that reliably identify every phishing email.

3.4B phishing emails sent daily
36% of data breaches involve phishing
$17,700 lost per minute to phishing

The 9 Warning Signs of a Phishing Email

1. The sender address doesn't match the display name (Critical)

The email says it's from "PayPal Support" but the actual sending address is paypal-support@secure-notifications-paypal.com. Legitimate companies send from their own domains. Check the full email address, not just the display name.

Example:

Display name: "Apple Support" | Actual address: support@apple-help-center.ru

2. The link URL doesn't match the displayed text (Critical)

Hover over any link before clicking. The URL shown in your browser's status bar should match what you expect. Phishing links commonly use: typosquatting (paypa1.com), subdomain tricks (paypal.com.evil-domain.com), or URL shorteners to hide the real destination.

Example:

Link text: "Verify your account at amazon.com" | Actual URL: amazon-account-verify.net/login
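A concrete way to automate signs 1 and 2 (this is an added example, not code from the article or from SafeSearchScan): the script below parses a From header and an HTML body, then flags any display name or link text that names a brand the real domain does not belong to, including typosquats such as paypa1.com and subdomain tricks such as paypal.com.evil-domain.example. The sender string, the HTML snippet, the brand-to-domain map and the two-label registrable-domain rule are all assumptions constructed for the example; a real deployment would use a public-suffix list and a much fuller brand list.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample inputs for this example (not taken from any real campaign).
SAMPLE_FROM = '"PayPal Support" <paypal-support@secure-notifications-paypal.com>'
SAMPLE_HTML = """
<p>Verify your account at <a href="http://amazon-account-verify.net/login">amazon.com</a></p>
<p><a href="https://paypal.com.evil-domain.example/verify">https://paypal.com/verify</a></p>
<p><a href="https://www.paypa1.com/login">PayPal login</a></p>
<p><a href="https://www.paypal.com/help">paypal.com help</a></p>
"""

# Brands the checker knows and the registrable domains they legitimately use.
# Assumption: a small hand-maintained map; a real deployment would use a fuller list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "apple": {"apple.com"},
}

# Digit-for-letter swaps used in lookalike domains (paypa1.com -> paypal.com).
LOOKALIKE = str.maketrans({"1": "l", "0": "o"})

# Domain-like tokens inside link text, e.g. "amazon.com" or "https://paypal.com/verify".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: adequate for .com-style TLDs;
    use a public-suffix list in production so that co.uk-style suffixes work."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_mentioned(text: str) -> set:
    return {brand for brand in BRAND_DOMAINS if brand in text.lower()}


def brand_mismatch_reasons(host: str, text: str) -> list:
    """Reasons why `host` is not a legitimate home for the brands `text` names."""
    actual = registrable_domain(host)
    reasons = []
    for brand in brands_mentioned(text):
        if actual not in BRAND_DOMAINS[brand]:
            reasons.append(f"mentions {brand} but real domain is {actual}")
    # Lookalike: after undoing digit swaps the domain becomes a known brand domain.
    normalised = actual.translate(LOOKALIKE)
    if normalised != actual and any(normalised in d for d in BRAND_DOMAINS.values()):
        reasons.append(f"{actual} is a lookalike of {normalised}")
    return reasons


def check_sender(from_header: str) -> list:
    """Sign 1: display name claims a brand, address domain belongs to someone else."""
    display, address = parseaddr(from_header)
    host = address.rsplit("@", 1)[-1] if "@" in address else ""
    return brand_mismatch_reasons(host, display)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def check_links(html: str) -> dict:
    """Sign 2: map each href to the reasons its visible text does not match it."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        actual = registrable_domain(host)
        reasons = []
        # (a) The text shows a domain; the link must really go to that domain
        #     (catches typosquats and subdomain tricks like paypal.com.evil-domain.example).
        for shown in DOMAIN_IN_TEXT.findall(text):
            if registrable_domain(shown) != actual:
                reasons.append(f"text shows {shown} but link goes to {actual}")
        # (b) The text names a brand; the link must go to that brand's domain.
        reasons.extend(brand_mismatch_reasons(host, text))
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for reason in check_sender(SAMPLE_FROM):
        print("sender:", reason)
    for href, reasons in check_links(SAMPLE_HTML).items():
        print(href, "->", "; ".join(reasons))
```

Run as a script it reports one finding for the sender and flags three of the four links; the genuine paypal.com help link produces no finding because its visible domain, its brand and its real registrable domain all agree.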

3. It creates extreme urgency or fear (Critical)

Phishing relies on panic overriding judgment. "Your account will be suspended in 24 hours." "Unusual sign-in detected — verify immediately." "Your payment failed — update billing now." Legitimate companies do not threaten immediate account closure via email and do not require you to "verify" by clicking a link.

Example:

"Your Apple ID has been locked. Click here within 12 hours to prevent permanent deletion."

4. It asks for personal information no legitimate company needs (High)

Banks, payment processors, and tech companies already have your password, full credit card number, and social security number. They never need to ask you to "confirm" them by email. If an email asks you to reply with sensitive information or enter it on a linked page, it's phishing.

Example:

"To verify your identity, please reply with your full card number and billing address."

5. You weren't expecting it (High)

You get a password reset email but didn't request one. A "delivery failed" notification for a package you didn't order. An invoice for a purchase you didn't make. Unsolicited messages that require action are a major red flag. Attackers know you'll click a delivery notification even without a package.

Example:

"Your DHL package has been held. Pay £2.50 customs fee to release it."

6. The email contains an unexpected attachment (High)

Invoices you didn't request, "important documents", HR policies, shipping labels — these are common pretexts for malicious attachments. Be especially suspicious of .zip, .exe, .docm, and .pdf files from unknown senders. Scan any unexpected attachment before opening.

Example:

"Please review the attached invoice INV-2026-00847.pdf — payment due within 7 days."
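As an added example (not the article's own code), here is a small attachment triage pass over a MIME message that applies the extension advice above plus two checks a mail filter would make: double extensions such as invoice.pdf.exe, and a declared Content-Type that disagrees with the file's leading bytes. The sample message, its fake payloads and the risk tiers are constructed assumptions for the example; the tiers are a starting point, not an exhaustive policy.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extension risk tiers. Assumption: a starting list for the example, not an exhaustive policy.
HIGH_RISK = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm"}
MEDIUM_RISK = {".zip", ".iso", ".pdf"}

# File signatures ("magic bytes") that reveal what a payload really is.
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]


def build_sample_message() -> bytes:
    """Constructed sample: the 'invoice' pretext from the article with five attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example-supplier.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice INV-2026-00847"
    msg.set_content("Please review the attached invoice. Payment due within 7 days.")
    msg.add_attachment(b"%PDF-1.4 fake pdf body", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # A Windows executable wearing a double extension and a PDF content type.
    msg.add_attachment(b"MZ\x90\x00 fake PE body", maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK\x03\x04 fake zip body", maintype="application",
                       subtype="zip", filename="documents.zip")
    # Macro-enabled Word files are zip containers, so the PK signature is expected here.
    msg.add_attachment(b"PK\x03\x04 fake docm body", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="HR-policy.docm")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def sniff(payload: bytes):
    """Return the file kind implied by the leading bytes, or None if unknown."""
    for signature, kind in MAGIC:
        if payload.startswith(signature):
            return kind
    return None


def triage_attachments(raw: bytes) -> dict:
    """Map each suspicious attachment filename to its severity and the reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # Keep only alphabetic suffixes so "INV-2026.00847.pdf" is not a double extension.
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes if s[1:].isalpha()]
        ext = suffixes[-1] if suffixes else ""
        reasons, severity = [], None

        if ext in HIGH_RISK:
            reasons.append(f"high-risk extension {ext}")
            severity = "high"
        elif ext in MEDIUM_RISK:
            reasons.append(f"{ext} files are a common lure; scan before opening")
            severity = "medium"
        if len(suffixes) > 1:
            reasons.append(f"double extension {''.join(suffixes)}")
            severity = "high"
        kind = sniff(payload)
        if kind == "exe" and declared not in ("application/x-msdownload", "application/octet-stream"):
            reasons.append(f"content is a Windows executable but declared as {declared}")
            severity = "high"
        if declared == "application/pdf" and kind not in (None, "pdf"):
            reasons.append(f"declared PDF but the file signature says {kind}")
            severity = "high"

        if reasons:
            report[name] = {"severity": severity, "reasons": reasons}
    return report


if __name__ == "__main__":
    for name, info in triage_attachments(build_sample_message()).items():
        print(f"{name}: {info['severity']} -> {'; '.join(info['reasons'])}")
```

The plain notes.txt attachment produces no finding, which is the point of the control: the filter reports what is risky and why rather than blocking every attachment.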

7. Generic greeting instead of your name (Medium)

"Dear Customer", "Dear User", "Hello Account Holder" — your bank knows your name. Bulk phishing campaigns use generic greetings because they target millions of people simultaneously. Personalised phishing (spear phishing) is more dangerous but uses your name to build false trust.

Example:

"Dear Valued Customer, your account requires immediate verification."

8. The email is about an account you don't have (Medium)

Phishing attacks are sent to millions of addresses at once. You may receive "your Netflix account has been suspended" even if you don't have Netflix. Attackers know a percentage will have the account — and curious non-users sometimes click anyway.

Example:

"Your Coinbase account has been temporarily restricted. Verify to restore access."

9. Email headers show the message wasn't sent from the claimed server (Medium)

Email headers contain the full technical trail of where an email originated. Legitimate emails from PayPal will have headers showing they came from PayPal's mail servers and pass SPF/DKIM/DMARC authentication. Our free email header analyzer checks all of this automatically.

Example:

Check with SafeSearchScan's email header analyzer — available free, no sign-up.


Quick-Reference Checklist

Run through this every time you receive an unexpected email

If you answered "yes" to any of these — treat the email as phishing until proven otherwise.

Common Questions

Can phishing emails come from legitimate email addresses?

Yes — this is called email spoofing. Attackers can send emails that display any "From" name and even fake the visible email address in basic mail clients. However, the actual sending server information is recorded in the email headers, which our email header analyzer can reveal. In 2026, sophisticated phishing campaigns compromise legitimate email accounts (via credential theft) and send phishing emails from real, trusted addresses — making header analysis even more important.
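Sign 9 and the spoofing question above both come down to reading the headers that the receiving server adds. The following added example (not SafeSearchScan's analyzer, and not code from the article) parses two constructed messages, reads the Authentication-Results stamped by the receiving MX for SPF, DKIM and DMARC, tests whether the DKIM signing domain and the Return-Path align with the From domain, and lists the Received hops from origin to destination. Every hostname, the mx.example.invalid receiver and the IPs (taken from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges) are assumptions made up for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed samples using reserved names and addresses (.example, .invalid,
# 192.0.2.0/24, 203.0.113.0/24); they are not real captures. SPOOFED forges the
# From address; AUTHENTIC is what an aligned, authenticated message looks like.
SPOOFED = """\
Received: from mail-out.evil-relay.example (mail-out.evil-relay.example [203.0.113.10])
    by mx.example.invalid with ESMTP id abc123; Thu, 05 Mar 2026 09:12:33 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
    by mail-out.evil-relay.example with ESMTPA id xyz789; Thu, 05 Mar 2026 09:12:31 +0000
Authentication-Results: mx.example.invalid;
    spf=fail smtp.mailfrom=bounce@evil-relay.example;
    dkim=pass header.d=evil-relay.example;
    dmarc=fail header.from=paypal.com
Return-Path: <bounce@evil-relay.example>
From: "PayPal" <service@paypal.com>
To: victim@example.invalid
Subject: Unusual sign-in detected

Verify immediately.
"""

AUTHENTIC = """\
Received: from mx1.paypal.com (mx1.paypal.com [203.0.113.20])
    by mx.example.invalid with ESMTPS id def456; Thu, 05 Mar 2026 10:00:00 +0000
Authentication-Results: mx.example.invalid;
    spf=pass smtp.mailfrom=service@paypal.com;
    dkim=pass header.d=paypal.com;
    dmarc=pass header.from=paypal.com
Return-Path: <service@paypal.com>
From: "PayPal" <service@paypal.com>
To: victim@example.invalid
Subject: Your receipt

Thanks for your purchase.
"""


def aligned(domain: str, org_domain: str) -> bool:
    """Relaxed alignment: the domain equals the From domain or is a subdomain of it."""
    return domain == org_domain or domain.endswith("." + org_domain)


def analyze_headers(raw: str, expected_mx: str) -> dict:
    """Return the From domain, the Received hops (origin first) and a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    findings = []

    # Only the Authentication-Results header stamped by our own MX can be trusted;
    # anything that arrived with the message could have been written by the sender.
    ar = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    authserv = ar.split(";", 1)[0].strip()
    if authserv != expected_mx:
        findings.append(f"Authentication-Results not stamped by {expected_mx} (untrusted)")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    for method in ("spf", "dmarc"):
        if results.get(method) != "pass":
            findings.append(f"{method} result is {results.get(method, 'missing')}")
    dkim_domain = re.search(r"header\.d=([\w.-]+)", ar)
    if results.get("dkim") == "pass" and dkim_domain and \
            not aligned(dkim_domain.group(1).lower(), from_domain):
        findings.append(f"DKIM signed by {dkim_domain.group(1)}, not by {from_domain}")

    # A Return-Path (envelope sender) that disagrees with From is a weaker signal,
    # since legitimate bulk senders sometimes use a mailing provider's domain.
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rsplit("@", 1)[-1].lower()
    if rp_domain and not aligned(rp_domain, from_domain):
        findings.append(f"Return-Path domain {rp_domain} does not align with {from_domain}")

    # Each hop prepends its own Received header, so reverse them to read origin first.
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+)", str(received).strip())
        hops.append(m.group(1) if m else "?")
    return {"from_domain": from_domain, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for sample in (SPOOFED, AUTHENTIC):
        report = analyze_headers(sample, expected_mx="mx.example.invalid")
        print(report["from_domain"], "via", " -> ".join(report["hops"]))
        print("  findings:", report["findings"] or "none")
```

For the spoofed sample the report shows the message entering from a bare IP through an unrelated relay, an SPF and DMARC failure, a DKIM signature from the relay rather than paypal.com, and a mismatched Return-Path; the authentic sample yields no findings. When a genuine account has been compromised, as the answer above describes, SPF, DKIM and DMARC will all pass, so header analysis rules out forgery but cannot prove the sender's intent.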

What should I do if I receive a phishing email?

Do not click any links, download attachments, or reply. Report it to your email provider (in Gmail: three dots menu > Report phishing; in Outlook: Report > Report phishing). If it's impersonating a specific company (your bank, PayPal, etc.), forward it to that company's phishing report address — most major organisations have one (e.g., phishing@paypal.com). This helps protect other people. Then delete it.

Are phishing emails always poorly written?

No — this is a dangerous misconception. Modern phishing emails are often perfectly written, correctly branded, and indistinguishable from legitimate communications at first glance. AI tools have made it trivial to generate fluent, convincing phishing emails in any language. The tells are now in the sender address, URL destination, unexpected urgency, and requests for information legitimate companies never ask for by email.

How do I check if an email link is safe without clicking it?

Hover your mouse over the link (without clicking) to see the actual URL in the bottom left of your browser or email client. If the displayed text says "paypal.com" but the URL shows "paypa1-secure.com" or any other domain, it's phishing. You can also right-click the link, copy the URL, and paste it into SafeSearchScan's website safety checker to analyse it without visiting the destination.