Scammers stole over $10 billion last year, and phishing emails are their favorite weapon. You don't need to be a tech expert to spot them—you just need to know where to look.

The 5-Second Check: Look at the Sender

The 'From' address is the single biggest giveaway. Legitimate companies use their own domain names, not free email services.

  1. Check for misspellings: 'amaz0n.com' or 'paypai.com' instead of the real thing.
  2. Look for free email domains: 'netflix.support@gmail.com' is a scam. Netflix would never use Gmail.
  3. Spot the missing personal touch: If your bank emails you as 'Dear Customer' instead of using your name, be suspicious.

If the sender's address looks off, delete the email immediately. Don't even open it.

The Urgency Trap and the Suspicious Link

Phishing emails create panic to bypass your logic. They threaten account closure, legal action, or promise unexpected money.

Before clicking any link, hover your cursor over it. A preview of the real web address will appear at the bottom of your screen.

  1. Mismatched text: A link saying 'Click to Secure Your Account' might lead to 'scam-site-123.ru'.
  2. Shortened URLs: Links from services like Bit.ly or TinyURL hide the destination. Don't trust them.
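  3. HTTP vs. HTTPS: Legitimate login pages use 'https://'. An 'http://' address is a major red flag. The reverse does not hold: scam sites can use 'https://' too, so treat it as a minimum, not as proof.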

If you're unsure, never click. Go directly to the company's official website by typing the address yourself.
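
The sender and link checks above can also be run by a mail filter. The following Python is an added example, not part of the original article: the domain lists, the 0.8 similarity threshold, the function names and the sample message body are assumptions made for illustration, and 'expected_domain' stands for the company the email claims to come from.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists for this example; a real filter would maintain longer ones.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
BRANDS = {"amazon.com", "paypal.com", "netflix.com"}

def sender_flags(from_header):
    """Flag a free-mail sender domain or a near-miss of a known brand domain."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    flags = ["free-mail"] if domain in FREE_MAIL else []
    for brand in sorted(BRANDS):
        # Similar but not identical spelling, e.g. one swapped character.
        if domain != brand and SequenceMatcher(None, domain, brand).ratio() >= 0.8:
            flags.append("lookalike:" + brand)
    return flags

class _Links(HTMLParser):
    """Collects the real destination (href) of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def link_flags(html_body, expected_domain):
    """Per link, report what hovering would reveal about the destination."""
    parser = _Links()
    parser.feed(html_body)
    report = {}
    for href in parser.hrefs:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        flags = [] if url.scheme == "https" else ["not-https"]
        if host in SHORTENERS:
            flags.append("shortener")
        if host != expected_domain and not host.endswith("." + expected_domain):
            flags.append("off-domain")
        report[href] = flags
    return report

# Constructed sample message body, not taken from a real email.
SAMPLE_BODY = ('<a href="http://scam-site-123.ru/login">Click to Secure Your Account</a>'
               '<a href="https://bit.ly/x1">Details</a>'
               '<a href="https://www.paypal.com/signin">Log in</a>')
```

An empty flag list means only that none of these checks fired, not that the message is safe.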

Grammar, Attachments, and the 'Too Good' Offer

Professional corporations have copy editors. Scammers often don't. Bad grammar, odd phrasing, and strange formatting are clues.

Unexpected attachments are a classic delivery method for viruses and ransomware. The FBI reports that malicious attachments are involved in 66% of all cyber incidents.

  1. Unexpected prize: 'You've won a $1,000 Walmart gift card!' from a sender you don't know.
  2. Fake invoice: An attachment labeled 'Invoice_YourOrder.pdf' for something you didn't buy.
  3. Urgent document: 'Your subpoena is attached' or 'See your tax refund details here.'

When in doubt, throw it out. Your curiosity is the scammer's best friend.

The scammer's goal isn't to create a perfect email. It's to create one good enough to fool the 5% who aren't paying attention. Your attention is your best defense.

What to Do If You Clicked

Act fast. If you entered a password on a fake site, change that password everywhere you use it immediately.

Run a full antivirus scan if you downloaded or opened an attachment. Contact your bank directly if you shared financial information.

Report the phishing attempt. Forward the email to reportphishing@apwg.org and to the impersonated company.

Your New 5-Second Defense Routine

Make this scan a habit for every unexpected email. It takes less time than brewing coffee.

  1. Second 1: Scan the sender's email address for flaws.
  2. Second 2: Read the subject and first line—is it manufacturing panic or greed?
  3. Second 3: Hover over any links (don't click!) to check the destination.
  4. Second 4: Look for spelling errors and poor formatting.
  5. Second 5: Decide: Is this legitimate, or is it trash? If unsure, it's trash.