Anatomy of a phishing email: 7 tells you can spot in 10 seconds
From mismatched senders to urgency traps — a visual field guide to reading a suspicious email the way an analyst does.
Phishing works because it exploits speed. Attackers don’t need to fool you forever — they need to fool you for the four seconds it takes to click a link. The good news: almost every phishing email leaks the same handful of tells, and once you know them, you can run a ten-second scan on any suspicious message the way a security analyst does.
Here are the seven tells, in the order you should check them.
1. The sender address doesn’t match the display name
The display name is free text — anyone can set it to “Microsoft Support” or “Your Bank”. The actual address behind it is harder to fake. Tap or hover on the sender name and read the real address.
Watch for:
- Lookalike domains —
micros0ft-support.com,paypa1.com,amazon-billing.net - Free mail providers — a “bank” writing from
@gmail.com - Subdomain tricks —
paypal.com.secure-verify.iois a page onsecure-verify.io, not PayPal
If the display name and the address tell different stories, believe the address — and then trust neither.
2. Manufactured urgency
“Your account will be suspended in 24 hours.” “Unusual sign-in detected — act now.” “Final notice.”
Urgency is the engine of phishing. It’s designed to switch off the part of your brain that checks things. Real institutions almost never demand immediate action by email, and nothing legitimate gets worse because you took ten minutes to verify it through the official app or website.
The rule: the more urgent the email, the slower you should go.
3. The link doesn’t go where the text says
Link text is a costume. https://www.yourbank.com/login can point anywhere. On desktop, hover over the link and read the target in the status bar. On mobile, long-press to preview it.
Read the domain right to left: the part that matters is the last two segments before the first /. In yourbank.com.account-check.ru/login, the real destination is account-check.ru.
If you can’t comfortably verify a link, don’t click it — go to the site yourself through a bookmark or by typing the address.
4. A generic greeting from someone who should know you
“Dear Customer.” “Dear user.” “Hello, [email protected].”
Your bank knows your name. So does every service you pay for. Mass phishing campaigns are sent to millions of scraped addresses, and personalization is expensive — so most don’t bother. A generic greeting on a message about your account is a strong signal that the sender doesn’t actually have an account relationship with you.
The inverse isn’t safe either — targeted (spear) phishing may use your real name — but a generic greeting plus any other tell on this list should end the conversation.
5. Unexpected attachments
Invoice you never ordered, “shipping label”, “scanned document”, résumé you didn’t ask for. Attachments are the classic malware delivery vehicle, and the dangerous ones are often disguised:
invoice.pdf.exe— an executable pretending to be a PDF.htmlattachments — open a fake login page hosted inside the file, invisible to URL filters- Office documents that ask you to Enable macros / Enable content — that button is the payload
If you weren’t expecting a file, verify with the sender through a different channel before opening it.
6. The tone is slightly… off
Modern phishing has moved past broken English, but tone is still hard to fake. Look for stilted phrasing, odd word choices, inconsistent formatting, logos that look re-compressed, or a signature block that doesn’t match the company’s usual style. Your brain flags these as “something’s weird” before you can articulate why. That feeling is data — treat it as a tell.
7. It asks for something no legitimate sender asks for by email
Passwords. Full card numbers. One-time codes. Seed phrases. Remote-access software installs. Gift cards.
No bank, employer, government agency, or tech company will ask for credentials or verification codes over email. A one-time code is the key to your account — the only people who ever ask you to read one out are the people trying to break in.
The 10-second scan, in order
- Sender — does the real address match the claimed identity?
- Urgency — is it pushing you to act right now?
- Links — hover: does the destination match the text?
- Greeting — generic, on an account-specific matter?
- Attachment — unexpected? Double extension? Wants macros?
- Tone — anything slightly off?
- The ask — credentials, codes, payments, gift cards?
One tell is suspicion. Two is a verdict. When in doubt, don’t click, don’t reply, don’t open — go to the source directly. Report the message with your mail client’s phishing button, then delete it.
Train the scan on your own inbox: open your spam folder and score three messages against this list. After a week, the checks stop being a checklist and start being reflex — which is exactly what you want, because reflex is faster than the click.