CyberSearch .in
SUBSCRIBE
← All articles
PHISHING · 6 min read

Anatomy of a phishing email: 7 tells you can spot in 10 seconds

From mismatched senders to urgency traps — a visual field guide to reading a suspicious email the way an analyst does.

cover image

Phishing works because it exploits speed. Attackers don’t need to fool you forever — they need to fool you for the four seconds it takes to click a link. The good news: almost every phishing email leaks the same handful of tells, and once you know them, you can run a ten-second scan on any suspicious message the way a security analyst does.

Here are the seven tells, in the order you should check them.

1. The sender address doesn’t match the display name

The display name is free text — anyone can set it to “Microsoft Support” or “Your Bank”. The actual address behind it is harder to fake. Tap or hover on the sender name and read the real address.

Watch for:

  • Lookalike domainsmicros0ft-support.com, paypa1.com, amazon-billing.net
  • Free mail providers — a “bank” writing from @gmail.com
  • Subdomain trickspaypal.com.secure-verify.io is a page on secure-verify.io, not PayPal

If the display name and the address tell different stories, believe the address — and then trust neither.

2. Manufactured urgency

“Your account will be suspended in 24 hours.” “Unusual sign-in detected — act now.” “Final notice.”

Urgency is the engine of phishing. It’s designed to switch off the part of your brain that checks things. Real institutions almost never demand immediate action by email, and nothing legitimate gets worse because you took ten minutes to verify it through the official app or website.

The rule: the more urgent the email, the slower you should go.

Link text is a costume. https://www.yourbank.com/login can point anywhere. On desktop, hover over the link and read the target in the status bar. On mobile, long-press to preview it.

Read the domain right to left: the part that matters is the last two segments before the first /. In yourbank.com.account-check.ru/login, the real destination is account-check.ru.

If you can’t comfortably verify a link, don’t click it — go to the site yourself through a bookmark or by typing the address.

4. A generic greeting from someone who should know you

“Dear Customer.” “Dear user.” “Hello, [email protected].”

Your bank knows your name. So does every service you pay for. Mass phishing campaigns are sent to millions of scraped addresses, and personalization is expensive — so most don’t bother. A generic greeting on a message about your account is a strong signal that the sender doesn’t actually have an account relationship with you.

The inverse isn’t safe either — targeted (spear) phishing may use your real name — but a generic greeting plus any other tell on this list should end the conversation.

5. Unexpected attachments

Invoice you never ordered, “shipping label”, “scanned document”, résumé you didn’t ask for. Attachments are the classic malware delivery vehicle, and the dangerous ones are often disguised:

  • invoice.pdf.exe — an executable pretending to be a PDF
  • .html attachments — open a fake login page hosted inside the file, invisible to URL filters
  • Office documents that ask you to Enable macros / Enable content — that button is the payload

If you weren’t expecting a file, verify with the sender through a different channel before opening it.

6. The tone is slightly… off

Modern phishing has moved past broken English, but tone is still hard to fake. Look for stilted phrasing, odd word choices, inconsistent formatting, logos that look re-compressed, or a signature block that doesn’t match the company’s usual style. Your brain flags these as “something’s weird” before you can articulate why. That feeling is data — treat it as a tell.

7. It asks for something no legitimate sender asks for by email

Passwords. Full card numbers. One-time codes. Seed phrases. Remote-access software installs. Gift cards.

No bank, employer, government agency, or tech company will ask for credentials or verification codes over email. A one-time code is the key to your account — the only people who ever ask you to read one out are the people trying to break in.

The 10-second scan, in order

  1. Sender — does the real address match the claimed identity?
  2. Urgency — is it pushing you to act right now?
  3. Links — hover: does the destination match the text?
  4. Greeting — generic, on an account-specific matter?
  5. Attachment — unexpected? Double extension? Wants macros?
  6. Tone — anything slightly off?
  7. The ask — credentials, codes, payments, gift cards?

One tell is suspicion. Two is a verdict. When in doubt, don’t click, don’t reply, don’t open — go to the source directly. Report the message with your mail client’s phishing button, then delete it.

Train the scan on your own inbox: open your spam folder and score three messages against this list. After a week, the checks stop being a checklist and start being reflex — which is exactly what you want, because reflex is faster than the click.

Written & tested by CyberSearch Get one tip a week →
KEEP READING

More from the blog

PASSWORDSJun 26, 2026 · 8 min
How password managers actually keep your secrets

Vaults, key derivation and zero-knowledge — explained without the jargon.

PRIVACYJun 19, 2026 · 5 min
Is your browser extension spying on you?

Permissions to check before you click "Add to browser".

WI-FIJun 12, 2026 · 7 min
Public Wi-Fi survival guide for travellers

What's actually risky, what isn't, and the 3-step routine to stay safe.