How Phishing Emails Work — and How to Spot One Every Time
Phishing emails are the world's most common cyberattack. Learn how they work, how to identify them, and the simple habits that will protect you from even the most convincing fakes.
Phishing is the world's most common cyberattack — and the most preventable. Every day, billions of phishing emails are sent worldwide, targeting everything from individual bank accounts to corporate networks. Understanding exactly how they work makes you far harder to fool.
What phishing emails are trying to do
Every phishing email has one of three goals:
Credential theft — Trick you into entering your username and password on a fake website that looks identical to a legitimate one. Once they have your login, they access your account, change the password, and either exploit it directly or sell it.
Malware installation — Trick you into downloading and opening an attachment (a PDF, Word document, or ZIP file) that installs malicious software on your device.
Financial fraud — Trick you into making a payment, sharing banking details, or authorising a transaction.
How phishing emails are constructed
Modern phishing emails are often indistinguishable from real ones at first glance. Scammers:
- Copy the exact design, logo, colours, and footer of the real organisation
- Use sending addresses that look almost correct (no-reply@paypa1.com instead of paypal.com)
- Reference real information about you sourced from data breaches
- Create fake urgency: "Your account will be suspended in 24 hours"
- Use HTTPS on the fake website to display the padlock icon
The telltale signs
Check the actual sender address — not the display name. The display name can say anything. Click on the sender name to reveal the actual email address. An email whose display name reads security@paypal.com but whose actual address is alert@paypal-security.net is phishing.
Hover over links before clicking — Move your mouse over any link and look at the bottom of your browser to see the actual URL it goes to. If the link says "paypal.com" but the URL shows paypal.login-verify.com, it is fake.
Generic greetings — "Dear Customer" or "Dear User" instead of your actual name suggests a mass-sent phishing email. Legitimate companies know your name.
Urgency and threats — "Your account will be permanently deleted," "Unusual activity detected — verify now," "Your payment failed — update details immediately." These pressure tactics are designed to make you act before you think.
Requests for information you already gave them — Your bank already has your account number. Amazon already has your address. Any email asking you to re-enter information you already provided is suspicious.
Suspicious attachments — Be wary of unexpected attachments, especially executables (.exe), compressed files (.zip), and even Office documents (which can contain malicious macros). If you weren't expecting an attachment, don't open it.
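The sender-address and hover-over-link checks above can be automated. The following is an added example, not code from the original article: it assumes a short list of domains you actually hold accounts with (TRUSTED_DOMAINS) and flags a message when the name or link text the reader sees claims one of those brands while the real address or URL belongs to a different or look-alike domain, using the article's own paypa1.com, paypal-security.net and paypal.login-verify.com cases.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisations you actually hold accounts with.
TRUSTED_DOMAINS = ("paypal.com", "amazon.com")

# Digits commonly swapped in for look-alike letters (paypa1 -> paypal).
DIGIT_TO_LETTER = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Owner-controlled part of a hostname: its last two labels.
    Simplification: no public-suffix list, so co.uk-style suffixes are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand_mentioned(text: str) -> str:
    """Trusted domain whose brand name appears in free text, or "" if none."""
    lowered = text.lower()
    for domain in TRUSTED_DOMAINS:
        if domain.split(".")[0] in lowered:
            return domain
    return ""


def assess(visible_text: str, host: str) -> list:
    """Does what the reader sees (display name or link text) agree with the
    domain actually in use? Returns a list of reasons; empty means no mismatch."""
    if not host:
        return ["no usable address or host"]
    actual = registrable_domain(host)
    if actual in TRUSTED_DOMAINS:
        return []  # really from the brand's own domain
    reasons = []
    if actual.translate(DIGIT_TO_LETTER) in TRUSTED_DOMAINS:
        reasons.append(f"look-alike domain {actual}")
    brand = brand_mentioned(visible_text) or brand_mentioned(host)
    if brand:
        reasons.append(f"looks like {brand} but actually uses {actual}")
    return reasons


def check_sender(from_header: str) -> list:
    """Telltale sign 1: judge the real sender address, not the display name."""
    display_name, address = parseaddr(from_header)
    host = address.rsplit("@", 1)[1] if "@" in address else ""
    return assess(display_name, host)


def check_link(link_text: str, href: str) -> list:
    """Telltale sign 2: where the link really goes versus what its text says."""
    return assess(link_text, urlparse(href).hostname or "")
```

A legitimate message such as "PayPal" <service@paypal.com> returns an empty list from check_sender, while each of the article's three fake examples returns a reason.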
FAQ
You may be taken to a fake login page that steals your credentials, a site that installs malware, or a page that harvests your personal information. Change your password immediately and run a security scan.
Yes. Modern phishing emails copy branding, logos, and formatting perfectly. Always check the sender's actual email address and hover over links before clicking.
Opening the email itself is generally safe in modern email clients. The danger is in clicking links or downloading attachments.
From data breaches, purchased email lists, harvesting from websites and social media, or guessing common address formats at known domains.