How to Spot a Phishing Email (Real Examples)

Ninety seconds. That's roughly how long you get to decide if an email is legit before you click something you shouldn't. How to spot a phishing email comes down to five checks you can run fast: the sender's real address (not the display name), where links actually point, whether the message manufactures urgency, whether it asks for credentials or payment, and whether the tone matches how that sender normally writes to you. Get in the habit of checking all five, every time, and most phishing stops working on you.

I've cleaned up after phishing incidents on both ends — the person who clicked, and the help desk fielding the "why is my email sending Bitcoin scam replies to my whole contact list" ticket. The messages that get through aren't the ones with bad grammar and a Nigerian prince anymore. They're the ones that look exactly like your bank, your IT department, or your own CEO. Below are the checks that actually catch those.

What Actually Counts as Phishing (vs. Spam or a Scam)

People use these words interchangeably and they're not the same thing. Spam is unwanted bulk mail — marketing you never asked for. Annoying, not usually dangerous. A scam email might ask you to wire money for a fake prize or a romance con, but it doesn't always impersonate a real company. Phishing specifically impersonates a trusted brand or person to get you to hand over credentials, click a malicious link, or open a malicious attachment. Spear phishing is the same thing aimed at one specific person, using details about them to make it convincing. Business email compromise (BEC) is a variant where the attacker impersonates an executive or vendor to redirect a wire transfer — no malware involved at all, just a very convincing email.

The distinction matters because your response is different. Spam: mark it junk and move on. Phishing: don't click anything, verify through a separate channel, and report it (more on that below).

The 30-Second Checklist

Run through this before you click, reply, or download anything:

  1. Check the actual sender address, not the display name. "PayPal Security" as a display name means nothing — the real address might be security@paypa1-alerts.ru. Tap or hover on the sender name to reveal the full address.
  2. Hover over every link before clicking. Desktop: hover and read the status bar or tooltip. Mobile: long-press a link to preview the destination without opening it. If the link text says "yourbank.com" but the actual URL is something else, that's the whole story right there.
  3. Look for manufactured urgency. "Your account will be suspended in 24 hours," "unusual sign-in detected," "invoice overdue — pay immediately." Real companies rarely threaten immediate account closure by email, and real invoices don't usually demand same-day wire transfers.
  4. Be suspicious of any request for credentials, gift cards, or wire transfers — especially if it's the first time that person or company has asked you for it that way.
  5. Check whether the tone matches. If your CFO always signs off "Thanks, Dana" and this email says "Best regards, Ms. Patel," that's a tell. Attackers are good at logos, less good at mimicking someone's actual voice.

None of these checks alone is proof either way — legitimate emails occasionally trip one of them, and well-crafted phishing can pass one or two. It's the combination that tells you something's off.

Real Examples: What These Actually Look Like

These are composites based on common patterns I've seen reported, not screenshots of any specific real message — but the structure is exactly what shows up in inboxes.

Example 1: The Fake Delivery Notice

From: "USPS Delivery" <delivery-notice@usps-tracking-alert.com>
Subject: Your package could not be delivered — action required

We attempted to deliver your package today but were unable to complete delivery. Please confirm your address within 24 hours or your package will be returned to sender. Click here to confirm: usps-redelivery-confirm.net/track

The tell: USPS doesn't send delivery-failure emails from a domain like usps-tracking-alert.com, and it doesn't ask you to "confirm your address" by clicking a link to a completely different domain. The real USPS domain is usps.com. Anything with usps- tacked onto a different root domain is not USPS.

Example 2: The Fake IT / Password Reset

From: "IT Helpdesk" <it-support@yourcompany-portal.com>
Subject: Action Required: Your password expires today

Your network password expires in 4 hours. To avoid losing access, verify your credentials now: [Reset Password]

The tell: the domain isn't your actual company domain — it's a lookalike with "-portal" bolted on. Real IT departments almost never ask you to re-enter your password by clicking an emailed link; they point you to a self-service portal you access by typing the URL yourself, or the password reset happens inside a system you're already logged into.

Example 3: The BEC / Fake Executive Request

From: "Sarah Chen, CEO" <sarah.chen@company-inc.co>
Subject: Quick favor - urgent

Hi, I'm in back-to-back meetings and can't talk. I need you to process a wire transfer today for a vendor. I'll send details shortly, can't discuss over phone right now. Please confirm you're available.

The tell: notice the domain is company-inc.co, not company.com — a one-character swap most people won't catch on a phone screen. The message is vague on purpose (no specific amount yet), designed to get a "yes I'm available" reply before the actual ask lands. Any request for a wire transfer that arrives only by email, stresses urgency, and discourages a phone call is a BEC pattern, full stop.

How Do I Check Who Actually Sent an Email?

The display name is controlled entirely by whoever sends the email — it's trivial to fake. What's harder to fake is the full header, which records every server the message passed through and the authentication checks it ran.

In Gmail: open the message, click the three-dot menu in the top right, and select Show original. This opens the raw header data along with Gmail's own authentication summary.

In Outlook desktop: open the email, go to File > Properties, and look in the "Internet headers" box.

In Outlook on the web: open the email, click the three-dot menu, and choose View > View message source (or "View message details," depending on your version).

In Apple Mail: View > Message > All Headers.

What you're looking for in the headers is the Authentication-Results line. It reports three checks:

  • SPF (Sender Policy Framework) — confirms the sending server is authorized to send mail for that domain. A result of spf=fail means the server sending the email wasn't on the domain's approved list.
  • DKIM (DomainKeys Identified Mail) — a cryptographic signature confirming the message wasn't altered in transit and really came from where it claims. dkim=fail or a missing signature is a red flag.
  • DMARC — checks that the domain in the visible "From" address actually lines up with what SPF and DKIM verified (this is called alignment). dmarc=fail means something doesn't match up even if SPF or DKIM individually passed.

One honest caveat: passing all three doesn't guarantee a message is safe. A meaningful share of phishing now comes from genuinely compromised legitimate accounts — the email is really from that person's real, authenticated account, because their password (or their OAuth token) got stolen first. Authentication proves the message came from where it says it came from. It says nothing about whether the human or account behind that address has been compromised. Layer header checks with the other signals above; don't rely on SPF/DKIM/DMARC alone.

Why Do Some Phishing Links Look Exactly Right?

Because of a trick called an IDN homograph attack, and it's worth understanding once so you're not fooled by it. Domain names can only use ASCII characters at the DNS level, but browsers support internationalized domain names (IDNs) built from other alphabets — Cyrillic, Greek, and so on — which get converted behind the scenes using an encoding called Punycode. Punycode-encoded domains always start with the prefix xn--. The problem: some Cyrillic and Greek letters are visually identical to Latin letters. A security researcher, Xudong Zheng, demonstrated in 2017 that you could register a domain using only Cyrillic look-alike characters — encoded as xn--80ak6aa92e.com — that rendered as a pixel-perfect "apple.com" in Chrome, Firefox, and Opera, complete with a valid HTTPS certificate. Safari wasn't fooled, because Apple's browser is more conservative about which scripts it will render as native Unicode rather than raw Punycode.

Browsers have tightened their detection since, but research has found modern browsers still miss a meaningful share of crafted homograph domains. Practical defenses: type URLs for anything sensitive (banking, email, work systems) instead of clicking a link to get there. Let your password manager do the domain-matching for you — it won't autofill credentials on a lookalike domain even if it looks identical on screen to you. And if you ever see an unexpected xn-- prefix in a URL your business communicates with, that's worth a second look, though plenty of legitimate international domains use it too.

Phishing vs. Spam vs. Spoofing: Quick Reference

Type What it is Typical goal What to do
Spam Unwanted bulk email, usually marketing Sell you something Mark as junk/spam
Phishing Impersonates a trusted brand or person Steal credentials, install malware, get a payment Don't click; verify separately; report
Spear phishing Phishing targeted at one specific person, using real details about them Same as phishing, higher success rate Same as phishing, plus extra scrutiny of anything referencing internal details
Spoofing Forging the "From" address so a message appears to come from someone else Enable phishing, BEC, or malware delivery Check SPF/DKIM/DMARC in the header
Business email compromise (BEC) Impersonating an executive or vendor to redirect payment Get a wire transfer or gift cards sent to the attacker Confirm any payment request by phone, using a number you already have — not one in the email

What Do I Do If I Already Clicked a Phishing Link?

Don't spend time being embarrassed about it — good phishing is designed to fool careful people, and moving fast matters more than feeling bad. In order:

  1. Don't enter anything else. If you clicked a link but haven't typed a password or payment info yet, close the tab. If you already entered credentials, treat that account as compromised right now.
  2. Change the password for that account, and for any other account using the same or a similar password.
  3. Turn on multi-factor authentication if it isn't already on.
  4. If you're on a work account, tell IT or your security team immediately — don't sit on it. Attackers who compromise one account often use it to pivot to others, and the faster the account gets locked or reset, the smaller the blast radius.
  5. If you entered financial information, call your bank or card issuer directly using the number on the back of your card, not a number from the email.
  6. If you downloaded an attachment, don't open it. Check its SHA-256 hash against VirusTotal, or just delete it and let your endpoint security scan the system.
  7. Watch your accounts for anything unusual over the following weeks — attackers sometimes wait before acting on stolen credentials.

How Do I Report a Phishing Email?

Reporting takes a couple of minutes and it isn't wasted effort — email providers use reports to update their filters for everyone, and the aggregated reports federal agencies receive are what let them identify and act on large-scale campaigns, even though no single report gets an individual response.

Through your email provider

  • Gmail: open the email, click the three-dot menu, select Report phishing.
  • Outlook / Microsoft 365: select the email, click Report in the ribbon (or right-click), choose Report phishing.
  • Yahoo Mail: open the email, click the three dots next to reply, select Report phishing scam.
  • Apple Mail: there's no built-in report button — forward the email as an attachment to reportphishing@apple.com if it's impersonating Apple.

To outside agencies (US)

  • APWG (Anti-Phishing Working Group): forward the email, ideally as an attachment rather than a plain forward, to reportphishing@apwg.org. This is the address the FTC itself recommends, and it feeds a shared database that security vendors and law enforcement use to track and take down phishing infrastructure.
  • FTC: file at ReportFraud.ftc.gov. The FTC won't follow up on your individual case, but it uses aggregated reports to spot patterns and build enforcement actions.
  • FBI's IC3 (Internet Crime Complaint Center): file at ic3.gov if you lost money or had your identity stolen. This is the one that matters most if there's a financial loss — IC3 coordinates with law enforcement.
  • CISA: if you're reporting on behalf of an organization or want it treated as a security incident, CISA accepts reports through its portal at cisa.gov/report.

When you report, forward the full original email rather than describing it or copy-pasting the text — the header data that gets stripped out of a summary is often exactly what investigators need.

FAQ

How can I tell if an email address is spoofed?

Check the header's Authentication-Results line for SPF, DKIM, and DMARC results. A fail on any of these — especially DMARC — means the visible sender address doesn't line up with where the mail actually originated. Keep in mind a pass doesn't guarantee safety if the sending account itself has been compromised.

Can a phishing email pass SPF, DKIM, and DMARC and still be phishing?

Yes. If an attacker is sending from a genuinely compromised account, or from a domain they've registered and properly configured with valid SPF/DKIM/DMARC records, all three checks can legitimately pass. Authentication proves message integrity and origin — it doesn't vouch for the sender's intent.

What's the difference between phishing and spear phishing?

Phishing is sent broadly to many people with a generic pretext. Spear phishing targets one specific person and uses real details about them — their job title, a recent transaction, a colleague's name — to be far more convincing. Spear phishing has a meaningfully higher success rate because it doesn't read as mass-produced.

Is it safe to unsubscribe from a suspicious email?

Not if you're not sure it's legitimate. Clicking "unsubscribe" on a phishing email can confirm your address is active and monitored, and in some cases the unsubscribe link itself is the malicious link. If the sender is unfamiliar or the message has other red flags, report or delete it instead of unsubscribing.

Do I need to report a phishing email if I didn't click anything?

It still helps. Reporting an email you correctly identified and ignored still feeds the provider's spam filters and the aggregated data federal agencies use to track campaigns — it's a fast, low-effort way to help block the same message from reaching other people.

Will my company get in trouble if I click a phishing link during a security test?

That depends entirely on your employer's policy — most organizations treat simulated phishing clicks as a training moment, not a disciplinary one, but that's a question for your own security or HR team, not something with a universal answer.

None of this requires special tools. It's five checks, run consistently, every time something in your inbox asks you to click, log in, or pay. The moment you're rushed into skipping the checks is exactly the moment they're designed to catch.