Phishing: How to Recognize a Fake Email
Phishing attacks cost businesses and individuals billions of dollars every year. The emails are getting more sophisticated, but there are still reliable ways to spot them. This guide teaches you what to look for.
What Is Phishing?
Phishing is a social engineering attack where criminals send emails disguised as legitimate communications from trusted organizations — banks, tech companies, government agencies, or employers — in order to trick recipients into revealing sensitive information, clicking malicious links, or downloading malware. The term comes from "fishing" — casting a wide net and hoping someone bites.
Phishing has evolved far beyond the crude "Nigerian prince" emails of the early 2000s. Modern phishing campaigns use professionally designed emails that closely replicate the branding, layout, and tone of legitimate companies. Some use AI to generate personalized messages based on information about the target gathered from social media and data breaches.
The Red Flags to Watch For
Despite their increasing sophistication, most phishing emails share common characteristics that can help you identify them:
- Sender address mismatch: The display name may say "PayPal Security" while the actual address is something like "security@paypa1-verify.com" (note the digit 1 standing in for the letter l). Always check the full sender address, not just the display name. Bear in mind that the address itself can be forged when the receiving mail server does not enforce SPF, DKIM and DMARC, so an address that looks right is not proof on its own.
- Urgency and fear: "Your account will be suspended in 24 hours," "Unauthorized access detected," "You must verify immediately." Legitimate companies rarely send panic-inducing emails demanding immediate action.
- Generic greetings: "Dear Customer" or "Dear User" instead of your actual name. Companies you have accounts with know your name and usually use it. Treat this as a supporting signal rather than proof: some legitimate bulk mail is impersonal, and spear-phishing emails often do use your real name.
- Suspicious links: Hover over (do not click!) any link to see where it actually leads; the visible text of a link can say one thing while its destination says another. Judge the registered domain, the part just before the ending such as .com, not the beginning of the address: "paypal.com.example.net" belongs to example.net, not to PayPal. Watch for subtle misspellings such as "arnazon.com" (an "r" and an "n" imitating the "m" in amazon.com). A link to a domain you do not recognize is a strong warning sign, though some legitimate mailings route links through a separate tracking domain, so when in doubt confirm through the company's own site rather than through the email.
- Unexpected attachments: Legitimate companies rarely send unsolicited attachments. Be especially wary of .zip, .exe, .js, .html and .iso files, and of Office documents that ask you to "enable content" or "enable macros".
- Poor grammar and formatting: While this is less reliable as AI improves, many phishing emails still contain subtle grammatical errors, inconsistent formatting, or low-resolution logos.
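The sender, link and attachment checks above can be automated against a raw email message. The following is an added example written for this guide, not code from the original article or from any mail client: it parses the From header to compare the display name with the real address, walks the HTML body to compare each link's visible text with its actual destination, folds common lookalike substitutions (rn for m, 1 for l, 0 for o) so that "arnazon.com" is recognised as a stand-in for "amazon.com", and lists risky attachment types. The brand list, the lookalike table and the sample message are constructed for illustration, and the registrable-domain logic is a simplification (real tools consult the Public Suffix List).

```python
"""Phishing red-flag checker for a raw RFC 5322 message (added example).

Covers three of the signals in the list above: sender display name vs. real
address, link text vs. link destination (including lookalike domains), and
risky attachments. Heuristics and sample data are constructed for this demo.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substitutions typosquatters use to make one domain resemble another.
# Folding them lets "arnazon.com" compare equal to "amazon.com". This is a
# heuristic: legitimate names containing "rn", "0" or "1" are folded too.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
BRANDS = ("paypal", "amazon", "microsoft", "apple", "google")   # assumed list
RISKY_SUFFIXES = (".exe", ".js", ".zip", ".iso", ".lnk", ".docm", ".xlsm", ".html")
HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: real tools use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def canonical(domain):
    """Fold lookalike substitutions: canonical('arnazon.com') == 'amazon.com'."""
    for fake, real in LOOKALIKES:
        domain = domain.replace(fake, real)
    return domain


def domain_findings(domain, where):
    """Report a domain whose folded form differs from what was written."""
    folded = canonical(domain)
    if folded != domain:
        return [("lookalike-domain", f"{where}: {domain} resembles {folded}")]
    return []


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of (kind, detail) red flags for a raw message in bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name claims a brand, but the registrable domain is not that brand.
    name, addr = parseaddr(str(msg.get("From", "")))
    if "@" in addr:
        domain = registrable_domain(addr.split("@", 1)[1])
        sld = canonical(domain).split(".")[0]        # second-level label
        for brand in BRANDS:
            if brand in name.lower() and sld != brand:
                findings.append(("sender-mismatch", f"{name!r} sent from {domain}"))
        findings += domain_findings(domain, "sender")

    # 2. Link text shows one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            host = urlparse(href).hostname
            if not host:
                continue                              # mailto:, relative links
            target = registrable_domain(host)
            shown = HOSTNAME.search(text)
            if shown and registrable_domain(shown.group(0)) != target:
                findings.append(("link-mismatch",
                                 f"text shows {shown.group(0)}, href goes to {target}"))
            findings += domain_findings(target, "link")

    # 3. Attachment types that commonly carry malware.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_SUFFIXES):
            findings.append(("risky-attachment", filename))
    return findings


def sample_message():
    """Constructed phishing-style message for the demo; not a real capture."""
    m = EmailMessage()
    m["From"] = '"PayPal Security" <security@paypa1-verify.com>'
    m["To"] = "customer@example.org"
    m["Subject"] = "Unauthorized access detected - verify within 24 hours"
    m.set_content("Dear Customer, verify your account now.")
    m.add_alternative(
        '<p>Dear Customer,</p>'
        '<p><a href="https://paypa1-verify.com/secure">https://www.paypal.com/signin</a></p>'
        '<p>Deals: <a href="http://arnazon.com/deals">www.amazon.com</a></p>',
        subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="invoice.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for kind, detail in analyze(sample_message()):
        print(f"{kind:18} {detail}")
```

Run against the constructed message, the checker reports the branded display name sent from a different domain, both links whose visible text names paypal.com or amazon.com while the destination is a lookalike, and the .exe attachment. In a real deployment the Authentication-Results header (SPF, DKIM, DMARC outcomes written by the receiving server) is the more reliable automated sender check; the display-name heuristic here only catches the crudest mismatches.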
The Most Dangerous Variants
Spear phishing targets specific individuals using personal information gathered from social media, company websites, or data breaches. An email that mentions your specific job title, recent projects, or colleagues by name is far more convincing than a generic blast.
Business email compromise (BEC) involves impersonating a company executive or supplier to trick employees into transferring funds or sharing sensitive data. According to the FBI's Internet Crime Complaint Center, BEC attacks caused over $2.7 billion in reported losses in 2022 alone.
Clone phishing takes a legitimate email you have actually received and recreates it with malicious links or attachments, sending it from a spoofed address that closely resembles the original sender.
What to Do When You Spot a Phishing Email
- Do not click any links or download any attachments.
- Do not reply to the email.
- If the email claims to be from a company you use, open a new browser tab and go directly to the company's website (type the URL manually) to check your account.
- Report the email as phishing in your email client.
- If you have already clicked a link or entered credentials, immediately change your password on the real site (and on any other site where you reused it), enable two-factor authentication, and review the account for changes you did not make, such as new mail-forwarding rules, recovery addresses or phone numbers. If you opened an attachment, disconnect the device from the network and contact your IT or security team.
Prevention Through Address Management
One underappreciated phishing defense is email address management. If you use a unique address for each service, you can immediately identify phishing attempts: an email claiming to be from your bank that arrives at the address you used for a forum registration is obviously fake.
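One way to put per-service addresses into practice, as an added example rather than anything from the original article: give each service an alias of the form alice+service.tag@example.org, where the tag is a short HMAC of the service name under a private secret. The address a message arrives at then identifies which service leaked it, and, going a step beyond the text above, the tag stops an attacker who has noticed the pattern from simply guessing "alice+bank@example.org". SECRET, MAILBOX and DOMAIN are assumptions; it assumes the mailbox receives anything addressed to alice+whatever@example.org, which most providers support.

```python
"""Per-service email aliases with an unforgeable tag (added example).

Each service gets its own address, so the address a phishing email arrives
at reveals which service leaked it. The HMAC tag is an addition beyond the
text: it prevents guessed or altered aliases from passing as issued ones.
"""
import hashlib
import hmac
import re

SECRET = b"rotate-me-and-keep-private"   # assumption: a long random secret
MAILBOX, DOMAIN = "alice", "example.org"  # assumption: mailbox receiving alice+*@
TAG_LEN = 8   # hex chars (32 bits): ample against guessing by sending emails


def _tag(service, secret):
    """Short keyed hash binding the service name to this mailbox's secret."""
    return hmac.new(secret, service.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def alias_for(service, secret=SECRET):
    """Address to hand to `service`, e.g. alice+forum.1a2b3c4d@example.org."""
    service = service.lower()
    if not re.fullmatch(r"[a-z0-9-]+", service):
        raise ValueError("service name must match [a-z0-9-]+")
    return f"{MAILBOX}+{service}.{_tag(service, secret)}@{DOMAIN}"


def service_from_alias(addr, secret=SECRET):
    """Return the service an alias was issued to, or None if the address is
    not one of ours or its tag is wrong (guessed, altered, or never issued)."""
    pattern = (rf"{re.escape(MAILBOX)}\+([a-z0-9-]+)\.([0-9a-f]{{{TAG_LEN}}})"
               rf"@{re.escape(DOMAIN)}")
    m = re.fullmatch(pattern, addr.strip().lower())
    if not m:
        return None
    service, tag = m.groups()
    # constant-time comparison, as for any secret-derived value
    return service if hmac.compare_digest(tag, _tag(service, secret)) else None


def classify(to_addr, claimed_sender, secret=SECRET):
    """Compare who an email claims to be from with the service the
    destination alias was actually issued to."""
    service = service_from_alias(to_addr, secret)
    if service is None:
        return "unknown-alias"
    if service == claimed_sender.lower():
        return "consistent"
    return f"mismatch: '{claimed_sender}' mail arrived at the {service} alias"


if __name__ == "__main__":
    forum = alias_for("forum")
    print(forum)
    print(classify(forum, "bank"))                # the scenario from the text
    print(classify(alias_for("bank"), "Bank"))    # consistent
    print(classify("alice+bank.00000000@example.org", "bank"))   # guessed alias
```

A "mismatch" result is the case described above: bank-branded mail arriving at the forum alias. "unknown-alias" covers addresses an attacker constructed from the visible pattern without the secret, which plain plus-addressing cannot distinguish from genuine ones. When an alias does leak, retire it and issue the service a new one; the secret itself never leaves your side.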
Using disposable addresses from TempoMail for low-trust interactions also reduces your phishing exposure. If a temporary address receives a phishing email, you know the service it was used for has either been breached or sold your data — and you can simply discard the address without any risk to your real identity.