Phishing is the oldest trick in the cybercriminal playbook, and it keeps working because it looks so convincing. The good news: with a handful of simple habits, you can catch almost every scam before it does any damage — often in under ten seconds.
1. Check the sender’s real address, not the display name
Scammers love to fake the From name so it reads PayPal or Your Bank, but the actual email address is what matters. Hover over or tap the sender and look at the part after the @ — a message from Apple Support arriving from [email protected] is an instant red flag.
2. Mouse over links before you click
On a computer, hover your cursor over any link to preview the real destination in the bottom corner of your browser. If the text says Reset Password but the link points to something like http://amaz0n-billing.xyz/login, trust the URL, not the label.
- On a phone, long-press the link to reveal where it really goes.
- Watch for look-alike domains: rnicrosoft.com (r plus n instead of m), g00gle.com, or extra words jammed into a familiar name.
3. Look for urgency and fear
Almost every phishing message tries to rush you: Your account will be locked in 24 hours, Unusual login detected — confirm now, or Final notice. Pressure is the scammer’s favorite tool because it short-circuits your judgment. A legitimate company will never threaten you into immediate action over email.
4. Spot the generic greeting and sloppy writing
Real companies usually address you by name. Messages that start with Dear Customer or Valued User, plus obvious grammar and spelling mistakes, are classic tells. Professional organizations rarely send out broken English or odd formatting.
5. Be suspicious of unexpected attachments
If you were not expecting an invoice, shipping label, or voicemail file, do not open it. Malware often hides in .exe, .zip, .docm, or macro-enabled Office files. When in doubt, log in to the service directly through your browser instead of opening the attachment.
6. Verify through a second channel
Got a weird message from a friend asking for money, or from IT demanding your password? Reach out through a different method — a phone call or a fresh text — to confirm. A thirty-second check can save you from sending cash to a hijacked account.
7. When unsure, go direct — never through the message
The safest habit of all: if a message mentions your bank, mail provider, or any account, open a new tab and type the official address yourself. Do not click links or call numbers from the email. Logging in the normal way tells you in seconds whether the alert was real.
A little healthy suspicion goes a long way — most scams fall apart the moment you slow down and actually look. Build these checks into your routine and you will spot the fakes before they ever become a problem.
