I almost fell for one last year. An email that looked exactly like a delivery notice, arriving the same week I was actually expecting a package, telling me to confirm my address. I had my thumb over the link before something felt slightly off about the sender address. That near-miss taught me that spotting phishing is less about being clever and more about having a couple of reflexes that fire even when you are distracted.
Why even careful people fall for it
The old image of a phishing email, full of typos and a prince offering you millions, is out of date. Modern phishing is well-written, copies real company logos perfectly, and is often timed to coincide with something plausible. The attackers play the odds; send enough delivery notices and some will land in the inbox of someone actually waiting on a package.
The real weapon is urgency. Phishing emails almost always try to make you act fast and emotional: your account will be closed, a payment failed, suspicious activity detected, click now. That pressure is designed to switch off the careful part of your brain. Recognizing the urgency itself as a warning sign is half the battle.
Phishing has also moved beyond email. The same tricks arrive as text messages (often called smishing), as fake voicemails, and as direct messages on social platforms. A text saying a package "could not be delivered, click to reschedule" is the texted cousin of the email that nearly got me. The medium changes; the playbook does not. Everything in this article applies to a suspicious text just as much as a suspicious email.
The tells that still work
Even good fakes leave fingerprints. These are what I scan for before acting on any unexpected email.
- The sender's actual address. The display name says "Apple Support," but the real address behind it might be a random string at a domain that has nothing to do with the company. Tap or hover on the sender name to reveal the true address.
- Generic greetings. A real company you have an account with usually knows your name. "Dear Customer" or "Dear User" on an account alert is a soft warning.
- Urgency and threats. Deadlines, account suspension, "act within 24 hours." Legitimate companies rarely threaten you into clicking.
- Requests for credentials or payment details. No real bank emails you a link asking you to confirm your password or card number. This is the biggest red flag of all.
- Slightly-off details. Odd phrasing, a logo that is subtly the wrong color, a domain like "amaz0n-support.com." Small wrongness adds up.
Urgency is the tell. If an email is rushing you to click, slow down on purpose.
Checking a link without clicking it
The link is where the damage happens, so learning to inspect one without clicking is the core skill. On a computer, hover your mouse over the link without clicking, and the real destination appears at the bottom of the window or in a small tooltip. Read it carefully.
What you are checking is the actual domain: the host name that sits between "https://" and the first single slash, read from its right-hand end. A real PayPal link goes to paypal.com. A phishing link might read "paypal.com.account-verify.ru" or "secure-paypal.login-check.com," and the real destinations there are account-verify.ru and login-check.com. The trick is that scammers put the real name as a subdomain or in the path to fool a quick glance. The true domain is always the last part of the host name, immediately before that first slash, so train your eye to find it.
On a phone, hovering is harder, but you can press and hold the link to preview the destination without opening it. If you are not certain, do not open it. There is no penalty for being cautious, and that is the whole point of the next section.
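The same check, written out as code, makes the rule concrete. This is an added example, not part of the original article: it takes a link and the brand's genuine domain, pulls the host name out of the link, reduces it to its last two labels, and reports whether the link really goes where it claims. The two-label rule is an assumption made here to keep the example short; a production checker would use the Public Suffix List so that hosts like example.co.uk are handled. The sample links are constructed from the article's own examples.

```python
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str:
    """Return the part of the host name that actually decides where a link goes.

    Assumption (not from the article): the last two labels of the host name,
    e.g. 'account-verify.ru' from 'paypal.com.account-verify.ru'. Suffixes
    such as .co.uk need the Public Suffix List and are not handled here.
    """
    if "://" not in url:            # bare links like 'paypal.com/login' have no scheme
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host
    return ".".join(labels[-2:])


def check_link(url: str, brand_domain: str) -> dict:
    """Compare a link's real domain with the brand's genuine domain.

    Returns the domain the link really goes to, whether it matches, and
    whether the brand's name appears somewhere else in the link (as a
    subdomain or in the path), which is the lookalike trick the article
    describes: the real name is placed where a quick glance will see it.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    real = registrable_domain(url)
    expected = brand_domain.lower()
    matches = real == expected
    brand_word = expected.split(".")[0]          # 'paypal' from 'paypal.com'
    elsewhere = (parts.hostname or "").lower() + parts.path.lower()
    decoy = (not matches) and brand_word in elsewhere
    return {"real_domain": real, "matches": matches, "decoy_brand_name": decoy}


# Constructed sample links, built from the examples in the article.
SAMPLE_LINKS = [
    ("https://www.paypal.com/signin", "paypal.com"),
    ("https://paypal.com.account-verify.ru/login", "paypal.com"),
    ("https://secure-paypal.login-check.com/", "paypal.com"),
    ("https://example.org/paypal/update", "paypal.com"),
    ("https://amaz0n-support.com/", "amazon.com"),
]

if __name__ == "__main__":
    for link, brand in SAMPLE_LINKS:
        result = check_link(link, brand)
        verdict = "OK" if result["matches"] else "NOT " + brand
        if result["decoy_brand_name"]:
            verdict += " (brand name used as decoy)"
        print(f"{link:45} -> {result['real_domain']:22} {verdict}")
```

Note the last sample: "amaz0n-support.com" is correctly reported as not being amazon.com, but the decoy flag stays off because the misspelling does not contain the word "amazon". A domain check tells you where a link goes; it does not recognise a lookalike spelling, which is why the article still asks you to read the address itself.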
The one habit that protects you
Here is the single reflex that protects you even when you are tired, distracted, or the email is genuinely convincing: never act through a link in an unexpected email. Go to the source directly instead.
If you get an email saying there is a problem with your bank account, do not click the link. Open a new browser tab and type your bank's address yourself, or open its official app, and check from there. If there is a real issue, it will be waiting for you in your actual account. If there is nothing, the email was a fake. This one habit defeats nearly every phishing attempt regardless of how polished it is, because you simply never use the attacker's link.
Two more layers make this stronger. Turn on two-factor authentication on important accounts, so a stolen password alone is not enough. And use a password manager, which as a bonus will refuse to autofill your credentials on a fake lookalike site, a quiet warning I have come to appreciate; I wrote about why it is worth it separately.
One more reflex worth building: be suspicious of attachments you did not expect, especially files with extensions you do not recognize, or a document that insists you "enable editing" or "enable content" to view it. That prompt is a classic way malicious files try to run. A real invoice from a company you actually deal with will not need you to disable your own safety features to read it. If an attachment surprises you, confirm with the sender through a channel you trust before opening it.
What to do if you already clicked
Mistakes happen, and panic makes them worse. If you clicked a link or, worse, entered information, act calmly and in order.
- If you entered a password, change it immediately on the real site, and change it anywhere else you reused that same password. This is exactly why reusing passwords is so dangerous.
- Turn on two-factor authentication on that account if it was not already on, to lock out anyone who got the password.
- If you entered card or bank details, contact your bank directly using the number on the back of your card, and watch for unfamiliar charges.
- If you only clicked a link but entered nothing, you are very likely fine; just do not enter anything and close the page. Run a malware scan if you are concerned.
- Report it. Most email apps have a "Report phishing" option, and reporting helps protect others on the same provider.
The goal is not to become paranoid about every email. It is to build two small reflexes: treat urgency as suspicious, and go to the source directly instead of clicking. Do those two things and the convincing fakes lose their power, because the whole scam depends on you using their link instead of your own front door.