
How to Spot a Phishing Email Before It's Too Late

One click can cause an account takeover, ransomware infection, or financial loss. This guide gives you the complete checklist to detect phishing before it hooks you — covering every red flag, real-world attack patterns, and exactly what to do when a suspicious email arrives.

9 Red Flags | 15 min read time | Difficulty: Beginner | Category: Security

01 Why Phishing Still Works in 2026

Phishing remains the most common entry point for cyberattacks — not because people are careless, but because attackers are skilled at triggering automatic, emotional responses. They impersonate trusted brands, colleagues, and government agencies to trick you into revealing passwords, clicking malicious links, opening attachments, or transferring money.

AI has made phishing emails more polished. Perfect grammar no longer means an email is safe. But the core psychological tactics — urgency, fear, impersonation — haven't changed. Knowing what to look for lets you pause and think before reacting.

The cost of one click

A single successful phishing attack can lead to account takeover, ransomware that encrypts your entire organisation's files, identity theft, or direct financial loss. Awareness is your first — and most powerful — line of defence.

02 The 9 Red Flags: Complete Checklist

When an email arrives, run through these checks. If you tick several boxes, treat the message as suspicious — verify through official channels before taking any action.

Red Flag 01: Sender Address Mismatch (Most Important)

The display name can say anything — always check the actual email address. Hover over the sender's name or tap it on mobile to reveal the full address. Look for subtle misspellings, wrong top-level domains, or a personal email address impersonating a company.

Also check if the Reply-To address is different from the From address — a classic sign of spoofing.

Examples:
  • amaz0n.com
  • micr0soft.com
  • paypa1.com
  • support@gmail.com claiming to be your bank
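As an added example (not code from the original guide), the following Python script applies the three sender checks above to a raw email: it undoes common digit-for-letter swaps to spot lookalike domains such as amaz0n.com and paypa1.com, compares the display name against the real address, and flags a Reply-To on a different domain from the From. The sample message, the brand allow-list and the substitution table are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the page): the display name claims Amazon, the
# From domain is a digit-substituted lookalike, and Reply-To points somewhere else.
RAW_EMAIL = b"""From: "Amazon Customer Service" <billing@amaz0n.com>
Reply-To: recovery-desk@gmail.com
To: you@example.org
Subject: Your account will be suspended in 24 hours

Please confirm your payment details.
"""
KNOWN_BRANDS = {"amazon.com", "microsoft.com", "paypal.com"}  # hypothetical allow-list
# Digit-for-letter swaps seen in lookalike domains such as amaz0n.com and paypa1.com
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def domain_of(address):
    """Lowercase domain part of an address: 'User@Host.Com' -> 'host.com'."""
    return address.rsplit("@", 1)[-1].lower()

def lookalike_of(domain):
    """Brand domain that `domain` imitates after undoing digit swaps, or '' if none."""
    normalised = domain.translate(HOMOGLYPHS)
    return normalised if normalised != domain and normalised in KNOWN_BRANDS else ""

def sender_red_flags(raw):
    """Apply the sender-address checks to a raw RFC 5322 message; return the reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    flags = []
    brand = lookalike_of(from_domain)
    if brand:
        flags.append(f"lookalike domain: {from_domain} imitates {brand}")
    # Display name drops a brand name, but the address is not on that brand's domain
    for known in KNOWN_BRANDS:
        name = known.split(".")[0]
        if name in display.lower() and from_domain != known:
            flags.append(f"display name mentions {name} but address is @{from_domain}")
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"Reply-To is @{domain_of(reply_addr)} but From is @{from_domain}")
    return flags
```

The substitution table only catches digit swaps; Unicode homoglyphs (for example Cyrillic letters) need a separate confusables check.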
Red Flag 02: Urgency or Threats (Critical)

Artificial urgency is the attacker's most effective weapon. It bypasses rational thinking and pushes you to act before you think. Legitimate organisations rarely create panic or demand immediate action via email.

Examples:
  • "Act now or your account will be suspended"
  • "Immediate action required"
  • "You have 24 hours"
  • "Your payment failed"
Red Flag 03: Generic or Odd Greeting (High)

Companies that have your account use your name. A greeting like "Dear Customer" or "Dear User" signals a mass-sent phishing attempt. A service you've never signed up for suddenly emailing you is another warning sign.

Examples:
  • "Dear Customer"
  • "Dear User"
  • "Hello Sir/Madam"
  • No greeting at all
Red Flag 04: Suspicious Links (Critical)

Hover over every link before clicking — the real URL appears in your browser's status bar. On mobile, long-press the link to preview the actual destination. The displayed text and the real URL are often completely different.

Watch for: typosquatted domains, odd subdomains, URL shorteners hiding the real destination, and links that redirect through unexpected third-party sites.

Examples:
  • paypal-secure-login.net
  • google.support-alerts.com
  • bit.ly/abc123 (shortened, unknown destination)
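An added example, not part of the original guide, that performs the hover check programmatically over an HTML email body: it compares each link's visible text with its real destination, flags a brand name used as a subdomain of an unrelated domain (as in google.support-alerts.com), and flags known shorteners. The sample body, the brand list and the shortener list are constructed assumptions, and the registrable-domain guess takes the last two labels rather than consulting a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not from the page): lookalike domain, brand-as-subdomain, shortener, plus one genuine link.
SAMPLE_BODY = """
<a href="https://paypal-secure-login.net/login">https://www.paypal.com/signin</a>
<a href="https://google.support-alerts.com/verify">Review Google security alert</a>
<a href="https://bit.ly/abc123">Track your parcel</a>
<a href="https://www.paypal.com/help">PayPal Help Centre</a>
"""
BRANDS = {"paypal": "paypal.com", "google": "google.com"}  # hypothetical brand allow-list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}             # partial list, assumption

def registrable(host):
    """Crude registrable-domain guess: last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    # Collects (visible text, href) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def link_red_flags(html_body):
    """Return (href, reason) for every link that trips one of the checklist's tests."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        reg = registrable(host)
        if reg in SHORTENERS:
            findings.append((href, "shortener hides the real destination"))
        elif text.startswith("http") and registrable(urlparse(text).hostname or "") != reg:
            findings.append((href, f"displayed as {text} but goes to {host}"))
        else:  # brand named in host or text, but the registered domain is not the brand's
            for brand, real in BRANDS.items():
                if (brand in host or brand in text.lower()) and reg != real:
                    findings.append((href, f"mentions {brand} but registered domain is {reg}"))
                    break
    return findings
```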
Red Flag 05: Requests for Sensitive Info (Critical)

No legitimate company will ever ask for your password, credit card details, national ID, or 2FA codes via email. Real services direct you to log in through their official website or app — they never ask you to reply with credentials.

Examples:
  • Reply with your password
  • Confirm your card number
  • Enter your verification code here
  • Update payment info via this link
Red Flag 06: Unexpected Attachments (Critical)

Unsolicited invoices, voice messages, "missed delivery" notices, or documents are classic phishing lures. Even PDFs can contain malicious scripts or links. Never open attachments you didn't expect, even from people you know — their accounts may have been compromised.

Examples:
  • .exe files
  • .zip archives
  • .html attachments
  • Unexpected invoice PDFs
  • "Voicemail" .mp3 files
Red Flag 07: Spelling, Grammar & Formatting Issues (Medium)

AI has made this less reliable than it used to be — well-written phishing emails exist. But awkward phrasing, inconsistent tone, mixed fonts, off-brand logos, or text that doesn't match the company's usual communication style are still worth noting as part of the overall picture.

Red Flag 08: Too Good to Be True or Unsolicited (High)

Watch for unexpected prizes, unclaimed refunds, job offers with no application process, or package delivery notices for parcels you didn't order. If you didn't initiate something, be very sceptical of an email claiming it happened.

Examples:
  • "You've won a prize"
  • "Your refund is ready"
  • "Package held — pay fee"
  • "Urgent IT upgrade required"
Red Flag 09: Other Advanced Red Flags (High)

Modern phishing techniques go beyond simple email links. Watch for these newer tactics:

  • Clone phishing — spoofed reply chains that look like an existing email thread.
  • Quishing — QR codes embedded in emails that lead to malicious sites (harder to hover-check).
  • Unusual formatting — excessive emoji, highlighted boxes, or graphics where plain text would normally appear in a professional context.

The 10-second rule

Before acting on any email that creates urgency, pressure, or requests sensitive information — pause for 10 seconds. Ask: "Was I expecting this? Does the sender address match? Does this request make sense?" That pause alone prevents the majority of successful phishing attacks.

03 Real-World Attack Scenarios

These are the most common phishing themes. Recognising the pattern means you won't be caught off guard when one lands in your inbox.

Account Suspension

An email claiming your Gmail, Microsoft, or social media account will be locked unless you verify your details immediately.

"Your account will be permanently disabled in 24 hours."

Fake Invoice

An unsolicited bill — often impersonating PayPal, a supplier, or a subscription service — with a "Pay Now" button leading to a fake login page.

"Please review your invoice #INV-00312 attached."

Package Delivery

Fake DHL, FedEx, or Ghana Post notices claiming a package is held and requires you to log in or pay a small release fee.

"Your parcel could not be delivered. Pay GH₵5 to reschedule."

Tech Support Scam

A warning claiming your device has a virus and urging you to call a number or install remote access software — putting attackers directly on your machine.

"Your computer is infected. Call Microsoft support immediately."

CEO / BEC Fraud

Business Email Compromise — an attacker impersonates a CEO or manager requesting an urgent wire transfer, gift card purchase, or sensitive data. Common in organisations.

"Hi, I need you to process a wire transfer urgently. Keep this confidential."

Bank Phishing

Fake emails from your bank claiming suspicious activity and urging you to verify your account — linking to a pixel-perfect replica of the bank's login page.

"Unusual activity detected. Verify your account within 12 hours."

04 What To Do When You Spot One

Spotting a phishing email is only half the job. Here's the correct response, step by step.

Step 01: Do Not Click, Reply, or Download Anything

No links, no attachments, no reply — even replying to confirm "I know this is phishing" lets the attacker know your address is active.

Step 02: Check Sender Details and Links Without Clicking

Hover over the sender name to reveal the actual email address. Hover over links to preview the real URL in your status bar. On mobile, long-press a link to preview it.

Step 03: Verify Independently Through Official Channels

If the email claims to be from your bank or a service you use, open a new browser tab and go directly to the official website — type the URL yourself or use your bookmarks. Or call the company using a number from their official website, not from the email.

Step 04: Report It

Forward the email to your email provider's phishing report address, or use the "Report Phishing" / "Mark as Spam" button. In a work context, use your organisation's IT security report button. Reporting helps protect others.

Step 05: Delete or Move to Spam

Once reported, delete the email or let the spam filter move it. Don't leave phishing emails sitting in your inbox where you might accidentally interact with them later.

If you already clicked

Don't panic. Immediately change the password for any accounts you may have entered credentials for. Enable 2FA if not already active. Run an antivirus/antimalware scan. Notify your IT team if this happened on a work device. Check your accounts for suspicious activity over the following days.

05 Prevention Best Practices

Knowing the red flags is essential — but layering these habits and tools on top makes you significantly harder to compromise even if you're caught off guard.

  • Enable 2FA/MFA on everything — even if a phisher steals your password, 2FA means they still can't access your account. See our 2FA setup guide for full instructions.
  • Use a password manager with strong, unique passwords — reused passwords mean one breach exposes all your accounts.
  • Keep software updated — antivirus, antimalware, browsers, and your OS all include phishing protections that only work when they're current.
  • Use browser security warnings — modern browsers flag known phishing and malicious sites. Don't override these warnings.
  • Enable email filters — most email providers have spam and phishing detection. Make sure it's enabled and check your spam folder occasionally to understand what's being caught.
  • Train yourself and your team — awareness is the most effective defence. Share this guide with colleagues, family, and friends who may be less security-aware.
  • When in doubt, throw it out — if an email feels off even slightly, don't engage with it. Verify through official channels instead.

06 Mobile, SMS & Voice Phishing

Phishing isn't limited to email. The same principles apply across other channels — and mobile users are often caught off guard because the interface makes it harder to inspect links.

SMS Phishing (Smishing)

  • Fake bank alerts, package delivery notices, or government messages via text
  • Links are harder to inspect — long-press to preview before tapping
  • Shortened URLs are especially common in SMS — be extra cautious
  • Never reply "STOP" to unknown numbers — confirms your number is active

Voice Phishing (Vishing)

  • Callers impersonate banks, telcos, tax authorities, or "IT support"
  • Caller ID can be spoofed to show legitimate-looking numbers
  • Hang up and call back on the official number if you're unsure
  • Never read out your 2FA/OTP code to anyone on the phone

Mobile tip

On iPhone and Android, long-pressing a link shows a preview of the real URL before you commit to opening it. Make this a habit before tapping any link in email or SMS.