Phishing works through urgency, not technical genius. Three checking habits - sender, link, and going direct instead of clicking - defeat essentially all of it.
Quinn Yoo
Email display names are free text - anyone can call themselves 'PayPal Support'. The address behind the name is the real identity: tap or click the sender name to expand it. 'service@paypal.com' and 'service@paypa1-secure.com' are different planets, and the second kind - lookalike domains with swapped letters, extra words ('paypal-billing-help.com'), or wrong endings - is the signature of phishing.
Caveats in both directions: a plausible-looking sender can still be spoofed, and legitimate companies sometimes mail from weird subdomains - so the sender check is a strong filter, not a verdict. A wrong sender is damning; a right-looking one earns the email the next two checks, not your trust.
On a computer, hovering over a link shows its true destination in the corner of the window; on a phone, a long-press shows it without opening. Read the domain - the part just before the first single slash. 'amazon.com/account' is Amazon; 'amazon.account-verify.net' is not Amazon, no matter how perfect the logo above it looks.
Attackers hide destinations behind URL shorteners, lookalike characters, and HTML buttons that say one thing and link another - which is why the hover habit must be unconditional. And know what a click costs: merely opening a page is usually survivable; entering credentials on it is the breach. If you clicked and then stopped, you are almost certainly fine - but anything typed is gone.
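As an added example (not part of the original article), a small Python checker that applies the sender and link rules above: it reads the host out of a link, compares the registrable part against the brand domains you expect, flags lookalikes (brand name buried in a subdomain, extra words, swapped digits), and catches a button whose visible text names one site while its href goes to another. The brand list and the digit-swap table are constructed here, and the two-label "registrable domain" is a naive shortcut with no public-suffix list, so endings like '.co.uk' would be misjudged.

```python
from urllib.parse import urlsplit

# Constructed: the brand domains this reader actually does business with.
BRANDS = {"paypal.com", "amazon.com"}

# Constructed, not exhaustive: digit swaps used in lookalike domains ('paypa1').
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def host_of(url: str) -> str:
    """Lowercase host of a link; a scheme is assumed when the text omits one."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable(host: str) -> str:
    """Last two labels of the host, the part the article says to read (naive: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def classify(url: str, brands=BRANDS) -> str:
    """'brand' if the registrable domain is one we trust, 'lookalike' if a brand name is merely
    embedded in the host (subdomain trick, extra words, swapped digits), else 'unrelated'."""
    host = host_of(url)
    if registrable(host) in brands:
        return "brand"
    undisguised = host.translate(LOOKALIKES)  # paypa1-secure.com -> paypal-secure.com
    for brand in brands:
        name = brand.split(".")[0]
        if name in host or name in undisguised:
            return "lookalike"
    return "unrelated"


def text_href_mismatch(visible_text: str, href: str) -> bool:
    """True for the HTML-button trick: link text shows one site, href goes to another."""
    text = visible_text.strip()
    if "." not in text or " " in text:
        return False  # plain words like 'Click here'; nothing to compare
    return registrable(host_of(text)) != registrable(host_of(href))


if __name__ == "__main__":
    for link in ["https://amazon.com/account", "https://amazon.account-verify.net/login",
                 "paypa1-secure.com", "https://paypal-billing-help.com/"]:
        print(f"{classify(link):10} {link}")
    print(text_href_mismatch("amazon.com/account", "https://amazon.account-verify.net/"))
```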
Nearly every phishing email contains a clock: 'account suspended in 24 hours', 'package held pending a fee', 'unauthorized charge - review immediately', 'boss needs gift cards before the meeting'. The urgency is functional: it is there to make you act before you think, because the scam fails against ten seconds of reflection.
Treat manufactured deadline pressure in email or text as a red flag in itself, whatever the topic. Real institutions overwhelmingly do not operate this way - your bank does not close accounts via countdown email, tax authorities do not demand gift cards, and any legitimate issue this severe will also be visible inside your actual account. The 'too good' versions count too: refunds you did not expect, prizes, jobs paying suspiciously well for nothing.
Here is the habit that defeats even the perfect phishing email: never act through the message itself. If 'your bank' emails about a problem - close the email, and go to the bank through your own bookmark, typed address, or official app. If the problem is real, it is waiting in your account. If it is not there, the email was the attack.
The same rule handles the hard cases that visual inspection cannot: a compromised colleague's real account, a perfect clone of an invoice, a text 'from your kid's new number' asking for money. Verify through a different channel you initiate - call the known number, message the old thread. Out-of-band verification costs thirty seconds and has no known counter.
Entered a password? Change it immediately on the real site, and everywhere it was reused; enable 2FA on that account now. Entered card details? Call the bank, freeze or replace the card, and watch statements. Just clicked, typed nothing? Close the tab, run a security scan for peace of mind, and forgive yourself - the click alone is rarely the breach.
Then report and delete: the 'report phishing' button trains your provider's filters, your employer's IT wants work-account phish forwarded, and impersonated companies run abuse inboxes (e.g., reportphishing@apple.com, phishing@paypal.com). Reporting is not just hygiene - it burns the campaign for the next thousand targets.
The out-of-band rule: never act through the message - go to the site or app directly through your own bookmark and see if the issue exists there. It works even against perfect-looking emails sent from genuinely compromised accounts.
In modern mail clients, essentially no - opening and reading is safe; images are sandboxed and usually blocked. The danger lives in links you click and credentials you type, and in attachments you open and grant permissions to.
Same playbook, smaller screen: 'package held' fees, fake bank alerts, 'hi mum, new number' family scams. Long-press to inspect links, never pay or send codes from a message, and verify family emergencies by calling the number you already had.
Some are sloppy; some are deliberately filtered - an email that only fools inattentive readers selects for victims who will follow through. Either way, the absence of typos proves nothing: AI-written phishing is grammatically perfect, which is why sender, links, and the out-of-band rule are the real checks.