Pagoda Blog

11 Ways to Spot a Phishing Email

July 16, 2020

It only takes one person clicking one malicious link to expose your company's private data to a cybercriminal. Employees who haven't been trained to recognize phishing are the vulnerability attackers target most, because the attack is cheap, works at scale, and needs no technical flaw in your systems. What's more, the phishing emails that exploit this are only becoming more common and tougher to spot.


So what exactly is a phishing email? A phishing email is designed to mimic a trusted company like your bank, phone company, insurance provider, or favorite retail brand in the hope that you won't question its legitimacy. The request it carries is usually one of three things: click a malicious link, hand over personal data or credentials, or open an attachment that installs malware on your device.


11 ways to spot a phishing email 

Learning to spot these crafty phishing emails takes some practice, but if you take the time to double check for the following red flags, you can greatly reduce the risk of falling for a scam. The best way to practice is by using a cybersecurity training program like KnowBe4, but these 11 ways to spot a phishing email will still improve your ability to protect yourself and your company from a cyberattack or data breach. 


1. The sender requests sensitive information

Legitimate companies usually don't request sensitive information via email. Any email that asks for passwords, credit card details, or your Social Security number should not be trusted. If you're suspicious of an email, you can always call the company making the request to confirm it. Just make sure you get the phone number directly from the company's website, not from the email, since a phisher will happily include their own number.


2. The sender's email address doesn't match the company domain

Most companies, especially large corporations, send mail from addresses on their own domain. Check the part after the @ in the actual sender address, not just the display name: most mail clients show only the display name by default, and a phisher can set it to anything. For example, mail that genuinely comes from Nike would come from an address on Nike's own domain, while a phishing email impersonating Nike would come from an address whose domain only resembles it. Common tricks are the company name used as a subdomain of an unrelated domain, an extra word or hyphen tacked on, or a single swapped or look-alike character.


3. The email contains spelling errors

Phishing emails are notorious for spelling errors and bad grammar, and an email that is just plain sloppy is a telltale sign that it shouldn't be trusted. Don't rely on this check alone, though: sophisticated phishing campaigns are proofread as carefully as legitimate marketing mail, which is why it's critical to run through several of these checks before assuming a link is safe. It's also a good reason to proofread your own company's emails before pressing send, so your customers don't learn to shrug off sloppiness.


4. The email uses a generic greeting

If you have an account with a company, they know your name and will typically use it in an email. Emails that use generic greetings such as 'Dear valued customer' could be a red flag and should be treated with caution. The reverse isn't proof of anything, though: attackers who have your name from a data breach or a public profile will use it, so a personalized greeting doesn't clear an email on its own.


5. The entire email is a hyperlink 

A strong sign that an email is a scam is when the entire message body is one hyperlink. That means clicking anywhere in the email, on text, a button, an image, even the whitespace, takes you to the same website. Legitimate marketing mail links specific words or buttons, not the whole message.


6. The email contains an unsolicited attachment 

Legitimate companies typically don't send emails with unsolicited attachments. If a company needs you to download something, they should direct you to their own website first. Be especially wary of compressed archives, executables, and Office documents that ask you to enable macros or editing; those are the formats most often used to deliver malware. Keep in mind, we are referring to unsolicited attachments here. If you sign up for a company's newsletter in exchange for a free download, for example, that download will often be sent to you via email, and it can be trusted because you requested it.


7. The links don’t match the company URL 

Before you click a link in an email, hover your mouse over it to see where it actually goes; the visible text of a link and its real target can be completely different. If the target isn't on the company's own domain (watch for the company name used as a subdomain of something else, or tucked before an @ sign in the address), it may be a phishing scam that will send you to a malicious website, so don't click. Links to forms requesting sensitive information should also always use HTTPS, but HTTPS alone proves nothing about who runs the site: many phishing sites use it too. Treat the padlock as a minimum requirement, not as a sign of legitimacy.
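The checks in items 2 and 7 can be written down as code. The Python below is an added example for this post, not code from the original article or from any vendor product. It compares a From: header and a link target against an allowlist of the domains a brand really mails from. BRAND_DOMAINS, the sample headers, and the sample links are all constructed for the example, and the "last two labels" domain rule stands in for a proper Public Suffix List lookup.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allowlist for this example: brand keyword -> registrable
# domain(s) that brand actually sends mail from. Not a real vendor list.
BRAND_DOMAINS = {
    "nike": {"nike.com"},
    "paypal": {"paypal.com"},
}

# Anchor text that itself looks like a URL or a bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """'mail.nike.com' -> 'nike.com'. Last-two-labels is a stand-in for a
    Public Suffix List lookup and is wrong for suffixes such as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_looks_spoofed(host: str) -> list:
    """Lookalike tricks a quick glance misses: non-ASCII characters or
    punycode (xn--) labels, e.g. a Cyrillic letter standing in for a Latin one."""
    findings = []
    if any(ord(c) > 127 for c in host) or any(
        label.startswith("xn--") for label in host.lower().split(".")
    ):
        findings.append(f"internationalised/homoglyph hostname {host}")
    return findings


def check_sender(from_header: str) -> list:
    """Item 2: does the domain after the @ belong to the brand that the
    display name, local part or hostname claims? Returns a list of findings;
    an empty list means nothing suspicious. This catches lookalike domains
    only; a forged From: on the real domain is what SPF/DKIM/DMARC are for."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    local, host = address.rsplit("@", 1)
    domain = registrable_domain(host)
    findings = host_looks_spoofed(host)
    claims = f"{display} {local} {host}".lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claims and domain not in allowed:
            findings.append(f"mentions '{brand}' but sends from {domain}")
    return findings


def check_link(anchor_text: str, href: str, expected_domain: str) -> list:
    """Item 7: compare where a link says it goes with where it really goes."""
    findings = []
    parts = urlsplit(href.strip())
    if parts.scheme.lower() != "https":
        findings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    host = parts.hostname or ""
    if not host:
        return findings + ["no hostname in link target"]
    if parts.username is not None:
        # https://nike.com@evil.example/ : the browser connects to evil.example;
        # 'nike.com' is only a username that the real host never sees.
        findings.append(f"'{parts.username}@' hides the real host {host}")
    findings += host_looks_spoofed(host)
    if registrable_domain(host) != expected_domain.lower():
        findings.append(f"target {host} is not under {expected_domain}")
    shown = URL_LIKE.match(anchor_text.strip())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")
    return findings


if __name__ == "__main__":
    # Constructed samples; none of these headers or links is real mail.
    for header in [
        "Nike <orders@nike.com>",
        "Nike Support <support@nike-orders-secure.com>",
        "Nike <noreply@nike.com.account-verify.example>",
        "PayPal <service@xn--pypal-4ve.com>",
    ]:
        print(header, "->", check_sender(header) or "ok")
    for text, href, brand in [
        ("https://www.nike.com/account", "https://www.nike.com/account", "nike.com"),
        ("www.nike.com", "https://nike.com@login-verify.example/", "nike.com"),
        ("Update your payment details", "http://nike.com.payment-update.example/login", "nike.com"),
    ]:
        print(repr(text), "->", check_link(text, href, brand) or "ok")
```

Each function returns its reasons rather than a yes/no, because in practice these checks feed a triage queue where the reason is what the analyst reads. An empty list is "nothing found", not "safe": a convincing sender on a brand-new, correctly spelled domain passes every check here, which is exactly why the post tells you to run through all eleven.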


8. The email has an alarmist tone 

If you receive an email threatening to delete your account or data unless you update your payment information or reset your password within 24 hours, it's probably a scam. Manufactured urgency is a deliberate tactic: it pushes you to act before you think. A legitimate company may warn you about an expiring card or an overdue bill, but it won't pair a one-day ultimatum with a link to fix it.


9. The email is requesting a charitable donation

Not all emails requesting charitable donations are scams, of course. Legitimate nonprofits often send emails requesting donations to support their programs or a specific cause. Do be wary, however, of any email requesting money from an organization whose newsletter you haven't subscribed to. Phishing scams requesting charitable donations (and cyberattacks in general) rise significantly right after a natural disaster or public crisis, such as the Covid-19 pandemic.


Related reading: Managing Cybersecurity During a Pandemic and Civil Unrest


10. The company logo is a knockoff

Sometimes the logo in a phishing email appears like the real thing, but when you look closely, the font or design is slightly off. This is a definite red flag and the email should be reported. (See how to report a phishing email below.)


11. Promises that are too good to be true 

We’d all like to assume that we’re not gullible enough to fall prey to a scam promising free money or even just an especially good discount on a favorite product or service. Offering irresistible discounts is a common phishing tactic, however, so if you receive a promotional email that gives you pause, check through the above red flags to see if it could be a scam.  


When good companies send bad emails … 

It's important to note that some of the above red flags on their own do not necessarily mean an email is a phishing scam. Legitimate companies, especially smaller ones, can be guilty of sending emails that use a generic greeting, include spelling errors, or contain an unsolicited attachment. You can always contact the company directly by calling the phone number provided on their website. To get to that website, do not click any links in the email. Instead, open a new tab or window and type the company's web address you already know, or use a bookmark; if you have to search for it, be aware that sponsored search results can also be impersonations. Do not reply to the email or start a new thread, because the sender address may be spoofed or the company's mailbox compromised, so your reply would go straight to the attacker.


What to do if you respond to a phishing email and how to report it  

So what should you do if you accidentally fall prey to a phishing scam and expose sensitive information? The following guidance from the Federal Trade Commission walks you through the steps to take if your information is lost or exposed. It asks you a series of questions to help you determine the necessary action to protect yourself or your company from identity theft.


If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer's security software and then run a scan. If you typed a password into a page the email sent you to, change that password right away, along with anywhere else you reused it, turn on multi-factor authentication for the account, and tell your IT or security team so they can look for follow-on activity.


It's also important to report phishing scams to help prevent others from falling prey to identity theft. You can report phishing emails by forwarding them to the Anti-Phishing Working Group at 
If you got a phishing text message, forward it to SPAM (7726). Report the email to the company being impersonated as well, and to your own IT or security team, so they can block the sender and warn your colleagues.


Related reading: 


What to Do If You Receive Blackmail in Your Inbox

How to Leverage Cybersecurity as a Competitive Edge for Your Business

5 Virus Protection Tips Beyond Security Software


Want to get more posts like these once a month in your inbox? Sign up for the Pagoda newsletter and sharpen your technical skills, from cybersecurity to digital marketing


About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at to schedule a complimentary IT consultation.


As your trusted IT service partner, Pagoda Technologies is here to help you achieve your near and long-term business goals through reliable and affordable IT support. 

Pagoda Technologies

101 Cooper Street

Santa Cruz, CA 95060
