Spot a phishing email in 30 seconds
The four signals that sort real email from phishing — and the one trap that catches everyone.
Phishing doesn't look like Nigerian princes anymore
Modern phishing is boring-looking. A "shared Google Doc". A "DHL delivery notice". An "unusual sign-in from Chennai". That's the point — it blends in.
Four signals, in order
- Sender domain mismatch. The display name says "ICICI Bank" but the address is secure-update@icici-verify.co. Always read the domain, not the name.
- Urgency + consequence. "Your account will be locked in 2 hours." Real banks do not do this over email.
- Link vs. label. Hover over any link before clicking. If the underlying URL doesn't match the visible text, leave.
- Unsolicited attachments. Especially .zip, .html, and office docs asking you to enable macros.
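The four signals above, turned into a mechanical check. This is an added example written for this article, not code from the original; the brand-to-domain table, the urgency phrasing, the risky extension list and the sample message are all constructed assumptions modelled on the ICICI example in the text.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the legitimate domain behind each brand a display name might claim.
BRAND_DOMAINS = {"icici bank": "icicibank.com"}
RISKY_EXTENSIONS = (".zip", ".html", ".htm", ".docm", ".xlsm", ".pptm")
# Deadline-plus-consequence phrasing from the article ("locked in 2 hours").
URGENCY = re.compile(r"\b(within|in)\s+\d+\s+(hours?|minutes?)\b|\b(locked|suspended)\b", re.I)
LOOKS_LIKE_HOST = re.compile(r"[\w-]+\.[a-z]{2,}", re.I)

def domain_of(addr_or_url):
    """Lowercased host of an e-mail address or URL, with a leading 'www.' dropped."""
    if "@" in addr_or_url:
        host = addr_or_url.rsplit("@", 1)[-1]
    else:
        host = urlparse(addr_or_url if "://" in addr_or_url else "http://" + addr_or_url).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def same_org(host, expected):
    """True when host is expected or a subdomain of it (login.icicibank.com passes)."""
    return host == expected or host.endswith("." + expected)

def phishing_signals(msg):
    """Return the article's four signals that fire for a message dict with keys
    'from', 'subject', 'body', 'links' (list of (label, href)) and 'attachments'."""
    signals = []
    name, addr = parseaddr(msg["from"])
    claimed = BRAND_DOMAINS.get(name.strip().lower())
    if claimed and not same_org(domain_of(addr), claimed):  # 1: name says brand, domain doesn't
        signals.append("sender domain mismatch")
    if URGENCY.search(msg["subject"] + " " + msg["body"]):  # 2: deadline + consequence
        signals.append("urgency + consequence")
    for label, href in msg["links"]:  # 3: visible host differs from the real href host
        if LOOKS_LIKE_HOST.search(label) and not same_org(domain_of(href), domain_of(label)):
            signals.append("link vs. label")
            break
    if any(f.lower().endswith(RISKY_EXTENSIONS) for f in msg["attachments"]):  # 4
        signals.append("unsolicited attachments")
    return signals

# Constructed sample modelled on the article's ICICI example (not a real message).
SAMPLE = {
    "from": '"ICICI Bank" <secure-update@icici-verify.co>',
    "subject": "Unusual sign-in from Chennai",
    "body": "Your account will be locked in 2 hours. Verify at the link below.",
    "links": [("https://www.icicibank.com/verify", "http://icici-verify.co/login")],
    "attachments": ["statement.zip"],
}
```

`phishing_signals(SAMPLE)` fires all four; a genuine statement notice from `alerts@mail.icicibank.com` with a `.pdf` fires none. Note what the check cannot see: a reply inside a real thread from a compromised colleague passes every one of these tests, which is exactly why the phone-call rule below exists.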
The one trap that catches everyone
Reply-to hijacking inside a real thread. An attacker compromises a colleague's mailbox and replies inside an existing conversation you trust — correct subject line, correct signature, correct context. The only tell is a sudden request to pay / forward / click.
Rule: any financial or credential ask inside an existing thread gets a phone-call confirmation. Always.
What to do if you clicked
- Disconnect from Wi-Fi / cellular immediately.
- Change the password of the account the email claimed to be from, on a different device.
- Turn on MFA everywhere, starting with email and bank.
- If it was a work device, tell IT within the hour, not the day. Early notification is the difference between a close call and a breach.