
How to Spot a Phishing Email Before It Reels You In


Every day, roughly 3.4 billion phishing emails are sent worldwide. That's not a typo — billion, with a B. And while most of them are obvious enough that your spam filter catches them, the ones that actually reach your inbox? Those are the ones that are getting frighteningly good.

Here's how to spot them.

1. Check the sender's email address (not just the name)

This is the big one. Scammers are very good at making the display name look legitimate. You might see "NAB Bank" or "Australian Taxation Office" in bold — but if you click on the name or hover over it, the actual email address behind it often tells a different story.

Look for things like `nab-support@nab-secure-alerts.com` instead of `@nab.com.au`, or subtle misspellings like `@australian-taxoffice.gov`. Legitimate Australian government agencies will always email from `.gov.au` domains.
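The check above can be automated for a mailbox or a mail gateway. The following is an added example, not code from the original post: it pulls the real address out of a From header with Python's standard `email.utils.parseaddr`, then compares the domain with what the display name claims. The sender table (only `nab.com.au` comes from the post), the government keyword list and the sample headers are constructed assumptions for illustration.

```python
# Added example (not part of the original post): pull the real address out of a
# From header and compare its domain with what the display name claims.
# The sender table, the keyword list and the sample headers are constructed.
from email.utils import parseaddr

# Constructed table: organisations and the domains they really send from.
# The post names nab.com.au; any other entry you add is your own assumption.
KNOWN_SENDERS = {
    "nab": ("nab.com.au",),
}

# Words in a display name that claim to be an Australian government agency.
# The post's rule: such agencies always send from a .gov.au domain.
GOVERNMENT_WORDS = ("taxation office", "tax office", "government", "mygov")


def is_under(domain: str, base: str) -> bool:
    """True if domain is base itself or a subdomain of base."""
    return domain == base or domain.endswith("." + base)


def sender_parts(from_header: str):
    """Split a From header into (display name, address domain), lowercased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.strip().lower(), domain.lower()


def check_sender(from_header: str) -> list:
    """Return red flags for a From header; an empty list means none found."""
    name, domain = sender_parts(from_header)
    if not domain:
        return ["no usable address behind the display name"]
    flags = []
    # A government-sounding name that does not send from .gov.au
    if any(w in name for w in GOVERNMENT_WORDS) and not is_under(domain, "gov.au"):
        flags.append(f"claims to be a government agency but sends from {domain}")
    # A known organisation's name on an address outside its real domain
    for org, real in KNOWN_SENDERS.items():
        if org in name.split() and not any(is_under(domain, d) for d in real):
            flags.append(f"display name mentions {org!r} but sends from {domain}")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, including the two shapes the post describes.
    samples = [
        "NAB Bank <nab-support@nab-secure-alerts.com>",
        "Australian Taxation Office <refunds@australian-taxoffice.gov>",
        "NAB <no-reply@nab.com.au>",
        "NAB <alerts@nab.com.au.login-check.net>",
    ]
    for h in samples:
        print(h, "->", check_sender(h) or "no red flags")
```

Note the `is_under` test: `nab.com.au.login-check.net` starts with the bank's domain but is a subdomain of `login-check.net`, so it is correctly flagged, while `mail.nab.com.au` is accepted. A display name with no usable address at all is treated as a red flag in its own right.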

2. Look for urgency or threats

"Your account will be suspended in 24 hours." "Immediate action required." "You have an outstanding fine — pay now to avoid prosecution."

Sound familiar? That's because scammers use urgency deliberately to short-circuit your brain's critical thinking. When you're stressed, you're more likely to click without pausing to think. Take a breath. Real organisations give you reasonable time to respond.

3. Hover over links before clicking them

Before you click any link in an email, hover your mouse over it (or press and hold on mobile) to see where it actually goes. The URL that pops up might be completely different from what's displayed in the email text.

Watch out for links that:

  • Have misspelled domain names (like `amaz0n.com` or `paypa1.com`)
  • Use random subdomains (like `login.yourbank.suspicious-site.com`)
  • Use URL shorteners like `bit.ly` when the email is supposedly from a bank
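The three link patterns above can also be checked programmatically over an HTML email body. The following is an added example, not code from the original post: it collects every `<a>` tag with Python's standard `html.parser`, then flags digit-for-letter lookalike domains, a brand name used as a subdomain of some other site, URL shorteners, and link text that shows one host while the href goes to another. The brand list, the shortener list and the sample HTML are constructed assumptions for illustration.

```python
# Added example (not part of the original post): pull every link out of an HTML
# email body and apply the post's three checks (lookalike domains, a brand used
# as a subdomain of another site, URL shorteners), plus a check that the visible
# link text and the real destination agree. Brand list, shortener list and the
# sample body are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}          # constructed sample
BRANDS = {"amazon.com", "paypal.com", "nab.com.au"}     # constructed sample
URL_LIKE = re.compile(r"(https?://)?([\w-]+\.)+[a-z]{2,}(/\S*)?", re.I)
LEET = str.maketrans("0134", "olea")   # digits that often stand in for letters


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; also accepts bare domains like nab.com.au."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_under(host: str, base: str) -> bool:
    """True if host is base itself or a subdomain of base."""
    return host == base or host.endswith("." + base)


def check_link(href: str, text: str) -> list:
    """Return red flags for one link; an empty list means none found."""
    host = host_of(href)
    if not host:
        return ["link has no host"]
    flags = []
    if host in SHORTENERS:
        flags.append(f"uses URL shortener {host}")
    # Visible text is itself a URL: does it point where the href really goes?
    if URL_LIKE.fullmatch(text):
        shown = host_of(text)
        if shown and not is_under(host, shown):
            flags.append(f"text shows {shown} but link goes to {host}")
    for brand in BRANDS:
        # amaz0n.com / paypa1.com: digits substituted for letters
        if host != brand and host.translate(LEET) == brand:
            flags.append(f"{host} is a lookalike of {brand}")
        # login.nab.com.au.other-site.com: brand name buried in a subdomain
        label = brand.split(".")[0]
        if label in host.split(".") and not is_under(host, brand):
            flags.append(f"{host} uses '{label}' as a subdomain of another site")
    return flags


def scan_html(body: str) -> list:
    """Return [(href, text, flags)] for every link in an HTML body."""
    parser = LinkCollector()
    parser.feed(body)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample body with one link of each kind the post warns about.
SAMPLE_HTML = """
<p>Your account has been limited. Verify within 24 hours.</p>
<a href="http://amaz0n.com/verify">Verify your Amazon account</a>
<a href="https://login.nab.com.au.secure-alerts.com/">https://nab.com.au/login</a>
<a href="https://bit.ly/3xyz">View your statement</a>
<a href="https://nab.com.au/">nab.com.au</a>
"""

if __name__ == "__main__":
    for href, text, flags in scan_html(SAMPLE_HTML):
        print(f"{text!r} -> {href}: {flags or 'no red flags'}")
```

Run against the sample body, the first three links each get at least one flag and the genuine `nab.com.au` link gets none. The digit-substitution check is deliberately narrow (only `0`, `1`, `3`, `4`); it will not catch homoglyphs from other alphabets or typo-squats such as a missing letter, so treat it as one signal among several rather than a complete lookalike detector.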

4. Watch for generic greetings

Legitimate businesses that have your details will usually address you by name. "Dear Customer," "Dear Account Holder," or "Dear User" are classic signs that the email was sent in bulk to millions of people and the scammer has no idea who you are.

5. Look for unexpected attachments

Did you request any files? No? Then why is someone sending you an "invoice," "document," or "photo" out of nowhere? Unexpected attachments — especially .zip, .exe, .pdf, or .docx files — are a favourite delivery mechanism for malware.

If you weren't expecting an attachment, don't open it, even if it looks like it came from someone you know (their account might be compromised).

6. The email asks for personal or financial information

Legitimate organisations — banks, government agencies, utilities — will never ask you to confirm passwords, PINs, credit card numbers, or other sensitive details via email. Full stop. If an email is asking for this, it's a scam.

7. Trust your gut

Something just feels… off. The language is slightly weird. The logo looks a bit wrong. The formatting is inconsistent. These are legitimate signals. Your intuition has pattern-matched something suspicious even if you can't articulate exactly what.

When something feels off, treat it as suspicious until proven otherwise.

What to do if you're unsure

Don't click anything. Instead:

  • Go directly to the organisation's website by typing the URL into your browser
  • Call them using a number from their official website (not a number provided in the email)
  • Forward the email to your IT team or managed service provider

Practice makes perfect

Reading tips is one thing. Actually training your eye is another. Phishbate's free phishing quiz puts you in the hot seat with real-looking emails and tests whether you can spot the red flags under pressure.

Spoiler: most people are more susceptible than they think — until they've practised.

Test yourself at Phishbate — it's free →