The 5 Red Flags in Every Phishing Email (And How to Spot Them)
Despite getting smarter and more polished, most phishing emails still follow a predictable formula. Once you know the formula, you'll start seeing it everywhere — and you'll wonder how you ever fell for it.
Here are the five red flags that appear in virtually every phishing email.
Red Flag #1: A dodgy sender address
The display name might say "ANZ Bank" but the actual email address says `security@anz-alerts-noreply.com.au` (note: not `@anz.com.au`). Scammers craft domains that look similar at a glance but are controlled by them.
How to check: Click or hover on the sender name to reveal the actual address. Look for the real domain — anything after the @ symbol. For Australian banks, government agencies, and major companies, you should know their real domains.
Red Flag #2: Artificial urgency
"Your account will be closed in 24 hours." "Immediate action required." "FINAL WARNING." These messages are designed to make you panic and act without thinking.
Real organisations don't communicate this way. Your bank might send a reminder. The ATO might follow up. But they allow you reasonable time and they have official processes — they don't threaten you over email.
How to check: Take a breath. If the urgency doesn't feel right, it probably isn't. Google the organisation's official contact details and call them to verify.
Red Flag #3: Suspicious or mismatched links
The link in the email might say `www.mybank.com.au` but actually go to `www.mybank-secure-login.net`. Always check where a link actually goes before clicking.
How to check: Hover your cursor over any link in the email (on desktop). The actual URL appears in the status bar at the bottom of your browser. On mobile, press and hold the link to see a preview.
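Red flags #1 and #3 are the two checks that can be automated on the defender's side (a mail gateway or a webmail plugin does exactly this). The following is an added example, not from the original article: it compares the domain a sender address or link actually lands on against the domain the display name or link text claims, using the page's own lookalike examples as constructed input. The brand-to-domain table and the short list of two-label Australian suffixes are assumptions for illustration; a real deployment would use the organisation's own allow-list and the Public Suffix List.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed mapping of brand names (as they appear in display names or
# link text) to the domains that brand really uses. Assumption, not an
# official list.
BRAND_DOMAINS = {"anz": {"anz.com.au"}, "mybank": {"mybank.com.au"}}

# Two-label public suffixes used in Australia. Constructed shortlist; the
# Public Suffix List is the proper source in production.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "gov.au", "org.au", "edu.au"}


def registrable_domain(host):
    """Reduce a hostname to the part a registrant actually controls,
    so mail.anz.com.au and anz.com.au compare equal while
    anz-alerts-noreply.com.au does not."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _host(url):
    """Hostname of a URL, tolerating link targets written without a scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url
    return urlparse(url).hostname or ""


def sender_is_suspicious(from_header):
    """Red flag #1: the display name claims a known brand, but the address
    behind it is not on one of that brand's real domains."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return True  # no usable address at all
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower():
            return domain not in domains
    return False  # no brand claimed, so there is nothing to contradict


def link_is_suspicious(visible_text, href):
    """Red flag #3: the link text looks like a web address, but the real
    destination (href) lands on a different registrable domain."""
    shown_host = _host(visible_text.strip())
    if "." not in shown_host:
        return False  # plain wording such as "click here": nothing to compare
    return registrable_domain(shown_host) != registrable_domain(_host(href))
```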
Red Flag #4: Requests for personal information
"Please confirm your account details." "Enter your password to proceed." "We need your tax file number to process your refund."
Legitimate organisations do not ask for sensitive personal information via email. Not your bank. Not the ATO. Not Medicare. Ever.
How to check: If any email asks you to provide personal details, login credentials, or financial information — that's your cue to stop and verify through a separate channel.
Red Flag #5: Unexpected attachments
An invoice for something you didn't order. A document from someone you don't recognise. A "photo" from an unknown address. Unexpected attachments are one of the most common malware delivery methods.
How to check: Did you expect this attachment? Do you know the sender? If the answer to either is no — don't open it.
The golden rule
When in doubt, go directly to the source. Don't click the link in the email. Open a new browser window, navigate to the official website, and check from there. Two minutes of caution can save thousands of dollars.
Think you can spot a phish?
Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.