The Seven Structural Red Flags

Phishing emails vary endlessly at the surface level — brand, story, hook — but they share a small set of structural tells. Internalise these seven and you can spot any phishing attempt regardless of which brand the scammer chose to impersonate this week.

1. The sender domain doesn't match the brand

This is the single highest-signal check. A real Apple email comes from an address ending in @apple.com. A scam impersonating Apple might come from noreply@apple-account-verify.com, support@apple.id-verify.help, or apple@gmail.com. The decisive part of a sender address is the registered domain: the right-most labels of the part after the @ (apple.com, or hsbc.co.uk where the registry uses a two-label suffix). Everything to the left of that, the mailbox name and any subdomains, can say anything. If the right-most part of the sender domain isn't the brand's actual primary domain, the email is fraudulent.

2. The greeting is generic

"Dear Customer", "Dear User", "Dear Account Holder". Real brands hold your name and use it; bulk phishing campaigns mail thousands of addresses without knowing who's on the other end. There are exceptions — some legitimate marketing is generic, some sophisticated phishing is personalised — but as a 30-second filter the generic greeting catches a large fraction of low-effort phishing.

3. The links don't lead where the text says they do

Hover over any link without clicking. On desktop, your browser or email client shows the real destination at the bottom of the screen. On mobile, long-press the link until a preview appears. If the link says apple.com/account but the real destination is apple-id-verify.help/login, the email is fraudulent. The text of a link is just text — the destination is what matters.
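Flags 1 and 3 are the two checks a mail filter can apply mechanically, so here is a small checker for both, written for this article as an added illustration (it is not ScamSupport's own tooling or scanner). It assumes a constructed allow-list `BRAND_DOMAINS` of domains each brand really sends from, and `MULTI_LABEL_SUFFIXES` is a constructed stand-in for the Public Suffix List so that hsbc.co.uk is treated as one registered domain. One caveat the page's hover advice relies on: the display name in a From header ("Apple Support <...>") is free text, so the code judges only the bracketed address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of domains a brand really sends from (constructed for
# this example; a real deployment would maintain this per brand).
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "hsbc": {"hsbc.co.uk", "hsbc.com"},
}

# Constructed stand-in for the Public Suffix List: suffixes under which the
# registered domain is three labels long (hsbc.co.uk), not two.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}

# Visible link text that names a host: optional scheme, host, optional path.
HOSTLIKE_TEXT = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I
)


def registrable_domain(host):
    """Right-most part of a hostname that someone had to register: the decisive bit."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain_matches(from_header, brand):
    """Flag 1: does the address in a From header belong to a domain the brand owns?"""
    # Use the angle-bracketed address if present; the display name before it is free text.
    m = re.search(r"<([^>]+)>\s*$", from_header)
    addr = m.group(1) if m else from_header.strip()
    if "@" not in addr:
        return False
    host = addr.rsplit("@", 1)[1]
    return registrable_domain(host) in BRAND_DOMAINS[brand]


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Flag 3: links whose visible text names one domain but whose href goes to another.

    Returns a list of (visible_text, real_host). Links whose text is not host-like
    ("Click here") cannot be judged this way and are skipped; hover for those.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = HOSTLIKE_TEXT.match(text)
        real_host = urlparse(href).hostname or ""
        if shown and real_host and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            findings.append((text, real_host))
    return findings


# Constructed sample body mirroring the apple.com/account example above.
SAMPLE_HTML = """
<p>Dear Customer,</p>
<p>Verify at <a href="https://apple-id-verify.help/login">apple.com/account</a> within 24 hours.</p>
<p>Help is at <a href="https://www.apple.com/uk/">apple.com</a>.</p>
<p><a href="https://apple-id-verify.help/login">Click here</a> if the button fails.</p>
"""

if __name__ == "__main__":
    for sender in ("Apple <noreply@apple.com>", "support@apple.id-verify.help", "apple@gmail.com"):
        print(sender, "->", "ok" if sender_domain_matches(sender, "apple") else "FLAG 1")
    for text, host in mismatched_links(SAMPLE_HTML):
        print("FLAG 3:", repr(text), "really goes to", host)
```

Note that the legitimate www.apple.com link passes because the comparison is on the registered domain, not the full hostname, and that the "Click here" link is not reported: text-only anchors give the checker nothing to compare, which is exactly why the hover-and-read habit still matters.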

4. The message creates time pressure

"Act within 24 hours or your account will be suspended". "Final notice". "Immediate action required". Real account-management notifications give you reasonable time. Phishing leans on urgency to bypass your verification process — if you stopped to log in via the real website rather than the email link, the scam falls apart.

5. The email asks for credentials, codes, or banking details

No legitimate company asks for your password, security codes, multi-factor authentication codes, or full banking details by email. Real password resets work via a link to a page where you choose a new password — they never ask you to send the old one. Real fraud-prevention checks happen inside your bank's app or on the bank's real website, never via email reply.

6. There's an unexpected attachment

An email that opens with "Please review the attached invoice" or "Document for your records", carrying a PDF, Word file or ZIP from a sender you weren't expecting documents from, is the most common malware delivery vector. The attachment may be a credential-harvesting form, a document with a malicious macro, or a remote-access trojan installer. Default to not opening any unexpected attachment until you have verified its legitimacy with the sender via a separate channel.

7. The grammar, formatting, or branding is subtly wrong

This is a softer signal than the others, but still useful. Phishing emails often have small inconsistencies — the brand logo is the wrong shape or colour, the spacing is off, an apostrophe is the wrong style, the copyright year is last year, or the footer address doesn't match the brand's real registered office. AI-generated phishing has improved dramatically in 2026 and these tells are weakening, but they're still worth a 5-second scan.

The 30-Second Verification Procedure

If you've checked an email against the seven flags and you're still uncertain, the verification procedure is the same regardless of brand:

  1. Don't click any link in the email. Open a fresh browser tab.
  2. Type the brand's real address yourself — not from the email, not from a search result, not from autocomplete. amazon.co.uk, paypal.com, hsbc.co.uk, apple.com, etc.
  3. Log in normally and check whether the message's claim is reflected in your account. If a real "your payment failed" notification was sent, the same alert will be visible inside your account.
  4. If nothing matches, the email is fraudulent. Report it (next section) and delete it.

This procedure costs you 30 seconds. The cost of falling for the email is sometimes thousands of pounds. The maths is straightforward.

Where to Report Phishing Emails

  1. Forward to report@phishing.gov.uk — the National Cyber Security Centre's Suspicious Email Reporting Service. The NCSC has actioned hundreds of thousands of takedowns from forwarded reports.
  2. Forward suspicious SMS to 7726 (free across all UK mobile networks — the digits spell SPAM).
  3. Forward brand-impersonation emails to the brand's own abuse address. spoof@paypal.com, stop-spoofing@amazon.com, reportphishing@apple.com, phish@office365.microsoft.com, phishing@hmrc.gov.uk.
  4. If you clicked the link or submitted information, report to Report Fraud — the UK's national fraud and cybercrime reporting service.
  5. Mark as phishing/spam in your email client. This trains your provider's filter and helps protect other recipients.

The 2026 AI-Phishing Adjustment

The two universal phishing tells used to be (a) bad grammar and (b) generic copy. Both have weakened sharply with AI-generated phishing. Modern phishing emails read fluently, use proper UK English, and can be lightly personalised using leaked data (your name, your address, your bank, sometimes the last four digits of your card from a breach). The seven structural flags above are still valid — the sender domain, the link destination, the credential request — but the writing-quality tells are no longer reliable. The defence is to lean harder on the procedural rules: never click links, always verify on the real website, never share credentials by email regardless of how convincing the message reads.

Additional Resources

Protect Your Data with VPN

Use NordVPN to encrypt your connection when accessing sensitive accounts online, protecting your data from interception.

Affiliate disclosure: as a NordVPN partner, ScamSupport may earn a commission if you sign up via this link — this doesn't change our recommendation or the price you pay. Full affiliate policy →
