Imagine you're working through a full inbox on a Tuesday morning when an email arrives from what appears to be your IT department, asking you to verify your login credentials before a system update.
The branding looks right, the email address seems close enough, and with a dozen other things waiting for your attention, you click through without giving it much thought.
Phishing attacks are designed for exactly that situation: someone moving fast and not reading carefully. And the risk is real. A 2024 study from Harvard Kennedy School found that AI-generated phishing emails now achieve a 54% click-through rate, matching the performance of emails crafted by human security experts. A generic phishing email achieves around 12% by comparison.
The tactics are getting sharper, but the signals are still there if you know what to look for. For anyone managing a busy inbox with dozens of emails arriving daily, the volume pressure alone makes it easier to miss something. According to the 2026 Fyxer Admin Burden Index, email is the single biggest source of avoidable admin drain in the working day. A full inbox is exactly the environment where phishing attacks are more likely to succeed.
Knowing how to spot a phishing email comes down to a short set of checks: sender address verification, link destination review, and a gut-check on whether the request makes sense. This guide covers each one.
What is a phishing email, exactly?
Phishing is when an attacker poses as a trusted person or organization to get you to hand over information or click a link. That information is usually login credentials, financial details, or access to a company account. The link usually leads to a fake login page or silently installs malware.
The term covers a lot of ground. Generic phishing targets whoever happens to open it. Spear phishing is personalized to the specific recipient. "Whaling" goes after executives. Business email compromise (BEC) impersonates colleagues or vendors to request wire transfers or sensitive data.
What they all have in common: they rely on a moment of inattention or misplaced trust.
A quick checklist: Warning signs to look for
Before going into detail, here are the most reliable signals that an email may be a phishing attempt.
The sender's display name and email address don't match. The display name is free text chosen by the sender, so look past it to the full address. Bear in mind that even the address can be forged when the claimed domain doesn't enforce SPF, DKIM and DMARC, so a matching address is reassuring rather than proof.
The domain differs slightly from the real one: a zero instead of an O, an extra hyphen, a different suffix (.net instead of .com), or the real name placed in front of a domain the attacker controls (login.example.com.attacker.net). Only the part just before the suffix is the registered domain; everything to its left is a subdomain.
The email creates urgency: "Act now," "Your account has been suspended," "Verify immediately or lose access."
There's a link, but hovering over it (or long-pressing it on a phone) reveals a destination different from the visible text.
It asks for something you wouldn't normally send over email: passwords, financial details, or login credentials.
An attachment arrived that you weren't expecting, particularly from someone you rarely hear from.
The request itself would be unusual even if it really came from that person or organization, however legitimate everything else looks.
The email came from a free webmail address (Gmail, Yahoo, Outlook.com) but claims to be from a company or institution.
That point about the request itself is easy to overlook. A convincing logo and matching font can pass a quick visual scan. What's harder to fake is whether the request actually makes sense given who sent it and when.
Why spelling errors are no longer a reliable signal
A few years ago, the standard advice was to look for poor grammar and awkward phrasing. That's less reliable now.
The same Harvard Kennedy School study found that AI-automated phishing emails performed on par with those written by human security experts, achieving a 54% click-through rate versus 12% for a generic control group. The tool scraped each target's digital footprint, built a personalized vulnerability profile, and drafted a tailored message with no spelling mistakes and no obviously off-putting phrasing.
There has also been a shift toward trusted platforms. In 2024, 96% of phishing emails targeting businesses used legitimate services such as SharePoint and Zoom to host the lure on a domain that both security filters and recipients already trust. Microsoft was impersonated in over half of all phishing scams that year. These aren't obscure domains. Most corporate email filters are configured to expect traffic from them, which is exactly why attackers use them.
New employees are a particular target. Research from Egress found that new hires face phishing attacks impersonating senior colleagues within an average of three weeks of starting. They're less likely to recognize an unusual request for what it is.
A few more checks that are worth building into habits
The checklist covers most of it, but there are a few additional habits worth adding on top.
Read the domain slowly: Lookalike domains are designed to be missed at normal reading speed. Take two seconds to read the sender's full email address, and pay most attention to the part just before the suffix, since that is the registered domain and everything to its left is a subdomain the attacker can name however they like. It's a small habit with a real return.
Be skeptical of HTTPS: The padlock in a browser means the connection is encrypted, not that the site is trustworthy. Phishing sites now routinely use HTTPS. A convincing-looking fake login page with a padlock is still a fake login page.
Be cautious with QR codes in emails: QR code phishing has grown because the destination URL isn't visible before you scan it. If an email asks you to scan a code rather than click a link, that's an unusual choice for most legitimate organizations and worth questioning.
When in doubt, go directly to the source: If an email claims your account is at risk, don't use the link it provides. Open a browser, navigate directly to the site, and check your account there. This habit eliminates most of the risk, regardless of the email's form. It's also worth reading up on how to manage email overload more generally, since a cleaner inbox makes it easier to catch things that look out of place.
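To make the checklist and the "read the domain slowly" habit concrete, here is an added example written for this article (not Fyxer's code) that runs the sender, lookalike-domain, link-destination, free-webmail and urgency checks over a raw message. It assumes a single known-good domain, example.com, treats the last two labels of a hostname as the registered domain (which is wrong for suffixes such as co.uk), and uses two constructed sample messages rather than real mail.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the domains your real IT department mails from.
KNOWN_DOMAINS = {"example.com"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = re.compile(r"act now|immediately|suspended|verify|lose access|within \d+ hours", re.I)

def normalize(label: str) -> str:
    """Undo the substitutions lookalike domains rely on (0/o, 1/l, rn/m, hyphens)."""
    label = label.lower().replace("-", "")
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        label = label.replace(fake, real)
    return label

def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Assumes no multi-label suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_findings(host: str, where: str) -> list[str]:
    """Flag a host whose registered domain is not ours but resembles or embeds it."""
    host, reg = host.lower(), registered_domain(host)
    if reg in KNOWN_DOMAINS:
        return []
    out = []
    for known in KNOWN_DOMAINS:
        if normalize(reg) == normalize(known):
            out.append(f"{where}: {reg} is a lookalike of {known}")
        elif known in host:  # real brand buried in a subdomain: example.com.attacker.net
            out.append(f"{where}: {known} appears inside unrelated host {host}")
    return out

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw: str) -> list[str]:
    """Return the checklist signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    sender_host = addr.rpartition("@")[2]
    smuggled = re.search(r"[\w.+-]+@([\w.-]+)", name)  # address hidden in the display name
    if smuggled and registered_domain(smuggled.group(1)) != registered_domain(sender_host):
        findings.append(f"display name shows {smuggled.group(0)} but real address is {addr}")
    if registered_domain(sender_host) in FREE_WEBMAIL:
        findings.append(f"sender uses free webmail domain {sender_host}")
    findings += domain_findings(sender_host, f"sender {addr}")
    text = str(msg["Subject"] or "")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
            text += " " + re.sub(r"<[^>]+>", " ", html)
            links = LinkCollector()
            links.feed(html)
            for href, visible in links.links:
                href_host = urlsplit(href).hostname or ""
                m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", visible, re.I)
                if m and registered_domain(m.group(1)) != registered_domain(href_host):
                    findings.append(f"link text shows {m.group(1)} but goes to {href_host}")
                findings += domain_findings(href_host, f"link {href}")
        elif part.get_content_type() == "text/plain":
            text += " " + part.get_content()
    if URGENCY.search(text):
        findings.append("urgency language present")
    return findings

# Constructed sample messages, not real mail.
PHISH = """\
From: "IT Department" <helpdesk@examp1e.com>
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Verify immediately or lose access.</p>
<p><a href="https://login.examp1e.com/verify">https://login.example.com/verify</a></p>
</body></html>
"""
CLEAN = """\
From: IT Department <it-support@example.com>
Subject: Planned maintenance on Saturday
Content-Type: text/plain; charset="utf-8"

The portal will be offline on Saturday from 02:00 to 04:00. No action is needed.
"""
```

Running `triage(PHISH)` reports the lookalike sender domain, the link whose visible text names example.com while its href goes to examp1e.com, and the urgency wording; `triage(CLEAN)` returns an empty list. Note that the code deliberately gives an https link no credit: the padlock says nothing about who owns the domain, which is the same point made about HTTPS above.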
What to do if you've already clicked
The first thing to do is try not to panic. Even security professionals get caught out from time to time.
If you clicked a link but didn't enter any information, you may be okay. Close the tab, run a malware scan, and change the password for the targeted account as a precaution.
If you entered credentials, act immediately. Change your password on the real site, and while you're there sign out all active sessions and check for mailbox forwarding rules you didn't create, since attackers commonly add both to keep access after a password change. Enable two-factor authentication if it isn't already active. Tell your IT team, especially if this is a work account. The sooner access is locked down, the less damage there is.
If you opened an attachment, assume something may have been installed. Disconnect from the network, alert your IT security team, and let them run checks. The instinct to stay quiet about a mistake like this is understandable, but reporting quickly is almost always the right call. Security teams would much rather know early.
Staying one step ahead of phishing for good
The harder phishing emails are to distinguish from legitimate ones, the more it matters to have a clear view of what's actually in your inbox. For anyone handling a high volume of email daily, noise is the enemy: when there's too much to process, something suspicious can slip through without triggering a second look. Phishing works because inboxes are busy and attention is scarce. The best defense is both a sharper eye and a cleaner inbox.
Keeping your inbox organized by priority directly reduces the surface area where phishing can go unnoticed. Tools like Fyxer surface the emails that actually need your attention by organizing your inbox by priority, which means the volume pressure that makes phishing easier to miss is reduced. You stay in control of what gets acted on.
Phishing emails FAQs
What is the difference between phishing and spear phishing?
Phishing is a broad attack cast at a large number of people at once, with no personalization. Spear phishing is targeted: the attacker has researched the recipient and built the email around specific details, like their name, role, company, or recent activity. Spear phishing emails are significantly harder to catch because they don't carry the obvious red flags of a mass phish. The sender might reference a real project, a real colleague, or a tool you actually use. The tell is usually the request itself, not the email's appearance.
Can phishing emails come from someone I know?
Yes. One of the most common attack patterns is business email compromise, where an attacker either spoofs a colleague's address or gains access to a real account and sends from it directly. If an email from a known contact asks for something unusual, like a wire transfer, login credentials, or access to a shared document, that's worth a second look regardless of the sender. Call or message the person through a separate channel to verify before acting.
Is it safe to open a phishing email if I don't click anything?
Generally, yes. Simply opening an email in a modern client is unlikely to cause harm in most cases. The risk comes from clicking links, downloading attachments, or entering information on a linked page. That said, opening can still leak something: a tracking pixel loaded with remote images tells the sender your address is live and read, and, far more rarely, a client vulnerability can be triggered on open. If you suspect an email is malicious, it's better to report it to your IT team and delete it without opening.
What should I do if I reported a phishing email but my IT team hasn't responded yet?
Change your password for the affected account now rather than waiting. If you entered credentials on a suspicious site, enable two-factor authentication immediately. If you opened an attachment and aren't sure what ran, disconnect from the network as a precaution. Don't wait for confirmation before taking these steps. The potential downside of acting early is minimal. The potential downside of waiting is not.
Does two-factor authentication protect me if I fall for a phishing attack?
It significantly reduces the risk, but it doesn't eliminate it entirely. Code-based two-factor authentication (SMS or authenticator-app codes) stops an attacker from accessing your account with a stolen password alone. However, some phishing attacks use real-time relay methods, where the fake page forwards your password and your code to the real site as you type them and the attacker keeps the resulting session. This is less common, but it happens. Phishing-resistant methods such as security keys and passkeys are not fooled this way, because the credential is bound to the real site's domain and simply won't work on a lookalike. Two-factor authentication in any form is still one of the most effective defenses available, and any account that doesn't have it enabled is considerably more exposed. Use it everywhere you can.