How to Spot and Report Phishing Emails

Phishing emails are among the most common cyber threats today. Designed to trick recipients into giving up sensitive information or downloading malware, they account for over 90% of successful cyberattacks. These emails exploit human behavior rather than technical flaws—making awareness your best defense.

This guide covers real phishing email examples, how to recognize common red flags, and what steps to take when you encounter one.

What Is Phishing?

Phishing is a form of cyberattack where scammers pose as trusted sources to:

• Steal login credentials or financial information

• Install malware via links or attachments

• Trick users into transferring money or data

While email is the most common medium, phishing now also includes text (smishing) and voice calls (vishing).

Common Phishing Email Examples

1. Fake Account Alerts (e.g., PayPal)

Example:

From: security@paypa1.com
Subject: Your account is limited – verify now

“We detected suspicious activity. Click here to verify or risk suspension.”

Red Flags:

• Misspelled domain

• Generic greeting

• Threats and urgency

• Suspicious links

2. Fake Delivery Notices

Example:

From: delivery@fedex-alert.com
“We couldn’t deliver your package. Download the form to reschedule.”

Red Flags:

• Fake domain

• Vague package details

• Malicious attachment

3. Tech Support Scams

Example:

From: microsoft365@secure-outlook.com
“Your account was accessed from an unknown device. Act now.”

Red Flags:

• Suspicious sender

• Urgent language

• Link to non-Microsoft domain

4. Fake Shared Documents

Example:

From: noreply@googledoc-share.com
“A file has been shared with you. Sign in to view.”

Red Flags:

• Spoofed domain

• Vague content

• Fake login page

5. HR or Executive Impersonation

Example:

From: jennifer.smith@benefits-update.com
“Urgent: Review changes to your healthcare plan.”

Red Flags:

• Non-company domain

• Impersonated internal contact

• Urgency to log in

How to Spot a Phishing Email

Check for these common warning signs:

1. Sender’s Address

• Look past the display name

• Watch for slight domain changes or unusual suffixes

2. Generic Greetings

• “Dear Customer” instead of your actual name

• Misspelled names or strange formality

3. Suspicious Links/Attachments

• Hover to preview URLs before clicking

• Watch for shortened links or unexpected file formats (.exe, .zip, .doc with macros)

4. Urgency or Pressure

• Threats (“Act now or lose access”)

• Limited-time offers or scare tactics

5. Poor Formatting or Grammar

• Spelling errors

• Odd layouts, inconsistent fonts, or broken logos

How to Report Phishing

1. Internal Reporting

• Forward the email to your IT/security team

• Use your company’s reporting tools

2. Email Providers

• Gmail: Click the three-dot menu > “Report phishing”

• Outlook: Right-click > “Mark as phishing”

3. Authorities

• Forward to reportphishing@apwg.org

• Report to the FTC at reportfraud.ftc.gov

• Notify the impersonated brand via their website

4. If You Clicked or Responded

• Change your passwords immediately

• Enable two-factor authentication

• Monitor financial and email accounts

• Alert your bank if financial data was shared

Advanced Phishing Tactics

As awareness increases, attackers are getting smarter. Be on alert for:

• Spear Phishing: Personalized attacks using real data

• Business Email Compromise (BEC): Impersonating executives to request wire transfers

• Clone Phishing: Copying real emails and inserting malicious content

• Multi-Channel Attacks: Email scams followed by phone calls to build credibility

Conclusion

Phishing emails are evolving, but so can your defenses. By understanding the signs, you can avoid being tricked and help others do the same.

Stay safe by remembering:

• Verify the sender before acting

• Don’t click unfamiliar links or attachments

• Report suspicious emails to your team and authorities