Phishing emails cost Americans over $12 billion in losses in 2024. The terrifying part? Most of them look completely legitimate at first glance.

You've probably been trained to "just use common sense." Attackers have gotten too good for that to work. Modern phishing emails copy real company logos, use official-looking email addresses, and create panic so you stop thinking clearly and just click.

This guide gives you a systematic 10-point checklist you can use on any suspicious email in under 60 seconds. Bookmark it. It will save you.


Why Phishing Emails Are So Effective

Before the checklist, it helps to understand why smart people fall for phishing. Attackers exploit three psychological triggers:

Urgency — "Your account will be closed in 24 hours!" forces you to react before you think.

Authority — An email that looks like it's from your bank, Amazon, or the IRS immediately earns trust.

Fear — "Suspicious login detected" or "Your package couldn't be delivered" triggers anxiety that bypasses critical thinking.

Knowing these triggers is your first defense. When you feel that spike of urgency or alarm from an email, that's exactly when to slow down and run through this checklist.


The 10-Point Phishing Checklist

1. Check the Sender's Actual Email Address (Not Just the Display Name)

This is the single most important check. Email display names are completely fake-able. Anyone can make an email say "PayPal Security Team" while the actual address is noreply@paypal-support-team.ru.

How to check: On mobile, tap the sender's name to expand the full address. On desktop, hover over or click the name in the From field.

Red flags to watch for:

  • Domain doesn't match the company (e.g., @paypal-secure.com instead of @paypal.com)
  • Random strings of letters or numbers (e.g., support@a4j2k.com)
  • Slight misspellings: @amazon-amazon.com, @netfl1x.com, @apple-id-support.com
  • A legitimate-looking name but a totally unrelated domain (e.g., apple@gmail.com)

Legitimate companies always email from their own official domain. PayPal emails come from @paypal.com. Your bank emails come from @[yourbank].com. No exceptions.


2. Look for Generic Greetings

Real companies that have your account know your name. Phishing emails often use:

  • "Dear Customer"
  • "Dear User"
  • "Dear Account Holder"
  • "Hello,"

Your bank, Netflix, or Amazon will address you by your first name. If an email claiming to be from your bank starts with "Dear Valued Customer," treat it as suspicious.

Note: Some legitimate mass emails do use generic greetings, so this alone isn't proof. Combined with other signals, it matters.


3. Hover Over Every Link Before Clicking

Never click a link in a suspicious email without checking where it actually goes first.

On desktop: Hover your mouse over the link (don't click). The real destination URL appears in the bottom-left corner of your browser or email client.

On mobile: Press and hold the link. A preview of the full URL should appear.

What to look for:

The link should go to the official website domain. If an email claims to be from Amazon, the link should go to amazon.com or one of its subdomains, such as account.amazon.com.

Red flags:

  • The visible link text says one thing, but the hover URL shows something different
  • Strange domains: amazon-account-verify.net, secure-amazon.support.com
  • URL shorteners: bit.ly/..., t.co/... — these hide the real destination
  • IP addresses instead of domain names: http://185.234.219.11/amazon/login

A common trick is a hostname like paypal.com.account-verify-login.xyz: the "paypal.com" part is just a subdomain, and the actual domain (the part the sender had to register) is account-verify-login.xyz.
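Checks 1 and 3 both come down to one question: which domain does the sender actually own? The Python script below is an added illustration, not code from this guide or from any product it mentions. It applies that test to a From header (check 1) and to a link (check 3) using the examples above; the two-level suffix set and the shortener list are small constructed samples, and a real checker would use the full Public Suffix List.

```python
import ipaddress
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List that real tools use (e.g. "bbc.co.uk" is one domain).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}  # constructed sample, not exhaustive

def registrable_domain(host: str) -> str:
    # The part the sender must own: paypal.com.account-verify-login.xyz -> account-verify-login.xyz
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def is_ip_literal(host: str) -> bool:
    try:
        return ipaddress.ip_address(host.strip("[]")) is not None
    except ValueError:
        return False

def check_sender(from_header: str, official_domain: str) -> list[str]:
    """Check 1: judge the real address domain, never the display name."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]  # '' when there is no usable address at all
    if registrable_domain(domain) != official_domain.lower():
        return [f"display name {name!r} but address domain is {domain!r}"]
    return []

def host_in_text(text: str):
    # Hostname shown in link text such as 'https://www.paypal.com' or 'www.paypal.com', else None
    t = text.strip()
    if " " in t or "." not in t:
        return None
    return urlsplit(t if "://" in t else "//" + t).hostname

def check_link(href: str, official_domain: str, link_text: str = "") -> list[str]:
    """Check 3: where the link really goes, versus where it claims to go."""
    host = urlsplit(href).hostname or ""
    if is_ip_literal(host):
        return [f"link points at a bare IP address: {host}"]
    flags, reg = [], registrable_domain(host)
    if reg in SHORTENERS:
        flags.append(f"URL shortener hides the real destination: {reg}")
    elif reg != official_domain.lower():
        flags.append(f"link goes to {reg}, not {official_domain}")
    shown = host_in_text(link_text)
    if shown and registrable_domain(shown) != reg:
        flags.append(f"link text shows {shown} but href goes to {host}")
    return flags
```

Every flag the script raises is one of the red flags listed above; a subdomain of the official domain (account.amazon.com, mail.paypal.com) correctly passes.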


4. Inspect the Email for Spelling and Grammar Errors

Legitimate companies have copywriters and editors. Phishing emails often have:

  • Misspelled words ("Securety team")
  • Awkward phrasing ("Your account have been compromise")
  • Inconsistent formatting
  • Odd capitalization ("You Must VERIFY your Account Immediately")

That said, AI has dramatically improved the quality of phishing emails. Don't use this as your only check. Modern phishing emails can be grammatically perfect. But sloppy language is still a reliable red flag when present.


5. Check the Urgency and Tone

Step back and ask: Why is this email creating pressure?

Legitimate companies rarely demand you act within hours or your account will be permanently deleted. Real account security alerts give you time to respond and offer multiple ways to verify.

Phishing phrases to watch for:

  • "Act now or your account will be suspended"
  • "You have 24 hours to verify your information"
  • "Immediate action required"
  • "Your account has been compromised — respond NOW"
  • "You've been selected — claim your reward before it expires"

When you feel the urge to click immediately, that's a signal to pause and verify through official channels instead.


6. Be Suspicious of Unexpected Attachments

Did you request anything? Are you expecting a document, invoice, or update from this sender?

Never open attachments from:

  • Senders you don't recognize
  • Companies you don't have accounts with
  • Emails with urgent subject lines like "Invoice Overdue" or "Legal Notice"

Common dangerous attachment types: .exe, .zip, .docm, .xlsm, .js, .iso, .pdf (yes, even PDFs can be malicious).

When in doubt, contact the company directly through their official website (not through any contact info in the suspicious email) to confirm they sent it.


7. Verify Requests for Personal Information

No legitimate company will ever ask you to provide your password, Social Security Number, credit card number, or bank account details via email.

Full stop. This doesn't happen.

If an email asks you to "confirm" this information or click a link to re-enter it, it's a phishing attempt. Even if the email looks completely real.

If you're unsure whether your account actually has an issue, open a new browser tab and go directly to the company's website by typing the address yourself. Log in there and check.


8. Check the Email Header (Advanced but Worth It)

Email headers contain technical routing information that's difficult to fake. Most email clients let you view the full header:

  • Gmail: Click the three dots (⋮) next to Reply → "Show original"
  • Outlook: File → Properties → Internet headers
  • Apple Mail: View → Message → All Headers

Look for the "Received: from" fields and the SPF/DKIM/DMARC results. If you see dkim=fail, spf=fail, or dmarc=fail, the email failed authentication, which is a strong indicator it's spoofed.

This sounds technical, but Google "check email header SPF DKIM" and you'll find free tools where you can paste the header and get a plain-English verdict.
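The free tools mentioned above do essentially what this added Python script does; it is an illustration for this guide, not code from any of those tools. It reads the Authentication-Results header that the receiving mail server adds, pulls out the SPF, DKIM and DMARC verdicts, and turns them into a plain-English line. The headers it parses are a constructed sample, not from a real message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from a real message). The receiving server writes
# its SPF/DKIM/DMARC verdicts into the Authentication-Results header.
SAMPLE_HEADERS = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP 203.0.113.7 is not authorized) smtp.mailfrom=paypal.com;
 dkim=fail (signature did not verify) header.d=paypal.com;
 dmarc=fail (p=REJECT) header.from=paypal.com
Received: from mail.example.org (203.0.113.7)
From: "PayPal Security Team" <service@paypal.com>
Subject: Your account will be closed in 24 hours
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

def auth_results(raw_headers: str) -> dict[str, str]:
    """Return e.g. {'spf': 'fail', 'dkim': 'fail', 'dmarc': 'fail'} from the
    Authentication-Results header(s); an empty dict if the header is absent."""
    msg = message_from_string(raw_headers)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in RESULT_RE.findall(value):
            results.setdefault(method.lower(), verdict.lower())  # keep the first verdict seen
    return results

def header_verdict(raw_headers: str) -> str:
    """Plain-English summary in the spirit of check 8."""
    results = auth_results(raw_headers)
    if not results:
        return "no Authentication-Results header: cannot judge, treat with caution"
    from_domain = parseaddr(message_from_string(raw_headers)["From"] or "")[1].rpartition("@")[2]
    failed = [m for m, v in results.items() if v == "fail"]
    if failed:
        return f"FAILED {', '.join(failed)} for {from_domain}: likely spoofed"
    return f"passed {', '.join(results)} for {from_domain}: really sent via {from_domain}"
```

A pass only proves the message came from whoever controls the domain in the From header, so a phisher sending from their own lookalike domain can pass all three checks; use this alongside check 1, not instead of it.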


9. Search for the Exact Subject Line or Text

When you receive a suspicious email, take 30 seconds to Google a snippet of the text or the subject line.

If it's a phishing campaign, others have already reported it. Sites like:

  • Google (just search the subject line in quotes)
  • Reddit (r/Scams)
  • ScamAdvisor.com
  • PhishTank.com

...will often have documentation of exactly that scam, sometimes within hours of a campaign launching.


10. Trust Your Gut — Then Verify

If something feels off about an email, honor that feeling. You don't have to definitively prove it's phishing before deciding not to click.

The safest rule: When in doubt, go directly to the source. Don't use any links, phone numbers, or contact information from the suspicious email. Go to the company's official website yourself, log in, and check if there's actually an issue with your account.

Real problems will be reflected in your actual account. Phishing problems only exist in the email.


What to Do If You Already Clicked

Don't panic. Here's what to do:

If you clicked a link but didn't enter anything:

  1. Close the browser tab immediately
  2. Run a malware scan on your device
  3. Clear your browser cache
  4. Monitor your accounts for unusual activity for the next few weeks

If you entered your password:

  1. Change your password on that account immediately (use a different device if possible)
  2. Change your password on any other accounts where you use the same password
  3. Enable two-factor authentication on that account right now
  4. Check whether the account shows any recent suspicious activity or logins

If you provided financial information:

  1. Contact your bank or card provider immediately; they have fraud departments available 24/7
  2. Place a fraud alert with the major credit bureaus (Equifax, Experian, TransUnion)
  3. File a report at IdentityTheft.gov
  4. Consider a credit freeze

If you opened an attachment:

  1. Disconnect from WiFi immediately
  2. Run a full malware scan with updated antivirus software
  3. If you're on a work computer, contact your IT department right away

Your Quick Reference: 10-Point Phishing Checklist

  1. ✅ Sender's actual email address matches the official domain
  2. ✅ Email addresses you by name (not "Dear Customer")
  3. ✅ Hover reveals links go to the real official domain
  4. ✅ No unusual spelling or grammar errors
  5. ✅ No extreme urgency or pressure to act immediately
  6. ✅ No unexpected attachments
  7. ✅ Not asking for passwords, SSN, or financial details by email
  8. ✅ Email header passes SPF/DKIM/DMARC checks
  9. ✅ No results for the subject line/text on scam reporting sites
  10. ✅ Nothing about the email feels off

If an email fails two or more of these checks, treat it as phishing and verify through official channels before doing anything else.


The Bigger Picture

Knowing how to spot a phishing email is one skill. But protecting your digital identity also means having strong, unique passwords, using multi-factor authentication, and keeping your devices clean. These skills work together.

For a full breakdown of how phishing works and how to protect yourself end-to-end, read our Email Phishing: Complete Guide to Prevention (2026).

That's exactly what SurfSafe teaches. Short, practical videos you can apply immediately.

