Phishing 101: How to Spot a Fake Email Before It Costs You
Phishing works because it looks boring and legitimate, not because it looks scary. Here is how to dissect a suspicious email, inspect a link without clicking it, and recover fast if you already took the bait.
EvilMail Team · May 26, 2026 · 12 min read
The most dangerous phishing email you will ever receive does not have a subject line screaming URGENT ACTION REQUIRED in red capitals. It looks like a shipping notification. It looks like a shared document from a coworker whose name you recognize. It looks, in other words, boring. That is the whole point. The Nigerian-prince era is over; modern phishing is a craft, and the people writing these messages have read the same advice you have about spotting fakes. They know what a clumsy scam looks like, and they have stopped making those mistakes.
I have spent enough time reading email headers and hovering over links to tell you that the difference between a safe click and a compromised account almost always comes down to thirty seconds of attention you did not spend. This is a guide to spending those thirty seconds well. We will take apart the machinery of a phishing email piece by piece, look at two realistic examples, and go through exactly what to do if you have already clicked something you regret.
The two lies in every From line
Every email you receive carries a sender identity, and that identity is made of two separate parts that scammers manipulate in two completely different ways. Understanding the split is the single most useful thing in this entire article.
The first part is the display name — the friendly label your mail client shows, like "PayPal Support" or "Sarah from Accounting". This field is pure decoration. It is typed in by whoever sent the message, and there is no verification of any kind. I can send you an email tomorrow with the display name "Your Bank" as easily as I can name it after my cat. When you see mail clients showing only the display name and hiding the actual address, that is a design decision made for readability that phishers exploit relentlessly.
The second part is the envelope and header address — the real address behind the label, the local@domain part. This is harder to forge convincingly, though not impossible. Two distinct tricks live here:
Display-name spoofing: the address is honest but the name lies. You get mail from [email protected] displaying as Apple Billing. The address is right there if you look, but you have to look.
Domain spoofing: the address itself is forged to appear to come from a real domain. This is the one that email authentication — SPF, DKIM, and DMARC — was invented to stop, and it is why a bank with proper DMARC enforcement is genuinely hard to impersonate at the domain level.
Always expand the actual address. On desktop, hover or click the sender name to reveal the full local@domain. On mobile, tap it. If your client will not show you the raw address without three taps, that friction is working against you, and it is worth changing that setting.
Lookalike domains: the art of the almost-right
When attackers cannot spoof a domain outright — because DMARC stops them — they buy one that looks close enough to survive a glance. This is where reading skills matter more than security knowledge.
The classic techniques, roughly in order of how often I see them:
| Technique | Real | Fake |
|---|---|---|
| Character swap | paypal.com | paypa1.com (digit one for L) |
| Added word | apple.com | apple-support.com |
| Subdomain trick | login.microsoft.com | microsoft.login-verify.com |
| Extra letter | netflix.com | netfllix.com |
| Different TLD | amazon.com | amazon.co or amazon.shop |
| Homoglyphs | google.com | Cyrillic а replacing Latin a |
The subdomain trick deserves special attention because it fools smart people. In microsoft.login-verify.com, the actual registered domain is login-verify.com — everything to the left is just a subdomain the attacker controls. The registered domain is the last two labels of the hostname, the part immediately before the path begins: read a URL from the right, not the left. secure-account.paypal.com.evil.io belongs to evil.io, full stop.
Homoglyph attacks are the nastiest because they can be literally invisible. A Cyrillic small letter a renders identically to a Latin a in most fonts, so аpple.com can look pixel-perfect while pointing somewhere else entirely. You cannot eyeball your way out of these; the defense is to never navigate from the email at all — open a new tab and type the address you already know, or use your own bookmark.
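To make the display-name versus address split and the lookalike rules concrete, here is a small checker added as an example (not code from the original article): it splits a From: header with Python's email.utils.parseaddr, reads the registered domain from the right, flags non-ASCII (homoglyph) hosts with their punycode form, and compares any brand named in the display name or hostname against a constructed allow-list. BRAND_DOMAINS, analyze_from_header and the sample addresses are assumptions; the lookalike domains are the ones from the two examples later in the article.

```python
import unicodedata
from email.utils import parseaddr

# Brand keyword -> registered domains that brand really mails from.
# Constructed allow-list for the demo; build yours from your own vendor list.
BRAND_DOMAINS = {
    "dhl": {"dhl.com"},
    "paypal": {"paypal.com"},
    "apple": {"apple.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "sharepoint": {"sharepoint.com"},
}

def registered_domain(host):
    # Read from the right: the last two labels are what was registered (single-label TLDs assumed).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze_from_header(header):
    """Return the red flags in a From: header value, [] if none are found."""
    name, addr = parseaddr(header)          # splits "Display Name <local@domain>"
    if "@" not in addr:
        return ["no parsable address in From header"]
    host = addr.rsplit("@", 1)[1].lower()
    reg = registered_domain(host)
    flags = []
    # Homoglyphs: any non-ASCII in the host is decisive; show its punycode form and scripts.
    if any(ord(c) > 127 for c in host):
        scripts = sorted({unicodedata.name(c).split()[0] for c in host if c.isalpha()})
        flags.append(f"non-ASCII host {host} ({host.encode('idna').decode()}), scripts {scripts}")
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            continue                        # genuine registered domain for this brand
        if brand in name.lower() and brand not in host:
            flags.append(f"display name claims '{brand}' but the address is @{host}")
        if brand in host:
            flags.append(f"lookalike: '{brand}' appears in {host} but the registered domain is {reg}")
    return flags
```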
Urgency, authority, and the other levers
Phishing is social engineering with a keyboard, and social engineering runs on a small set of emotional levers that have not changed since the confidence tricksters of the nineteenth century. Recognizing the lever being pulled is often faster than analyzing the technical details.
Manufactured urgency: "Your account will be suspended in 24 hours." Deadlines short-circuit the deliberation that would otherwise catch the scam. Real companies move at the speed of bureaucracy; they do not delete your account overnight.
Borrowed authority: the message impersonates your bank, the tax office, IT support, or your own CEO. We are trained to comply with authority quickly, and attackers rent that reflex.
Fear and consequence: unpaid invoice, suspicious login, legal action. Fear narrows your attention to the threat and away from the mechanics.
Curiosity and reward: a refund waiting, a package you did not order, a voicemail transcript. Curiosity gets you to click before you think.
Familiarity: the message references a real vendor you use or a real colleague, often scraped from a previous breach or your public LinkedIn. Relevance lowers your guard.
A useful mental habit: when an email makes you feel something — panic, greed, urgency — treat that feeling itself as a warning light. The emotion was engineered. Slow down precisely when the message wants you to speed up.
Inspecting a link without pulling the trigger
Here is the practical skill that prevents most disasters. You can examine exactly where a link goes without visiting it.
On a computer, hover your mouse over the link and read the destination that appears in the status bar at the bottom of the window or in a small tooltip. Do not click — just hover. Compare what you see against the visible link text. The oldest trick in the book is text that reads https://www.yourbank.com while the underlying href points to http://192.0.2.14/login. The two have nothing to do with each other.
On mobile, press and hold the link (do not tap) until a preview menu appears showing the full URL. Read it before you dismiss the menu.
What to look for once you can see the real destination:
The domain, read right-to-left, is not the company's actual domain.
A raw IP address instead of a domain name (http://185.220.101.5/...). Legitimate businesses do not send you to numbered addresses.
Excessive subdomains and hyphens designed to bury the real domain far to the right.
URL shorteners (bit.ly, tinyurl) hiding the final destination. Not automatically malicious, but a shortener in a security or payment email is a red flag; expand it with a preview service before trusting it.
http:// instead of https:// on anything asking for a login. Note the reverse is not safety: plenty of phishing sites now have valid HTTPS certificates because certificates are free. HTTPS means the connection is encrypted, not that the site is honest.
Attachments follow the same discipline. Be deeply suspicious of .html attachments (a favorite for hosting fake login pages locally, sidestepping domain checks entirely), Office documents that demand you "Enable Macros" or "Enable Content," and anything double-extensioned like invoice.pdf.exe. When in doubt, do not open it inside the email; save it and scan it, or better, confirm through another channel that it was really sent.
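As an added example (not the article's own code), the link and attachment checks above in code: inspect_link compares the visible text with the real href, spots raw IPv4 hosts, plain http, the two shorteners named above, long subdomain or hyphen chains, and a registered domain that differs from the one the message claims (the expected parameter); inspect_attachment flags the .html, macro-enabled and double-extension cases. The function names, the extension sets and the sample URLs in the usage are assumptions.

```python
import re
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com"}            # the two the article names
MACRO_EXT = {"docm", "xlsm", "pptm"}               # Office formats that carry macros
EXECUTABLE_EXT = {"exe", "scr", "bat", "cmd", "js", "vbs"}

def registered_domain(host):
    # Read from the right: the last two labels are what was registered (single-label TLDs assumed).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def inspect_link(visible_text, href, expected=None):
    """Red flags for one link: its visible text, its real href and, optionally,
    the registered domain the message claims to come from."""
    flags = []
    target = urlsplit(href if "://" in href else "http://" + href)
    host = (target.hostname or "").lower()
    if not host:
        return ["href has no host"]
    is_ip = bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))   # IPv4 literal
    real = host if is_ip else registered_domain(host)
    shown = visible_text.strip()
    if "." in shown and " " not in shown:                       # text that looks like a URL
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registered_domain(shown_host) != real:
            flags.append(f"text shows {shown_host} but href goes to {host}")
    if is_ip:                                                   # numbered address, no domain name
        flags.append(f"raw IP address {host} instead of a domain name")
    if target.scheme == "http":                                 # https alone proves nothing either
        flags.append("plain http:// on a link")
    if real in SHORTENERS:
        flags.append(f"URL shortener {real} hides the destination; expand it first")
    if not is_ip and (host.count(".") >= 3 or host.count("-") >= 2):
        flags.append(f"long hostname buries the real domain: {real}")
    if expected and real != expected.lower():
        flags.append(f"registered domain is {real}, not {expected}")
    return flags

def inspect_attachment(filename):
    """Flag the attachment types the article warns about."""
    parts = filename.lower().split(".")
    flags = []
    if parts[-1] in ("html", "htm"):
        flags.append("HTML attachment can host a fake login page locally")
    if parts[-1] in MACRO_EXT:
        flags.append("macro-enabled Office document")
    if parts[-1] in EXECUTABLE_EXT:
        hidden = f" disguised as .{parts[-2]}" if len(parts) > 2 else ""
        flags.append(f"executable attachment (.{parts[-1]}){hidden}")
    return flags
```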
Dissecting two realistic examples
Abstract advice is forgettable, so here are two messages built to look convincing. Both are fictional; both use techniques I see constantly.
Example 1 — the delivery notice
From: DHL Express <[email protected]>
Subject: Your package could not be delivered (Ref #DE8841920)
Dear Customer,
We attempted to deliver your parcel today but were unable to
complete delivery due to an unpaid customs fee of 1.99 EUR.
To reschedule delivery, please confirm your details within
24 hours or your package will be returned to sender:
[ Reschedule My Delivery ]
DHL Express Customer Service
What gives it away: the display name says DHL, but the domain is dhl-parcel-notice.com — an added-word lookalike, not dhl.com. The fee is trivially small (1.99 EUR), a deliberate choice: too small to argue about, large enough to justify entering a card number, and the real goal is the card details, not the two euros. The 24-hour deadline is manufactured urgency. And it addresses you as "Dear Customer" because it was blasted to a list and has no idea who you are. Real carriers reference a tracking number you can independently verify on their actual site. The tell is not any single element; it is the stack of them.
Example 2 — the internal document share
From: Microsoft <[email protected]>
Subject: Daniel Okoro shared "Q3 Budget Review" with you
Daniel Okoro has shared a document with you.
[ Open in SharePoint ]
This link will work for anyone in your organization.
Microsoft respects your privacy.
This one is more dangerous because it targets the workplace, where clicking shared documents is routine. It borrows a real colleague's name (scraped from a company page), mimics a workflow you perform ten times a day, and the domain sharepoint-onlinedocs.com sounds plausible if you never learned that real SharePoint lives on sharepoint.com and microsoftonline.com. The "Open" button leads to a pixel-perfect fake Microsoft login that harvests your credentials and, increasingly, your multi-factor code in real time. The defense here is not eagle eyes; it is a habit — verify unexpected shares with the sender over chat before opening, and reach your login pages through bookmarks, never through email buttons.
What legitimate companies never do
Knowing the negative space helps as much as spotting the positives. Real organizations, as a matter of policy, do not:
Ask for your password by email. Ever. Support staff cannot see it and do not need it.
Ask you to "verify" full card numbers, PINs, or your complete national ID over email or a linked form.
Demand payment in gift cards, wire transfers, or cryptocurrency. This is the unofficial signature of fraud.
Send a login link and pressure you to use it immediately or lose access.
Attach an invoice for a purchase you have no memory of and tell you to open the file to dispute it.
Threaten instant account deletion, arrest, or legal action within hours.
When a message asks for something on this list, the request itself is the evidence. You do not need to inspect the headers.
One underrated defense worth a mention: stop handing your primary address to every site that demands one. A large share of phishing lands in your inbox only because your address leaked from some breached forum or shopping site you forgot you signed up for. Using a disposable address — the kind of throwaway inbox a service like EvilMail provides — for signups, trials, and one-time downloads means the low-trust half of your online life never touches the inbox that holds your bank and your job. When a throwaway address starts getting "security alerts," you know instantly it is noise.
Your pre-click checklist
When a message asks you to do anything — click, download, log in, pay, reply with information — run this list first. It takes half a minute.
[ ] Do I actually recognize the real email address, not just the display name?
[ ] Does the sender's domain exactly match the real company (read right-to-left)?
[ ] Was I expecting this message, or did it arrive out of nowhere?
[ ] Is it manufacturing urgency, fear, or a too-good reward?
[ ] When I hover the link, does the destination match the visible text and the real domain?
[ ] Is it asking for a password, card details, or a payment method fraudsters love?
[ ] Does the greeting use my real name, or a generic "Dear Customer"?
[ ] Are there attachments I did not ask for, especially .html, macro-enabled docs, or executables?
If anything on that list trips, do not act inside the email. Go to the company through a bookmark or by typing the address yourself, and verify from there.
If you already clicked
Everyone slips eventually, often when tired or rushed. Panic wastes the minutes that matter most. Work the problem in order.
1. Disconnect if you ran something. If you opened an attachment or downloaded a file, take the device off the network — turn off Wi-Fi or unplug the cable — to cut a malware payload off from its command server. If you only visited a page and typed nothing, the risk is far lower.
2. Change the password immediately, from a different device you trust. If you entered a password, assume it is compromised now. Change it wherever it was used, and everywhere you reused it — this is the moment you learn why reuse is dangerous.
3. Revoke sessions and turn on multi-factor authentication. Most services let you sign out all active sessions; do it to kick out an attacker who logged in with your stolen password. Then enable MFA if it was not already on. Prefer an authenticator app over SMS.
4. If you entered card details, call your bank now. Freeze or reissue the card. The sooner you flag it, the more fraudulent charges you can reverse.
5. Watch for the follow-up. Attackers who catch one credential often come back posing as "support" to help you "secure your account" — a second phish riding the first. Treat unsolicited follow-ups with extra suspicion.
6. Report it. Forward the message to your IT or security team if it hit a work account; use your mail provider's "Report phishing" button so the pattern gets blocked for the next person. Reporting is not busywork — it shortens the campaign's life.
Phishing survives on speed and volume: it needs you rushed and it needs enough targets that a small success rate still pays. Both weaknesses are yours to exploit. Slow down when a message pushes you to hurry, look at the real address instead of the friendly name, and hover before you click. That is not paranoia. It is the same thirty-second habit that, repeated a few thousand times over a career, is the difference between the people who get compromised and the people who forward the scam to their coworkers with a note that just says: nice try.