
Not Today, Scammer: How to Spot Phishing Emails and Dodge Online Scams

Security Guide · July 2nd, 2025

Zero-Bullshit Guide to Outsmarting Email Scammers

We all get those shady emails: "Your account is in danger! Update now or else!" They land in your inbox looking legit, smelling like panic, and hoping you're too busy or freaked out to notice the red flags. Phishing emails – scam messages pretending to be from trusted companies or people – are everywhere. In fact, email is the top way scammers tried to reach people in 2024. Phishing is basically the cockroach of the internet: a recent report found 86% of organizations dealt with phishing attempts (and over 70% got compromised because someone fell for one). In the UK, phishing was behind 93% of all cybercrimes. Yikes.

But not today, scammers. This guide will show you – in plain, no-bullshit terms – how to spot a phishing email and avoid getting duped. We'll walk through real-life examples, highlight big red flags (urgent tone! typos! sketchy links!), and give you practical tips to safely check suspicious emails before you click on something stupid. Let's dive in.

What Does a Phishing Email Look Like?

Phishing emails are chameleons – they try to look like normal, legitimate emails from a company or person you trust. The scammer might slap a big brand logo on it, use a fake sender name like "Amazon Support" or "Your Bank," and copy formatting from real emails. At first glance, it might look fine. But under the hood it's rotten. Often, these emails have a generic greeting ("Hello User," "Dear Customer") and some alarming message: "We locked your account due to suspicious activity," or "Invoice overdue – payment required immediately." There's always something that creates urgency or fear to push you into clicking their link or opening an attachment without thinking.

Figure: Example of a phishing email. This scam message pretended to be from a university, claiming the recipient's account deletion was "in progress." Notice the tone of urgency and the big "CANCEL REQUEST IMMEDIATELY" button.

Real companies rarely email you out of the blue with ultimatums like that. And no, a Nigerian prince didn't suddenly choose you as the lucky beneficiary of his fortune. In a nutshell, phishing emails often look "off" if you know what to check. Let's break down those tell-tale signs so you can spot a scam a mile away.

Red Flags to Watch For (Phishing Checklist)

Before you click or respond to any unexpected email, run down this quick no-nonsense checklist. If you answer "YES" to any of these, that email is probably phishy as hell:

  • Sender address looks funky? Check the email address, not just the display name. Is it from a public domain like @gmail.com when it claims to be your bank or a company? Is the domain spelling slightly off, like amaz0n.com instead of amazon.com? Scammers often spoof or alter the sender's address to trick you. (Tip: on your phone, tap the sender's name to see the actual email; 85% of people read email on phones where only the name shows.)
  • Urgent or threatening tone? Does the email scream "Act now or else!" with scary consequences if you don't hurry? Phishing messages love to create panic – "your account will be closed today," "you'll lose access," "your boss is waiting for this". Scammers know if they scare you enough, you might click first and think later. Legitimate organizations almost never threaten you or demand immediate action via email.
  • Requests for sensitive info or money? Is someone asking you to confirm your password, Social Security number, or bank details via email? Or maybe to pay an invoice you don't recognize? Huge red flag. Real companies won't email asking for your password or payment info out of the blue. And if you never signed up for a service (or don't have an account there), why would they be emailing you about "verification" or billing? Exactly.
  • Sketchy links or attachments? Hover over (don't click!) any link in the email. Does the link URL match the site it claims to be? If the text says Login to PayPal but the hover tooltip shows a weird URL (like http://paypal.login.verify.ru/...), do not click. Attachments can be dangerous too – especially if you didn't expect one. A random "invoice.pdf" or "document.zip" from a stranger (or a spoofed colleague) is often malware in disguise. When in doubt, don't download or open attachments from unknown senders.
  • Grammar, spelling, and style "oopsies"? This is a more classic clue – many phishing emails used to be riddled with spelling mistakes and awkward phrasing. If the email reads like it was written by Yoda on a bad day ("Your account suspend we will, unless verify you do"), be very suspicious. However, note that scammers have gotten better at writing; nowadays some phishing emails have perfect grammar and slick graphics. So while bad English is a red flag, lack of mistakes doesn't mean it's safe. Keep an eye out for other signs even if the writing looks professional.
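
Here is the sender, tone and link part of that checklist written as a small script. It is an added example, not a tool from this guide's authors; the brand list, urgency phrases, digit swaps and the sample message are assumptions made up for the illustration (the sample reuses the amaz0n.com and paypal.login.verify.ru examples from the checklist).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this illustration: brand name -> the domain it really uses.
BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}
URGENT = re.compile(r"\b(immediately|urgent|act now|closed today)\b", re.I)
SWAPS = str.maketrans("013", "ole")  # digit-for-letter swaps, as in amaz0n.com

def base_domain(host):
    # Naive last-two-labels rule; a real tool would use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

class Links(HTMLParser):  # collects (href, visible text) for each <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href:
            self.links.append((self._href, data.strip()))
            self._href = None

def red_flags(raw):
    msg, flags = message_from_string(raw), []
    # Look at the real address, not just the display name.
    name, addr = parseaddr(msg["From"] or "")
    sender = base_domain(addr.rpartition("@")[2])
    body = msg.get_payload()
    parser = Links()
    parser.feed(body)
    if URGENT.search(f"{msg['Subject']} {body}"):
        flags.append("tone: urgency wording")
    for brand, real in BRANDS.items():
        if brand in name.lower() and sender != real:
            flags.append(f"sender: '{name}' mails from {sender}, not {real}")
        if sender != real and sender.translate(SWAPS) == real:
            flags.append(f"sender: {sender} imitates {real}")
        for href, text in parser.links:  # the "hover" check: text vs. real target
            host = urlparse(href).hostname or ""
            if brand in (text + host).lower() and base_domain(host) != real:
                flags.append(f"link: '{text}' goes to {base_domain(host)}, not {real}")
    return flags

# Constructed sample reusing the lookalike domain and link from the checklist.
SAMPLE = """\
From: "Amazon Support" <billing@amaz0n.com>
Subject: Payment issue on your account

<p>Dear Customer, your account will be closed today. Act now.</p>
<a href="http://paypal.login.verify.ru/">Login to PayPal</a>
"""
```

Calling red_flags(SAMPLE) returns four findings: the urgency wording, the display name that does not match the sending domain, the lookalike domain, and the link whose text says PayPal while the target is verify.ru. An empty list only means none of these particular checks fired, not that the message is safe.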

If any of these red flags pop up, pause and do NOT click anything. The email is highly suspect. Next, we'll talk about common scammer tactics and then how to double-check an email safely.

Common Scammer Tactics (and Sneaky Scenarios)

Scammers are creative little rascals. They constantly come up with new stories to lure people in. Here are some of the most common phishing scam scenarios you should know about:

Big Brand Impersonation

This is a favorite. The scammer pretends to be a well-known company you likely use – Amazon, Apple, Google, PayPal, Netflix, you name it. The email might have official-looking logos and say something like "Unusual login attempt" or "Payment issue on your account." Since those brands are so common, scammers can cast a wide net. (Fun fact: the most-phished brands in recent years include Google, PayPal, Apple, and Yahoo!.) Always question unsolicited emails from big companies – especially if they ask you to click a link to "verify" or "update" information. Instead of clicking, log in to your account separately via the real website or app to check if there's actually an issue.

Figure: Brand impersonation phishing example. Scammers often impersonate trusted brands like Amazon, Apple, or PayPal to trick users into clicking malicious links.

"Your Account is Locked/Expired" Scams

You might see emails like "URGENT: Your banking account is suspended" or "Password Expiry Notice" with a link to reset your password. The urgency is designed to make you act fast. For example, a popular phish is an email claiming to be from your bank or email provider saying "We noticed suspicious activity. Please log in here immediately to secure your account." It's fake – they're after your credentials. Legit providers usually don't threaten to lock you out within hours via a simple email; if unsure, contact the company directly to confirm before doing anything.

Fake Invoices or Receipts

This one preys on confusion or curiosity. You get an email invoice for something you never purchased – maybe a $500 phone, or a subscription renewal notice. It says, "If you didn't authorize this transaction, click here to cancel/refund." Many people will panic and click the link or open the "receipt" attachment to figure out what's going on. Don't fall for it. Scammers often send random fake invoices knowing some recipients will react. If you get an unexpected bill email, do not click the link. Log in to your actual account (e.g. Amazon, PayPal) or check your bank/credit card separately – you'll likely find no such charge.

CEO/Boss Impersonation (Business Email Compromise)

This is a more targeted con seen at workplaces. You get an email that looks like it's from your CEO or manager: "Are you in the office? I need an urgent favor." If you respond, they'll ask you to do something like buy gift cards or wire money for a "confidential deal," etc. They often spoof the boss's email or use a very similar address. The tone is urgent and says not to phone (because, of course, if you called the real boss, the jig would be up). Always double-check any unusual requests for money or info supposedly from higher-ups. It's totally okay (and wise) to call your boss or use an official company contact to verify requests. A real boss won't randomly ask you for thousands in gift cards over email – but scammers hope you won't think twice.

Government or Utility Scams

These play on authority. Examples: an email claiming to be from the IRS about "overdue taxes" or "additional refund," or from your local electric company saying "payment failed, service will be cut off." The government does not email you threats of arrest for unpaid taxes – official communications come via snail mail or official portals, not Gmail addresses with scary language. Similarly, utility companies don't suddenly demand payment via an email link; they'll send proper notices. If you get something like this, it's almost certainly a scam. (In one example, scammers sent fake IRS emails about overdue taxes to scare folks.) When in doubt, contact the supposed organization yourself via their official website or phone number to ask if there's an issue. 99.9% of the time, you'll find out it's bogus.

Those are just a few greatest hits from the scammer playbook. New variations pop up all the time – fake job offers, charity donation scams, tech support scams – but they all rely on similar tricks: impersonate a trusted entity, push your emotional buttons (fear, greed, urgency), and get you to click a link or give up info. Now that you know their tactics, let's go over how to safely handle a suspicious email without falling into their trap.

What to Do If You Smell a Phish (Inspecting Emails Safely)

Alright, you've got a suspicious email in your sights. Something about it just isn't right. Here's exactly what to do (and not do):

  • Stop and take a breath. Literally, don't click anything yet. Don't download attachments. Don't reply. Scammers want to shove you into "panic mode" so you react without thinking. Break that momentum by pausing. Remind yourself: if this is actually important, a five-minute delay to verify won't hurt – and if it's a scam, that pause just saved your butt.
  • Inspect the details (without clicking links). Check the sender's email address in detail. On a computer, hover your mouse over the sender name; on a phone, tap it. Does the address match who they say they are? Often you'll find it's some bizarre address that has nothing to do with the company (e.g. [email protected] claiming to be PayPal). If it's supposedly from someone you know but looks odd, it could be spoofed – call or text that person separately to confirm. Next, hover over links in the email (again, do not click). Most email clients show the URL when you hover. If that link URL looks weird or doesn't match the official site (like an IP address, a misspelled domain, or a completely unrelated site), that's a huge red flag. For example, a link text might say "Verify your account," but hovering shows http://gotcha.scam.org/verify. Nope! Delete that sucker.
  • Search for the content or ask around. A pro-tip: scammers reuse templates. If you copy a distinctive line from the email (like "Your account will be lost in 24 hours") and Google it, you might find others have reported the exact scam. There are forums and websites where common phishing email texts are discussed. This can quickly confirm your suspicion. Alternatively, ask a tech-savvy friend or coworker, or your IT department if you have one, to take a look (forward it to them or, even safer, take a screenshot of the email). Sometimes just getting a second set of eyes helps spot the scam.
  • Verify through official channels. If the email is about something important – your bank, your job, an order you made – don't use any links or info from that email to verify it. Instead, open your web browser and go to the company's official website yourself (or use their official app). Log in as you normally would and see if there are any alerts or messages there. For instance, if "Netflix" emailed that your account is on hold, go to Netflix.com on your own (or open the Netflix app) and check your account status. Nine times out of ten, everything will be fine on the real site – confirming that email was a scam. If it's a message from someone you know that feels off (like that odd request from your "boss"), contact that person through a different method to ask if they really emailed you. Call them, or send a new email/text to the address/number you already have for them. Never trust the contact info provided in the suspicious email – that could go back to the scammer. By reaching out independently, you break the scammer's control of the conversation.
  • When in doubt, throw it out. If you're still unsure about an email and can't verify it, it's safest to just delete it. If it was actually legitimate, chances are the sender will find another way to reach you (or you can call them to double-check, as mentioned). No one ever died from deleting a random email. It's better to miss one real message (you can fix it later) than to click on a fake one and land in a world of hurt.

Remember, "If it seems phishy, it probably is." Trust that instinct – it's usually right.

Now that you've inspected the email and determined it's phony (or at least decided not to risk it), what next? Apart from deleting it, there are a couple more steps you can take to stick it to the scammers.

Fight Back: Report and Block the Phishing Attempt

Simply deleting a phishing email gets it out of your life, which is fine. But if you want to go a step further in protecting yourself and others, you should report it and block the sender. Here's how:

  • Use your email client's report feature. Most email services (Gmail, Outlook, Yahoo, etc.) have a built-in "Report phishing" or "Report spam" option. Use it! When you report a phishing email, it not only filters it out of your inbox, but also sends a signal to the mail provider to flag similar messages in the future. This helps improve filters for everyone. Typically, you can find the report option in the email's menu (often near the reply/forward buttons or in settings). In Gmail, for example, click the three dots and select "Report phishing." In Outlook, there's usually a button in the ribbon to report it. This takes just a second and can prevent that scammer from bothering you (and others) again.
    Figure: Reporting a phishing email. Most email clients have built-in options to report phishing attempts, helping to protect both you and other users.
  • Block the sender (if possible). After reporting, you can also outright block the sender's address so any future emails from that source go straight to trash. Keep in mind scammers rarely reuse the same email address (they know it might get blocked), but it doesn't hurt to block anyway. It's like slamming the door in that scammer's face. They might change masks and try again, but you'll be ready for them.
  • Alert others, especially if it's a work or community email. If you got a phishing email to your work address, tell your IT/security team or at least your co-workers. Chances are, the scammer is blasting the whole company or multiple people. A quick heads-up ("Hey team, watch out for an email titled 'Urgent Invoice' – it's fake") can save someone else from clicking it. Similarly, if it's to your personal email and it pretends to be a certain company, you could check that company's website – they often have a security page where you can report phishing attempts (or they may even list known scams). For example, many banks have an email like "reportphishing@[bank].com" where you can forward suspect emails. It might feel like a small step, but every report helps authorities and companies track scammers.
  • Report to authorities if necessary. Did the phishing attempt succeed in tricking you into giving sensitive info or money? First, don't be embarrassed – it can happen to the best of us. Now, you'll want to act quickly: change any passwords you revealed, contact your bank if you gave financial info, and consider freezing credit if needed. Also, do report the incident to authorities. In the U.S., you can file a report with the FTC (Federal Trade Commission) or the FBI's Internet Crime Complaint Center (IC3). In the U.K., you can forward phishing emails to the National Cyber Security Centre's report email ([email protected]). Reporting helps the good guys go after these criminals, and it might help you recover losses if any occurred. Even if you didn't get scammed, you can still report phishing attempts to https://reportfraud.ftc.gov or your country's equivalent, just to throw a wrench in the scammers' game.

Taking these actions makes a difference. At the very least, you're improving your inbox's immune system. And at best, you're contributing to a larger smackdown on cybercrime. Either way, good on you for not taking the bait!

Trust Your Gut and Final Thoughts

The bottom line: trust your gut. If anything about an email raises your suspicions – even just a tiny voice in your head whispering "hmm, this feels off" – listen to it. As a university security team put it, "In general, trust your gut. If anything about any email message doesn't seem right, check it out before you respond." Scammers rely on catching us off guard. Simply pausing and scrutinizing an email can defuse their whole scheme.

And hey, no shame if you ever do get phished. It's not because you're stupid – it's because these scammers are devious and darn good at impersonating and manipulating. They prey on human emotions and mistakes; it's literally their job. If you slip up, you're actually in huge company (remember those stats: even IT pros and large companies get hit). So don't beat yourself up. Focus on what to do next: secure your accounts, learn from it, and report the crime. The blame lies 100% on the criminals, not on you for being human.

Going forward, keep this zero-bullshit checklist in mind whenever your inbox serves up something suspicious. By now, you know the red flags: weird sender, urgent demands, bad links, requests for info, etc. You know to double-check before clicking and to use official sources to verify. With a bit of healthy paranoia and the tips from this guide, you can confidently tell those phishing scammers, "Not today!" Then hit delete, sip your coffee, and carry on with your day scam-free.

Stay safe out there, and may your clicks be ever thoughtful. Remember: the only thing you should be giving these scammers is a one-way ticket to your spam folder. Not today, scammer, not today.
