Skip to main content
Back to all posts

Phishing 101: How to Spot a Fake Email Before It's Too Late

โ€ขSnapSend Team

It almost always starts with a jolt of urgency. "Your account has been locked." "A payment failed โ€” confirm your details now." "Unusual sign-in detected." The goal is to spike your adrenaline so you act before your slower, more skeptical brain catches up. Phishing is social engineering aimed at your inbox: it hacks the human, not the server. And it works because a rushed human is a predictable one.

The good news is that almost every phishing email leaks tells. Once you know where to look, spotting them becomes muscle memory. This is a field guide to those tells โ€” and what to actually do when one slips through.

Read the real sender, not the display name

The name your mail client shows is a label the sender picks. Anyone can set the display name to "PayPal Security" or your CEO's full name. What they can't fake as easily is the actual address behind it.

Expand the header and read the domain to the right of the @:

  • Lookalike domains. support@amazoni.com, secure-paypal.com, microsoft-account-team.net. The brand name is there, bolted onto a domain the company doesn't own.
  • Subdomain tricks. paypal.com.account-verify.io is not PayPal. The real domain is the last two labels before the first slash โ€” here, account-verify.io.
  • Homograph tricks. Cyrillic and Latin letters can look identical. ะฐpple.com (with a Cyrillic ะฐ) renders almost exactly like apple.com. If a domain looks right but feels off, paste it into a plain-text editor and inspect it.

Legitimate transactional mail is almost always signed with SPF, DKIM, and DMARC. Most webmail clients let you view "authentication results" in the raw headers. A dmarc=fail on an email claiming to be from your bank is a loud alarm.

The hover test, every time

Never click a link based on the text you see. The visible text can say https://yourbank.com while the underlying href points anywhere. On desktop, hover and read the real destination in the status bar. On mobile, long-press to preview the URL before you commit.

Watch for:

  • Link text and destination that disagree.
  • Shorteners (bit.ly, t.co) standing in for a login page โ€” a real bank never shortens its own domain.
  • A login form hosted on a domain that isn't the service you think you're signing into.

When in doubt, don't click at all. Open a fresh tab, type the address yourself, or use a bookmark you already trust.

Content tells

  • Generic greetings. "Dear Customer" or "Dear Valued User." A company that holds your money usually knows your name.
  • Manufactured deadlines. "Within 24 hours or your account will be deleted." Real companies rarely nuke accounts on a countdown timer.
  • Unexpected attachments. A .zip, an .html file, or a macro-enabled .docm you didn't ask for is a payload, not a document.
  • Mismatched tone or formatting. Off-brand colors, a slightly wrong logo, awkward phrasing. Grammar has improved in the AI era, so weight the structural signals more heavily than a stray typo.

Spray-and-pray vs. spear phishing

Not all phishing is equal, and the dangerous kind often doesn't look like phishing at all.

  • Spray and pray. A million identical emails hoping a handful bite. Usually easy to spot: generic, off-brand, clumsy.
  • Spear phishing. A message crafted for you. The attacker has done homework โ€” your name, your role, your manager, a project you're on. It might reference a real invoice or a real vendor.
  • Business email compromise (BEC). The most expensive variant, and the hardest to catch. A message that appears to come from your CEO or CFO asking for an urgent wire transfer or a batch of gift cards. No malware, no bad link โ€” just authority plus urgency. The defense here is process, not perception: verify any money or credential request through a second channel (a phone call, or a chat message you initiated) before you act.

A useful instinct: the harder a message pushes you to bypass your normal process, the more suspicious it should make you.

MFA won't save you if you hand over the code

Attackers know two-factor authentication is common now, so modern phishing kits target the second factor too. A fake login page can relay your password and your one-time code to the real site in real time. Two defenses matter most:

  • Never type an MFA code into a page you reached from an email link. That code is only for sites you navigated to yourself.
  • Prefer phishing-resistant factors. Passkeys and hardware security keys (FIDO2/WebAuthn) are bound to the real domain, so they simply won't authenticate on a lookalike site. Push-based "approve this login" prompts are weaker โ€” beware "MFA fatigue," where an attacker spams approvals hoping you tap yes just to make the buzzing stop.

What to do if you clicked

Panicking wastes the minutes that matter. Work the list instead:

  1. Don't enter anything more. If a form loaded, close the tab. If you already submitted, keep going down this list.
  2. Change the password from a different, trusted device. Assume the machine you clicked on may be logging keystrokes. Use a manager to set a fresh, unique password โ€” a password generator gives you a strong one in a second.
  3. Revoke active sessions. Most services have a "log out of all devices" control and an "active sessions" view. Kill anything you don't recognize.
  4. Check MFA and recovery settings. Attackers often add their own phone number or authenticator so they can get back in later. Remove anything unfamiliar.
  5. Track reuse. If that password was used anywhere else, change it there too. This is exactly why a unique password per site contains the blast radius.
  6. Report it. Forward the email to your IT or security team, or to the provider's phishing address. One report often protects a hundred colleagues.

A 30-second checklist

  • Does the real sender domain exactly match the brand?
  • Does authentication (DMARC) pass?
  • Do link text and destination agree on hover?
  • Is it leaning on urgency, secrecy, or authority?
  • Would I act on this if it had arrived by phone instead?

If any answer is off, slow down and verify through a channel you control.

A quieter way to share sensitive things

Part of what makes phishing work is that inboxes are already full of real sensitive links โ€” password resets, invoices, document shares โ€” so a fake one blends right in. You can help break that pattern. When you need to send a credential or a file, don't paste it into an email body where it lives forever and trains the recipient to click strange links. Send a self-destructing, end-to-end encrypted link instead. It signals that you take security seriously, and it means there's no plaintext secret sitting in an archive waiting for the next breach.

SnapSend is built for exactly this: the data is encrypted in your browser, the key rides in the URL fragment (so the server only ever stores ciphertext), and the link burns after a single read. Next time you need to hand someone a password or key without adding to the clutter attackers hide behind, share it as a one-time link โ€” no account, nothing left behind.