Phishing emails

A message that impersonates someone you trust to get a password, a payment, or a click. Modern phishing is clean, well-written, and personal — the old "look for typos" advice no longer protects you.

~90%of data breaches still begin with a phishing message. It remains the single most common way attackers get in.

How it works

Phishing tries to get you to hand over information or click a harmful link by pretending to be a bank, a delivery service, an employer, or a friend. The message looks professional because attackers now draft them with the same tools everyone else uses.

Almost every phishing email runs on the same engine: a trusted name, a problem, and a link. Your account is locked, a payment failed, a package is held — and the fix is one tap away. That pressure is engineered to move you past the moment where you'd normally stop and check.

Common forms

Spear phishingTailored to you using real details — your name, employer, or a recent purchase — so it feels legitimate.

The "account limited" noticeA warning that your account is locked or suspended, with a link to "restore" it.

Fake invoice or receiptA charge you don't recognize, pushing you to "dispute" it through their link or phone number.

Delivery alertA package can't be delivered until you confirm details or pay a small "redelivery" fee.

Red flags

The sender address doesn't match the real organization — e.g. support@account-verify.co instead of the company's actual domain

A link whose visible text differs from where it actually points (hover to see the real destination)

Requests for a password, full card number, or a verification code — real companies don't ask for these

A hard deadline: "within 24 hours or your account is suspended"

A greeting that's oddly generic, or oddly specific in a way that feels scraped together

Spot it in the wild

FromPayPaI Service <service@paypal-secure-alert.com>

SubjectYour account has been limited

We noticed unusual activity and have temporarily limited your account. Confirm your information within 24 hours or it will be permanently suspended.Restore my account

What gives it away

Three tells in one message: the sender reads PayPaI with a capital i and the domain only looks official; the 24-hour deadline is manufactured pressure; and the button bypasses the real site instead of sending you to it. Going to the app directly — never the link — sidesteps all three.

What to do instead

The right response

Don't use the link. Go to the organization directly through its real website or app. If you're unsure, contact them using a number or address you find on your own — never the one in the message.

If you fell for it

1Don't click anything further, and don't reply.
2If you entered a password, change it immediately — and anywhere else you reused it.
3If you shared card details, contact your bank or card issuer to freeze the card.
4Report it to the impersonated company and forward the email to your provider's abuse address.
5Turn on two-factor authentication on the affected account.

Test your judgment

See if you can spot scams like this one in our quiz.

Take the Quiz