
Phishing emails are responsible for over 91% of all cyberattacks, yet most people still fall for them. The good news? With a structured 60-second check, you can identify the vast majority of phishing attempts before they cause any damage.
Attackers rely on urgency. A phishing email is designed to make you act before you think: "Your account will be suspended in 24 hours," or "Urgent: Invoice attached." The moment you slow down and apply a systematic check, you dramatically reduce your risk.
Look at the actual email address, not just the display name. Attackers frequently spoof display names to appear legitimate. A message appearing to come from "PayPal Security" may actually originate from [email protected].
Red flags:
- The sending domain does not match the organisation named in the display name
- A free email provider address claiming to represent a company
- A look-alike domain (e.g. @paypa1.com instead of @paypal.com)

Before clicking any link, hover over it to reveal the actual destination URL in your browser's status bar. The displayed text and the actual URL are frequently different in phishing emails.
Red flags:
- A destination URL that does not match the claimed sender
- A trusted brand name placed in front of an unrelated domain (e.g. paypal.com.login.malicious.com)

Legitimate organisations that have your details will address you by name. Generic greetings are a significant indicator of mass-phishing campaigns.
Red flags:
- Generic greetings such as "Dear Customer"
Phishing emails are engineered to trigger an emotional response (fear, greed, or curiosity). Legitimate organisations rarely demand immediate action under threat of consequences.
Red flags:
- Threats of suspension, penalties, or legal action
- Short deadlines
- Prizes or unexpected rewards
While sophisticated phishing campaigns have improved significantly, many still contain subtle errors that a native speaker would not make. These can include unusual phrasing, inconsistent capitalisation, or awkward sentence structure.
Were you expecting this attachment? Unsolicited attachments (particularly .exe, .zip, .doc, .pdf, or .xls files) are a primary malware delivery mechanism.
Red flags:
- Unsolicited files
- Documents that ask you to enable macros
Ask yourself: would this organisation actually contact me this way? Banks do not ask for your password via email. IT departments do not request credentials through an email link.
For a more technical check, view the raw email headers. Look at the Return-Path and Reply-To fields: if they differ from the From address, this is a strong indicator of spoofing.
Most email clients allow you to view headers via "Show Original" or "View Source."
If an email requests action on something sensitive (a payment, credential reset, or data transfer), verify the request by calling the sender directly using a phone number from your records β not one provided in the email.
Tools like the analyser at https://www.cyber121.com/analyser can check the sender domain against DNS blacklists, verify SPF/DKIM/DMARC records, and provide an AI-powered verdict in seconds.
| Check | Time | What to Look For |
|---|---|---|
| Sender email address | 10s | Domain mismatch, free provider |
| Link destinations | 10s | URL does not match claimed sender |
| Greeting | 5s | Generic "Dear Customer" |
| Urgency / pressure | 5s | Threats, deadlines, prizes |
| Spelling / grammar | 5s | Unusual phrasing or errors |
| Unexpected attachments | 5s | Unsolicited files, macros |
| Request logic | 5s | Would they really ask this? |
| Email headers | 10s | Return-Path / Reply-To mismatch |
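
The checks in the table can be scripted over a raw message. The following Python script is an added example, not a Cyber121 tool: it parses a constructed sample email and reports the sender, header, greeting, urgency and link flags described above. The brand list, keyword lists and the comparison of a link host's last two labels against the sender domain are simplifying assumptions, not a production detector.

```python
import email, re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not real mail): look-alike sender, mismatched
# Reply-To/Return-Path, generic greeting, urgency wording, deceptive link.
SAMPLE = b"""From: "PayPal Security" <alerts@paypa1.com>
Return-Path: <bounce@mailer.example.invalid>
Reply-To: <help@mailer.example.invalid>
To: customer@example.com
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html

<p>Dear Customer,</p>
<p>Please <a href="http://paypal.com.login.malicious.invalid/verify">login</a> now.</p>
"""

BRANDS = {"paypal": "paypal.com"}  # assumed: brand word in display name -> its real domain
URGENCY = re.compile(r"\b(urgent|immediately|suspended|act now|within 24 hours)\b", re.I)
GENERIC = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)
LINK = re.compile(r'href="(https?://[^"]+)"', re.I)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def check_message(raw):
    """Return the list of red flags found; an empty list means none triggered."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    for brand, real_dom in BRANDS.items():  # display name vs actual address
        if brand in name.lower() and from_dom != real_dom and not from_dom.endswith("." + real_dom):
            flags.append(f"display name claims {brand} but address is @{from_dom}")
    for hdr in ("Return-Path", "Reply-To"):  # header-level spoofing check
        dom = domain_of(parseaddr(msg.get(hdr, ""))[1])
        if dom and dom != from_dom:
            flags.append(f"{hdr} domain {dom} != From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if GENERIC.search(text):
        flags.append("generic greeting")
    if URGENCY.search(msg.get("Subject", "") + " " + text):
        flags.append("urgency language")
    for url in LINK.findall(text):  # link host's last two labels vs sender domain
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if ".".join(host.split(".")[-2:]) != from_dom:
            flags.append(f"link to {host} does not match sender domain {from_dom}")
    return flags
```

Running `check_message(SAMPLE)` on the constructed message returns six flags, one per check the table lists for that message; a plain, internally addressed email returns an empty list.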
If you want to build a structured investigation process for your team, the Cyber121 Phishing Investigation Toolkit provides a 52-page playbook, Excel investigation log, and quick reference card, built by practitioners and referenced against NIST SP 800-61 and MITRE ATT&CK.
You can also download our free phishing investigation cheat sheet, a one-page desk reference covering the 10 most critical phishing indicators.
Published by the Cyber121 team. Cyber121 is a cybersecurity community platform providing free security tools, CVE intelligence, and professional training resources.
The Cyber121 team is a group of cybersecurity practitioners building community tools, training resources, and threat intelligence for security professionals.