
How to Spot a Phishing Email in 10 Seconds (With Real Examples)

Phishing emails have become nearly indistinguishable from legitimate communications. The typo-filled foreign prince is gone. But there are still tells — and most of them are not where people look.

The conventional advice — "look for typos," "check the grammar," "be suspicious of foreign senders" — was calibrated for a previous era of phishing. In 2025–2026, generative AI ensures that phishing emails are grammatically perfect, tonally accurate, and formatted to match exactly the brand they are impersonating. The old tells are dead.

What remains are structural and behavioral tells — things about the situation and the request that reveal the scam regardless of how polished the email looks.

A Real Example, Annotated


Dear Customer,

Your Netflix account has been temporarily suspended due to a billing issue. Please update your payment information within 24 hours to avoid permanent suspension.

[Update Payment Method]

Netflix Support Team

Three tells in under 10 seconds: the sender domain contains "netfliix" with a doubled letter. The subject creates urgency. The 24-hour deadline is manufactured pressure to prevent careful examination.

The 7 Tells That Still Work

01. The sender domain, not the sender name. Email display names can say anything. The actual sending address cannot be faked without detection. Look for misspellings, added words (support-, billing-), wrong TLDs, or completely unrelated domains.
02. Artificial urgency with a countdown. Legitimate companies do not threaten account closure within 24 or 48 hours by email with no prior warning. Any urgency framing is a signal to slow down, not speed up.
03. Generic greetings. Real service providers address you by name. "Dear Customer" or "Dear User" is a sign the sender doesn't actually know who you are — they are emailing thousands of people.
04. The link doesn't match the brand. Hover your cursor over any link before clicking. If the displayed text says "netflix.com" but the actual URL is "secure-billing-update.net/netflix" — it's phishing.
05. An attachment you didn't request. PDFs, Word documents, and ZIP files sent unexpectedly are a primary malware delivery mechanism. If you didn't request a document, do not open it.
06. A request for credentials or payment via email. Legitimate financial institutions do not request your password, full card number, or CVV by email. Ever.
07. The "CEO email" pattern. A documented corporate tactic involves email impersonating a company's CEO, requesting an urgent wire transfer to a new vendor while the executive is "in a meeting."

The URL double-take: In documented phishing cases, victims describe a consistent moment of realization — often 30 seconds after entering their credentials — when they notice the URL was subtly wrong. "wellsfarg0.com" instead of "wellsfargo.com." By then, the credentials are gone. The 10-second check is the one that changes the outcome.
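
Tells 01 and 04 can be checked mechanically. The Python sketch below is an added example, not code from the original article: it ignores the display name, flags a sender domain that imitates a known brand, and compares each link's visible text with its real target. The KNOWN list, the 0.85 similarity threshold, the function names and the sample address are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN = {"netflix.com", "wellsfargo.com", "usps.com"}  # assumed list of brands you use

def registrable(host):  # naive last two labels; real code should use the Public Suffix List
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain):
    """Return the known domain that `domain` imitates, or None if exact or unrelated."""
    if domain in KNOWN:
        return None
    folded = domain.translate(str.maketrans("013", "ole"))  # undo digit-for-letter swaps
    for known in sorted(KNOWN):
        added_words = known.split(".")[0] in re.split(r"[.-]", folded)  # brand-plus-words
        if added_words or SequenceMatcher(None, folded, known).ratio() >= 0.85:
            return known
    return None

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False  # links holds [href, visible text] pairs
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def check_email(from_header, html_body):  # tell 01 (sender) and tell 04 (link vs. text)
    sender = registrable(parseaddr(from_header)[1].rpartition("@")[2])  # display name ignored
    findings = [f"sender {sender} imitates {hit}"] if (hit := lookalike_of(sender)) else []
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        target = registrable(urlparse(href).hostname or "")
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if target and shown and registrable(shown.group(0)) != target:
            findings.append(f"link text {shown.group(0)} goes to {target}")
    return findings

SAMPLE_FROM = "Netflix Support <billing@netfliix.com>"  # constructed address
SAMPLE_HTML = '<a href="https://secure-billing-update.net/netflix">netflix.com</a>'
```

Calling `check_email(SAMPLE_FROM, SAMPLE_HTML)` returns one finding for the doubled-letter sender domain and one for the link whose text and target disagree; a message with no findings is not thereby proven safe.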

SMS Phishing (Smishing): The Same Attack by Text

USPS: Your package is held at our facility due to an incorrect address. Verify your address here: usps-delivery-update.com/verify

The link is not usps.com. The message does not know your name. There is no tracking number you actually recognize. The urgency ("held") drives clicks before those observations register.

The Universal Defense

Do not use the links in the communication. Go directly to the official website yourself.

If you receive an email claiming your Netflix account has a billing issue, open a new browser tab, type netflix.com, log in, and check your account directly. If there is a real issue, it will appear there. Legitimate companies survive you typing their URL yourself. Phishing links do not.

If You Have Already Clicked

"In phishing, it's often 30 seconds after entering credentials when the victim notices the URL was 'wellsfarg0.com' instead of 'wellsfargo.com.'"

— Fraud Investigation Report, Behavioral Psychology Division
