How to recognize phishing: red flags and warning signs

Knowing how to recognize phishing is one of the most valuable skills you can have at work, because phishing remains the leading way attackers break into organizations. This guide walks through the phishing red flags, how to check a link or sender safely, and exactly what to do when something feels off.

Why phishing is hard to spot

Modern phishing is convincing on purpose. Attackers copy real logos, real wording, and real sender names, and they increasingly use AI to write clean, error-free messages in your language. According to European incident-response reporting, phishing is the most common way attackers gain initial access, which means a single believable email can be enough to start a breach.

It is also a numbers game combined with timing. A message that lands while you are busy, distracted, or expecting a parcel, an invoice, or a Microsoft 365 password reset is far more likely to work. The attacker only needs you to act on autopilot for a few seconds.

If you want the bigger picture first, it helps to understand what phishing is and the different types of phishing, from email and smishing to vishing and QR-code attacks. Recognition becomes much easier once you know the shapes these attacks take.

Phishing red flags: the checklist

No single sign proves a message is malicious, but several together should make you stop and verify. Run any unexpected message through this quick checklist.

  • Unexpected or out of context: a message you did not ask for, about an account, delivery, or invoice you do not recognize.
  • Urgency and pressure: "act now", "account will be suspended", "final notice", or threats of fees or legal action.
  • Emotional triggers: fear, curiosity, greed, or authority (a request that seems to come from a boss or executive).
  • Generic greeting: "Dear customer" or "Dear user" instead of your name, when the real sender would know it.
  • Mismatched or odd sender address: a display name you trust paired with a strange or look-alike domain.
  • Links that do not match: the visible text says one thing, but the real destination is different.
  • Unexpected attachments: invoices, receipts, or "secure documents", especially ZIP, HTML, or files asking you to enable content.
  • Requests for credentials or codes: any page or person asking for your password, MFA code, or payment details.
  • Language and formatting errors: awkward phrasing, wrong branding, or layout that is slightly off.

Check the sender and the domain

Attackers rely on the fact that most people read only the display name. The display name can say anything; the part that matters is the actual email address and, specifically, the domain after the @ symbol.

Watch for look-alike domains

A favourite trick is a domain that looks almost right. Attackers swap or add a character, use a different ending, or hide the real brand inside a longer address. For example, a message claiming to be from your bank or from Slovenská pošta might come from a domain that is close to the genuine one but not exactly it. Compare it carefully against an address you already trust.

  • Expand the sender to see the full address, not just the display name.
  • Read the domain right after the @ and compare it letter by letter to the real one.
  • Be suspicious of subdomains that bury the brand, such as a trusted name placed before an unrelated domain.
  • Remember that a real-looking address can still be spoofed or sent from a compromised account, so the sender alone is never proof on its own.

Check where a link really goes

The goal is to see where a link really goes without actually opening it. The safest habit is simple: do not click first, inspect first.

  1. On a computer, hover your mouse over the link (do not click) and read the real URL that appears at the bottom of the window or in a tooltip.
  2. On a phone, press and hold the link to preview the destination instead of tapping it.
  3. Compare the domain in that URL to the official one you know. If they do not match, do not proceed.
  4. Be wary of shortened or unusual links that hide the destination, and of links that lead to a login page you reached unexpectedly.
  5. When in doubt, do not use the link at all: open a new browser tab and type the official address yourself, or use a bookmark.
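Both checks above, the domain after the @ in the sender address and the real destination behind a link, can be scripted. The following is an added example, not code from this page or from PhishGun: using only Python's standard library it parses a constructed sample e-mail, expands the From header to its domain, compares each link's visible text with its real href, and flags domains that bury or imitate a trusted brand. The trusted-domain list, the substitution table and the sample message are constructed for the demonstration.

```python
"""Flag the sender and link red flags from the guide in one e-mail.

Added illustrative example. TRUSTED_DOMAINS, HOMOGLYPHS and SAMPLE_EMAIL are
constructed for this demonstration, not taken from any real mailbox.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the organization already trusts.
TRUSTED_DOMAINS = {"example-bank.com", "posta.sk", "microsoft.com"}

# Partial table of substitutions attackers use to build look-alike names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

# Visible link text that itself looks like a URL or a bare host name.
URL_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Crude 'brand domain': the last two labels. Production code should use
    the Public Suffix List (co.uk etc.); this keeps the example offline."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(label: str) -> str:
    """Fold digit and letter-pair substitutions so 'examp1e' and 'rnicrosoft'
    compare equal to 'example' and 'microsoft'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches a dropped, added or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """'trusted' if the registrable domain is on the list, 'lookalike' if the
    host buries or imitates a trusted brand, otherwise 'unknown'."""
    host = host.lower()
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    name = normalize(registrable_domain(host).split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand present as a whole label or label part, e.g.
        # example-bank.com.secure-login-portal.net or microsoft-login.com
        if re.search(rf"(?<![a-z0-9]){re.escape(brand)}(?![a-z0-9])", host):
            return "lookalike"
        if edit_distance(name, brand) <= (1 if len(brand) < 8 else 2):
            return "lookalike"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze(raw_message: str) -> list:
    """Return human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, address = parseaddr(str(msg["From"]))
    sender_host = address.rsplit("@", 1)[-1]       # the part after the @
    verdict = classify_domain(sender_host)
    if verdict != "trusted":
        findings.append(f"sender {display_name!r} uses {verdict} domain {sender_host!r}")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for text, href in collector.links:
        target = (urlparse(href).hostname or "").lower()
        shown = URL_TEXT.match(text)
        # Visible text names one domain while the real destination is another.
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            findings.append(f"link text shows {shown.group(1)!r} but goes to {target!r}")
        verdict = classify_domain(target)
        if verdict != "trusted":
            findings.append(f"link target {target!r} is {verdict}")
    return findings


# Constructed sample: look-alike sender, brand buried in a subdomain behind
# mismatched link text, and a homoglyph domain in a second link.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: employee@corp.example
Subject: Final notice: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, please verify your details within 24 hours:</p>
<a href="https://example-bank.com.secure-login-portal.net/verify">https://www.example-bank.com/login</a>
<a href="https://rnicrosoft.com/reset">Reset your Microsoft 365 password</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("!", finding)
```

Run against the sample it reports four findings: a look-alike sender domain, a link whose text names example-bank.com but leads to a different registrable domain, that same destination burying the brand in a subdomain, and a homoglyph domain (rn for m) in the second link. The registrable-domain helper takes the last two labels as a simplification; real tooling should use the Public Suffix List and decode IDNA (xn--) host names, and the allow-list must contain every domain the brand legitimately sends from, or genuine mail will be flagged as unknown.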

Never enter your password or an MFA code on a page you arrived at through a link in a message. A legitimate service has no reason to make you re-enter existing credentials through an unsolicited link, and entering them on a fake page is exactly what the attacker wants.

Watch for unusual requests

Some of the most damaging attacks contain no malware and no obvious bad link. They simply ask you to do something. This is the heart of business email compromise, where an attacker impersonates an executive, a colleague, or a supplier to trigger a payment or a data transfer.

  • A sudden request to pay an invoice or change bank account details for a supplier.
  • A "quick favour" from a manager who is conveniently unreachable by phone.
  • Pressure to keep a transaction confidential or to bypass the normal approval process.
  • A request to buy gift cards, move funds urgently, or share employee or payroll data.
  • Anyone, internal or external, asking for your password, MFA approval, or a one-time code.

No legitimate IT department, bank, or service provider will ever ask you to reveal your password or approve an MFA prompt you did not start. If you receive an MFA request you were not expecting, deny it and report it, because it may mean someone already has your password.

What to do if you suspect phishing

If a message trips any of these warning signs, you do not need to be certain it is malicious. The right response is the same either way: do not interact, report, and let your security team decide.

  1. Do not click links, open attachments, scan codes, or reply.
  2. Do not enter credentials, codes, or payment details anywhere the message sent you.
  3. Report it using your organization's report button or by forwarding it to IT or security, ideally before deleting.
  4. If you already clicked or entered details, report it immediately and change the affected password, then follow whatever further steps IT asks for. Speed limits the damage and is never something to be embarrassed about.
  5. Once reported, delete the message so you do not interact with it later by mistake.

Recognizing phishing is a skill that improves with practice. Organizations build measurable resilience by pairing this awareness with regular, realistic phishing simulations and short in-the-moment training, an approach used by platforms such as PhishGun, so the right reaction becomes a reflex. To go further, see how to prevent phishing for the layered controls that back up alert employees.

Frequently asked questions

What are the most common signs of a phishing email?

The most common phishing red flags are an unexpected message, a sense of urgency or threat, a generic greeting, a sender address or link that does not quite match the real one, requests for passwords or payment, and small language or branding errors. No single sign is proof, but several together mean you should stop and verify.

How can I check if a link is safe without clicking it?

Hover over the link with your mouse on a computer, or press and hold it on a phone, to preview the real destination. Compare that domain to the official one. When in doubt, do not use the link at all: type the official address into your browser or use a saved bookmark instead.

What should I do if I receive a phishing email?

Do not click, reply, open attachments, or enter any details. Report it using your report button or to IT or security, then delete it. If you already clicked or entered credentials, report it immediately and change the affected password; fast action limits the damage.

Can a phishing email come from a real, trusted email address?

Yes. Addresses can be spoofed, and attackers often send phishing from genuine accounts they have already compromised, so a familiar sender is never proof on its own. Always weigh the sender alongside the other warning signs, and verify unusual requests on a separate, known channel.

Why is phishing so hard to recognize now?

Attackers copy real branding and wording and increasingly use AI to write fluent, error-free messages in your language. They also time messages to arrive when you are busy or expecting something. That is why a deliberate pause and a quick check of the sender and links matter more than ever.

Next step

Ready to measure your phishing and training program?

Book a demo and see how PhishGun can support your simulation and training program, reporting needs, and compliance evidence.