
How to Spot Phishing Emails: 5 Red Flags You Should Never Ignore
Quick Tip
Always hover over links before clicking to verify the actual destination URL matches what the text claims.
Phishing emails remain the number one entry point for data breaches and identity theft. This post covers five telltale signs that separate legitimate messages from social engineering traps—knowing these red flags can save your accounts, your money, and your peace of mind.
How Can You Tell If an Email Is a Phishing Attempt?
The sender's address rarely matches the claimed identity. A message claiming to be from PayPal might show an address like "service@paypa1-security.net" instead of paypal.com. That slight misspelling is deliberate. Check the actual email address—not just the display name.
Hover over links before clicking. The real destination appears in your browser's status bar (usually the bottom-left corner) or as a tooltip in a desktop mail client. If a Chase Bank email links to "chase-secure-update.tk," close it immediately. Legitimate institutions don't use random top-level domains for security alerts.
What Are the Most Common Signs of a Phishing Email?
Urgency is the attacker's favorite tool. "Your account will be suspended in 24 hours!" creates panic—and panicked people click without thinking. Real companies (Amazon, your bank, the IRS) don't threaten immediate account closure via email. They have proper channels and verified contact methods.
Here are five red flags to watch for:
| Red Flag | What It Looks Like | Legitimate Alternative |
|---|---|---|
| Urgent threats | "Act now or lose access!" | Neutral language with account-specific details |
| Generic greeting | "Dear Valued Customer" | Your actual name from their records |
| Suspicious attachments | .zip, .exe, or unexpected .pdf files | Links to secure portals (never attachments for sensitive data) |
| Grammar errors | Awkward phrasing, odd capitalization | Professional copyedited text |
| Requests for sensitive data | "Confirm your password here" | Never asking for passwords via email—ever |
Worth noting: some phishing emails are shockingly polished. Attackers use AI writing tools and steal real branding. The grammar test alone isn't enough anymore.
What Should You Do If You Suspect a Phishing Email?
Don't click. Don't reply. Don't download attachments. Report it through your email provider's built-in tools—Gmail's "Report phishing" button and Outlook's "Junk" options both flag messages for security teams. Forward suspicious emails claiming to be from banks to their actual fraud departments (find these addresses on their official websites, not the suspicious email).
Reporting matters beyond your inbox, too. The Federal Trade Commission tracks phishing campaigns, and your report helps identify larger attack patterns. For workplace emails, notify your IT security team immediately—they need to know about targeted attacks against your organization.
Enable two-factor authentication on every account that offers it. Even if a password leaks through a phishing site, an attacker holding only that password still can't get into an account protected by a second factor. Authy and Google Authenticator work across most services; hardware keys like YubiKey provide the strongest protection for high-value accounts.
Phishing evolves constantly. Stay skeptical. Trust your gut when something feels off—and verify through direct contact, never through the email itself.
