Sender address is unusual, misspelled, or not the same as the official domain
Email is from a display name that doesn’t match the actual sender address
Urgent or threatening language pressures you to act immediately
Requests for password, one-time codes, account verification, or payment information
Links direct to unfamiliar domains or look different from the real company site
URL uses odd characters, extra subdomains, or shortened/redirected links
Hover text over links shows a different destination than the visible text
Attachments are unexpected, executable (.exe/.js/.scr), or have mismatched file types
Message contains generic greetings (e.g., “Dear Customer”) instead of your name
Poor grammar, spelling errors, or awkward phrasing
Requests to bypass normal login methods (e.g., “log in via the link below”)
Claims of account issues that don’t match your recent activity
Email asks you to enable macros or “view content” from an attachment
Phone number or contact details differ from those on official websites
Signatures lack proper company details or include unverified contact info
“Unsubscribe” or “confirm” links lead to suspicious pages
Images or branding are low quality, inconsistent, or don’t match the organization’s typical style
Multiple links within the email point to unrelated or inconsistent domains
Social engineering cues: “You have been selected,” “final notice,” or “unusual activity” without specifics