Check the sender’s email address for mismatches or unusual characters
Verify the display name doesn’t hide a different or lookalike domain
Look for links that use unexpected domains or misspellings
Hover over links to preview the real destination URL
Avoid clicking shortened URLs or links with suspicious query strings
Watch for urgent or threatening language demanding immediate action
Be cautious of emails asking for passwords, verification codes, or full payment details
Verify requests for sensitive information through official channels
Check for generic greetings or incorrect personal details
Look for poor grammar, spelling mistakes, or awkward wording
Review the email formatting for inconsistencies (logos, fonts, layout)
Confirm attachments are expected; avoid opening unexpected files
Be wary of attachments that are executable or unusual formats (e.g., .exe, .scr, .js)
Confirm the request matches your relationship with the organization
Check for unexpected account alerts or login prompts
Look for “reply-to” addresses that differ from the sender domain
Verify the company’s contact details separately from the email
Use official apps or bookmarks to access accounts instead of email links
If unsure, report the message using your organization’s phishing reporting process
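The checklist above is meant for a human reader, but most of its items can also be applied mechanically to a message before it reaches one. The script below is an added example, not part of the original checklist: it parses a constructed sample message and reports on the sender display name versus address, lookalike domains, a Reply-To that differs from the sender, link text whose host differs from the real destination, shortened URLs, risky attachment names, urgent wording, requests for credentials, and generic greetings. The brand table (`KNOWN_BRANDS`), the shortener set, the homoglyph folding table and the keyword lists are assumptions made for the example and would be replaced by an organization's own reference data in practice.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Reference data for the example; all of it is constructed or illustrative, not a
# vendor feed: brand name -> its legitimate domain, a few public URL shorteners,
# the risky attachment types the checklist names, and wording to look for.
KNOWN_BRANDS = {"paypal": "paypal.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js")
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")
CREDENTIAL_WORDS = ("password", "verification code", "card number")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
# Fold common digit-for-letter swaps so "paypa1" compares equal to "paypal".
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "4": "a"})


def domain_of(address):
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def under_brand(host, brand):
    """True when host is the brand's real domain or a subdomain of it."""
    legit = KNOWN_BRANDS[brand]
    return host == legit or host.endswith("." + legit)


def brand_impersonated(text):
    """Brand names that appear in text (after homoglyph folding) without being the real domain."""
    folded = text.lower().translate(HOMOGLYPHS)
    return [b for b in KNOWN_BRANDS if b in folded and not under_brand(text.lower(), b)]


def link_findings(html):
    """Compare each anchor's visible text with where the href really points."""
    findings = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but goes to {href_host}")
        if href_host in URL_SHORTENERS:
            findings.append(f"shortened URL hides the destination: {href}")
        for brand in brand_impersonated(href_host):
            findings.append(f"link host {href_host} resembles {brand} but is not {KNOWN_BRANDS[brand]}")
    return findings


def triage(raw_message):
    """Apply the checklist to one raw RFC 822 message; returns {check: [details]} ({} when clean)."""
    msg = message_from_string(raw_message)
    findings = {}

    def add(check, detail):
        findings.setdefault(check, []).append(detail)

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    for brand in brand_impersonated(display):
        add("display-name", f"'{display}' names {brand} but the sender domain is {sender_domain}")
    for brand in brand_impersonated(sender_domain):
        add("lookalike-sender", f"{sender_domain} resembles {KNOWN_BRANDS[brand]}")
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        add("reply-to", f"replies go to {reply_domain}, not {sender_domain}")

    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name:  # attachment: flag risky or double extensions, do not open it
            if name.lower().endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
                add("attachment", f"risky attachment name: {name}")
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")

    for detail in link_findings(body):
        add("links", detail)
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    for words, check in ((URGENCY_WORDS, "urgency"), (CREDENTIAL_WORDS, "credentials"),
                         (GENERIC_GREETINGS, "greeting")):
        hits = [w for w in words if w in text]
        if hits:
            add(check, "matched: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail); the attachment body is the base64 of a short sentence.
SAMPLE_EMAIL = """\
From: "PayPal Support" <billing@paypa1-secure.example>
Reply-To: collect@mail-collector.example
To: user@example.com
Subject: URGENT: your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="frontier"

--frontier
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Unusual activity was detected. Confirm your password immediately
or the account will be suspended within 24 hours.</p>
<p><a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a></p>
<p>The invoice is attached.</p>
</body></html>
--frontier
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--frontier--
"""

CLEAN_EMAIL = """\
From: "Example Team" <team@example.com>
To: user@example.com
Subject: Monthly newsletter
Content-Type: text/plain; charset="utf-8"

Hi Alice, here is this month's newsletter: https://example.com/news
"""

if __name__ == "__main__":
    for check, details in triage(SAMPLE_EMAIL).items():
        print(f"[{check}] " + "; ".join(details))
    print("clean message findings:", triage(CLEAN_EMAIL))
```

These are heuristics: the keyword lists are coarse, the homoglyph table covers only digit-for-letter swaps, and lookalike detection is only as good as the brand table behind it. The value of the script is in showing how each checklist item maps to one concrete, testable signal; the checklist's last step still applies, and any message that trips several checks should go through the organization's reporting process rather than be judged by the sender or by the script alone.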
