The 7 Red Flags of Phishing
The 7 Red Flags of Phishing

Photo by Jan van der Wolf on Pexels
Every phishing email exhibits at least one of seven telltale signs. You do not need to memorize every phishing example — instead, internalize these seven patterns. When you see any one of them, slow down and investigate before acting.
Red Flag 1: Urgency or Threat
Phishing emails create artificial time pressure to make you act without thinking. "Your account will be suspended in 24 hours," "Final notice: Immediate action required," or "You must verify your identity now." Legitimate organizations do not create this kind of pressure for security-sensitive actions. When you feel urgency, that is your signal to stop and verify independently.
Red Flag 2: Generic Greetings
Mass phishing emails cannot personalize because the attacker does not know your name. "Dear Customer," "Dear User," or "Hello" instead of your actual name is suspicious. However, spear phishing will use your name — so the absence of a generic greeting does not guarantee safety. Combine this flag with others.
Red Flag 3: Mismatched or Suspicious Links
The displayed link text and the actual URL do not match. An email says "Click here to access your account" and the link points to "login-verify-secure.com" instead of your bank's domain. Hover over every link before clicking. On mobile, long-press the link to see the URL. If the domain does not match the organization, do not click.
Red Flag 4: Unexpected Attachments
You receive an attachment you were not expecting, even if it appears to come from someone you know. Invoice attachments from vendors you do not work with, document links from HR when you have no pending HR interactions, or shipping confirmations for packages you did not order. Attackers use attachments to deliver malware. If you were not expecting it, verify before opening.
Red Flag 5: Requests for Sensitive Information
Any email requesting passwords, Social Security numbers, full credit card details, or banking information is a red flag. Legitimate organizations never ask for passwords by email. Banks and financial institutions will direct you to log in through their website or app, not provide credentials through an email form.
Red Flag 6: Sender Domain Mismatch
The email claims to be from a trusted organization but the sender's email domain does not match. An email from "FedEx" sent from "fedex-delivery-notice.com" is suspicious. FedEx emails come from fedex.com. Check the full email address, not just the display name. On most email clients, click or hover over the sender name to reveal the actual email address.
Red Flag 7: Too Good to Be True
You have won a prize, inherited money, or been offered a free gift card. These appeals to greed and excitement bypass logical analysis. If something seems too good to be true, it almost certainly is. No legitimate organization gives away money or prizes through unsolicited emails.
The 10-Second Rule
When you see any of these red flags, apply the 10-second rule: stop, take 10 seconds to think, and ask yourself: "Did I expect this email? Does the sender match? Does the link go where it should?" Ten seconds of deliberate thinking is all it takes to defeat most phishing attacks. The attacker's entire strategy relies on you not taking that time.
Free Tools for Link Checking
- VirusTotal (virustotal.com) — Paste any URL to check it against 70+ security engines
- URLscan.io (urlscan.io) — Scan a URL to see where it actually goes and what it loads
- CheckPhish (checkphish.ai) — Free URL scanner that detects phishing pages
Key Takeaways
- Every phishing email shows at least one of seven red flags
- The 10-second rule — stop and think — defeats most attacks
- Hover over links, check sender addresses, and never act on urgency alone
- When in doubt, verify through a separate, trusted channel
Common Questions: The 7 Red Flags of Phishing
Q: What if an email has only one red flag—should I still report it?
Yes. Sophisticated phishing emails may exhibit only a single subtle red flag. For example, a well-crafted spear phishing email might have perfect grammar, a legitimate-looking sender address, and a plausible context—but use a slightly altered domain name (like "paypa1.com" with a number 1 instead of the letter l). When in doubt, report it. False positives cost seconds; a missed phishing email can cost the company thousands of dollars or more.
Q: How can I hover over links safely without clicking?
On most email clients, hovering your mouse over a link (without clicking) displays the actual URL in a tooltip or status bar. In Gmail, the URL appears at the bottom-left of the browser window. In Outlook, a tooltip appears near the cursor. If the displayed URL doesn't match the link text or the expected domain, do not click. You can also right-click and copy the link address (without visiting it) to paste into VirusTotal for analysis.
Q: Are shortened URLs always phishing?
Not always, but they should be treated with caution. Legitimate services like bit.ly and tinyurl are used by marketing teams, but attackers also use them to hide malicious destinations. Free tools like unshorten.it or WhereGoes.com can reveal where a shortened URL actually leads without clicking it. If your organization uses shortened URLs in legitimate communications, establish a policy that they should only come from official company accounts.
Q: What if the email passes all 7 red flag checks?
Even if no red flags are obvious, remain cautious for high-risk requests like financial transactions, credential entry, or data access. Zero red flags doesn't guarantee safety—sophisticated phishing emails are designed to evade detection. For any sensitive action, apply a secondary verification step regardless of how legitimate the email appears. This is your safety net against the most advanced phishing attempts.
The 7 Red Flags of Phishing

Photo by Jan van der Wolf on Pexels
Every phishing email exhibits at least one of seven telltale signs. You do not need to memorize every phishing example — instead, internalize these seven patterns. When you see any one of them, slow down and investigate before acting.
Red Flag 1: Urgency or Threat
Phishing emails create artificial time pressure to make you act without thinking. "Your account will be suspended in 24 hours," "Final notice: Immediate action required," or "You must verify your identity now." Legitimate organizations do not create this kind of pressure for security-sensitive actions. When you feel urgency, that is your signal to stop and verify independently.
Red Flag 2: Generic Greetings
Mass phishing emails cannot personalize because the attacker does not know your name. "Dear Customer," "Dear User," or "Hello" instead of your actual name is suspicious. However, spear phishing will use your name — so the absence of a generic greeting does not guarantee safety. Combine this flag with others.
Red Flag 3: Mismatched or Suspicious Links
The displayed link text and the actual URL do not match. An email says "Click here to access your account" and the link points to "login-verify-secure.com" instead of your bank's domain. Hover over every link before clicking. On mobile, long-press the link to see the URL. If the domain does not match the organization, do not click.
Red Flag 4: Unexpected Attachments
You receive an attachment you were not expecting, even if it appears to come from someone you know. Invoice attachments from vendors you do not work with, document links from HR when you have no pending HR interactions, or shipping confirmations for packages you did not order. Attackers use attachments to deliver malware. If you were not expecting it, verify before opening.
Red Flag 5: Requests for Sensitive Information
Any email requesting passwords, Social Security numbers, full credit card details, or banking information is a red flag. Legitimate organizations never ask for passwords by email. Banks and financial institutions will direct you to log in through their website or app, not provide credentials through an email form.
Red Flag 6: Sender Domain Mismatch
The email claims to be from a trusted organization but the sender's email domain does not match. An email from "FedEx" sent from "fedex-delivery-notice.com" is suspicious. FedEx emails come from fedex.com. Check the full email address, not just the display name. On most email clients, click or hover over the sender name to reveal the actual email address.
Red Flag 7: Too Good to Be True
You have won a prize, inherited money, or been offered a free gift card. These appeals to greed and excitement bypass logical analysis. If something seems too good to be true, it almost certainly is. No legitimate organization gives away money or prizes through unsolicited emails.
The 10-Second Rule
When you see any of these red flags, apply the 10-second rule: stop, take 10 seconds to think, and ask yourself: "Did I expect this email? Does the sender match? Does the link go where it should?" Ten seconds of deliberate thinking is all it takes to defeat most phishing attacks. The attacker's entire strategy relies on you not taking that time.
Free Tools for Link Checking
- VirusTotal (virustotal.com) — Paste any URL to check it against 70+ security engines
- URLscan.io (urlscan.io) — Scan a URL to see where it actually goes and what it loads
- CheckPhish (checkphish.ai) — Free URL scanner that detects phishing pages
Key Takeaways
- Every phishing email shows at least one of seven red flags
- The 10-second rule — stop and think — defeats most attacks
- Hover over links, check sender addresses, and never act on urgency alone
- When in doubt, verify through a separate, trusted channel
There are no comments for now.