Cybercriminals send millions of malicious emails every day. These scams are designed to steal credentials, money, and even entire identities. By spotting the warning signs early, you can break the attack chain before any damage is done.
This guide walks you through the top phishing red flags to watch for, how to protect yourself from common email scams, and what to do if you think you’ve clicked on a malicious link.
Top 10 phishing red flags in emails to watch out for
While phishing emails can take many forms, most of them share some common warning signs. Below are the top 10 red flags of a phishing email scam that you should always watch out for. If you notice any of these in an email, proceed with caution (or better yet, don’t proceed at all!).
1. Unsolicited or unexpected emails
Didn’t request a password reset? Didn’t subscribe to the newsletter you just received? Be suspicious. If an email shows up out of the blue from someone you don’t know or a company you weren’t expecting to hear from, be skeptical.
2. High-pressure tactics
Phishing attempts frequently use high-pressure tactics and unusual demands to bypass your better judgment. These messages often use dramatic subject lines to grab your attention and create a sense of urgency, such as:
❗“Your account will be deleted today.”
❗“Suspicious activity detected—log in now!”
❗“Your account has been suspended!”
❗“Final warning!”
They do this to play on your fear and make you act quickly without thinking critically. Legitimate companies typically don’t threaten users or demand immediate action via unexpected emails.
Phishers also like to impersonate high-level executives. Such requests typically deviate from normal procedures, create a sense of urgency or secrecy, and might:
- Come outside of regular business hours.
- Ask you to keep the request confidential.
- Urge you to skip standard protocols.
Examples of such requests include demands to transfer funds immediately (“I need you to transfer $10,000 to this account ASAP”) or to purchase and send sensitive information like gift card codes (“Please buy 50 gift cards and send me the codes”).
3. Requests for sensitive information
Be extremely wary if an email is asking you to provide sensitive personal information. Legitimate organizations never ask for things like passwords, Social Security numbers, bank account details, or credit card numbers via email—especially not out of the blue. If you get an unsolicited message urging you to “confirm” or send such private information, it’s a huge red flag that the email is a scam.
4. Slight misspellings in email addresses or domains
One common phishing trick is to use an address that’s almost identical to a real one, with just a slight change.
For example, an email that looks like it’s from support@paypal.com might actually be from support@paypaI.com (the last letter of “paypal” is a capital “i” instead of a lowercase “l”), or a bank email might use @bankofamerca.com, missing an “i.” These subtle misspellings are easy to overlook.
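As an added illustration of this check (example code written for this article, not a tool from the page): the script below folds look-alike characters to their canonical letter and measures edit distance, so that a sender domain such as paypaI.com or bankofamerca.com is flagged against a small allow-list of brand domains. The KNOWN_DOMAINS set and the HOMOGLYPHS table are constructed for the example and are not exhaustive.

```python
from email.utils import parseaddr

# Constructed allow-list of brand domains for this example (a real check would load
# the organisation's own list of partners and vendors).
KNOWN_DOMAINS = {"paypal.com", "bankofamerica.com", "expressvpn.com"}

# Characters that are easy to confuse with a Latin letter in common fonts. The capital
# "I" entry is the trick from the paypaI.com example above; the digit and Cyrillic
# entries are assumptions added for the example and do not cover every confusable.
HOMOGLYPHS = {
    "I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def skeleton(domain: str) -> str:
    """Fold look-alike glyphs to one canonical letter, then lowercase.

    Folding runs before lowercasing so a capital "I" becomes "l" instead of "i".
    """
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in domain).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, known=KNOWN_DOMAINS, max_typos: int = 1) -> dict:
    """Classify the domain of a From header as known, lookalike or unknown."""
    _, address = parseaddr(from_header)          # strips any display name
    domain = address.rsplit("@", 1)[-1]
    lowered = domain.lower()
    if lowered in known:
        return {"domain": domain, "verdict": "known"}
    if "xn--" in lowered:
        # Punycode label: the visible name contained non-ASCII characters (IDN homograph).
        return {"domain": domain, "verdict": "lookalike", "reason": "idn"}
    for brand in sorted(known):
        if skeleton(domain) == skeleton(brand):
            return {"domain": domain, "verdict": "lookalike",
                    "reason": "homoglyph", "matches": brand}
        # A small edit distance catches dropped or swapped letters such as bankofamerca.com.
        # max_typos is a tuning choice: 1 is conservative; larger values add false positives
        # on short domains.
        if levenshtein(lowered, brand) <= max_typos:
            return {"domain": domain, "verdict": "lookalike",
                    "reason": "typosquat", "matches": brand}
    return {"domain": domain, "verdict": "unknown"}


if __name__ == "__main__":
    for sample in ("support@paypaI.com", "alerts@bankofamerca.com",
                   "PayPal <service@paypa1.com>", "support@paypal.com"):
        print(sample, "->", check_sender(sample))
```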
5. Suspicious links or attachments
Phishing emails often push you to click links or open attachments. Be very careful here. Hover over any link before clicking. If the preview URL shows a bare IP address or long strings of digits and dashes, or a domain that doesn’t match the supposed sender, skip it. Unexpected ZIP, ISO, or EXE files belong in the trash.
🔐 Stay safe with ExpressVPN: ExpressVPN’s Threat Manager blocks known malicious domains—helping stop phishing links before they load.
6. Fake branding or logos
Scammers will often slap a company’s logo or header on the email to make it look official, but the quality and consistency might be wrong. Low-quality images, old logos, outdated copyright years, or off-brand color schemes can all signal fakes.
7. Offers that are too good to be true
This tactic is often called “prize phishing.” You receive an email, text, or social media DM packed with upbeat language about winning a phone, voucher, or cash. The scammers create fake brand pages and use forged logos so everything looks official. Once you click the link, you’re asked to “verify” your identity or pay a small “handling fee.”
That’s where the trap springs: the form steals your login details or credit card number, and the payment page can install malware. Legitimate giveaways don’t require payment or sensitive personal information.
8. Design or layout that feels “off”
Phishing emails often feel… wrong. Poor formatting (misaligned text, clashing fonts, weird spacing) or shoddy visuals (blurry logos, low-res images) are warning signs. Reputable companies usually send polished, consistent-looking emails, so if the design looks amateurish or different from what you’re used to, be suspicious. If the layout or style of an email gives you a bad vibe, don’t ignore that feeling.
9. Generic or suspicious greetings
“Dear User” or “Valued Customer” might seem fine—until you realize your actual service provider usually calls you by name. If you’ve had an account with a company for years and they don’t address you properly in their emails, that’s a red flag—real services know your name.
10. Poor spelling and grammar
Top brands run copy through proofreaders. Random capital letters or clumsy phrasing scream fraud. Be wary of:
- Awkward phrasing
- Misspellings
- Strange punctuation
- Inconsistent language
Note: Scammers now use AI and LLMs to write near-perfect emails in seconds, so generic greetings and poor spelling and grammar are becoming less reliable as telltale signs of phishing.
What are the most common email phishing tactics?
Phishers use various tricks to fool people. Here are some of the most common tactics:
- Spear phishing: Attackers comb your social profiles for clues—job title, recent posts, even colleague names—then craft an email customized to you alone so it reads like a genuine message.
- Malicious links (including QR codes and images embedded in the email body): The email urges you to click a button or scan a code that leads to a spoofed login page. Because the link is hidden behind text or an image, it can slip past basic spam filters.
- Malicious attachments: Some emails come with attachments (such as PDF or Word documents) that, when opened, can install malware on your device or prompt you to enable dangerous macros. If you weren’t expecting a file, it’s safer not to open it.
- Multi-channel deception: Some attackers combine email with other methods. For example, you might get a phishing email followed by a phone call from the scammer pretending to “support” you.
Phishing and AI
Unfortunately, AI has revolutionized phishing, too, making phishing emails much more sophisticated than before—and harder to identify. Large language models have stripped away the spelling slips that once betrayed a phish. Criminals feed them corporate press releases and LinkedIn bios, then send flawless emails and invoices that blend into real threads.
Ready-made phishing kits—phishing-as-a-service—lower the bar even further. According to London-based cybersecurity company Netcraft, the Darcula phishing-as-a-service platform ships branded templates, hosting, and—new this year—an AI module that writes lures in dozens of languages. Anyone with a few hundred dollars can run thousands of look-alike domains in minutes.
Your best defense stays the same: confirm money requests on a voice line you trust, hover over every link, and let ExpressVPN’s Threat Manager block known phishing sites before they load.
How to protect yourself from phishing attacks
Knowing the red flags is half the battle. The other half is practicing good security habits every day. Here are some essential steps to protect yourself from phishing attacks and other email scams:
1. Don’t click on unknown links or attachments
This is rule number one for a reason. If you receive an email from an unknown sender—or even a suspicious-looking email from someone you do know—never click links or download attachments without vetting them.
Many phishing attacks require that extra click to do their damage, whether it’s taking you to a fake login page or installing malware via a file. By refraining from that click, you stop the attack in its tracks. You can also use antivirus scanners or sandbox services to examine attachments in a safe environment before opening them.
2. Verify the sender before taking action
Always verify that an email is legitimate before you reply, click, or act on its instructions. If an email claims to be from a company, double-check the sender’s address and compare it to previous legitimate emails from that company.
When in doubt, don’t use the contact information provided in the suspicious email. Instead, independently find the official customer service number or website of the company and contact them directly to ask if they sent you something.
3. Use multi-factor authentication (MFA)
Enabling MFA on your accounts is one of the best safety nets against phishing. MFA means that even if someone steals your password, they still need a second proof of identity, like a code from your authenticator app, a one-time PIN sent to your phone, a fingerprint, or your hardware security key, to log in.
Many online services—from email providers to banks—offer MFA options. At a minimum, turn it on for your primary email and any financial accounts. With MFA in place, a phisher who tricks you into revealing your password will hit a roadblock because they likely don’t have that second factor.
Some advanced phishing scams try to steal one-time codes as well by spoofing login pages. Having MFA can still stop most attacks because even if you log in on the spoofed page, it will still require a second confirmation.
4. Keep software and security tools updated
Software updates patch security holes that phishing attacks might exploit, so enable automatic updates for your operating system, browsers, and email programs.
Also, use security tools: install reputable antivirus with strong phishing protection, keep its malware database updated, and use your email provider’s spam filters. Modern web browsers have built-in phishing protection as well.
What to do if you clicked on a phishing link
Mistakes happen. If you realize you clicked on a phishing link or otherwise engaged with a suspicious email, don’t panic, but act quickly. Here’s what to do if you think you took the bait:
Change affected passwords immediately
If you entered your credentials on a phishing site, assume that password is compromised. Change it right away on the real service. Also, change any other accounts that used the same password (and going forward, use unique passwords for each account to minimize this risk).
It’s a good idea to enable MFA on your accounts if you haven’t already, which adds an extra verification step when logging in. The quicker you update your security info, the less chance the scammers have to misuse your accounts.
💡 Quick tip: Use a password manager. ExpressVPN Keys can help you generate and store unique passwords. This way, even if one password is stolen, the rest of your accounts stay safe.
Disconnect and scan your device
If you suspect you may have downloaded malware, disconnect from the internet. Unplug your network cable or turn off Wi-Fi to cut off any communication from your device.
Then, run a full scan with your antivirus. Let it check for any infections or suspicious programs. If something is found, follow the software’s instructions to remove it. It’s wise to stay offline until you’re confident your system is clean to prevent any malware from sending out data or spreading.
Notify your IT or security team
If this happened on your work account or device, inform your IT/security team immediately. It might feel embarrassing, but reporting quickly is crucial. The team can take steps to secure your account, scan your computer, and prevent the incident from spreading in the company.
Remember, you’re not the first person to click a bad link—companies train for this exact situation, and they need to know so they can respond effectively. Early reports let them quarantine malicious mail and warn colleagues.
If the phishing incident was on a personal account (not work), you may not have an IT team, but consider who else you should alert. For example, if you gave away bank details, call your bank; if your email was compromised, let your contacts know not to trust any strange messages coming from you. The key is to contain the damage and get help where needed.
Report the attack
After dealing with the immediate fallout, take a moment to report the phishing attack. Most email services let you easily report phishing, which helps them improve their filtering. You can also forward the phishing email to the appropriate authorities or organizations. By reporting it, you contribute to blacklist databases and help law enforcement track down culprits.
How to report phishing emails
Reporting phishing emails not only helps you protect yourself, but it also helps protect others. Many scammers reuse the same email templates or target multiple people, so every report counts. Here are two key avenues for reporting phishing emails:
Reporting to your email provider
The easiest way to report a phishing email is through your email service’s built-in tools. Most providers have a Report phishing or Report spam button. Using it not only removes the email from your inbox but also sends a signal to the provider to block similar messages in the future.
Gmail
Open the phishing message. Next to Reply, click More (three dots). Click Report phishing.
Yahoo Mail
Open the phishing message. Mark the message as Spam.
Outlook
Open the phishing message. Click More Actions (three dots). Click Report > Report phishing.
If your email is hosted on your own domain, contact your service provider directly.
Reporting to anti-phishing agencies
You can also report phishing attempts to organizations that track scams. A primary one is the U.S.-based non-profit Anti-Phishing Working Group. Simply forward the phishing email to reportphishing@apwg.org to help get it into their system.
In the U.S., the Federal Trade Commission (FTC) accepts reports at ReportFraud.ftc.gov. If the phishing message spoofed a specific company, you can often notify that company’s security department as well.
By reporting, you help shut down phishing websites and alert others. It only takes a minute and can make a difference in the broader fight against scammers.
Conclusion: Why spotting red flags early matters
Recognizing phishing red flags early—ideally as soon as you read the subject line or preview the email—can save you from a lot of trouble. If you catch a scam email before clicking anything, you neutralize the threat right away.
Think of it like a smoke alarm for your inbox: if you notice the warning signs in time, you can avoid the fire. Scammers rely on victims being too busy or distracted to scrutinize their messages. By training yourself to pause and evaluate emails for authenticity, you’ll stay one step ahead of attackers.
Spotting red flags early means you won’t enter that password on a fake site, download that dangerous attachment, or wire money to a fraudster. In short, it’s the key to staying safe online in the face of increasingly sophisticated email scams.
FAQ: Common questions about phishing emails
Can phishing emails install malware?
No, not by themselves in your inbox. A phishing email won’t infect you unless you interact with it. The danger comes if you click a malicious link or open an infected attachment in the email—then malware can be downloaded to your device. If you simply receive or read the email without clicking anything, you’re generally safe. It’s the action that triggers the harm, which is why being cautious with links and files is so important.
How do I report phishing emails?
To report a phishing email, use your email client’s “report phishing” feature, if available. This will flag it to your provider. You should also forward the email to the Anti-Phishing Working Group at reportphishing@apwg.org.
Additionally, consider reporting it to any relevant authority or the impersonated organization. For example, if someone pretended to be your bank, let your bank’s fraud department know. Reporting phishing attempts helps improve filters and can aid in efforts to shut down the scammers. Remember to report before deleting the email, and never reply to it.
What if I replied to a phishing message?
If you replied but didn’t send any personal info, you’re likely okay (though you might get more spam now since the scammer knows you’re responsive). If you sent sensitive information, such as passwords, account numbers, or personal details, assume that the data has been compromised.
Here’s what to do: Immediately change any affected passwords and contact relevant institutions (for example, your bank if you gave financial info). And of course, stop any further communication with the scammer. Going forward, be extra careful with any unsolicited emails asking for information.
What are 3 indicators of phishing?
Three common indicators of a phishing email are:
- Mismatched or strange sender address: The email claims to be from someone or some company you recognize, but the sender’s email address is off—wrong domain or odd spelling.
- Urgent or threatening language: The message creates panic (“Immediate action required” or “Account will be closed”) or uses an extreme lure (“You won a million dollars!”). This pressure to act fast without thinking is a major red flag.
- Suspicious links or attachments: The email contains a hyperlink that looks legitimate but, on hover, points to an unrelated website, or it has an attachment you weren’t expecting. Either can be an attempt to compromise your device or data.
There are certainly other signs, like poor grammar or generic greetings, but the presence of any one of the above is a strong hint that the email could be a phishing attempt.
What is a red flag in email?
A red flag is any warning sign that an email might be a scam or fraudulent. It’s basically something that triggers suspicion. For example, a red flag could be an email from a bank that uses a generic greeting like “Dear Customer” (when the bank usually uses your name) or an unsolicited attachment from someone you don’t know.
In short, it’s a warning to be cautious and double-check the email’s authenticity. If you notice a red flag, take the time to verify the message before doing anything with it.
How can I check if an email is real or fake?
Inspect the sender’s full address, hover over links, and look for personalization. Compare the tone and design with previous legitimate emails from that brand. To confirm urgent claims, navigate to the company’s site manually—never via embedded links—or call customer support using a number you located yourself (not the one provided in the email). Free tools like email-header analyzers can also validate domains. If anything feels off, assume it’s phishing until proven otherwise.
Is it safe to open a phishing email without clicking anything?
Yes—just opening the email to read its text is generally safe, as long as you don’t click any links or download attachments. Modern email systems won’t execute harmful code just from opening a message. So if you realize an email is phishing but you only opened it and then closed it, your computer should be fine.
That said, it’s best not to interact with suspicious emails at all. Don’t reply or click “enable images” or any buttons. If you identify an email as a likely phish, the safest move is to delete it. Simply reading it is okay; taking action on it is what can cause trouble.
Who do I contact if I gave personal information to a scammer?
For financial details, call your bank or credit card issuer to freeze or monitor your accounts. Exposed credentials? Change passwords and enable MFA. If your personal identifiers (e.g., Social Security number) were leaked, place a fraud alert or credit freeze with major bureaus. Report the incident to local police or your national cybercrime unit. In the U.S., IdentityTheft.gov offers step-by-step recovery resources.
Are phishing emails always from strange addresses?
No. Attackers spoof domains or hack real accounts, so some phishing emails appear to come from trusted senders. Always check the entire address, not just the display name, and look for other red flags in the content. If an email from a familiar contact seems odd—urgent money request, unexpected attachment—verify through another channel before acting.
Can phishing emails come from people I know?
Yes. A friend’s or colleague’s account may be hijacked, or a scammer may spoof their address. You can even receive a phishing email that appears to be sent from your own email address. This is possible because email headers, including the “From” address, can be forged. Scammers don’t need to compromise your account to make it look like you sent yourself an email. They manipulate the email’s metadata.
This type of phishing—like many others—wants to confuse or alarm you, suggesting your account has been compromised and demanding action. Treat unusual requests—even from known contacts—with caution. Confirm any unexpected instructions, such as money transfers or confidential data, via phone or a new email thread sent to an address you type manually. Trust, but always verify when stakes are high.
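The “email-header analyzer” idea from the earlier question about checking whether an email is real, and the forged “From” address described here, can both be checked in code. This added example (written for this article, not a tool from the page) parses the Authentication-Results header that a receiving mail server adds and reports whether the visible From domain is actually backed by an aligned SPF or DKIM pass; the two sample messages are constructed for the example.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first shows a bank in the visible From
# header while the server-side checks show it was really sent by an unrelated domain;
# the second is what a properly authenticated message from the same bank looks like.
SPOOFED = b"""From: "Your Bank" <alerts@bankofamerica.com>
To: you@example.com
Subject: Suspicious activity detected - log in now!
Return-Path: <bounce@mail-campaign.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-campaign.example; dkim=none; dmarc=fail header.from=bankofamerica.com

Your account will be suspended unless you verify today.
"""

LEGIT = b"""From: "Bank Alerts" <alerts@bankofamerica.com>
To: you@example.com
Subject: Your monthly statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bankofamerica.com; dkim=pass header.d=bankofamerica.com; dmarc=pass header.from=bankofamerica.com

Log in from the app or by typing our address yourself.
"""


def parse_auth_results(value: str) -> dict:
    """Split an Authentication-Results header into {method: {"result": ..., prop: value}}."""
    results = {}
    # The first ';'-separated field is the authserv-id, i.e. the server that ran the checks.
    # Only trust this header when that id is your own provider: a sender can insert a fake
    # one, and good providers strip such copies before delivery.
    for clause in value.split(";")[1:]:
        parts = clause.split()
        if not parts:
            continue
        method, _, verdict = parts[0].partition("=")
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        results[method.lower()] = {"result": verdict.lower(), **props}
    return results


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC-style alignment: same domain, or one is a subdomain of the other."""
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a) and (a == f or a.endswith("." + f) or f.endswith("." + a))


def assess(raw: bytes) -> dict:
    """Report whether the visible From domain is backed by an aligned SPF or DKIM pass."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rsplit("@", 1)[-1].lower()
    header = msg.get("Authentication-Results")
    results = parse_auth_results(str(header)) if header else {}
    spf, dkim = results.get("spf", {}), results.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain)
    findings = []
    if not results:
        findings.append("no Authentication-Results header: the From domain was never verified")
    elif not (spf_ok or dkim_ok):
        findings.append(f"From domain '{from_domain}' is not backed by an aligned SPF or DKIM pass")
    if results.get("dmarc", {}).get("result") == "fail":
        findings.append("receiving server recorded a DMARC failure")
    return {"display_name": display_name, "address": address, "from_domain": from_domain,
            "authenticated": bool(spf_ok or dkim_ok), "findings": findings}


if __name__ == "__main__":
    for sample in (SPOOFED, LEGIT):
        print(assess(sample))
```

In a mail client, the raw headers are usually available under an option such as “Show original” or “View source”; paste them into a file and run assess() on its bytes.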
If ExpressVPN has an email list of their addresses they use, I would like to be redirected there. If not it would be a great tool for a future addition.
I believe the email I have just isn’t working by ExpressVPN, but I’ll never know until I can look up a reference of emails ExpressVPN uses/owns.
I was caught by one, by reading email on my phone. It was only when I looked at it on a desktop client that I saw there was a second message below, which was there to fool the spam filter. Had I scrolled all the way down to the bottom of the message, I would have seen that it was an obvious fake. This was a very expensive mistake.
Great tips. Another tell, even though the sender’s email may look legit on first glance, click on the down arrow to the right of the sender. This will expose the “complete” address versus just the pre @.
You had a few grammatical errors. How do I know you’re legit?
“A top tip is to type the company’s name in a search engine to see what email domain it uses.”
Thank you for a helpful article! I don’t see this information when I type my bank’s name in a search engine. Maybe I’m not looking in the right place?
Hey John, in your example, type your bank’s name into a search engine. Then click the search result for the official site. When it loads up, pay close attention to the full URL in the address bar—that’s the official domain they use and what likely follows the “@” symbol in your bank’s legitimate email address. Hope that helps!