The 7 Phishing Red Flags You Keep Missing
Phishing works because it looks normal. Here are seven concrete red flags that reveal a scam email or message — and the one habit that beats all of them.

Phishing isn't going away — it's getting better, now polished by AI. But the underlying tricks are consistent. Learn these seven red flags and most scams reveal themselves before they catch you.

1. Urgency and threats
"Your account will be closed in 24 hours." "Unusual login — verify now." Manufactured panic is the number-one tool, designed to make you act before you think. Real companies rarely threaten you on a countdown.
2. The sender address doesn't match
The display name says "Apple," but the real address behind it is on a domain the company doesn't use. Always expand and read the real address, not the friendly name, and check the part after the @ against the domain the company actually sends from.
3. Links that don't go where they claim
Hover (or long-press on a phone) to reveal the true destination, and read the host, the part between "https://" and the first slash, not just the start of the address. If the text says one thing and the URL says another, stop. (Our guide on telling if a link is safe covers this in depth.)
4. Generic or slightly-off greetings
"Dear Customer" from a company that knows your name, or oddly formal phrasing, is a tell. AI has improved scam grammar, so don't rely on typos alone — but awkward, generic openings still leak through.
5. Unexpected attachments
An invoice you didn't expect, a "receipt," a "shipping label" as a file. Attachments are a classic malware delivery route. If you weren't expecting it, don't open it.
6. Requests for credentials or codes
No legitimate company will ask for your password, full card number, or a one-time code by email or chat. Companies do send codes, but they never ask you to repeat one back: anyone asking you to "read back the code we just sent" is trying to defeat your two-factor authentication.
7. It's too good (or too scary) to be true
Refunds you didn't earn, prizes you didn't enter, fines you don't recognise. Strong emotion — greed or fear — is the lever.
The one habit that beats all seven: never act through the message. Go to the site or app yourself.
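Flags 2 and 3 are the two a machine can check for you. The script below is an added example, not code from the original article: it parses a raw email, compares the friendly display name against the real sender domain, and compares each link's visible text against where the link actually goes. The message it scans is constructed for the example, uses only reserved example.* domains, and the KNOWN_BRANDS map is an assumption you would replace with the brands and sending domains you actually expect mail from.

```python
"""Scan a raw email for two phishing red flags: a display name that claims a
brand the sender address doesn't belong to, and link text that reads like a
URL but points somewhere else. Added example; the message and domains below
are constructed, and KNOWN_BRANDS is an assumed brand-to-domain map."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands you expect mail from and the domains they really send from.
KNOWN_BRANDS = {"example bank": {"example.com", "mail.example.com"}}


def domain_of(address):
    """Part of an address after the @, lower-cased."""
    return address.rpartition("@")[2].lower()


def sender_mismatch(from_header):
    """Return (display_name, real_address) when the friendly name claims a
    known brand but the real address is not on that brand's domain, else None."""
    name, addr = parseaddr(from_header)
    for brand, domains in KNOWN_BRANDS.items():
        if brand in name.lower() and domain_of(addr) not in domains:
            return name, addr
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True if the visible link text reads like a URL or bare domain."""
    t = text.lower()
    return t.startswith(("http://", "https://")) or ("." in t and " " not in t)


def host_of(text):
    """Host of a URL, or of a bare domain with no scheme."""
    if not text.lower().startswith(("http://", "https://")):
        text = "https://" + text
    return (urlparse(text).hostname or "").lower()


def deceptive_links(html):
    """Return (visible text, real href) pairs where the text names one host
    and the link goes to another."""
    p = LinkCollector()
    p.feed(html)
    return [(text, href) for href, text in p.links
            if looks_like_url(text) and host_of(text) != host_of(href)]


def scan(raw):
    """Return a list of human-readable findings for one raw email."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    m = sender_mismatch(msg["From"] or "")
    if m:
        flags.append(f"sender mismatch: display name {m[0]!r} but real address {m[1]}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in deceptive_links(body.get_content()):
            flags.append(f"deceptive link: text says {text!r} but goes to {href}")
    return flags


# Constructed sample message: reserved example.* domains, nothing real.
SAMPLE = """\
From: "Example Bank Security" <alerts@example-bank-verify.example.net>
To: you@example.org
Subject: Unusual login - verify within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in at <a href="https://login.example-bank-verify.example.net/x">https://www.example.com/login</a>
to keep your account open.</p>
<p><a href="https://www.example.com/help">Help centre</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run against the sample it reports both flags: the display name "Example Bank Security" sits on an address outside the bank's domains, and the link whose text reads https://www.example.com/login actually goes to login.example-bank-verify.example.net. The "Help centre" link is left alone because its text makes no claim about a destination. Note the host comparison is on the full hostname, so every legitimate sending subdomain has to be listed in KNOWN_BRANDS; that is deliberate, since a lookalike subdomain under an attacker's domain must still count as a mismatch.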
The habit that wins
You won't catch every flag every time, especially when busy. So build one reflex: when a message wants you to log in, pay, or share a code, don't use its links. Open the official app or type the address yourself. That single habit neutralises phishing even when the disguise is perfect, and it pairs well with passkeys, which are bound to the real site's address and so will not sign you in to a lookalike, no matter how convincing it looks.
Key takeaways
- Urgency, mismatched senders and deceptive links are the top tells.
- No real company asks for passwords or one-time codes by message.
- AI fixed the typos — don't rely on bad grammar alone.
- Best habit: reach the site yourself, never through the message.
Frequently asked questions
What should I do if I think I clicked a phishing link?
Don't panic. If you entered a password, change it immediately (and anywhere you reused it), sign out of other sessions where the service offers that option, turn on two-factor authentication, and watch for unusual activity. If you also typed in a one-time code, assume it has already been used and check the account's recent activity and recovery settings. If it was a work device, tell IT right away.
Why does phishing still work on smart people?
Because it targets emotion and busyness, not intelligence. A convincing message at a stressful moment beats knowledge. That's why a verification habit matters more than just 'being careful'.