A phishing email is a fake email trying to trick you into giving up a password, bank information, or money. They’ve gotten very realistic, but five simple checks catch almost all of them.
The five checks
Look at the sender's address (not just the name)
Hover your mouse over the sender’s name — or tap it on your phone — to see the real email address. A real email from Amazon comes from something ending in @amazon.com. A phishing email comes from @amaz0n-support.com, @amazon.security-center.co, or similar look-alike.
Watch for urgency and threats
“Your account will be closed in 24 hours.” “Confirm your information immediately.” “You owe $950 in back taxes.” Real companies, especially your bank and the government, move slowly. They send letters on paper. Urgency is a scam’s favorite tool.
Never click the link — go to the site yourself
If the email says “click here to update your payment,” don’t click. Open a new browser tab and type amazon.com (or chase.com, or irs.gov) yourself. If there’s really a problem, you’ll see it there too.
Look for typos and weird phrasing
Big companies pay people to proofread their emails. Scammers often don’t. “Kindly confirm your acount details” is a giant red flag. So is any email that calls you “Dear Customer” when the company knows your real name.
Never open unexpected attachments
If your cousin suddenly emails a PDF labeled “invoice.pdf” that you weren’t expecting, call her. Her email may have been hacked. Real viruses spread by exactly this trick.
What to do with a phishing email
- Don’t reply. Even clicking unsubscribe tells the scammer your address is real.
- Report it. In Gmail, tap the three-dot menu → Report phishing. In Outlook, click the Report → Phishing button. Apple Mail has Report Junk.
- Delete it. After reporting, delete and empty the trash.
- If you already clicked something: change your password for that site, and turn on two-factor authentication if it’s offered.
Common current scams
- “Your package couldn’t be delivered” — USPS, UPS, FedEx all do deliver missed packages, but they don’t ask for a credit card via email.
- “Your Microsoft account will close” — Microsoft never sends these. Real account notices show up inside
account.microsoft.com. - “You have an unpaid toll” — every US state toll system has been impersonated in 2025-26. Go to the real state site directly.
- “Grandma, I’m in trouble” — the grandchild scam. It’s almost always fake. Call the real grandchild’s normal number to confirm.
What’s next
Want a private place to work on worried documents? Read our email a PDF guide and check out the free, private PDF tool we recommend if you need to edit, merge, or redact anything first.