
How to Spot a Phishing Email: A Defender's Checklist

Spotting a phishing email means checking the sender domain, tone, links, attachments, and above all the request, then confirming with the email headers before you act.

The fastest phishing victims click in 21 seconds. That is the median time between opening the email and clicking the malicious link, according to Verizon's 2026 Data Breach Investigations Report. No security team reacts that fast. The only control that operates inside those 21 seconds is the person reading the message.

That is why spotting a phishing email is a skill worth drilling, for everyone on staff and especially for the analyst who triages what gets reported. The 2026 DBIR attributes 62% of breaches to the human element and finds phishing was the initial access in 16% of them. The message that starts a breach almost always looks ordinary. The skill is seeing past how it looks to what it is asking you to do.

This guide is a checklist. It covers the signals that matter, in the order you should check them: the sender, the message itself, the links and attachments, and the request. Then it covers what an analyst does with the headers when a user reports one, because reading a raw header is where a hunch becomes a verdict.

Why phishing emails are hard to spot

A modern phishing email is not the broken-English Nigerian-prince mail of a decade ago. Attackers buy or copy real brand templates, register lookalike domains, and increasingly use generative AI to write clean, context-aware messages with no spelling tells at all. The old advice to "watch for typos" is close to useless now.

What has not changed is the underlying mechanism. A phishing email has to do two things: convince you it is from someone you trust, and get you to take an action that helps the attacker. Every detection signal traces back to one of those two requirements. The disguise leaves seams, and the request is something a legitimate sender would not actually make. You learn to look at both.

The other reason these are hard: they exploit speed. Authority, urgency, and fear are the standard levers, and all three are designed to make you act before you inspect. The single most effective habit is slowing down on any message that wants money, credentials, or an MFA approval. That pause is where every check below happens.

The signals: what to check, in order

Phishing email: check in order

Five checks, top to bottom. Any one strong signal is enough to stop and report; the request is the most reliable.

  1. Sender: read the domain, not the display name. Watch lookalikes: micros0ft.com, paypa1.com.
  2. Tone: greeting and pressure. Generic "Dear Customer" plus engineered urgency.
  3. Links: hover, do not click. Text says one thing, destination says another.
  4. Attachments: unexpected files. .html, .zip, "enable content", invoice.pdf.exe.
  5. The request: what does it want? Credentials, an MFA approval, or a payment. The strongest signal.

Verdict: do not click, report. The median victim clicks in 21 seconds; the pause to run these checks is the only control that operates inside that window.

Most phishing emails fail at least one of these checks. Run them top to bottom. Any single strong signal is enough to stop and report; multiple weak signals together are also a verdict.

1. The sender address, not the display name

The display name is free to set and means nothing. "Microsoft Support" or your CEO's full name in the From field is trivial to spoof. Click or hover to reveal the actual email address behind it.

Look for the real domain. A message claiming to be from your bank that comes from secure-chase-alerts.com instead of chase.com is the whole tell. Watch for lookalike domains that read correctly at a glance: paypa1.com with a digit one, micros0ft.com with a zero, or an extra word like account-apple.com. Attackers also abuse legitimate services, sending from a real cloud or survey platform so the domain itself passes inspection. The domain check is necessary but not sufficient.

2. The greeting and the tone

A bank that has your name does not address you as "Dear Customer." Generic greetings on a message about a specific account are a flag. So is a tone that does not match the supposed sender: a curt, demanding note from a vendor you have a friendly relationship with, or unusual phrasing from a colleague.

Watch the emotional pressure. "Your account will be suspended in 24 hours," "unauthorized login detected, verify now," "the wire must go out today" are all engineered urgency. Real institutions rarely threaten you into immediate action through email.

3. The links, before you click

Hover over every link and read the status-bar URL without clicking. The visible link text can say https://www.microsoft.com while the actual destination is something else entirely. The mismatch is the signal.

Inspect the real domain the same way you inspected the sender: lookalikes, extra subdomains designed to mislead (microsoft.com.login-secure.ru, where the real domain is login-secure.ru), URL shorteners that hide the destination, and raw IP addresses in place of a hostname. A login page reached from an email link deserves special suspicion, because credential harvesting is the most common payload. When in doubt, navigate to the site yourself in a new tab rather than clicking through.
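The sender check in section 1 and the hover check here are the same test applied to two places: the registrable domain, not the label you see first. The helper below is an added example, not code from the original page; the protected-brand list, the shortener list and the link pairs are constructed assumptions, and the two-label "registrable domain" is a deliberate simplification of the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlparse

# Brands to protect and shorteners to flag: a constructed list, an assumption of this example.
PROTECTED_DOMAINS = ("microsoft.com", "paypal.com", "chase.com", "apple.com")
SHORTENERS = ("bit.ly", "t.co", "tinyurl.com")
# Digit-for-letter swaps seen in lookalikes such as micros0ft.com and paypa1.com.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable_domain(host: str) -> str:
    """Last two labels; a real tool would consult the Public Suffix List (co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_findings(host: str) -> list:
    """Signals from the destination host alone; the same test applies to a sender domain."""
    host = host.lower()
    try:
        ipaddress.ip_address(host)
        return ["raw-ip-host"]  # bare IP in place of a hostname
    except ValueError:
        pass
    reg, findings = registrable_domain(host), []
    if reg in SHORTENERS:
        findings.append("url-shortener")
    for brand in PROTECTED_DOMAINS:
        if reg == brand:
            return findings  # genuinely the brand's own domain
        if host.startswith(brand + ".") or "." + brand + "." in host:
            findings.append(f"brand-as-subdomain:{brand}")  # microsoft.com.login-secure.ru
        elif brand.split(".")[0] in reg.translate(HOMOGLYPHS):
            findings.append(f"lookalike:{brand}")  # micros0ft.com, account-apple.com
    return findings  # heuristic: a brand name inside an unrelated word can false-positive

def link_findings(text: str, href: str) -> list:
    """Host signals plus the hover check: visible URL text vs the real destination."""
    dest_host = urlparse(href if "://" in href else "http://" + href).hostname or ""
    findings = host_findings(dest_host)
    shown = text.strip()
    if "." in shown and not any(c.isspace() for c in shown):  # text itself looks like a URL
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(dest_host):
            findings.append("text-destination-mismatch")
    return findings

def assess_links(links) -> dict:
    """Map each href to its findings; an empty list means nothing flagged."""
    return {href: link_findings(text, href) for text, href in links}

# Constructed (visible text, href) pairs as a client would extract them; the IP is a documentation address.
SAMPLE_LINKS = [
    ("https://www.microsoft.com/account", "https://microsoft.com.login-secure.ru/verify"),
    ("invoice", "http://198.51.100.23/inv.html"),
    ("Security tips", "https://www.microsoft.com/security"),
]
```

Run `assess_links(SAMPLE_LINKS)` to see the first link flagged twice (brand used as a subdomain, text pointing elsewhere), the second as a raw IP, and the real microsoft.com link left clean.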

4. Attachments and unexpected files

An unexpected attachment is one of the highest-risk elements in any email. Be wary of file types that can execute or carry macros: .html files that render a fake login page locally, .zip or .iso archives that hide an executable, Office documents that ask you to "enable content," and anything with a double extension like invoice.pdf.exe. A real invoice from a known vendor in a normal format is routine; an unexpected document that pushes you to enable macros is not.

5. The request itself

This is the most reliable signal because it does not depend on the disguise being imperfect. Ask what the email wants you to do. Phishing almost always wants one of a small set of things:

  • Enter your username and password on a linked page.
  • Approve an MFA prompt or share a one-time code.
  • Pay an invoice, change banking details, or move money.
  • Open an attachment or enable its content.
  • Reply with sensitive data: payroll, tax forms, employee lists.

A legitimate sender rarely needs you to do any of these through an unsolicited email under time pressure. A request for a payment change that arrives only by email, with a reason you cannot verify, is the signature of business email compromise (BEC), the most expensive category of email fraud. The FBI's Internet Crime Complaint Center logged roughly $3 billion in BEC losses in 2025 alone, and most of those messages carried no malware and no broken English. They simply asked.

A side-by-side: legitimate vs phishing

The same notification, sent two ways. The differences are the checklist in practice.

Signal           | Legitimate message                  | Phishing message
Sender domain    | [email protected]                   | [email protected]
Greeting         | Uses your real name                 | "Dear Customer" or "Dear User"
Link destination | Goes to paypal.com                  | Goes to a lookalike or shortened URL
Tone             | Informational, no deadline          | Urgent, threatens suspension
Request          | Log in via the app or site yourself | Click this link and confirm your password
Attachment       | None, or an expected receipt        | Unexpected .html or .zip to "verify"
Reply-to         | Matches the sending domain          | A different, unrelated address

No single row proves anything on its own. A real notification can be urgent, and a good fake can use your name. The verdict comes from the pattern across rows, weighted toward the request: when the message wants credentials, money, or an MFA approval and any other signal is off, treat it as phishing until proven otherwise.

Reading the header: how an analyst confirms it

When a user reports a suspicious email, eyeballing the body is the start, not the finish. The proof is in the headers, and reading them is the core skill a SOC analyst brings to phishing triage. The full header records the path the message took and the results of the authentication checks the receiving server ran.

Three checks tell you most of what you need:

  • From vs Return-Path vs Reply-To. The visible From can be forged. Compare it to the Return-Path (where bounces go) and the Reply-To (where your reply actually goes). A From of your CEO with a Reply-To at a free webmail address is a forged display name aimed at a reply, the classic BEC setup.
  • SPF, DKIM, and DMARC results. The Authentication-Results header records whether the sending server was authorized for the domain (SPF), whether the message was signed and unaltered (DKIM), and whether the two align with the visible From domain (DMARC). A dmarc=fail or spf=fail on a message claiming to be from a real brand is strong evidence of spoofing.
  • The Received chain. The stack of Received lines traces the servers the message passed through, bottom to top. The originating server and IP at the bottom often contradict the claimed sender: a "bank" email that originated from a residential IP in an unrelated country is not from the bank.

These checks are exactly what a secure email gateway automates at scale, but the analyst still has to read them by hand on the messages that slip through and get reported. From the header the analyst extracts the indicators that drive the rest of the response: the sending IP, the originating domain, the embedded URLs, and any attachment hashes.
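The three header checks above, scripted over a raw message with the standard library. This is an added example, not the page's own tooling; the message is constructed, every host, address and IP in it is a documentation value, and the verdict rule (spf or dmarc fail means likely spoof) is the checklist's weighting, not a standard.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message for triage; every address, host and IP is a documentation value.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby inbox.corp.example with ESMTPS; Tue, 3 Mar 2026 09:14:02 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mx.corp.example with ESMTP; Tue, 3 Mar 2026 09:14:01 +0000
Authentication-Results: mx.corp.example;
\tspf=fail smtp.mailfrom=mail-relay.example.net;
\tdkim=none;
\tdmarc=fail header.from=chase.com
From: "Chase Alerts" <alerts@chase.com>
Reply-To: chase.verify@webmail.example.org

Your account will be suspended in 24 hours unless you verify.
"""

def domain_of(header_value) -> str:
    """Domain part of the address in a header, lowercased; '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from Authentication-Results (folded lines included)."""
    joined = " ".join(msg.get_all("Authentication-Results", []))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", joined, re.I)}

def originating_ip(msg) -> str:
    """IP in the bottom-most Received line: the earliest hop the receiving side saw.
    Hops below the first trusted relay can be forged, so treat it as a lead, not proof."""
    received = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return m.group(1) if m else ""

def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom  # no Reply-To means replies go to From
    return_dom = domain_of(msg["Return-Path"])
    auth, flags = auth_results(msg), []
    if reply_dom != from_dom:
        flags.append("reply-to-mismatch")  # the classic BEC setup
    if return_dom and return_dom != from_dom:
        flags.append("return-path-mismatch")  # bounces go somewhere else
    flags += [f"{k}={v}" for k, v in auth.items() if v != "pass"]
    strong = {"dmarc=fail", "spf=fail"} & set(flags)  # spoofing evidence per the checklist
    verdict = "likely-spoof" if strong else ("review" if flags else "clean")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom, "return_path_domain": return_dom,
            "auth": auth, "originating_ip": originating_ip(msg), "flags": flags, "verdict": verdict}
```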

What to do when you spot one

For a user, the action is short. Do not click, do not reply, do not open the attachment. Report it through your organization's report-phish button or to the security team, then delete it. If you already clicked or entered anything, say so immediately. Speed limits the damage, and a blameless report is the fastest way the security operations center learns a campaign is live.

For an analyst, a confirmed phish kicks off a repeatable loop:

  1. Confirm and extract. Verify it is malicious from the headers and body, then pull the indicators: sender address, originating IP, URLs, file hashes.
  2. Scope it. Search the mail platform for every copy. One report usually means dozens of deliveries. Find who received it and, critically, who clicked or entered credentials.
  3. Contain. Purge the message from all mailboxes, block the indicators at the gateway and firewall, reset credentials for anyone who fell for it, and revoke active sessions to kill stolen tokens.
  4. Hunt. Check for follow-on activity: new inbox forwarding rules, logins from unusual locations, MFA changes. Feed the indicators into detections so the next instance is caught automatically.

When a click leads to a confirmed account takeover, this rolls into full incident response. The skill that matters most is the same one the user needs, scaled up: reading the message and the header and telling a real attack from noise.

Building the habit

Spotting phishing is pattern recognition, and it improves with reps. Three things build it faster than passive reading.

  1. Run the checklist consciously on real mail until it becomes automatic. Hover before you click. Read the sender domain, not the name. Ask what the message wants.
  2. Practice on headers. Learn to read Authentication-Results and the Received chain on messages you already know are safe, so you can read them fast on ones you do not.
  3. Work real cases. Trace a phishing email from the lure through the click to the credential theft, so you see the whole chain and not just the bait.

Frequently Asked Questions

What is the first thing to check in a suspicious email?

Check the sender's actual email address, not the display name. The display name is trivial to fake, so hover or click to reveal the real address and read the domain behind it. A mismatched or lookalike domain on a message claiming to be from a brand you know is one of the strongest single signals that the email is phishing.

How can you spot a phishing email if there are no spelling mistakes?

Stop relying on typos. Modern phishing, often written with AI, is clean. Check the sender domain, hover over links to read the real destination, and most importantly ask what the message wants you to do. A clean, professional email that pressures you to enter credentials, approve an MFA prompt, or move money is still phishing regardless of how polished it reads.

Can you tell a phishing email is fake without clicking anything?

Yes, and you should never need to click to decide. Inspect the sender address, hover over links to preview their true destination, read the greeting and tone, and evaluate the request, all without clicking or opening attachments. If the message asks for credentials, payment, or an MFA approval under time pressure, treat it as phishing and report it.

What does an analyst look at in email headers?

An analyst compares the From, Return-Path, and Reply-To addresses for mismatches, reads the SPF, DKIM, and DMARC results in the Authentication-Results header to detect spoofing, and traces the Received chain to find the true originating server and IP. Together these confirm whether the message really came from who it claims to and supply the indicators used to scope and contain the campaign.

What should I do if I think I received a phishing email?

Do not click links, open attachments, or reply. Report it through your organization's report-phish button or to your security team, then delete it. If you already clicked a link or entered credentials, report that immediately so the team can reset your password, revoke active sessions, and check for follow-on activity. Reporting fast limits the damage.

Are phishing texts and phone calls the same threat as email?

They use the same psychology applied to a different channel. Smishing (text) and vishing (voice) often succeed at higher rates than email because users trust those channels more and security tooling there is thinner. The same checklist applies: distrust unsolicited urgency, verify the sender through a known channel, and never hand over credentials, codes, or money on an inbound message you did not initiate.

The bottom line

A phishing email has two jobs: look trustworthy and get you to act. Every check you run targets one of those. Read the sender domain instead of the display name, hover links before you click, distrust manufactured urgency, and above all ask what the message wants. When it wants credentials, money, or an MFA approval and anything else looks off, stop and report it.

For analysts, the body is the hunch and the header is the proof. Reading the From, Return-Path, Reply-To, the SPF and DMARC results, and the Received chain turns a reported message into extracted indicators and a scoped response. The same instinct works at both ends of the chain: the user who pauses for 21 seconds and the analyst who reads the header are doing the same job, which is telling a real attack from a routine inbox.
