
7 Ways to Spot a Phishing Email

Phishing emails are getting more sophisticated. But they still leave clues. Here's how to spot them before they trick you - or someone you care about.

7 Phishing Warning Signs

  1. Check the sender's actual email address - not just the display name
  2. Look for urgency and threats - "Act now or your account will be closed"
  3. Hover over links before clicking - does the URL match the text?
  4. Watch for spelling and grammar mistakes - professional companies proofread
  5. Be suspicious of unexpected attachments - especially .exe, .zip files
  6. Verify requests for personal information - banks don't ask via email
  7. Check if the greeting is generic - "Dear Customer" vs your actual name

1. Check the Sender's ACTUAL Email Address

The "From" name can say anything. The email might say "Commonwealth Bank" but the actual address could be "support@cbank-security-alert.com" - not a real bank domain.

Red flags:

  • Random numbers or letters in the domain (secure-login-872634.com)
  • Misspellings (arnazon.com, paypa1.com, rnicrosft.com)
  • Extra words added (commbank-security.com instead of commbank.com.au)

2. Beware of Urgency and Threats

Scammers create panic. They want you to act before you think. Legitimate companies rarely send "YOUR ACCOUNT WILL BE CLOSED IN 24 HOURS" emails.

Common pressure tactics:

  • "Act now or lose access"
  • "Your account has been compromised"
  • "Legal action will be taken"
  • "You have 2 hours to respond"

3. Hover Over Links (Don't Click!)

Before clicking any link, hover your mouse over it. Look at the URL that appears (usually at the bottom of your browser or in a tooltip). Does it match where you'd expect to go?

What to look for:

  • The link text says "commbank.com.au" but the actual URL is different
  • Shortened links (bit.ly, tinyurl) in professional emails
  • HTTP instead of HTTPS for sensitive sites
  • Random long URLs with lots of parameters
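
The hover check can also be done mechanically on an email's HTML body. The sketch below is an added example, not code from this article or from TrustNope: it flags the first three items in the list above. The function names, flag names and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com"}  # the two services the article names
class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname (lower case, no leading www.) of a URL or bare domain, else None."""
    if "://" not in value:
        if not re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", value, re.I):
            return None  # ordinary link text such as "Click here"
        value = "http://" + value
    return (urlparse(value).hostname or "").lower().removeprefix("www.")

def check_links(html):
    """Return (visible text, real host, flags) for each link with a warning sign."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown, flags = host_of(href), host_of(text), []
        # The real host must be the displayed domain or one of its subdomains.
        if shown and real != shown and not (real or "").endswith("." + shown):
            flags.append("text-url-mismatch")
        if real in SHORTENERS:
            flags.append("shortened-link")
        if urlparse(href).scheme == "http":
            flags.append("http-not-https")
        if flags:
            findings.append((text, real, flags))
    return findings

SAMPLE_HTML = (  # constructed email body; the .example host and bit.ly path are made up
    '<a href="http://commbank.com.au.verify-login.example/s?id=1">commbank.com.au</a>'
    '<a href="https://bit.ly/EXAMPLE">View your statement</a>'
    '<a href="https://www.commbank.com.au/support">www.commbank.com.au</a>')
```

Running `check_links(SAMPLE_HTML)` reports the first two links and passes the third, where the displayed domain and the real destination agree.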
4. Look for Generic Greetings

Your bank knows your name. If an email starts with "Dear Customer" or "Dear User" instead of your actual name, be suspicious. Legitimate companies personalize their communications.

Generic openings to watch for:

  • "Dear Valued Customer"
  • "Hello User"
  • "Dear Account Holder"
  • No greeting at all, just jumping into the message

5. Check for Spelling and Grammar Errors

Major companies have professional communications teams. Emails full of typos, weird phrasing, or obvious grammar mistakes are red flags. That said, scammers are getting better - don't rely on this alone.

Common errors in phishing emails:

  • Inconsistent capitalization ("your Account has Been Locked")
  • Awkward phrasing ("Please to verify your identity")
  • Mixed formal and informal language

6. Be Suspicious of Attachments

Unexpected attachments - especially .exe, .zip, or Office files with macros - can contain malware. If you weren't expecting a document, don't open it.

Dangerous attachment types:

  • .exe, .scr, .bat (executable files)
  • .zip or .rar with password (hides content from scanners)
  • .doc or .xls asking you to "enable macros"
  • Unexpected invoices, receipts, or documents

7. When in Doubt, Verify Independently

If an email asks you to do something - pay money, update credentials, confirm information - verify through a separate channel. Go to the company's website directly (type the URL yourself, don't click the link) or call using a number from the official website.

Safe verification methods:

  • Type the company's URL directly into your browser
  • Call the number on the back of your card or official website
  • Log into your account directly (not through the email link)
  • Ask someone you trust if the email seems legitimate

The Golden Rule

If something feels off, it probably is.

Trust your instincts. Legitimate companies would rather you call to verify than become a victim of fraud.

Where TrustNope Fits

TrustNope adds another layer to your defence. Even if an email looks perfect, you can check whether the sending domain has proper email authentication. A "Nope" verdict means the domain can be easily spoofed - extra caution is warranted.

But remember: TrustNope checks domains, not individual emails. A well-protected domain can still have compromised accounts. Use all these tips together for the best protection.

Share This With Someone You Care About

Phishing doesn't just target tech experts. Share these tips with friends and family who might be vulnerable.
