How to spot a phishing email in 60 seconds
Modern phishing emails are indistinguishable from legitimate ones — even to IT professionals. Here is what actually separates them.
The threat you probably underestimate
In 2023, the FBI reported over $2.9 billion in losses from phishing attacks — and that only counts the cases reported. Security professionals estimate the true figure is 4–6x higher. The people who lost that money were not naive. They were doctors, lawyers, business owners, and retirees. They were people exactly like you — who thought they'd recognize a scam when they saw one.
They were wrong. And the reason they were wrong is that modern phishing emails are no longer the grammatically broken, obviously fake messages from Nigerian princes. Today's attacks are engineered by organized crime teams with branding assets, real-looking domains, and detailed knowledge of your life pulled from data breaches and social media. They know your name. They know who you bank with. They know you ordered a package last week.
What you are actually up against
A sophisticated phishing email today will:
- Use your bank's exact logo, color scheme, and footer boilerplate — often ripped directly from legitimate emails
- Come from a domain like security-alerts-bankofamerica.com — which passes a casual glance
- Reference real details: your first name, your account type, a recent transaction
- Create a time-pressured scenario that bypasses your deliberate thinking: "Your account has been locked. Verify within 24 hours or access will be permanently suspended."
- Use HTTPS — so the page shows a padlock icon, which only means the connection is encrypted, not that the site belongs to who it claims; most people still read the padlock as "safe"
Free tools like VirusTotal can tell you if a URL is on a blocklist. They cannot tell you whether an email is actually from your bank. That requires human judgment — and that's exactly the gap attackers exploit.
The 60-second checklist
- Check the sender's actual email address — hover over or tap the display name to reveal the full address. "Bank of America" can be sent from bofasupport@gmail.com. Look for domains that are close but wrong: paypa1.com, apple-id-support.net.
- Hover over every link before clicking — the destination URL appears in your browser's status bar (or as a tooltip in a desktop mail client). Does it match the company's actual domain? Link text that shows one address while the link goes somewhere else is a red flag on its own.
- Identify urgency language — "Act now," "Your account will be closed," "Verify immediately." Urgency is an engineered emotional trigger, not a genuine emergency signal.
- Check personalization — legitimate services know your full name. "Dear Customer" or "Dear Valued Member" is a red flag in any email from a company you have an account with.
- Look at the Reply-To address — it may differ from the From address, meaning your reply goes to the attacker even if the original looked legitimate.
- Verify out-of-band for any financial action — if the email asks you to confirm a payment, log in, or update credentials: call the organization directly using a number from their official website. Not the number in the email.
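The checklist above can be turned into an automated triage pass over a raw message. The script below is an added example written for this article, not MountainShield's code or a reproduction of its service; it assumes a small hypothetical allowlist of domains you actually do business with (KNOWN_DOMAINS), uses a crude "last two labels" notion of the brand domain instead of a public-suffix list, and extracts links with a regular expression rather than a full HTML parser. The two emails it analyzes are constructed samples. It flags the same indicators a human would check: a sender domain that merely contains or resembles the brand's domain, a Reply-To that differs from From, a generic greeting, urgency phrases, and link text that shows one domain while the href goes to another.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist: the domains this reader genuinely has accounts with.
KNOWN_DOMAINS = {"bankofamerica.com", "paypal.com", "apple.com"}

URGENCY_PHRASES = ("act now", "verify immediately", "will be closed",
                   "permanently suspended", "within 24 hours", "account has been locked")
GENERIC_GREETINGS = ("dear customer", "dear valued member", "dear user", "dear account holder")


def registrable_domain(host):
    """Crude brand domain: the last two labels. No public-suffix list, so co.uk-style hosts are mis-split."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; catches one-character lookalikes such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_verdict(host):
    """Return ('known' | 'lookalike' | 'unknown', matched known domain or None)."""
    host = host.lower()
    rd = registrable_domain(host)
    if rd in KNOWN_DOMAINS:
        return "known", rd
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        # Brand name embedded in an unrelated domain (security-alerts-bankofamerica.com).
        # This substring test will also hit innocent names like pineapple.com; accepted for a demo.
        if brand in host:
            return "lookalike", known
        # One or two characters off (paypa1.com vs paypal.com).
        if edit_distance(rd, known) <= 2:
            return "lookalike", known
    return "unknown", None


def analyze(raw):
    """Run the 60-second checklist over one raw RFC 5322 message; return a list of findings."""
    msg = message_from_string(raw, policy=default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    status, known = domain_verdict(from_host)
    normalized_display = re.sub(r"[^a-z0-9]", "", display.lower())
    if status == "lookalike":
        findings.append(f"sender domain {from_host} looks like {known} but is not it")
    elif status == "unknown" and any(k.split(".")[0] in normalized_display for k in KNOWN_DOMAINS):
        findings.append(f"display name '{display}' claims a brand but address is {addr}")

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()

    if any(g in lowered for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")

    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Regex anchor extraction: fine for constructed samples, not a substitute for an HTML parser.
    for href, anchor in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', text, flags=re.I | re.S):
        link_host = urlparse(href).hostname or ""
        l_status, _ = domain_verdict(link_host)
        if l_status != "known":
            findings.append(f"link to {link_host} ({l_status})")
        anchor = anchor.strip()
        anchor_host = urlparse(anchor).hostname if anchor.startswith("http") else None
        if anchor_host and registrable_domain(anchor_host) != registrable_domain(link_host):
            findings.append(f"link text shows {anchor_host} but goes to {link_host}")
    return findings


# Constructed sample: every indicator from the checklist in one message.
PHISH = """\
From: Bank of America <alerts@security-alerts-bankofamerica.com>
Reply-To: support@mail-verify-center.com
To: you@example.com
Subject: Your account has been locked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Member,</p>
<p>Your account has been locked. Verify within 24 hours or access will be permanently suspended.</p>
<p><a href="https://login.security-alerts-bankofamerica.com/verify">https://www.bankofamerica.com/login</a></p>
</body></html>
"""

# Constructed sample: what a legitimate notice looks like under the same checks.
LEGIT = """\
From: Bank of America <alerts@alerts.bankofamerica.com>
To: you@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane Doe,</p>
<p>Your statement is available. <a href="https://www.bankofamerica.com/statements">View statement</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw) or ["no indicators"])
```

Running it prints six findings for PHISH and none for LEGIT. The allowlist is the part that matters: without knowing which domains are genuinely yours, no script can tell a subdomain of the real bank from a registered lookalike, which is the same judgment the checklist asks of a human.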
The contexts where phishing succeeds most
Attackers time their campaigns deliberately. You are most vulnerable when:
- You recently made an online purchase and are expecting shipping notifications
- It is tax season — impersonation of the IRS, HMRC, or your country's revenue authority spikes every year
- You are busy, tired, or multitasking — deliberate thought requires mental resources
- The email references a recent public event, data breach, or service outage you already know about
- You have an account with the impersonated organization — which makes the scenario plausible
Why "I'll just Google it" is not enough
Searching for a company's name will find their legitimate website — but it won't tell you whether the email you received is real or forged. It won't analyze the email headers. It won't assess the URL structure. And it won't give you a next-step recommendation.
That's the difference between a search engine and a decision firewall. One returns information. The other gives you a verdict.
Still unsure? Submit it.
If you checked these indicators and are still uncertain — do not click. Submit the email content to MountainShield for advisory review. We assess sender legitimacy, link destination risk, and behavioral patterns to give you a clear recommendation within your plan's SLA. The cost of being wrong is measured in thousands of dollars and weeks of recovery. The cost of checking is a few minutes.