Reading A Phishing Email Like A Pro
You can't trust how an email looks anymore. AI writes them perfectly. Logos are copied pixel-for-pixel. Sender names are spoofed. The grammatical tells of 2020 are gone.
So how do you actually check?
Three places to look. Every single time. 30 seconds total.
Check 1 — The Sender's Actual Email Address
Every email has two parts to the "From" field:
- Display name — what you see most prominently. "PayPal Support", "Bank of America Customer Service", "Apple Account". This is trivial to fake. The scammer types whatever they want here;
- Actual email address — the part inside angle brackets, like <service@paypal.com>. This is harder to fake, but easy to make look right.
To see the actual address: on a desktop, click the sender name to expand. On a phone, tap the sender header.
The real test: does the domain after the @ symbol match the company exactly?
PayPal sends emails from paypal.com. Not from:
- paypal-secure.com;
- paypal.com-verify.net;
- secure-paypal.com;
- paypaI.com (lowercase "L" replaced with capital "i" — same shape, different character);
- paypa1.com (lowercase "l" replaced with number "1");
- paypal-support@gmail.com (anyone can sign up for a Gmail address with any name).
Real companies use their own exact domain. No exceptions. If you're not sure what their real domain is, look up their official website by typing the company name into Google — never trust the email itself for confirmation.
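Check 1 as a script, added here as an example and not part of the chapter: it pulls the actual address out of a "From:" header with Python's standard email parser and applies the exact-domain test, reporting which of the tricks above it found. The webmail list and the confusable-character table are assumptions for illustration; the sample headers are constructed.

```python
# Added example, not from the chapter: pull the actual address out of a
# "From:" header and apply Check 1, an exact match of the domain after "@".
# The sample headers in main() are constructed for illustration.
from __future__ import annotations
from email.utils import parseaddr

# Assumed free-webmail providers; anyone can register any display name there.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Characters scammers swap for look-alike letters: capital I for l, 1 for l, 0 for o.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})


def sender_parts(from_header: str) -> tuple[str, str, str]:
    """Split a From: header value into (display name, address, raw domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name, addr, domain


def check_sender(from_header: str, real_domain: str) -> tuple[bool, str]:
    """Check 1: True only if the domain matches exactly; otherwise explain why not."""
    name, addr, raw_domain = sender_parts(from_header)
    domain = raw_domain.lower()
    if not domain:
        return False, "no parsable address in the From: header"
    if domain == real_domain:
        return True, f"{addr}: domain {domain} matches exactly"
    if domain in FREEMAIL:
        return False, f"{addr}: {domain} is free webmail, anyone can sign up with the name '{name}'"
    # Compare with look-alike characters normalised away (paypaI.com, paypa1.com).
    if raw_domain.translate(CONFUSABLES).lower() == real_domain:
        return False, f"{addr}: {raw_domain} is a lookalike of {real_domain} (swapped characters)"
    # paypal-secure.com, paypal.com-verify.net: the brand is in there, the domain is not.
    if real_domain.split(".")[0] in domain:
        return False, f"{addr}: {domain} contains the brand name but is not {real_domain}"
    return False, f"{addr}: {domain} is not {real_domain}"


if __name__ == "__main__":
    # Constructed sample headers: one real sender and four fakes.
    samples = [
        '"PayPal Support" <service@paypal.com>',
        '"PayPal Support" <service@paypal-secure.com>',
        '"PayPal Support" <alerts@paypaI.com>',
        '"PayPal Support" <alerts@paypa1.com>',
        '"PayPal Support" <paypal-support@gmail.com>',
    ]
    for header in samples:
        ok, why = check_sender(header, "paypal.com")
        print("REAL " if ok else "FAKE ", why)
```

The display name is deliberately ignored for the verdict; it only appears in the explanation, which is the point of Check 1.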
Check 2 — Hover Over Every Link
The link text is just words. The link destination is what actually happens when you click. They can be completely different.
An email might display "Click here to verify: paypal.com/login" — but the actual link could send you anywhere.
To see the real destination:
- On a desktop: rest your cursor over the link without clicking. The real URL appears in the bottom-left corner of your browser or email app;
- On a phone: long-press the link (don't release immediately). A preview pops up showing the real URL;
- If you can't preview: don't click. Period.
How To Read A Suspicious URL — Right To Left
Here's the trick scammers use most:
paypal.com.account-verify-secure.tk/login
It looks like it starts with paypal.com. It does. But that's not where you're going. URLs work right-to-left.
The domain is the last bit before the first single slash (/): the last two dot-separated labels of the host, the name plus its top-level domain. In this case:

paypal.com . account-verify-secure . tk / login
             ^^^^^^^^^^^^^^^^^^^^^^^^^^
             THIS IS THE REAL DOMAIN
You're going to account-verify-secure.tk — a site in Tokelau that the scammer registered for free. The "paypal.com" is just a subdomain, set up to mislead you.
Real PayPal URLs always look like:
paypal.com/login
www.paypal.com/myaccount
secure.paypal.com/whatever
The last bit before the slash is always exactly paypal.com. Anything else, no matter how official the rest looks, is fake.
A few common scammer tactics in URLs:
- Subdomain trick — paypal.com.evil.tk (the real domain is evil.tk);
- Lookalike domain — paypa1.com (number 1 instead of letter l), payρal.com (Greek rho instead of p);
- Hyphen tricks — paypal-com.tk, paypal-security-verify.com;
- TLD swap — paypal.cm instead of paypal.com (Cameroon's national domain), or paypal.co instead of .com;
- URL shorteners — bit.ly/3xyz123 hides the real destination entirely. Never click shortened links in unsolicited emails.
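The right-to-left reading and the tactics list above, as an added example that is not the chapter's own code: it takes a link destination, isolates the last two labels before the first slash, and names the trick it finds. It assumes a one-label public suffix (.com, .tk), so country suffixes such as co.uk would need the Public Suffix List; the shortener list is an assumption and the sample URLs are constructed.

```python
# Added example, not from the chapter: read a URL right to left, extract the
# registrable domain and name the trick when it is not the real domain.
# Sample URLs in main() are constructed for illustration.
from __future__ import annotations
from urllib.parse import urlsplit

# Assumed list of shortener domains; extend it for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
# Digits that scammers substitute for similar-looking letters.
DIGIT_LOOKALIKES = str.maketrans({"1": "l", "0": "o", "5": "s"})


def hostname_of(url: str) -> str:
    """Everything between the scheme and the first single slash, lowercased."""
    if "://" not in url:
        url = "http://" + url  # the chapter writes URLs without a scheme
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(url: str) -> str:
    """The last two labels of the host: 'the last bit before the slash'.
    Assumes a one-label public suffix (.com, .tk); co.uk-style suffixes
    would need the Public Suffix List, which is out of scope here."""
    labels = hostname_of(url).split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, real_domain: str) -> tuple[bool, str]:
    """Return (is_real, explanation) for one link destination."""
    host = hostname_of(url)
    domain = registrable_domain(url)
    brand, real_tld = real_domain.rsplit(".", 1)
    name, tld = domain.rsplit(".", 1) if "." in domain else (domain, "")

    if domain == real_domain:
        return True, f"{host} ends in {real_domain}: real"
    if domain in SHORTENERS:
        return False, f"{domain} is a URL shortener; the destination is hidden"
    # Subdomain trick: the real domain appears, but only as a prefix of the host.
    if real_domain + "." in host + ".":
        return False, f"subdomain trick: {real_domain} is only a subdomain of {domain}"
    # Lookalike with a non-ASCII letter (Greek rho for p).
    if not domain.isascii():
        return False, f"lookalike: {domain} contains non-ASCII characters"
    # Lookalike with digits standing in for letters (paypa1.com).
    if domain.translate(DIGIT_LOOKALIKES) == real_domain:
        return False, f"lookalike: {domain} uses digits in place of letters"
    if name == brand and tld != real_tld:
        return False, f"TLD swap: .{tld} instead of .{real_tld}"
    if brand in name and "-" in name:
        return False, f"hyphen trick: {domain} is not {real_domain}"
    return False, f"{domain} is not {real_domain}"


if __name__ == "__main__":
    # Constructed samples covering the chapter's tactics plus the real URLs.
    for url in [
        "paypal.com.account-verify-secure.tk/login",
        "https://www.paypal.com/myaccount",
        "secure.paypal.com/whatever",
        "paypa1.com", "payρal.com", "paypal-com.tk",
        "paypal-security-verify.com", "paypal.cm", "bit.ly/3xyz123",
    ]:
        ok, why = classify_url(url, "paypal.com")
        print("REAL " if ok else "FAKE ", url, "->", why)
```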
Check 3 — The Action Being Requested
Even if Checks 1 and 2 don't catch it, the request itself often gives the scam away.
Real companies almost never do these things via email:
- Threaten to delete your account in 24 hours unless you click a link;
- Ask you to "verify your password" by entering it on a linked page;
- Demand a small payment to "release" a package, refund a tax, or reactivate an account;
- Send urgent unexpected invoices that need to be paid right now;
- Request your full credit card number, social security number, or 2FA codes for any reason whatsoever.
Real companies usually do this instead:
- Tell you what they noticed, calmly, and ask you to log in yourself to verify;
- Reference specific details only you and they would know (last 4 digits of card, name of a transaction);
- Give you plenty of time and never include a countdown;
- Never include the action they want you to take as a clickable link — you have to go to their actual site.
If an email demands urgent action through a clickable link, treat it as fake until proven otherwise — even if everything else looks perfect.
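Check 3 turned into a small rule set, added here as an example and not part of the chapter: each red flag above becomes a pattern, and the "urgent action through a clickable link" rule decides the verdict. The patterns are a starting point of my own, not a definitive list, and both sample messages are constructed.

```python
# Added example, not from the chapter: score the request in a message (Check 3)
# with one pattern per red flag.  Patterns and sample texts are constructed.
import re

# Things the chapter says real companies almost never ask for by email.
RED_FLAGS = [
    ("countdown",
     re.compile(r"\b(?:within|in)\s+\d+\s*(?:hours?|days?)\b", re.I)),
    ("account threat",
     re.compile(r"\baccount\b.{0,40}\b(?:suspend|delet|clos|lock|terminat)\w*"
                r"|\b(?:suspend|delet|clos|lock|terminat)\w*\b.{0,40}\baccount\b",
                re.I | re.S)),
    ("password on linked page",
     re.compile(r"\b(?:verify|confirm|re-?enter)\b.{0,30}\bpassword\b", re.I | re.S)),
    ("small payment to release",
     re.compile(r"\b(?:release|reactivate|refund)\b.{0,60}\b(?:fee|payment|\$\s?\d)",
                re.I | re.S)),
    ("urgent invoice",
     re.compile(r"\binvoice\b.{0,60}\b(?:overdue|immediately|right now|today)\b",
                re.I | re.S)),
    ("secret requested",
     re.compile(r"\b(?:credit card number|social security|ssn|2fa code|"
                r"verification code|one[- ]time code)\b", re.I)),
]
# A clickable action: a URL or "click here" wording.
LINK = re.compile(r"https?://\S+|\bclick here\b", re.I)

# Constructed sample messages (the link domain is the chapter's own example).
SAMPLE_PHISH = ("Your PayPal account will be permanently deleted within 24 hours "
                "unless you verify your password here: "
                "http://paypal.com.account-verify-secure.tk/login")
SAMPLE_REAL = ("We noticed a sign-in from a new device on the card ending in 4321. "
               "If this was you, no action is needed. Otherwise, log in at your "
               "convenience to review the activity.")


def assess_request(text: str) -> dict:
    """Return the red flags found, whether a link carries the action, and a verdict."""
    flags = [name for name, pattern in RED_FLAGS if pattern.search(text)]
    has_link = LINK.search(text) is not None
    if flags and has_link:
        verdict = "treat as fake until proven otherwise: urgent request delivered through a link"
    elif flags:
        verdict = "suspicious request: go to the real site yourself and check"
    else:
        verdict = "no request red flags; still apply Checks 1 and 2"
    return {"flags": flags, "has_link": has_link, "verdict": verdict}


if __name__ == "__main__":
    for label, text in (("phish", SAMPLE_PHISH), ("real", SAMPLE_REAL)):
        print(label, assess_request(text))
```

The verdict is deliberately conservative in one direction only: a message with no flags is not declared safe, because Checks 1 and 2 still apply.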
The Universal Move — Never Click. Always Type.
This single habit defeats almost every phishing email, regardless of how convincing it looks:
- The email says "click here to verify your account";
- Don't click;
- Open a new browser tab;
- Type the company's real address (paypal.com, wellsfargo.com, etc.) yourself;
- Log in normally;
- Check if there's actually a problem.
Eight out of ten times, there isn't. The other two times, the real company tells you exactly what's wrong, with no scary countdown — and you handle it from there.
This habit costs you 20 seconds per email. It saves you, on average, from the ~3-7 phishing attempts you'll receive this week alone.
Special Case — Texts And Messaging Apps
Phishing isn't just email anymore. The same techniques arrive through:
- SMS ("smishing") — "Your package couldn't be delivered, click here: bit.ly/xyz";
- WhatsApp — "Hi mom, this is my new number, please save it…" (more on this in Chapter 4);
- LinkedIn DMs — "Saw your profile, would love to chat about a job opportunity, here's my company site…";
- iMessage / Telegram / Signal — anywhere people communicate.
The same three checks apply. Sender identity, link destination, and the nature of the request. Bonus rule for messaging: don't trust a phone number you don't already have saved. A "wrong number text that turns into a friendly conversation" is the #1 opening move of pig butchering scams (Chapter 4).
1. Which steps are essential to spot a phishing email according to the chapter?
2. Which of the following URLs use common phishing tricks to appear legitimate but are actually suspicious?