
How to Identify and Report Phishing Emails: A Complete Verification Guide

Learn to spot phishing emails and verify suspicious messages. Step-by-step guide to checking sender authenticity and reporting scams.

Last edited on May 17, 2026


Americans lost over $12.5 billion to phishing and online fraud in 2023, according to the FBI’s Internet Crime Complaint Center. Phishing emails have become sophisticated enough to fool even tech-savvy people — using real company logos, mimicking legitimate email formatting, and creating urgency that bypasses your critical thinking.

This guide covers exactly how to verify whether an email is legitimate and what to do when you identify a phishing attempt.

The 7 Red Flags of Phishing Emails

1. Sender Address Doesn’t Match the Company

The display name might say “Amazon” or “Chase Bank,” but check the actual email address:

  • Legitimate: noreply@amazon.com
  • Phishing: noreply@amazon-security-alert.com or support@arnazon.com (note the ‘rn’ mimicking ‘m’)

How to check: Click on the sender’s name to reveal the full email address. On mobile, tap the name at the top of the email.

2. Generic Greetings Instead of Your Name

Legitimate companies that have your account information use your real name. Red flags:

  • “Dear Customer”
  • “Dear Account Holder”
  • “Dear Sir/Madam”

3. Urgent Language Creating Artificial Pressure

Phishing emails rely on fear and urgency:

  • “Your account will be suspended in 24 hours”
  • “Unauthorized access detected — verify immediately”
  • “Payment failed — update now or lose access”

Real companies don’t threaten account closure via a single email with a 24-hour deadline.

4. Links That Don’t Match the Claimed Destination

Hover over (don’t click) any link in the email:

  • Legitimate: https://www.chase.com/account/verify
  • Phishing: https://chase-verify.security-check.com/login or https://bit.ly/3xK2m9

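Rule: If the domain (the part between “https://” and the next slash) isn’t the company’s real website, it’s phishing. Read the domain from right to left: chase-verify.security-check.com belongs to security-check.com, not to Chase.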

5. Requests for Sensitive Information

No legitimate company asks you to:

  • Reply with your password
  • Enter your Social Security number via an email link
  • Send photos of your credit card or ID
  • Provide your full account credentials through a form

6. Attachments You Weren’t Expecting

Unexpected attachments — especially .zip, .exe, .html, or .doc files — are common malware delivery methods. Even PDF attachments from unknown senders can contain malicious links.

7. Spelling and Grammar Errors

While AI has made phishing emails more polished, many still contain subtle errors in:

  • Company names (Paypa1 instead of PayPal)
  • URL structures
  • Unusual phrasing or formatting inconsistencies

How to Verify a Suspicious Email (Step by Step)

Step 1: Don’t Click Anything

If an email seems suspicious, don’t click any links, download attachments, or reply. Close the email.

Step 2: Check the Full Sender Address

  • Gmail: Click the dropdown arrow next to the sender name
  • Outlook: Click “Show message details”
  • Apple Mail: Hover over the sender name
  • Yahoo: Click the sender name to expand details

Step 3: Verify Through Official Channels

If the email claims to be from a company you use:

  1. Open a new browser tab (don’t use email links)
  2. Navigate directly to the company’s real website
  3. Log into your account normally
  4. Check for any actual notifications, messages, or account issues

If there’s no matching alert in your actual account, the email is phishing.

Step 4: Check Email Headers (Advanced)

For Gmail: Open the email > Three dots menu > “Show original”. Look for:

  • SPF: Should say “PASS” for legitimate emails
  • DKIM: Should say “PASS” — confirms the domain actually sent it
  • DMARC: Should say “PASS” — confirms alignment between sender claims and authentication

If any of these say “FAIL,” the email is likely spoofed.
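The same three results can be read programmatically from the Authentication-Results header that the receiving mail server adds. The following is an added example, not part of the original guide: the message, the server name mx.example.net and the function names are constructed. The sample shows the alignment case: SPF and DKIM pass for the domain that really sent the mail, but DMARC fails because the From address claims a different domain.

```python
import re
from email import message_from_string

# Constructed sample message; the server name and all values are made up.
RAW = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.security-check.com;
 dkim=pass header.d=security-check.com;
 dmarc=fail header.from=chase.com
From: "Chase Bank" <alerts@chase.com>
Subject: Unauthorized access detected

Verify immediately.
"""

def auth_results(raw):
    """Return the spf, dkim and dmarc results recorded by the receiving server."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    # get() returns the topmost header, the one added last in transit;
    # copies further down may have been written by the sender.
    header = message_from_string(raw).get("Authentication-Results", "")
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
        results[method.lower()] = result.lower()
    return results

def classify(raw):
    """Apply the guide's rule: any FAIL means the email is likely spoofed."""
    res = auth_results(raw)
    failed = sorted(m for m, v in res.items() if v == "fail")
    if failed:
        return "likely spoofed", failed
    not_passed = sorted(m for m, v in res.items() if v != "pass")
    if not_passed:
        return "unverified", not_passed
    return "authenticated", []

print(classify(RAW))
```

A result of "authenticated" only confirms that the domain in the From address sent the message; a lookalike domain such as arnazon.com can pass all three checks, so the sender-address check from red flag 1 still applies.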

Step 5: Search for the Exact Email Subject Line

Google the exact subject line in quotes (e.g., “Your Amazon account has been locked”). If it’s a known phishing campaign, security blogs and Reddit posts will appear confirming it’s fake.

What to Do If You Clicked a Phishing Link

If you already clicked:

  1. Don’t enter any information — close the page immediately
  2. Change your password for the affected account (use the real website)
  3. Enable two-factor authentication if not already active
  4. Check for unauthorized activity on the account
  5. Run a malware scan if you downloaded anything
  6. Monitor your credit if you entered financial information

How to Report Phishing Emails

Report to the impersonated company:

  • Apple: reportphishing@apple.com
  • Google: Use the “Report phishing” button in Gmail
  • Microsoft: phish@office365.microsoft.com
  • Amazon: stop-spoofing@amazon.com
  • PayPal: phishing@paypal.com

Report to authorities:

  • FTC: ReportFraud.ftc.gov
  • FBI IC3: ic3.gov (for financial losses)
  • Anti-Phishing Working Group: reportphishing@apwg.org

Report in your email client:

  • Gmail: Three dots > “Report phishing”
  • Outlook: Right-click > “Report” > “Report phishing”
  • Apple Mail: Forward to reportphishing@apple.com

Common Phishing Email Types in 2026

| Type | Example Subject | Target |
| --- | --- | --- |
| Package delivery | “Your delivery is on hold” | Amazon/UPS/FedEx users |
| Bank alert | “Suspicious activity detected” | Banking customers |
| Subscription | “Payment failed for Netflix” | Streaming subscribers |
| Tax/IRS | “Refund pending — verify identity” | All taxpayers |
| Tech support | “Virus detected on your device” | Less tech-savvy users |
| Job offer | “Interview scheduled — confirm details” | Job seekers |
| Social media | “Someone tried to log into your account” | Social media users |

Quick Verification Checklist

  • [ ] Checked the actual sender email address (not just the display name)
  • [ ] Hovered over links without clicking to verify URLs
  • [ ] Verified claims by logging into the real website directly
  • [ ] Checked for generic greetings instead of your name
  • [ ] Looked for urgency tactics or threats
  • [ ] Confirmed no requests for sensitive information via email
  • [ ] Searched for the subject line to check for known scam campaigns

Bottom Line

When in doubt, don’t click. The 30 seconds it takes to open a new browser tab and log into your real account is always worth it. Legitimate companies never punish you for verifying through official channels, and no real urgent issue disappears because you took a few minutes to confirm it was real first.

Sources

  • FBI IC3 2023 Internet Crime Report: https://www.ic3.gov/AnnualReport
  • FTC Consumer Advice on Phishing: https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
  • CISA Phishing Guidance: https://www.cisa.gov/secure-our-world/recognize-and-report-phishing
