phishing detection

You know what phishing looks like. Misspelled words, suspicious links, Nigerian princes. You’ve done the training. You’ve passed the tests.

And yet.

Somewhere, right now, someone who knows all of this is clicking a link they shouldn’t. Not because they’re careless or stupid, but because they’re busy, distracted, and the email looked just legitimate enough.

Phishing detection isn’t about knowledge. It’s about habits that kick in automatically, even when you’re not thinking clearly.

Most phishing fails a quick sanity check. The problem is we don’t do the check. We see an email, we react, we click. The trick is building a pause into that reaction:

1. Was this expected? Unexpected requests for credentials, payments, or sensitive data are suspicious by default.

2. Does the context make sense? An “account locked” email for a service you don’t use is obviously fake. But even for services you do use, did you do anything that would trigger this?

3. Who sent this? Look at the actual email address, not just the display name. “PayPal Security” from security-paypal@mail-verify.net is not PayPal.

Most phishing attempts fail this 3-second test. The ones that pass deserve closer scrutiny.

URLs are the hardest thing for attackers to fake. Learn to read them.

https://account.paypal.com/login breaks down as:

• https:// - Protocol (should be HTTPS for any login)
• account.paypal.com - Domain (this is what matters)
• /login - Path (less important for legitimacy)

The domain is everything between :// and the next /. Within that domain, read right to left:

• paypal.com - This is the actual domain (owned by PayPal)
• account. - This is a subdomain (controlled by whoever owns paypal.com)

Attackers use several tricks:

Subdomain deception:

• paypal.account-verify.com - The domain is account-verify.com, not PayPal
• secure-paypal.com.malicious.net - The domain is malicious.net

Typosquatting:

• paypai.com (lowercase L instead of lowercase l)
• paypa1.com (number 1 instead of lowercase l)
• paypal-secure.com (adding words to legitimate brand)

Homograph attacks:

• Using characters from different alphabets that look identical
• pаypal.com using Cyrillic ‘а’ instead of Latin ‘a’

On desktop, hover over links to see their destination before clicking. On mobile, long-press links to preview URLs.

If the displayed text says “www.paypal.com” but the link goes elsewhere, that’s phishing.

Email display names can be anything. The actual address matters.

Legitimate:

• service@paypal.com
• noreply@email.chase.com

Suspicious:

• paypal-service@gmail.com
• support@paypal.security-verify.com
• alert@paypal.com.suspicious-domain.net

Urgency without specificity:

• “Your account will be suspended in 24 hours” - What account? Why?
• Legitimate services provide specific details about issues

Generic greetings:

• “Dear Customer” or “Dear User” when legitimate emails would use your name

Grammar and formatting:

• Legitimate companies have professional copywriters and QA processes
• Errors suggest rushed, non-professional origin

Mismatched branding:

• Wrong logo colors, fonts, or layouts
• Images that look stretched or pixelated
• Footer information that doesn’t match the claimed sender

Be especially cautious of:

• Unexpected attachments from anyone
• File types that can execute code (.exe, .js, .html, .zip with executables)
• “Invoice” or “Document” attachments you didn’t expect
• Password-protected files (attackers use this to bypass security scanners)

When you reach a website (whether through email link or direct navigation), verify legitimacy before entering credentials.

HTTPS with a valid certificate is necessary but not sufficient. Attackers get SSL certificates too.

What to check:

• Click the padlock icon → View certificate details
• Verify the certificate is issued to the expected organization
• Check the certificate isn’t expired

What certificates DON’T tell you:

• That the site is legitimate
• That your data is safe
• That you should trust the organization

A phishing site can have a perfectly valid SSL certificate.

Compare against your memory of the legitimate site:

• Are colors exactly right?
• Is the logo correct?
• Is the layout what you expect?
• Do fonts look professional?

When in doubt, navigate directly to the site by typing the URL or using a bookmark. Don’t trust links.

Phishing sites often only implement the pages needed for credential theft.

Signs of a fake:

• Footer links that go nowhere or to unrelated pages
• “Forgot password” or “Create account” links that don’t work
• Missing functionality that the real site would have
• Error messages that don’t make sense

Check when a domain was registered:

• Legitimate company domains are typically years old
• Phishing domains are often registered days or weeks before attacks

Use whois command or online tools to check domain age.

Search certificate transparency logs for the domain to see:

• When certificates were issued
• How many certificates exist for the domain
• Whether the certificate history matches expectations

For technical users:

• Inspect network requests to see where data is actually sent
• Check for suspicious JavaScript
• Look at form action URLs

1. Don’t click anything in the suspicious message
2. Report it - Forward to your IT security team or use the report phishing button
3. Delete it - Remove from inbox to avoid accidental future clicks

1. Close the tab immediately
2. Clear your browser cache
3. Run a malware scan
4. Monitor for unusual activity

1. Change password immediately on the legitimate site
2. Enable 2FA if not already active
3. Check for unauthorized activity in the affected account
4. Report the incident to IT security
5. Monitor related accounts - if you reuse passwords, change those too

Make verification automatic, not exceptional:

• Always check sender addresses
• Always hover over links before clicking
• Always navigate directly for sensitive actions

Assume unexpected requests are suspicious until verified:

• Banks don’t email asking for credentials
• Tech support doesn’t call unsolicited
• Legitimate urgency comes with verifiable specifics

If a request might be legitimate:

• Call the company using a number from their official website (not from the email)
• Navigate directly to the service and check your account
• Contact the purported sender through a known-good method

For organizations building phishing detection capabilities:

Regular simulated phishing campaigns:

• Establish baseline click rates
• Provide immediate education when employees click
• Track improvement over time
• Adjust difficulty as skills improve

Make reporting easy:

• One-click phishing report buttons in email clients
• No penalties for reporting false positives
• Feedback on reported items to reinforce good behavior

Ongoing touchpoints:

• Brief reminders about current phishing trends
• Examples of real attacks targeting your industry
• Recognition for employees who catch and report attempts

Here’s what I’ve learned watching thousands of people go through phishing simulations: the ones who catch attacks aren’t the most security-aware. They’re the ones who’ve built checking into their workflow.

They hover over every link. Not because they’re suspicious of that specific email, but because that’s just what they do. They verify sender addresses the way they check their mirrors before changing lanes. Automatic.

The goal isn’t to become paranoid. It’s to make verification so routine that you don’t have to think about it.

Most phishing attempts are obvious once you look. The trick is remembering to look when you’re tired, rushed, or just trying to get through your inbox before lunch.

Build detection habits through practice, not just training. Try our interactive security exercises with phishing scenarios designed to test your reflexes, not just your knowledge.