Phishing Red Flags

Warning signs that an email might be fraudulent or malicious

When in Doubt, Don't Click!

If you spot even ONE of these red flags, treat the email with extreme caution:

  • Don't click any links
  • Don't download attachments
  • Don't reply with sensitive information
  • Contact the sender through a known, trusted channel to verify
  • Forward suspicious emails as attachments to phish@check.craigpeterson.com

Severity Levels

CRITICAL: Almost certainly malicious
HIGH: Very suspicious
MEDIUM: Proceed with caution
LOW: Minor concern

Sender & Display Name

Mismatched email address and display name

HIGH

The display name shows 'PayPal Security' but the email address is random123@gmail.com

Unfamiliar or suspicious sender domain

HIGH

Email claims to be from Microsoft but comes from microsof1-support.com or a similar look-alike domain

Personal email for business communication

HIGH

Your 'CEO' is emailing from a Gmail, Yahoo, or Hotmail account instead of the company domain

Unusual sender for the request

MEDIUM

Why would your bank contact you from a customer service survey system?

Links & URLs

Hover reveals different destination

CRITICAL

Link text says 'paypal.com' but hovering shows it goes to paypa1-secure.xyz

Shortened URLs hiding the real destination

HIGH

Using bit.ly, tinyurl, or other URL shorteners for 'urgent' banking links

Misspelled domain names

CRITICAL

amaz0n.com (zero instead of O), microsof1.com (one instead of T), etc.

Suspicious subdomain structure

HIGH

paypal.com.security-verify.com (the real domain is security-verify.com, not PayPal)

IP addresses instead of domain names

HIGH

Links going to http://192.168.1.1 or http://103.45.67.89 instead of proper domains

Content & Language

Generic greetings

MEDIUM

'Dear Customer' or 'Dear User' instead of your actual name

Urgent or threatening language

HIGH

'Your account will be closed in 24 hours!' or 'Immediate action required!'

Too good to be true offers

HIGH

'You've won $1,000,000!' or 'Claim your inheritance from a foreign prince'

Poor grammar and spelling

MEDIUM

Professional companies proofread their emails. Multiple typos are a red flag.

Requests for sensitive information

CRITICAL

Legitimate companies NEVER ask for passwords, SSNs, or full credit card numbers via email

Unusual requests from known contacts

HIGH

Your boss suddenly asking you to buy gift cards or wire money without prior discussion

Attachments

Unexpected attachments

HIGH

You weren't expecting a file, especially from someone you don't know well

Suspicious file types

CRITICAL

.exe, .scr, .zip, .js, .vbs files - especially if claiming to be documents

Double file extensions

CRITICAL

document.pdf.exe - the real extension is .exe, trying to look like a PDF

Password-protected attachments with password in email

HIGH

Used to bypass email security scanning - the scanner can't check encrypted files

Office documents requesting 'Enable Macros'

CRITICAL

Legitimate documents rarely need macros. This is a common malware delivery method.

Technical Indicators

Failed authentication (SPF/DKIM/DMARC)

CRITICAL

Email headers show authentication failures - the sender isn't who they claim to be

Unusual send time

MEDIUM

A local colleague sending email at 3 AM, or a message that arrives from a foreign time zone

Suspicious routing path

HIGH

Email from your 'bank' routed through servers in different countries

Plain text when HTML is normal

LOW

Your bank always sends formatted HTML emails, but this one is plain text

Real-World Example: Anatomy of a Phishing Email

🚩 From: "PayPal Security" <account-verify@paypa1-security.com>
To: you@example.com
🚩 Subject: URGENT: Verify Your Account Within 24 Hours

🚩 Dear Customer,

We have detected 🚩 unusual activity on your PayPal account. For your security, we have 🚩 temporarily limited your account.

🚩 Click here immediately to verify your identity and restore full access: 🚩 http://paypal.com.verify-account.tk

🚩 If you do not verify within 24 hours, your account will be permanently suspended.

Sincerely,
PayPal Security Team

🚩 Red Flags in This Email:

  1. Mismatched sender: Display name says "PayPal Security" but domain is paypa1-security.com (note the "1")
  2. Generic greeting: "Dear Customer" instead of your name
  3. Urgency and threats: "24 hours", "immediately", "permanently suspended"
  4. Suspicious URL: paypal.com.verify-account.tk - the real domain is verify-account.tk, NOT paypal.com
  5. Unusual domain extension: .tk (Tokelau) - PayPal uses .com
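
The sender and link checks from this walkthrough can be automated. The Python sketch below is an added example, not code from this site's analyzer. It assumes a single-part plain-text message, a hypothetical BRANDS allowlist, and a naive "last two labels" rule for finding the real domain.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modeled on the example email above.
SAMPLE = '''From: "PayPal Security" <account-verify@paypa1-security.com>
Subject: URGENT: Verify Your Account Within 24 Hours

Click here immediately to verify your identity: http://paypal.com.verify-account.tk
'''

# Assumption: hypothetical allowlist of brand -> legitimate sending/link domains.
BRANDS = {"paypal": {"paypal.com"}}
SHORTENERS = {"bit.ly", "tinyurl.com"}

def base_domain(host):
    # Naive: keep the last two labels. Real code should use the Public Suffix
    # List, since this is wrong for suffixes such as co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def red_flags(raw):
    """Return (severity, reason) pairs for sender and link red flags."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = base_domain(addr.rpartition("@")[2])
    for brand, domains in BRANDS.items():
        if brand in name.lower() and sender not in domains:
            flags.append(("HIGH", f"display name claims {brand}, sender domain is {sender}"))
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = (urlsplit(url).hostname or "").lower()
        reg = base_domain(host)
        if is_ip(host):
            flags.append(("HIGH", f"link uses IP address {host}"))
        elif reg in SHORTENERS:
            flags.append(("HIGH", f"shortened URL via {reg}"))
        for brand, domains in BRANDS.items():
            if brand in host and reg not in domains:
                flags.append(("HIGH", f"{brand} appears in {host}, real domain is {reg}"))
    return flags
```

Calling red_flags(SAMPLE) reports the mismatched sender and the paypal.com.verify-account.tk subdomain trick. A message sent from and linking to paypal.com returns an empty list.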

Spotted a Suspicious Email?

Forward it as an attachment to get a comprehensive phishing analysis in 30 seconds