// OPERATOR LOG · ENTRY 301 · MISSION 03 · BRIEFING 01 OF 06 · EST 7 MIN

Anatomy of a phishing email

Five places a phishing email gives itself away

Phishing emails have gotten visually convincing. Logos are perfect. Grammar is fine. The signature block lists a real address. The graphic-design layer is no longer a useful tell.

What hasn't improved is the underlying structure of the attack. Every phishing email still has to do five jobs to be functional, and each one leaves a fingerprint a defender can read in seconds.

1. The sender display name

The "From" field shows whatever the attacker typed. "PayPal Service <support@payy-pal-secure.com>" is a perfectly valid email header; the brand name is just a label. Always look at the actual address, not the display name.

2. The subject line

Phishing subject lines have a narrow vocabulary: Urgent, Action Required, Account Suspended, Unusual Sign-In, Pending Refund, Final Notice. They have to engineer the open. Once you've seen the pattern, it's recognizable from the inbox preview.

3. The opening hook

The first paragraph almost always does two things at once: it establishes consequence ("we noticed unusual activity") and it offers a path back to safety ("click here to verify"). Real customer notifications usually open with the neutral state ("here's your monthly statement") rather than a threat.

4. The call-to-action link

The link is the single most diagnostic element. Hover over it without clicking. The status-bar URL is the truth. If the hostname in that URL does not end in the brand's actual domain (paypal.com, not paypal-secure-login.net or paypa1.com or paypal.com.account-verify.io), discard the email.

5. The signature

The footer often lists a real-looking address, a real-looking phone number, copyright notices. These are meant to reassure. They are also trivial to copy from a real email. The signature block tells you nothing on its own.

A 10-second triage routine

When an unexpected email lands and asks you to do something, run this in your head:

  1. Read the actual sender domain (not the display name).
  2. Hover the call-to-action link and read the destination.
  3. Ask: is this email asking me to log in or transfer something I wasn't already planning to do?

Three checks. If anything is off, don't click. Open the brand's app or site by typing the address yourself.
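Checks 1 and 2 of the routine can also be run by a mail filter. The Python below is an added example, not part of the original briefing: the sample message is constructed from the addresses used above, and `triage`, `host_matches` and `LinkCollector` are illustrative names. It assumes the brand domain is known in advance and the message has an HTML body.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message, built from the examples in this briefing.
SAMPLE = """\
From: PayPal Service <support@payy-pal-secure.com>
Subject: Action Required: Account Suspended
Content-Type: text/html; charset="utf-8"

<p>We noticed unusual activity on your account.</p>
<a href="https://paypal.com.account-verify.io/login">Verify now</a>
<a href="https://www.paypal.com/help">Help center</a>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def host_matches(host, brand_domain):
    """True only if host is the brand domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)

def triage(raw_message, brand_domain):
    """Checks 1 and 2 of the routine: sender domain and link destinations."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if not host_matches(sender_domain, brand_domain):
        findings.append(("sender", display, sender_domain))
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for url in collector.hrefs:
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and not host_matches(parts.hostname, brand_domain):
            findings.append(("link", url, parts.hostname))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "paypal.com"):
        print(finding)
```

The comparison is anchored on a leading dot, so `paypal.com.account-verify.io` fails even though the brand name appears at the start of the hostname.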