1. The sender doesn't match the brand
First reflex: look at the full sender address, not just the displayed name. An email claiming to come from your bank but sent from customer.support@secure-update-bank.com is fake. Real banks always use their official domain (e.g., chase.com, bankofamerica.com).
Common typosquatting tricks: amaz0n.com (zero instead of o), paypaI.com (capital I instead of l), microsoft-secure.com (extra words around the official domain).
2. Unusual time pressure
"Your account will be suspended in 24h", "Action required immediately", "Last chance". Any legitimate brand gives you time to verify. Time pressure is a phishing classic: it prevents reflection and pushes impulsive clicks.
If you're threatened with a sanction within 24h, take 5 minutes to call customer service via an official number (never the one in the email).
3. Lying links
Hover over each link without clicking. The browser shows the real URL at the bottom. If the link says "www.irs.gov" but points to http://irs-secure.com/refund?id=8482, it's phishing.
Also beware of shortened URLs (bit.ly, t.co) in serious emails: no bank, no government uses URL shorteners in official emails.
4. Request for sensitive information
No bank, no government, no serious service will ever ask you by email for your full password, your PIN, your credit card code, or a money transfer. If they do, it's phishing 99.9% of the time.
Typical case: "Update your bank details" with a form asking for your IBAN and secret code. Any entry of banking information must happen in the official app, never via an email link.
5. SPF, DKIM, DMARC: the headers rarely lie
For the more technical: open the email headers (Gmail: three dots → "Show original"). You'll see 3 lines:
- SPF: pass (the sending server is authorized for this domain)
- DKIM: pass (the cryptographic signature is valid)
- DMARC: pass (the domain policy is respected)
If any of the three is fail or none, the email is highly suspicious. This is exactly what Fiabli automatically checks for you, in less than 2 seconds.
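One way to script the header check from this section, as an added example (not Fiabli's code and not part of the original article): it reads the Authentication-Results header and trusts only the copy stamped by your own receiving server, since a sender can insert a fake one. The server name mx.example.net, the sample message and the function names are assumptions, and it treats any result other than pass, including a missing one, as suspicious, which is stricter than the fail-or-none rule above.

```python
import re
from email import message_from_string

# Constructed sample message (not a real email). The first Authentication-Results
# header was stamped by the receiving server "mx.example.net" (assumed name);
# the second was inserted by the sender and must be ignored.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=secure-update-bank.com;
 dkim=none;
 dmarc=fail header.from=bank.example
Authentication-Results: mx.untrusted.example; spf=pass; dkim=pass; dmarc=pass
From: "Your Bank" <customer.support@secure-update-bank.com>
Subject: Action required immediately

Please confirm your details.
"""

METHODS = ("spf", "dkim", "dmarc")
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", re.IGNORECASE)


def auth_results(raw, trusted_authserv):
    """Return {method: result} using only headers stamped by our own server."""
    msg = message_from_string(raw)
    results = {m: "missing" for m in METHODS}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        parts = authserv.split()
        # Anyone can write this header; trust only the receiver's authserv-id.
        if not parts or parts[0].lower() != trusted_authserv.lower():
            continue
        # Simplification: if a method appears more than once, the last one wins.
        for method, result in RESULT_RE.findall(rest):
            results[method.lower()] = result.lower()
    return results


def is_suspicious(results):
    """Stricter than the article's rule: anything other than pass is flagged."""
    return any(results[m] != "pass" for m in METHODS)


if __name__ == "__main__":
    verdict = auth_results(SAMPLE, "mx.example.net")
    print(verdict, "suspicious" if is_suspicious(verdict) else "ok")
```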
Summary: the 30-second rule
Faced with a suspicious email, ask yourself 3 questions:
- Does the full sender address match the official brand domain?
- Is the email creating unusual urgency?
- Can I verify the information through another channel (official app, customer number)?
If you answer "no, yes, no", it's probably phishing. To automate this verification on all your mailboxes, create a free Fiabli account in 2 minutes — your first analysis takes 1.8 seconds.