Phishing red flags: how to spot a scam link in seconds

Phishing links cost people their passwords and savings every day. Learn the red flags that expose a scam message or link in seconds, and how to verify anything you are unsure about.

22 May 2026 · 7 min read

Phishing is the most common way ordinary people get hacked. It does not require sophisticated malware — just a convincing message and a moment of inattention. The good news is that phishing relies on a small set of psychological tricks, and once you can recognise them, most scams fall apart on inspection. Here is how to spot a phishing link in seconds.

Red flag 1: manufactured urgency

"Your account will be suspended in 24 hours." "Unusual login detected — verify now." "Your parcel could not be delivered, update your details immediately." Urgency is the phisher's favourite tool because it pushes you to act before you think. Any message that combines a threat with a deadline and a link deserves immediate suspicion. Legitimate organisations rarely demand instant action through a link.

Urgency plus a link is the signature of a phishing attempt.

Red flag 2: a mismatched or look-alike address

The link text and the actual destination are not always the same. On a computer, hover over a link to see where it really goes. On a phone, press and hold to preview the URL. Watch for look-alike domains (paypa1.com instead of paypal.com, apple-id-verify.net instead of apple.com) and for the real brand name buried as a subdomain of something else, like apple.com.secure-login.tk. The true domain is the part just before the first single slash: in that last example it is secure-login.tk, not apple.com.
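The check described above, as a short Python sketch (an added example, not code from the original article or from SpyApp). The brand list, the suffix list and the digit-for-letter map are illustrative assumptions; real tooling should resolve registrable domains with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumptions (not from the article): a two-brand allowlist, a short list of
# multi-label suffixes, and a digit-for-letter map. Production code should
# resolve registrable domains with the Public Suffix List instead.
BRANDS = {"paypal": "paypal.com", "apple": "apple.com"}
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}
DIGIT_SWAPS = str.maketrans("0135", "oles")  # 0->o, 1->l, 3->e, 5->s


def hostname(url: str) -> str:
    """Host part of the URL, which ends at the first single slash."""
    sep = url.find("://")
    if sep == -1 or "/" in url[:sep]:
        url = "//" + url  # bare "host/path": let urlsplit see a host
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(url: str) -> str:
    """Rightmost labels of the host: the name the owner actually registered."""
    labels = hostname(url).split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(url: str) -> str:
    """Return 'ok', 'lookalike', 'brand-as-subdomain', 'brand-in-name' or 'unknown'."""
    host, domain = hostname(url), registrable_domain(url)
    if domain in BRANDS.values():
        return "ok"
    name = domain.split(".")[0]
    for brand, real in BRANDS.items():
        if name.translate(DIGIT_SWAPS) == brand:
            return "lookalike"            # paypa1.com style
        if f".{real}." in f".{host}":
            return "brand-as-subdomain"   # apple.com.secure-login.tk style
        if brand in name.split("-"):
            return "brand-in-name"        # apple-id-verify.net style
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs built from the domains named in the article.
    for u in ("https://www.paypal.com/signin", "http://paypa1.com/login",
              "https://apple-id-verify.net/", "https://apple.com.secure-login.tk/id"):
        print(f"{check_link(u):20} {registrable_domain(u):20} {u}")
```

A result of "unknown" only means the link matched none of the listed brands; it is not a verdict that the link is safe.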

Red flag 3: it asks for credentials or payment

A message that drives you to a page asking for your password, card number, or one-time code is the heart of most phishing. No legitimate company will ask you to confirm your password by clicking an email link. If you need to log in somewhere, navigate to the site directly through your browser or app — never through the link in the message.

Red flag 4: generic or wrong greetings

"Dear Customer" or "Dear" followed by your email address instead of your name suggests a mass-sent scam. So do subtle errors: a bank that misspells its own name, awkward grammar, or a tone that does not match how the organisation normally communicates. Modern phishing is more polished than it used to be, so absence of errors does not prove safety, but their presence is a strong tell.

Red flag 5: unexpected attachments

An invoice you were not expecting, a "voicemail" file, a shipping document from a company you never ordered from — unsolicited attachments are a common malware vector. Be especially wary of files with double extensions like invoice.pdf.exe or office documents that demand you "enable macros" to view them.

Unexpected attachments and macro prompts are classic malware delivery.

Red flag 6: the channel does not fit

Did your bank really text you from a random mobile number? Would a government agency contact you about taxes via a messaging app? Mismatched channels — official-sounding content arriving through an unofficial medium — are a giveaway. Scammers use SMS, WhatsApp and social media because these feel personal and bypass email spam filters.

When you are not sure: scan the link

Sometimes a message is genuinely ambiguous, or you have already received something and want to check it without risk. Paste the link into the SpyApp URL scanner. It analyses the destination server-side — so the dangerous page never loads on your device — and tells you whether the address is associated with phishing, malware or tracking, along with a clear risk score. It is the fastest way to turn "I'm not sure" into a definite answer.

What to do if you have already clicked

  1. If you entered a password, change it immediately from a different device and enable two-factor authentication.
  2. If you entered card details, contact your bank to freeze the card and watch for fraudulent charges.
  3. If you downloaded a file, do not open it — scan it first, and delete it if flagged.
  4. Report the message to the impersonated organisation and your email or messaging provider so others are protected.

The golden rule: never log in or enter sensitive details through a link in an unexpected message. Go to the site or app directly instead. That single habit defeats the majority of phishing.

Phishing is constantly evolving, but the underlying tricks — urgency, deception and a request for your secrets — stay the same. Learn to spot them, verify when in doubt, and you will sidestep the attacks that catch millions of others. For more on link safety, see our guide to scanning URLs and domains.

Check it yourself. Use the free SpyApp scanner to analyse any suspicious file, link, domain or IP — and see what the community already knows about it.

Frequently asked questions

What is the most reliable phishing red flag?

A message that creates urgency and drives you to a link asking for your password or payment details. That combination is the core of almost all phishing.

Is it safe to click a link just to look?

Risky. Some links trigger downloads or exploit your browser. Scan the link first, which checks the destination without loading it on your device.

Can phishing happen by text message?

Yes. SMS phishing ('smishing') and messaging-app scams are extremely common because they feel personal and bypass email filters.