>
GUIDE

How to Spot a Phishing Email in 10 Seconds

24 Jun 2026 · 3 min read · Comments

Phishing is the most common way accounts get compromised. Modern scam emails look convincingly real. Here are the handful of telltale signs that give them away every time.

An Example Phishing Email

From: security-alert@paypa1-support.com ⚠ suspicious domain
To: you@email.com
Subject: ⚠️ Your account has been limited — action required within 24 hours

Dear Valued Customer,

We have detected unusual activity on your PayPal account. To avoid permanent suspension, you must verify your information immediately.

Failure to act within 24 hours will result in your account being permanently closed.

Verify My Account Now

PayPal Inc. · 2211 North First Street · San Jose, CA 95131

That email has at least five red flags visible before you even read the body. Here's how to spot them:

1. Check the Sender's Email Address

2. Spot the Artificial Urgency

3. Hover Over Links Before Clicking

4. Generic Greeting

5. Unexpected Attachment

10-SECOND CHECKLIST
☐  Is the sender's domain exactly right?
☐  Does it create urgency or threats?
☐  Does the link URL match the company?
☐  Does it use your real name?
☐  Were you expecting this email?
If any answer is suspicious — don't click. Go directly to the company's website by typing the address yourself.

What to Do If You're Not Sure


Sam Feldman
Sam Feldman
"A good banner has no fixed form and has no inherent meaning."
Austin, TX · https://sams.blog/weekly
RELATED READING
The complete security stack, in one setup
Signal vs WhatsApp: which messenger keeps chats private?

Frequently asked questions

What is the most important security tool to install first?+

A password manager, because credential stuffing is the cause of the majority of account compromises. Once every account has a unique password, the risk of one breach cascading to other accounts drops to near zero.

How do hackers actually get into people's accounts?+

Most account compromises don't involve sophisticated hacking. They rely on reused passwords from old breaches, phishing emails that collect credentials, or social engineering. Technical attacks like brute force are rare against well-configured accounts.

Is it worth paying for privacy tools?+

The core stack — password manager, antivirus, private browser — costs under $30/year combined (Brave is free; NordPass has a free tier; TotalAV starts at $19/year). That's cheaper than resolving a single identity theft incident, which averages hundreds of hours of victim time.

You’re About to Get the Exact Security Setup I Built for My Own Parents — the One That Actually Works

Most people have one layer of protection. They’re missing three.

  • The 3-layer setup I’d never skip — stripped to what matters.
  • Who’s really watching you — your browser, your provider, and the “free” tools selling your data. How to shut them out.
  • A 30-second leak check — most people’s passwords are already out there. See if yours are, and what to do.
  • Pull your info back, data brokers are selling your address and number right now. Here’s how to get removed.

20 minutes, start to finish — then it runs in the background. Enter your email and I’ll send it over.

Something went wrong — please try again.
You're in — check your inbox shortly.
100% confidential. Unsubscribe anytime.