How to Spot and Avoid Phishing Scams in 2026

The misspelled Nigerian-prince email is dead. Modern phishing is fluently written (AI handles that now), correctly branded, and arrives looking exactly like the message your bank, boss or delivery service would send. What hasn’t changed is the underlying mechanic — and that’s the part you can reliably detect.

The one pattern under every scam

Every phishing attack, regardless of polish, combines urgency + an action involving credentials or money. “Your account will be suspended — verify now.” “Your package is held — pay the customs fee.” “This is the CEO — wire this today, quietly.” The emotional spike is the tell; legitimate organizations almost never need you to act in the next ten minutes, and they never mind you taking a slower, independent route to respond.

The golden rule: never travel the link you were sent

This single habit defeats nearly all phishing: when a message asks you to log in, pay, or verify — don’t click; navigate independently. Open the bank’s app, type the company’s address yourself, or call the number on the back of your card. If the alert is real, it’ll be visible from inside your account. If it isn’t, you just sidestepped the entire attack without needing to analyze anything.

What to check when you do inspect

The sender’s actual address, not the display name (tap/hover to expand it — “Apple Support” sending from a random domain ends the analysis). The link’s real destination (long-press on mobile, hover on desktop) — scammers rely on lookalike domains and URL shorteners. Generic greetings on supposedly personal account matters. And any request to move money, buy gift cards, install software, or share codes — each of those is a fire alarm on its own.
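The sender and link checks above can also be run mechanically on a saved message. This is an added example, not part of the original guide; the brand-to-domain map, the shortener list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRANDS = {"apple": "apple.com", "paypal": "paypal.com"}  # assumed brand -> real domain
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}           # assumed shortener list

class LinkCollector(HTMLParser):  # collects (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_matches(host, domain):  # exact host or a true subdomain, not a lookalike
    return host == domain or host.endswith("." + domain)

def inspect(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    sender_host = addr.rpartition("@")[2].lower()
    findings = []
    for brand, domain in BRANDS.items():  # display name vs. actual address
        if brand in display.lower() and not host_matches(sender_host, domain):
            findings.append(f"display name claims {brand} but sender is {sender_host}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for text, href in parser.links:  # visible text vs. real destination
        dest = (urlparse(href).hostname or "").lower()
        if dest in SHORTENERS:
            findings.append(f"shortened link hides destination: {dest}")
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
        if shown and not host_matches(dest, shown.group(1)):
            findings.append(f"link text shows {shown.group(1)} but goes to {dest}")
    return findings

SAMPLE = (  # constructed message, not real traffic
    'From: "Apple Support" <alerts@account-verify.example>\nContent-Type: text/html\n\n'
    '<a href="https://appleid.apple.com.login-check.example/verify">https://appleid.apple.com</a>'
    '<a href="https://bit.ly/EXAMPLE">Track your package</a>')
if __name__ == "__main__": print("\n".join(inspect(SAMPLE)))
```

The subdomain test in `host_matches` is what catches the lookalike: a real brand name placed at the front of an attacker-controlled domain does not end in the brand's domain.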

The newer variants worth knowing

Smishing (texts about deliveries, tolls, banks) — same rules, and your postal service does not collect fees via text link. Quishing — QR codes in emails and on parking meters leading to fake payment pages; treat QR codes like links from strangers. Voice cloning — calls that sound like family in trouble asking for money; agree on a family code word, and verify by calling them back on their real number. MFA fatigue — repeated push notifications hoping you’ll approve one to make them stop; never approve a login prompt you didn’t initiate, and change the password immediately if they keep coming.

One more: the “verification code” scam

Nobody legitimate will ever ask you to read them a code that was texted to you. Not your bank, not Microsoft, not the marketplace buyer. That code is the key to your account — anyone requesting it is stealing it, in real time, with you as the accomplice.

If you already clicked

Acted on a phishing link? Move fast and skip the shame: change the affected password immediately (and anywhere it’s reused — then fix the reuse with a password manager), enable two-factor if it wasn’t on, watch the account’s activity, and if money or card numbers are involved, call the bank now — early reports recover funds surprisingly often. Phishing works on intelligent people via timing and emotion; the defense isn’t being smarter than the scam, it’s having habits the scam can’t route around.
