
Just last week, a friend of mine opened an email from his “bank,” clicked a link – and within minutes his login credentials were in someone else’s hands. He’s not a gullible person. He’s an IT consultant. The emails are just getting that good. It’s high time we take a close look at how to reliably spot trojans and phishing attempts – and what to do if you fall for one anyway.
Why this matters more than ever right now
Email is still the number-one attack vector for cybercriminals. According to the FBI’s Internet Crime Complaint Center (IC3), phishing was the most reported cybercrime in the United States in 2024 – and the volume keeps climbing year after year. On top of that, the quality of attacks has changed dramatically: where we used to see broken English and obvious fakes, AI-powered text generation now produces messages that are virtually indistinguishable from the real thing.
This affects all of us – whether we plow through hundreds of work emails a day or only check our inbox once in a while.
Spotting phishing emails: the key warning signs
Phishing emails want you to hand over personal information – passwords, credit card numbers, login credentials. They disguise themselves as messages from banks, shipping carriers, online retailers or even coworkers. Here’s how to unmask them:
Scrutinize the sender address
The display name in your email client means almost nothing – what matters is the actual sender address. Hover over the sender name or click “Details.” An email from “Chase Bank” with the address
Generic or odd greetings
“Dear Customer” or “Dear User” instead of your name? That’s a red flag. Legitimate companies where you have an account will typically address you by name. That said, thanks to data breaches, criminals increasingly do have real names – so a personalized greeting alone isn’t a green light.
Artificial urgency
“Your account will be locked in 24 hours!” – “Final notice before collections!” – “Verify your identity immediately!” When an email creates intense pressure and pushes you to act right now, proceed with extreme caution. Legitimate companies rarely send you ultimatums by email.
Check links before clicking
Before you click any link: hover over it (without clicking!) and look at the status bar of your browser or email client to see where the link actually goes. Is it a cryptic URL or a domain that has nothing to do with the supposed sender? Don’t touch it. When in doubt, open the company’s website manually in your browser instead of using the link in the email.
Errors in the text and layout
Even though AI-generated phishing emails keep getting better, watch for subtle mistakes. Odd line breaks, a logo in the wrong resolution, inconsistent formatting, slightly off phrasing – all of these can point to a fake. But be careful: the absence of such errors doesn’t automatically mean the email is legitimate.
Dangerous attachments: these file formats should set off every alarm bell
Besides phishing links, email attachments are the second major attack vector. One carelessly opened attachment can unleash trojans, ransomware or spyware on your computer. Certain file formats are especially risky:
- .exe, .com, .bat, .cmd, .scr, .pif – Executable files. No legitimate company sends programs via email. If you see a file like this as an attachment: don’t open it, don’t save it, delete it immediately.
- .zip, .rar, .7z – Compressed archives aren’t inherently dangerous, but they’re commonly used to hide malicious files. Especially sneaky: password-protected ZIP files where the password is included in the email text. This method is specifically designed to bypass your email provider’s virus scanner.
- .docm, .xlsm, .pptm – Office documents with macros. The “m” at the end signals that embedded code is included. This code can run automatically when you open the file and download malware. Standard documents in .docx, .xlsx or .pptx format are significantly safer because they cannot contain macros.
- .js, .vbs, .wsf, .ps1 – Script files that Windows can execute directly. They have no business being in an email.
- .iso, .img – Disk images that newer versions of Windows mount with a double-click. Attackers are increasingly using this format because some virus scanners don’t inspect it as thoroughly.
- .html, .htm – HTML attachments can contain local phishing pages that capture your login credentials without the attack running through an external website. That makes it much harder to detect.
Golden rule: If you aren’t expecting an attachment, don’t open it – no matter how trustworthy the sender appears. When in doubt, verify with the sender through a separate communication channel (phone call, separate email) – not by replying to the suspicious message.
Trojans: the invisible threat
Trojans disguise themselves as useful programs or documents but carry out malicious actions in the background. Unlike viruses, they don’t spread on their own – they need your active help, usually in the form of a double-click on an attachment or a download.
Common disguises in emails:
- Fake invoices: “Please find attached your invoice #2026-04881” – with a .pdf.exe in the attachment. Windows hides known file extensions by default, so all you see is “Invoice.pdf.” Make sure to turn on file extension display in Windows Folder Options!
- Job applications: A classic, especially for HR departments. A supposed résumé as a Word document with macros.
- Package notifications: “Your package could not be delivered – please verify your shipping address.” If you’re actually waiting for a delivery, it’s easy to click without thinking.
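The three checks described above (the real sender address behind the display name, link text that names a different domain than the link actually points to, and risky or double file extensions such as “Invoice.pdf.exe”) can be automated. The script below is an added example written for this article, not code from the author; it builds a constructed phishing-style message with placeholder domains (examplebank.com, examplebank-security.example, login-portal.example) and runs the checks over it. The domain reduction is a deliberately crude “last two labels” rule; real tooling would use the Public Suffix List.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Extensions from the article's list, grouped by why they are risky.
RISKY_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "scr", "pif",   # executables
    "zip", "rar", "7z",                          # archives used to hide payloads
    "docm", "xlsm", "pptm",                      # Office documents with macros
    "js", "vbs", "wsf", "ps1",                   # scripts Windows runs directly
    "iso", "img",                                # disk images mounted on double-click
    "html", "htm",                               # local phishing pages
}
# Harmless-looking extensions used as decoys in names like "Invoice.pdf.exe" (assumed list).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registered_domain(host):
    """Crude reduction to the last two labels (www.examplebank.com -> examplebank.com).
    Use the Public Suffix List in real tooling so that e.g. bank.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header):
    """Separate display name from real address; flag a display name that names
    a domain other than the one the mail actually comes from."""
    display, address = parseaddr(str(from_header))
    actual = registered_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    claimed = [registered_domain(m.group(1)) for m in DOMAIN_RE.finditer(display)]
    return {"display": display, "address": address, "domain": actual,
            "display_claims_other_domain": any(c != actual for c in claimed)}


def mismatched_links(html_body):
    """Return (visible text, real target) pairs where the visible link text shows a
    domain different from the href host. A plain 'Click here' link carries no domain
    to compare, which is why hovering to read the status bar remains necessary."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html_body):
        text = TAG_RE.sub("", inner).strip()
        target_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(target_host):
            findings.append((text, href))
    return findings


def attachment_risk(filename):
    """Return a reason string for a risky attachment name, or None if it looks benign."""
    labels = filename.lower().split(".")
    if len(labels) < 2 or labels[-1] not in RISKY_EXTENSIONS:
        return None
    ext = labels[-1]
    if len(labels) >= 3 and labels[-2] in DECOY_EXTENSIONS:
        # With "Hide extensions for known file types" on, Explorer shows only the decoy name.
        shown_as = filename.rsplit(".", 1)[0]
        return f"double extension: displayed as '{shown_as}' when extensions are hidden, really .{ext}"
    return f"risky extension .{ext}"


def triage(raw_message):
    """Run all three checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    sender = check_sender(msg.get("From", ""))
    if sender["display_claims_other_domain"]:
        findings.append(f"display name '{sender['display']}' hides real sender {sender['address']}")
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.get_content_disposition() != "attachment":
            for text, href in mismatched_links(part.get_content()):
                findings.append(f"link shows '{text}' but goes to {href}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = attachment_risk(name)
        if reason:
            findings.append(f"attachment '{name}': {reason}")
    return findings


def build_sample():
    """Constructed phishing-style message; every domain here is a placeholder."""
    m = EmailMessage()
    m["From"] = '"service@examplebank.com" <alerts@examplebank-security.example>'
    m["To"] = "recipient@example.org"
    m["Subject"] = "Action required: verify your account within 24 hours"
    m.set_content('<p>Dear Customer,</p><p>Please <a href="http://examplebank.login-portal.example/verify">'
                  "https://www.examplebank.com/verify</a> to keep your account active.</p>", subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Invoice.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("WARNING:", finding)
```

Run as a script it prints one warning per finding for the constructed sample: the display name claims examplebank.com while the mail comes from examplebank-security.example, the link text names examplebank.com but leads to login-portal.example, and the attachment is an executable hiding behind a .pdf decoy. Nothing in the sample is opened or executed; the script only reads headers, link markup and file names, which is exactly the information the article tells you to inspect by hand.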
A personal tip that’s worked well in our household with two kids: I turned on file extension display on every family computer and explained to my children what to watch for. It takes five minutes and dramatically improves security.
Responding the right way: what to do when you get a suspicious email
Step 1: Don’t click, don’t open. Sounds simple, but it’s the most important step. As long as you don’t click a link or open an attachment, the email generally can’t do any harm.
Step 2: Check the sender and content. Use the criteria described above. Verify the real sender address and the destination URLs of any links.
Step 3: When in doubt, contact the sender directly. Call your bank (use the number from their real website, not the one in the email!), ask your coworker in person – confirm through an independent channel whether the message is genuine.
Step 4: Report and delete. Many email providers have a “Report phishing” feature. Use it. At work, notify your IT department. Then delete the email.
Step 5: If you did click. Don’t panic, but act fast. Change the passwords of any affected accounts immediately – from a different device if possible. Run a full virus scan. If you entered banking information, contact your bank right away. Document the incident: screenshots of the email, the URL and the timestamp will help if you need to file a report.
An ounce of prevention is worth a pound of cure
A few basic measures make life significantly harder for attackers:
- Keep your operating system and software up to date. Security updates patch known vulnerabilities that trojans exploit.
- Show file extensions. In Windows, go to Folder Options → View and uncheck “Hide extensions for known file types.”
- Enable two-factor authentication. Even if your password falls into the wrong hands, the second factor prevents unauthorized access.
- Keep macros disabled by default in Office documents. Only enable macros when you are absolutely certain the document is trustworthy.
- Back up regularly. If ransomware strikes, current backups are your lifeline.
- Use common sense. The best technical safeguards in the world won’t help if we ignore every warning sign when we’re stressed or in a rush. Take those three seconds before you click.
The bottom line: awareness is the best antivirus
No antivirus software on Earth catches every threat. The last line of defense is always you. The good news: with a little knowledge and a healthy dose of skepticism, you can spot the vast majority of attacks before they do any damage. Check the sender, be suspicious of urgency, don’t open unexpected attachments – and talk to your family and coworkers about these topics. Because security isn’t a state – it’s a habit.
Stay alert – and stay safe.