The email looks completely legit. Your bank’s logo is right there. The colors match. The email address looks official. It says there’s suspicious activity on your account and you need to verify your information immediately or your account will be locked.

You’re being phished.

Phishing is when a criminal impersonates a trusted organization — your bank, Amazon, the IRS, Microsoft, even your boss — to trick you into giving up your login credentials, your credit card number, or access to your computer. It’s the oldest trick in the digital playbook, and it’s only gotten more sophisticated. In 2025, Business Email Compromise phishing scams alone caused $2.77 billion in losses in the United States.

The reason phishing works is simple: it exploits human nature. Urgency, fear, authority — these are emotional levers that short-circuit rational thinking. When you’re worried your bank account is being locked, you stop thinking critically and start clicking.

Here’s how to slow down and spot the trick.

Red Flag #1: Urgency and Fear

“Your account will be suspended in 24 hours.” “Unusual activity has been detected. Verify now.” “Your package cannot be delivered. Confirm your address immediately.”

Legitimate organizations almost never send emails that demand immediate action under threat of consequences. This urgency is manufactured to get you to act before you think.

The rule: The more urgent an email feels, the more suspicious you should be.

Red Flag #2: The “From” Address Doesn’t Match

Look carefully at the actual email address the message came from — not just the display name. Criminals can make the display name say “Chase Bank” or “Amazon” while the actual address is something like support@chase-accounts-secure.net or amazon-billing@xyzabc.ru.

The rule: Hover over or tap the sender’s name to reveal the real email address. If the part after the @ doesn’t end in the company’s actual domain (chase.com, amazon.com), it’s not from them.

Before you click any link, hover your mouse over it (on a phone, press and hold). The actual web address will appear. If the email claims to be from your bank but the link points to banksecurelogin.xyz or chase.accounts.verify.net — those are fakes.

A real Chase email links to chase.com. Not chase-secure.com, not chase.verify-accounts.net. Just chase.com.
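The sender and link checks described above can be written down precisely. The following is an added example, not part of the original article: a short Python script that pulls the real address out of a "From" line, pulls the real hostname out of each link, and tests both against the company's domain on a dot boundary. The function names and the sample message are constructed for illustration, using the addresses the article mentions.

```python
# Added example: the "does it really end in the company's domain?" check.
from email.utils import parseaddr
from urllib.parse import urlsplit


def host_belongs_to(host: str, trusted_domain: str) -> bool:
    """True only if host is trusted_domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    trusted = trusted_domain.lower().rstrip(".")
    # Compare on a label boundary: "chase.com" and "www.chase.com" pass,
    # "chase-secure.com" and "chase.verify-accounts.net" do not.
    return host == trusted or host.endswith("." + trusted)


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address, ignoring the display name."""
    _display_name, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def link_host(url: str) -> str:
    """Return the hostname a link actually points to."""
    return (urlsplit(url).hostname or "").lower()


def check_message(from_header: str, links: list[str], trusted_domain: str) -> list[str]:
    """List the reasons a message fails the sender and link checks."""
    findings = []
    domain = sender_domain(from_header)
    if not host_belongs_to(domain, trusted_domain):
        findings.append(f"sender domain {domain!r} is not {trusted_domain}")
    for url in links:
        host = link_host(url)
        if not host_belongs_to(host, trusted_domain):
            findings.append(f"link host {host!r} is not {trusted_domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample message built from the addresses named in the article.
    fake_from = '"Chase Bank" <support@chase-accounts-secure.net>'
    fake_links = ["https://chase.verify-accounts.net/login", "https://chase-secure.com/verify"]
    for finding in check_message(fake_from, fake_links, "chase.com"):
        print("RED FLAG:", finding)
    print(check_message('"Chase" <alerts@chase.com>', ["https://www.chase.com/"], "chase.com"))
```

This check can only reject a message. A sender address that passes can still be forged, so an empty result is not proof the email is genuine.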

The new trick to watch for: Criminals are now embedding QR codes in phishing emails because traditional email filters don’t scan them. If an unsolicited email asks you to scan a QR code to “verify your account” — don’t.

Red Flag #4: Generic Greetings

“Dear Customer” or “Dear Account Holder” is a red flag. Your bank knows your name. Amazon knows your name. If they’re emailing you about your account, they’ll use it.

Red Flag #5: They’re Asking for Information You’d Never Email

No legitimate bank, government agency, or company will ask you to reply to an email with your password, Social Security Number, or credit card number. Ever. Full stop.

The Simple Rule: Go Around the Email

Here’s the single most reliable thing you can do: don’t click the link in the email. Instead, open a new browser tab and go directly to the company’s website by typing the address yourself (or using a bookmark). Log in from there.

If there’s really a problem with your account, you’ll see it when you log in normally. If there’s nothing there, the email was fake.

Bottom line: When an email triggers a sense of urgency or fear, treat that feeling as a warning sign, not a call to action. Slow down, look at the actual sender address, don’t click suspicious links, and when in doubt — go directly to the website yourself rather than trusting a link in an email.