How to spot phishing emails, texts, calls and fake websites — and what to do about them
At vali.now we analyse many emails every week, and the same patterns appear again and again in the attacks that try to bypass even the best filters. Knowing these 15 red flags makes the difference between a near-miss and a costly breach.
Here are the 15 most common warning signs we see in 2025 — grouped so they’re easy to remember and teach to your team.
Sender & Identity Red Flags
- The sender address doesn’t quite match
“Amazon Orders” coming from amazon-support@amaz0n-verification.net or a random Gmail address.
What to do: Hover over the name (don’t click) and check the real email address.
- Generic greetings instead of your name
“Dear Customer”, “Valued User”, “Account Holder” — real organisations that know you will use your name.
What to do: Treat it with extra caution and verify the sender through another channel.
- Executive or colleague impersonation (whaling)
Sudden urgent request from the CEO, CFO or a co-worker asking for payments, gift cards or data “in confidence”.
What to do: Always verify on a different channel (call, Slack/Teams, in person).
Pressure & Urgency Tricks
- You’re being rushed or threatened
“Your account expires in 1 hour”, “Legal action will be taken today” — legitimate companies rarely use scare tactics.
What to do: Pause and log in directly via the official website or app instead of clicking.
- Unexpected invoices or sudden payment-detail changes
A supplier or colleague suddenly wants money sent to a new bank account.
What to do: Pick up the phone and call a known number before acting.
- Requests for passwords, MFA codes or credit-card details
No real bank, HR or IT team will ever ask you to reply with a password or “confirm” a one-time code.
What to do: Never share the information and forward the message to your security team.
Link & Attachment Warnings
- Links that don’t go where they claim
Blue text says microsoft.com but the actual URL is micros0ft-security.net or a string of random numbers.
What to do: Hover (or long-press on mobile) before clicking. If in doubt, type the address manually.
- Unexpected attachments or unusual file types
.zip, .iso, .js, .scr, .htm, or Office files that beg you to “enable macros”.
What to do: Don’t open – ask for a safe PDF via a trusted channel instead.
- QR codes in emails or PDFs (“quishing”)
Scan this code to “view your parcel / invoice / tax refund”.
What to do: Never scan unsolicited QR codes — type the address manually.
- HTTPS padlock is there… but the domain is wrong
A green lock no longer means safe. Only trust the actual domain name.
What to do: Check the domain carefully and only proceed if it exactly matches the official site.
Design & Language Giveaways
- Slightly “off” design and branding
Wrong colours, low-resolution logos, strange fonts or a footer that doesn’t match previous emails.
What to do: Compare with a genuine message you received before.
- Grammar, spelling or awkward phrasing
AI has reduced this, but many campaigns (especially from non-native speakers) still contain odd sentences.
What to do: Use it as one more reason to slow down and verify.
Voice, Video & Multi-Channel Attacks
- Unexpected phone calls (vishing)
“Microsoft Support”, “your bank” or even “internal IT” calling out of the blue asking for remote access or codes.
What to do: Hang up and call back on an official number.
- Deepfake voice or video calls
An unscheduled Teams/Zoom call where “the boss” urgently needs approval or code.
What to do: Verify every unusual request on a second channel.
- MFA fatigue / push-bombing
You suddenly receive 10–20 login approval requests even though you’re not logging in anywhere.
What to do: Always press “Deny”, then change your password from a trusted device.
Your 3-Step Reflex That Stops Almost Every Attack
- Pause – Does anything feel slightly strange?
- Verify – Use a second, independent channel (phone call, official app, known colleague).
- Report – Forward the message to your IT/security team (or to report@vali.now if you’re our customer).
One second of healthy suspicion beats weeks of clean-up.
Stay vigilant, stay safe!
If in Doubt: vali.now
Your best defense is healthy skepticism. If something seems just a little off or a bit too good to be true – it probably is. Your best option is to forward the details to help@vali.now. Our cybersecurity professionals have been recognizing and fighting off such attacks for decades. Your first case (up to one hour of research) on our side is free, with affordable rates after that. You’ve got nothing to lose and you might just prevent catastrophic losses by reaching out.
