
How to Spot and Stop Phishing Emails & Fake Websites
Phishing is the #1 way hackers steal logins, money, and business data. Let’s fix that.
Phishing attacks are sneaky, fast, and everywhere. Here’s how to spot red flags, confirm what’s legit, and protect both your personal data and business systems before scammers strike.
⚠️ What is Phishing?
Phishing happens when scammers pretend to be someone you trust — a bank, coworker, or delivery company — to trick you into giving up sensitive info like passwords, payment details, or personal data. It often comes through emails or fake websites designed to look real.
🎯 Common Types of Phishing
- Email phishing — fake emails asking you to click links, open attachments, or “verify” info.
- Website phishing — clones of real login pages or payment portals to steal credentials.
- Smishing — text message phishing.
- Vishing — phone call scams pretending to be tech support or bank security.
- Spear phishing — highly targeted scams aimed at one person or business.
🚩 Red Flags to Watch For
- Sender looks off. Display name looks right, but email address is weird or misspelled.
- Link mismatch. Hover over links — if the address doesn’t match, don’t click.
- Urgency. Anything saying “Act now or else” is a red flag.
- Generic greeting. “Dear Customer” = spam cannon.
- Bad grammar. Scammers rarely use Grammarly.
- Strange attachments. Don’t open .zip or .exe files, and don’t click “Enable Macros.”
- No SSL padlock. Secure sites show https://, but remember — a padlock alone doesn’t mean safe.
- Lookalike domains. “secure-paypa1.com” is not PayPal. Check every letter.
📧 Real-World Examples
Example 1 — Fake bank email:
“URGENT: Your account will be closed. Click here to verify.”
Link preview: http://verify-bank-login.example.com
Red flags: urgency, mismatched link, generic greeting.
Example 2 — Payroll spoof:
“Please confirm your W-2 for payroll.”
Red flags: unexpected request, strange sender domain, attachment prompt.
🔍 How to Verify a Suspicious Message
- Don’t click anything. Treat it as suspicious until proven otherwise.
- Check the full sender email — not just the display name.
- Hover links (desktop) or long-press (mobile) to preview URLs.
- Open the company’s site directly in a new tab, not through the email.
- Check SPF/DKIM headers if you’re tech-savvy — or forward to IT.
- Confirm SSL certificate info on any login or payment page.
🧯 If You Already Clicked or Shared Info
- Change your passwords immediately.
- Enable MFA (multi-factor authentication).
- Notify your bank or card issuer if payment info was exposed.
- Run a full malware scan with your antivirus or EDR.
- Report the phishing email to your provider and the spoofed company.
- Save evidence for IT or authorities if necessary.
🏢 How Small Businesses Can Fight Back
- Use business-grade email filtering with anti-spoofing protection.
- Set up SPF, DKIM, and DMARC for your domain.
- Require MFA for all employee accounts.
- Perform regular backups and restore tests.
- Train employees monthly with short phishing tests.
- Apply least-privilege access — no unnecessary admin rights.
✅ Quick Action Checklist
💬 Common Questions
Is the padlock icon a guarantee the site is safe?
No. HTTPS only means traffic is encrypted, not that the site owner is legit. Always confirm the actual domain.
Could my coworker be hacked?
Absolutely. A compromised account can send real-looking phishing messages. Verify by calling or starting a fresh email thread — never reply to the suspicious one.
How can I check email headers?
In Gmail or Outlook, use “View message source” or “Message details.” Look for SPF/DKIM results and sending server info. If unsure, send it to your IT partner.
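Here is what that header check looks like in code. This is an added example, not a SpeakGeek tool: it reads the SPF/DKIM/DMARC results and the sending server out of a raw message. The sample message, its domains, and the function names are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for illustration; every name, domain and IP is a placeholder.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=fail header.d=example.com;
 dmarc=fail header.from=example.com
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
 by mx.example.org; Mon, 1 Jan 2024 10:00:00 +0000
From: "Example Bank Security" <alerts@example.com>
To: user@example.org
Subject: URGENT: Your account will be closed

Click here to verify.
"""

def domain_of(value):
    """Lowercased domain of the address in a header value, or '' if none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_headers(raw):
    msg = message_from_string(raw)
    # Trust only the Authentication-Results header your own provider added;
    # headers further down can be written by the sender.
    auth = msg.get("Authentication-Results", "")
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        hit = re.search(rf"\b{method}=(\w+)", auth, re.I)
        verdicts[method] = hit.group(1).lower() if hit else "missing"
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    flags = [f"{m}={v}" for m, v in verdicts.items() if v != "pass"]
    # A differing envelope domain is common for legitimate bulk mailers, so
    # treat it as a prompt to look closer, not as proof of spoofing.
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path {rp_dom} != From {from_dom}")
    # The last Received header is the earliest hop recorded.
    hops = msg.get_all("Received") or []
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", hops[-1]) if hops else None
    return {"verdicts": verdicts, "from_domain": from_dom,
            "return_path_domain": rp_dom,
            "sending_ip": ip.group(1) if ip else None, "flags": flags}

if __name__ == "__main__":
    print(check_headers(RAW))
```

Paste the text from your mail client's raw message view in place of RAW to run the same check on a real message.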

Need help? SpeakGeek can secure your inbox and your business.
If you want a no-nonsense plan to stop phishing attacks before they happen, we’ll handle your email filtering, DMARC setup, MFA deployment, and training.
SpeakGeek PCs • Las Vegas • Henderson • Mesquite • Pahrump
Protecting your data, one click at a time.