Chykalophia Docs

How to recognize phishing attempts

Learn to spot fake emails, texts, and websites before you click — practical warning signs explained in plain English.

Tags: security, phishing, beginner

Phishing is when someone sends a fake message designed to look like it's from a trusted source — a bank, Google, your web host, or even your own team member. The goal is to trick you into handing over a password, clicking a malicious link, or sending money.

It is one of the most common ways business accounts get compromised, and it works even on careful people.

Quick summary

Phishing messages create urgency ("Your account will be closed!"), impersonate trusted brands, and ask you to click a link or take immediate action. Before you click anything, check who actually sent the email, hover over links to see where they go, and when in doubt, go directly to the website rather than clicking the link in the email.

The warning signs of a phishing message

Train yourself to look for these patterns:

1. Urgency and panic

Phishing messages almost always create a sense of emergency:

  • "Your account has been suspended — act now"
  • "Unauthorized access detected — verify immediately"
  • "Your payment failed — update your billing in the next 24 hours"

Real companies do occasionally send urgent messages, but a legitimate company will still give you time to check calmly, through its own website or app, before anything happens to your account.

2. The sender's address doesn't match

The display name can say anything — "Google Security Team" — but the actual email address reveals the truth. Check the full email address, not just the name:

  • Legitimate: no-reply@accounts.google.com
  • Phishing: security@google-alerts.net or googlesecurity@mail347.com

Look carefully: phishers sometimes use subtle misspellings like g00gle.com or paypa1.com. An address that looks right is not proof on its own either: the From field can be forged, so treat a matching address as one check among several, not a final answer.

3. Links that don't go where they say

Before clicking any link in an email, hover your mouse over it (on desktop) to see where it actually goes. On a phone, press and hold the link to preview the URL.

Ask: does the link destination match the company it claims to be from? Read the address from the right, stopping at the first slash: in bankofamerica.securelogin.xyz the site you would actually land on is securelogin.xyz, and "bankofamerica" is just a subdomain the attacker added in front of it. A link claiming to go to your bank but pointing there is fake.
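The two checks above (the real domain behind the sender's address, and the real destination behind a link) can be automated for a whole mailbox. The Python script below is an added example; it is not part of the original page or of any Chykalophia tool. The brand allow-list, the lookalike rules, and the sample HTML message are constructed for illustration, and the domain splitting uses the simplified "last two labels" rule rather than a Public Suffix List lookup.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Allow-list of domains each brand really sends from. Constructed for this
# example; in practice take it from the company's own documentation.
KNOWN_DOMAINS = {
    "google": {"google.com", "accounts.google.com"},
    "bank of america": {"bankofamerica.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host: str) -> str:
    """The part of a hostname someone had to register: the last two labels.

    Simplified on purpose; real tools use the Public Suffix List so that
    names such as example.co.uk come out right.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_known_domain(host: str, brand: str) -> bool:
    """True if host is one of the brand's own domains or a subdomain of one."""
    host = host.lower()
    return any(host == k or host.endswith("." + k)
               for k in KNOWN_DOMAINS.get(brand.lower(), ()))


def looks_like(host: str, real_domain: str) -> bool:
    """Catch cheap lookalikes: 0 for o, 1 for l, rn for m and similar swaps."""
    norm = host.lower()
    for fake, real in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
                       ("rn", "m"), ("vv", "w")):
        norm = norm.replace(fake, real)
    return norm != host.lower() and registrable_domain(norm) == real_domain


def classify_host(host: str, brand: str) -> str:
    """Verdict for a hostname that claims to belong to brand."""
    host = (host or "").lower()
    if not host:
        return "mismatch"
    if is_known_domain(host, brand):
        return "ok"
    known = KNOWN_DOMAINS.get(brand.lower(), ())
    if any(looks_like(host, registrable_domain(k)) for k in known):
        return "lookalike"
    compact = brand.lower().replace(" ", "")
    real = registrable_domain(host)
    if compact in host and compact not in real:
        # e.g. bankofamerica.securelogin.xyz: the brand is only a subdomain
        return "mismatch (brand name is only a subdomain; the real site is %s)" % real
    return "mismatch"


def check_sender(from_header: str, brand: str) -> str:
    """Ignore the display name and judge the domain of the real address."""
    _name, addr = parseaddr(from_header)
    return classify_host(addr.rsplit("@", 1)[-1] if "@" in addr else "", brand)


ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def check_links(html: str, brand: str) -> list:
    """For each <a> in an HTML email, judge the real destination and flag
    link text that shows one domain while the href goes to another."""
    findings = []
    for href, text in ANCHOR.findall(html):
        host = urlparse(href).hostname or ""
        verdict = classify_host(host, brand)
        shown = HOST_LIKE.match(text.strip())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            verdict += " [text shows %s, link goes to %s]" % (shown.group(1).lower(), host)
        findings.append((href, verdict))
    return findings


# Constructed phishing body in the style of the examples above.
SAMPLE_HTML = """
<p>Dear Customer, your account has been suspended. Verify within 24 hours.</p>
<a href="https://bankofamerica.securelogin.xyz/verify">https://www.bankofamerica.com/login</a>
<a href="https://www.bankofamerica.com/help">Help center</a>
"""

if __name__ == "__main__":
    for hdr in ("Google Security Team <no-reply@accounts.google.com>",
                "Google Security Team <security@google-alerts.net>",
                "Google <alerts@g00gle.com>"):
        print(hdr, "->", check_sender(hdr, "google"))
    print("PayPal <service@paypa1.com> ->", check_sender("PayPal <service@paypa1.com>", "paypal"))
    for href, verdict in check_links(SAMPLE_HTML, "bank of america"):
        print(href, "->", verdict)
```

Run it as-is to see the verdicts for the example addresses and links. The instructive line is the first link in the sample, where the visible text says bankofamerica.com but the href goes to securelogin.xyz; the second link is a genuine subdomain of the brand and passes.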

4. Requests for credentials or sensitive information

Legitimate companies will almost never ask you to:

  • Enter your password or 2FA code via a link in an email
  • Confirm your full credit card number by email
  • Download an attachment to "verify your account"

If you receive a request like this, go directly to the company's website by typing the address yourself — don't click the link.

5. Generic greetings

Phishing emails often start with "Dear Customer," "Dear User," or "Hello Account Holder," because the same message was sent to thousands of addresses and the attacker doesn't know your name.

Legitimate services you have an account with usually use your real name. The reverse is not a guarantee, though: names are easy to find, and targeted (spear-phishing) messages will use yours.

6. Poor grammar and unusual phrasing

Many phishing messages contain awkward phrasing, unusual capitalization, or grammatical errors. This is not universal: well-crafted phishing can look very polished, so good writing proves nothing. Bad writing from a company that normally writes well, however, is always a red flag.

A quick decision process

When an email asks you to take action, pause and run through this:

  1. Check the sender's actual email address. Does it match the company's real domain? Hover over or tap the sender's name to see the full address.
  2. Hover over any links. Does the URL destination look like the company's real website?
  3. Did you expect this message? An invoice from a supplier you've never heard of, a password reset you didn't request, a shipping notification for something you didn't order: these are red flags.
  4. Is it creating pressure to act fast? Slow down. Urgency is a manipulation tactic.
  5. When in doubt, go directly to the website. Type the company's URL into your browser. Don't click the link in the email. Log in and check whether there is actually a problem.
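Step 1 of the process above has a more reliable form than eyeballing the address. Even a From address that reads exactly right can be forged, so your mail provider records what its SPF, DKIM and DMARC checks found in an Authentication-Results header (visible through "Show original" or a similar option in most mail apps). The Python script below is an added example, not part of the original page or any Chykalophia tool. The three raw messages and the receiving server name mx.example.com are constructed for illustration, and the DKIM alignment rule is simplified to the strict case (signing domain identical to the From domain).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages. The Authentication-Results header is what the
# receiving mail server (assumed here to be mx.example.com) writes after
# checking SPF, DKIM and DMARC; the sender cannot forge it on your own server.
PHISH = """\
From: "Google Security Team" <no-reply@accounts.google.com>
To: you@example.com
Subject: Unauthorized access detected - verify immediately
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bounce@mail347.com; dkim=none; dmarc=fail header.from=accounts.google.com

Your account will be closed in 24 hours unless you verify now.
"""

LEGIT = """\
From: Google <no-reply@accounts.google.com>
To: you@example.com
Subject: Security alert
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=accounts.google.com; dkim=pass header.d=accounts.google.com; dmarc=pass header.from=accounts.google.com

A new sign-in from Chrome on Windows.
"""

DKIM_ONLY = """\
From: Google <no-reply@accounts.google.com>
To: you@example.com
Subject: Security alert
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=accounts.google.com; dkim=pass header.d=accounts.google.com

A new sign-in from Chrome on Windows.
"""


def auth_results(raw: str) -> dict:
    """Return the spf/dkim/dmarc outcomes, the DKIM signing domain (header.d)
    and the domain shown in the From: line of a raw message."""
    msg = message_from_string(raw)
    header = msg.get("Authentication-Results", "")
    results = {}
    # Parts are separated by ';'. The first part names the server that did
    # the checking, so skip it.
    for part in header.split(";")[1:]:
        part = part.strip()
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", part)
        if m:
            results[m.group(1)] = m.group(2).lower()
        d = re.search(r"header\.d=([\w.-]+)", part)
        if d:
            results["dkim_domain"] = d.group(1).lower()
    addr = parseaddr(msg.get("From", ""))[1]
    results["from_domain"] = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return results


def sender_verdict(raw: str) -> str:
    """Decide whether the From: domain was actually verified.

    dmarc=pass means the provider confirmed that the From: domain aligns with
    a passing SPF or DKIM result. Without a DMARC line, a DKIM pass only
    counts when the signing domain (header.d) is the From: domain itself
    (strict alignment; relaxed alignment also accepts the parent domain).
    """
    r = auth_results(raw)
    if not r.get("from_domain"):
        return "NOT authenticated (no From: address)"
    if r.get("dmarc") == "pass":
        return "authenticated as " + r["from_domain"]
    if r.get("dkim") == "pass" and r.get("dkim_domain") == r["from_domain"]:
        return "authenticated as " + r["from_domain"]
    return "NOT authenticated: From: claims %s (spf=%s, dkim=%s, dmarc=%s)" % (
        r["from_domain"], r.get("spf", "none"), r.get("dkim", "none"), r.get("dmarc", "none"))


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT), ("dkim only", DKIM_ONLY)):
        print(label, "->", sender_verdict(raw))
```

Note that a failing DMARC result does not always keep a message out of your inbox: if the impersonated domain publishes a DMARC policy of p=none, the provider records the failure but delivers the mail anyway, which is exactly the case this check catches.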

What to do if you clicked something

Don't panic — but act quickly.

  1. Don't enter any credentials on the page you landed on.
  2. Close the tab immediately.
  3. If you already entered your password, change it right now on the real website, and on any other account where you reused the same password.
  4. If you also entered a 2FA code, assume the attacker used it straight away and is already logged in. Changing the password is not enough on its own: sign out of all other sessions from the account's security settings, and check that no new recovery email or phone number, mail forwarding rule, app password, or connected app has been added.
  5. Run a malware scan if you downloaded anything. See Malware & your website explained.
  6. Report it: use your mail app's "Report phishing" option, or forward the message as an attachment (so its headers are preserved) to your email provider's abuse address and to the company being impersonated.

Tell your team

If a phishing email got through to you, it likely got through to your whole team. Let them know as soon as possible so nobody else clicks it.


Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.

