Phishing is when someone sends a fake message — usually an email or SMS — pretending to be a bank, a delivery company, or a service you use, to trick you into handing over passwords, card details, or money. It’s the most common way ordinary people get scammed online, and it works because the messages look real. The good news: once you know the red flags, most phishing attempts are easy to spot. Here are seven.
The seven red flags
- Urgency and threats. “Your account will be blocked in 24 hours.” Scammers rush you so you act before you think. Real organisations rarely threaten instant closure by email.
- A slightly wrong sender address. The name looks right, but the actual email is something like [email protected]. Always check the real address, not just the display name.
- Links that don’t match. Hover over (or long-press) a link before tapping. If the text says your bank but the URL is a random domain, it’s fake.
- Requests for sensitive info. No legitimate bank asks for your full password, OTP, PIN, or card number by email or message. Ever.
- Generic greetings. “Dear Customer” instead of your name often signals a mass scam, though better fakes now use your name too.
- Odd spelling and formatting. Clumsy grammar, strange spacing, or a logo that looks slightly off are common tells.
- Unexpected attachments. A bill or “invoice” you didn’t expect can carry malware. Don’t open it.
The one habit that beats all of them
When in doubt, don’t click anything in the message. Go to the company yourself — type the website address directly or open their official app — and check there. If your “bank” says there’s a problem, log in the normal way and look. This single habit defeats almost every phishing attempt, because the scam relies on you using their link instead of your own.
If you’ve already clicked
- Don’t panic, act fast. If you entered a password, change it immediately — and anywhere else you reused it.
- Turn on two-factor authentication so a stolen password alone isn’t enough. Our guide to setting up 2FA in 10 minutes walks through it.
- If you shared card or bank details, contact your bank to block the card and watch for unauthorised transactions.
- Report it to the service being impersonated and, for financial fraud in India, the national cybercrime helpline.
FAQ
How do I know if an email is phishing?
Look for urgency or threats, a mismatched sender address, links that don’t go where they claim, and requests for passwords or OTPs. When unsure, ignore the message and check by going to the company’s site or app directly.
What should I do if I clicked a phishing link?
Change the affected password right away (and anywhere you reused it), enable two-factor authentication, and contact your bank if you shared financial details. Then report the scam.
Can phishing happen by text or WhatsApp?
Yes. The same tricks arrive by SMS (“smishing”), WhatsApp, and calls. The red flags and the “go to the source yourself” habit work for all of them.
Spotting scams is part of basic digital safety. For more plain-English security, start with our cornerstone tech words glossary, learn how to set up two-factor authentication, or browse more Tech guides.

