Introduction

Inspecting email

Phishing almost always follows the same pattern. Once you know the patterns and have a fixed routine, you can spot most attempts in a few seconds. In this module we first lay out the patterns and the routine, then you practise with real examples, including one that is actually genuine.

What you will learn in this module
  • The fixed patterns that give phishing away
  • A simple routine: reflect, verify the sender, verify the destination
  • Practise with real examples, including a genuine email

The patterns

The patterns: what every phishing attempt boils down to

Almost every phishing message combines one of these asks with one or more pressure tactics. When you see this pattern, switch into check mode.

The attacker always wants one of two things:

  • “Give me something”: a password, a code, personal data, or a payment.
  • “Click on something”: a link or an attachment.

And to push you to act quickly, they add pressure:

  • Urgency: “within 24 hours”, “your account will be blocked”.
  • Too good to be true: you have won something, a refund is waiting.
  • Unexpected: you were not expecting this message.
  • Emotion: fear, curiosity, or appeals to authority (“the director is asking…”).
Rule of thumb

If something sounds too good to be true, it usually is. And a real company or a real bank will never put you under time pressure to confirm your details via a link.

The routine

The routine: reflect and verify

Against those patterns, you have one simple habit. Do it in this order, every time.

  1. Reflect. Pause for a moment. Was I expecting this message? Does the story add up? Do I feel pressure to act quickly? Pressure is itself a signal.
  2. Verify the sender (the origin). Do not look at the display name, look at the real email domain. “HSBC” tells you nothing; @hsbc.co.uk or @hsbc-secure.net tells you everything.
  3. Verify the destination (the target). Do not click straight away. Hover over the link or button, or tap and hold on mobile, and read where it really goes.
When in doubt: never use the buttons in the message

Go to the official website yourself (type the address or use your bookmark) or call a number you look up yourself. That sidesteps the trap entirely.

The weak spot

The lookalike domain: the trick you have to know

The most important phishing trick is a domain that looks almost right. The display name lies, the domain tells the truth.

Real: service@hsbc.co.uk      Fake: service@hsbc-secure.net
Real: noreply@argos.co.uk     Fake: noreply@argos-payment.com
Real: info@fedex.com          Fake: info@fedex-delivery.com

Look at the part right after the @ in an address, or, in a link, at the host name between https:// and the next forward slash. That is where the real domain sits, and it is read from the right: in hsbc.co.uk.secure-login.net the registered domain is secure-login.net, and hsbc.co.uk is just a subdomain the scammer created. The question is not whether the display name looks right, but whether that real domain is the official domain of who the sender claims to be. A scammer can freely choose both the display name and a lookalike domain.

One company, multiple real domains

Some companies use several official domains, for example dhl.com, dhl.co.uk, and dhlexpress.co.uk. A different domain is therefore not automatically fake. In doubt? Look up the official domain via the real website or a search engine, and never use the link from the message.

Look carefully: some letters look alike

Scammers play with letters that look similar: the combination “rn” looks like an “m”, a capital “I” looks like a lowercase “l”, and a zero “0” looks like the letter “o”. That turns microsoft.com into rnicrosoft.com, which at a glance reads as the real thing. So read a suspicious domain letter by letter.
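The sender and destination checks above, written out as code so the routine can be applied mechanically to a message. This is an added example, not code from the training page: the allowlist of official domains is the set of domains named on this page, the suffix table is a constructed stand-in for the Public Suffix List, and the sample messages are constructed (the page does not reveal the real addresses behind its interactive examples). It goes slightly beyond the text by also handling the subdomain trick (hsbc.co.uk.secure-login.net) and a brand name placed before an @ in a link.

```python
"""Apply the page's sender/destination routine to a message mechanically.

Added example, not part of the original training page: the allowlist, suffix
table and sample messages below are constructed for illustration only.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allowlist: the official domains named on the page. In practice
# build this from each brand's own website, never from the message itself.
OFFICIAL_DOMAINS = {
    "HSBC": {"hsbc.co.uk"},
    "Argos": {"argos.co.uk"},
    "FedEx": {"fedex.com"},
    "DHL": {"dhl.com", "dhl.co.uk", "dhlexpress.co.uk"},
    "Microsoft": {"microsoft.com"},
}

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# examples here. Use the real list (e.g. the publicsuffix2 package) in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.nz"}

# Confusable strings the page warns about -> the letter they imitate.
# Order matters: "rn" must collapse before single characters are touched.
HOMOGLYPHS = {"rn": "m", "0": "o", "1": "l", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Reduce a host name to the part its owner actually registered.

    'login.hsbc.co.uk'            -> 'hsbc.co.uk'
    'hsbc.co.uk.secure-login.net' -> 'secure-login.net'  (the brand is only a subdomain)
    """
    labels = host.rstrip(".").split(".")
    tail = ".".join(labels[-2:]).lower()
    keep = 3 if tail in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def domain_of_address(address: str) -> str:
    """The real domain of an email address is everything after the last '@'."""
    return registrable_domain(address.rsplit("@", 1)[1])


def domain_of_url(url: str) -> str:
    """The real domain of a link is its host: after 'https://' and before the next '/'.

    urlsplit().hostname also discards a 'brand@' prefix and a ':port', two ways
    of pushing a familiar name into the address bar while pointing elsewhere.
    Browsers lowercase the host, and so does urlsplit, so the capital-I trick
    only survives in email addresses and display names, not in links.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in link: {url!r}")
    return registrable_domain(host)


def skeleton(domain: str) -> str:
    """Collapse look-alike letters so 'rnicrosoft.com' compares equal to 'microsoft.com'."""
    s = domain.replace("I", "l").lower()  # capital I imitates lowercase l; map it before lowercasing
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def verdict(claimed_brand: str, domain: str) -> str:
    """Judge one real domain (sender or link) against the claimed brand's official domains."""
    official = OFFICIAL_DOMAINS[claimed_brand]
    if domain.lower() in official:
        return "official"
    if skeleton(domain) in {skeleton(d) for d in official}:
        return "lookalike: confusable letters"
    if claimed_brand.lower() in domain.lower():
        return "lookalike: brand name in a different domain"
    return "not official"


def check_message(claimed_brand: str, from_header: str, link: str) -> dict:
    """Steps 2 and 3 of the routine: verify the sender, then verify the destination."""
    display_name, address = parseaddr(from_header)
    sender_domain = domain_of_address(address)
    link_domain = domain_of_url(link)
    return {
        "display_name": display_name,  # freely chosen by the sender; carries no weight
        "sender_domain": sender_domain,
        "sender": verdict(claimed_brand, sender_domain),
        "link_domain": link_domain,
        "link": verdict(claimed_brand, link_domain),
    }


if __name__ == "__main__":
    # Constructed sample messages modelled on the page's real/fake table.
    samples = [
        ("HSBC", "HSBC Bank <service@hsbc-secure.net>", "https://hsbc.co.uk@secure-login.net/verify"),
        ("Argos", "Argos <noreply@argos.co.uk>", "https://www.argos.co.uk/account/orders"),
        ("FedEx", "FedEx <info@fedex-delivery.com>", "https://fedex.com.customs-pay.net/pay"),
        ("Microsoft", "Microsoft <account@rnicrosoft.com>", "https://login.micr0soft.com/"),
        ("DHL", "DHL Express <track@dhlexpress.co.uk>", "https://www.dhl.co.uk/track"),
    ]
    for brand, from_header, link in samples:
        r = check_message(brand, from_header, link)
        print(f"{brand:9} sender {r['sender_domain']:20} {r['sender']:44} "
              f"link {r['link_domain']:18} {r['link']}")
```

The brand-name check is deliberately a fallback: hsbc-secure.net contains the brand and is not on the allowlist, so it is flagged, while dhlexpress.co.uk is accepted because it is on the allowlist, which is exactly the “one company, multiple real domains” case. Anything that is neither official nor a recognisable lookalike is still reported as not official; the only green result is an exact match with a domain you looked up yourself.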

Example 1 of 4 · bank

A “security alert” from the bank

Apply the routine. Tap on the sender and on the button, then give your verdict.

Subject: Unusual sign-in, confirm your identity
From: HSBC Bank (hover or tap to see the real sender address)

Dear customer,

We noticed a sign-in from a new device. For your security we have temporarily restricted your access.

Confirm your identity within 24 hours, or your account will be blocked.

[Confirm my identity] (button: hover or tap to see the real link)

Is this message phishing or trustworthy?

Example 2 of 4 · watch out

Not everything is phishing

Important: not every email from a known brand is fake. Apply the same routine and watch for the green flags. Inspect the sender and the button before you judge.

Subject: Your order is on its way
From: Argos (hover or tap to see the real sender address)

Hello,

Good news! Your order with order number 2026-4471829 is on its way and will arrive tomorrow.

You can track your parcel through your account. We are not asking you to pay or confirm anything.

[Track order] (button: hover or tap to see the real link)

Is this message phishing or trustworthy?

Example 3 of 4 · delivery

Outstanding “customs charges”

One more. Inspect first, judge after.

Subject: Customs charges due on your shipment
From: FedEx (hover or tap to see the real sender address)

Dear recipient,

Your international shipment is awaiting release. There is £1.49 in customs charges due.

Pay online to avoid delays.

[Pay customs charges] (button: hover or tap to see the real link)

Is this message phishing or trustworthy?

Example 4 of 4 · colleague

A “colleague” asking for your login

Not every phishing attempt uses a brand. Sometimes the message looks like it is from a colleague, often someone you do not speak to every day. Inspect the sender, and pay particular attention to what is being asked.

Subject: Urgent: I need access to our CRM
From: (hover or tap to see the real sender address)

Hi,

I am locked out of our CRM and have to finish a proposal today for an important client. Can you quickly send me your login (username and password) so I can get in?

I know it is unusual, but it really is urgent. Thanks!

James

Is this message phishing or trustworthy?

Practice · question 1 of 2 (just practice, this does not count toward your certificate)
Where is the real domain of the sender service@hsbc-secure.net?
Correct: the real domain is everything after the @, here hsbc-secure.net. That is not hsbc.co.uk, so this is a lookalike domain. The display name 'HSBC' can be chosen freely by a scammer.
Practice · question 2 of 2
You are unsure about an email from your bank. What is the best thing to do?
Correct: never use the buttons or the reply address from a suspicious message. Go to the official site yourself or call a number you look up yourself. That sidesteps the trap entirely.
Summary

What you take away from module 2

  • Phishing always wants “give me something” or “click on something”, usually with pressure: urgency, too good to be true, unexpected.
  • The routine: reflect, verify the sender (origin), and verify the destination (target).
  • The real domain sits after the @ in an address, and in a link it is the host name between https:// and the next forward slash, read from the right. The display name lies.
  • Not everything is phishing: watch for the green flags too and verify before you judge.
  • When in doubt: never use the buttons in the message; go to the official site yourself or call a number you look up yourself.
Module complete

Module 2 complete 🎉

You now know the patterns and the routine, and you have practised with real emails. In module 3 we apply the same routine to SMS and chat messages, because they have their own traps.

On your way to your “Recognising phishing” certificate

Complete all 5 modules and pass the final exam (at least 70%) to receive a personal certificate of attendance in your name.
