LochStudios  /  Help Centre  /  Security  /  Recognise and avoid phishing emails

Recognise and avoid phishing emails

Learn how to spot fake emails designed to steal your credentials and what to do if you receive one.

Phishing is a social engineering attack where criminals send fake emails pretending to be legitimate services (banks, hosting providers, payment processors) to trick you into revealing passwords, credit card details, or other sensitive information. Knowing the warning signs helps you stay safe.

Common phishing tactics

Attackers often use these methods:

  • Urgent action required – "Your account will be locked!" or "Confirm your payment now!"
  • Generic greetings – "Dear Customer" or "Dear User" instead of your name
  • Fake links – The URL looks close to the real thing but is slightly different
  • Poor grammar or spelling – Legitimate companies proofread; phishing emails often don't
  • Requests for sensitive data – No legitimate company asks for passwords, credit cards, or two-factor codes via email
  • Threats or promises – "Act now or lose access" or "Click to claim your reward"
  • Mismatched sender details – The email address doesn't match the company's domain

How to spot a phishing email

Hover over links (don't click)
- In most desktop email clients, hovering your cursor over a link shows the address it actually goes to; on a phone, press and hold the link to preview it
- If the shown address differs from what the text says, treat the email as suspicious
- Example: the text says www.yourhostingprovider.com but the actual link is www.yourhostingprovider-verify.xyz
- Link shorteners hide the destination entirely; don't follow one from an email you weren't expecting

Check the sender's email address
- Look at the actual address, not just the display name; the name shown ("Bank Support") can be set to anything
- Legitimate emails come from the company's own domain; the part after the @ is what matters
- Suspicious: noreply@support-bank.com or support@bank.com.example.net when the real bank's domain is bank.com
- Legitimate: support@bank.com
- Also check the Reply-To address if your client shows it: if a reply would go to a different domain than the sender, that is a warning sign
- A matching domain is necessary but not proof on its own, since sender addresses can be forged; combine this check with the others on this page

Look for red flags in the message
- Does it ask you to confirm a password, credit card, or PIN?
- Does it create panic ("Immediate action required!")?
- Are there spelling mistakes or odd phrasing?
- Does the logo look slightly off or pixelated?

Never trust email formatting alone
- Attackers copy logos, colours and footer text from real messages, so a professional-looking email proves nothing
- The same goes for the display name: "Acme Billing" can be attached to any sending address
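The checks in this section (sender domain, Reply-To, and link text that does not match the real link target) can be run over a saved message automatically. The script below is an added example, not code from the LochStudios help centre; it uses only the Python standard library. The sample message, the sending domains and the expected domain "bank.com" are constructed for the example and do not refer to any real organisation.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real message): the From domain only resembles
# bank.com, Reply-To goes elsewhere, and the first link's text does not match
# its real target. The second link is genuine and must not be flagged.
SAMPLE_EML = """\
From: "Bank Security" <noreply@support-bank.com>
Reply-To: verify@bank-com-login.xyz
To: customer@example.org
Subject: Immediate action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, confirm your payment now or your account will be locked.</p>
<p><a href="https://www.bank.com-verify.xyz/login">https://www.bank.com/secure</a></p>
<p><a href="https://www.bank.com/help">Help centre</a></p>
</body></html>
"""

def address_domain(header_value):
    """Lowercased domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def is_same_site(host, expected):
    """True only if host is expected or a subdomain of it (bank.com, www.bank.com).

    Look-alikes such as support-bank.com or bank.com-verify.xyz fail this test.
    """
    host, expected = host.lower(), expected.lower()
    return host == expected or host.endswith("." + expected)

def shown_host(text):
    """Host named by a link's visible text, or '' if the text is not URL-like."""
    if "://" not in text:
        if " " in text or "." not in text:
            return ""
        text = "//" + text  # let urlparse treat a bare www.example.com as a host
    return urlparse(text).hostname or ""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw_eml, expected_domain):
    """Return a list of warnings for the message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_eml, policy=policy.default)
    warnings = []

    from_domain = address_domain(msg["From"])
    if not is_same_site(from_domain, expected_domain):
        warnings.append(f"From domain {from_domain!r} is not {expected_domain!r}")

    reply_domain = address_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To goes to {reply_domain!r}, not to the From domain")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = (urlparse(href).hostname or "").lower()
            shown = shown_host(text)
            if shown and shown != target:
                warnings.append(f"link text shows {shown!r} but goes to {target!r}")
            elif not is_same_site(target, expected_domain):
                warnings.append(f"link goes to {target!r}, which is not {expected_domain!r}")
    return warnings

if __name__ == "__main__":
    for warning in check_message(SAMPLE_EML, "bank.com"):
        print("WARNING:", warning)
```

Run against the constructed message it reports three warnings (the look-alike From domain, the foreign Reply-To, and the link whose text says www.bank.com but whose target is www.bank.com-verify.xyz) and stays silent on the genuine link. The domain test deliberately accepts only the expected domain and its subdomains; a plain substring match would wave through support-bank.com, which is exactly the trick the article describes.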

What to do if you receive a phishing email

  1. Don't click links or download attachments – This is how malware and credential theft happen
  2. Don't reply to the email
  3. Report it as spam or phishing in your email client (most providers have this option)
  4. Delete it after reporting
  5. Contact the real company directly – If it claims to be from your hosting provider, bank, or payment processor, call them using a phone number from their official website (not a number in the email)

If you already clicked a phishing link

  • Don't panic – Clicking a link on its own rarely compromises you; what matters is whether you typed anything into the page or ran a download
  • Change your password immediately if you entered one – Use a unique, strong password, and change it anywhere else you used the same one
  • Enable two-factor authentication (2FA) if it's available on that account, and sign out of all other sessions if the account offers that option
  • Check the account's settings for changes you didn't make – Mail forwarding rules, new recovery email addresses or phone numbers, and added payment methods are common signs that someone got in
  • Monitor your account for unusual activity
  • If you downloaded or opened an attachment, run a malware scan before using the device for anything sensitive
  • Contact your email provider or hosting company to report the incident

Protecting yourself proactively

  • Enable two-factor authentication (2FA) – A stolen password alone is then not enough to log in. Codes sent by SMS or an authenticator app can still be phished in real time by a fake login page that relays them, so where a service offers passkeys or a hardware security key, prefer those: they are tied to the real site's domain and do not work on a look-alike
  • Use a password manager – It offers to fill a saved password only on the domain it was saved for, so a look-alike site gets no suggestion. Treat "the manager isn't offering my login here" as a warning, and don't copy the password across by hand
  • Set up email alerts for your important accounts (banking, hosting) so you're notified of login attempts
  • Keep your email address private – Use it only for accounts you actually create; avoid posting it publicly
  • Check your browser's address bar before entering sensitive information – Make sure you're on the correct domain: the host name is the part between https:// and the next /, and only its ending counts (bank.com.example.net is not bank.com, and neither is a page on another site with bank.com in its path)
  • Use browser extensions that warn you about suspicious websites – Some password managers and security browsers offer this
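The address-bar check above is easy to get wrong by eye, because lures put the trusted name where you look first and the real host somewhere else. The script below is an added example, not code from the LochStudios help centre; it uses the Python standard library to extract the host the browser would actually connect to and to say why a URL is or is not the expected site. The expected domain "bank.com" and the six sample URLs are constructed for the example and describe no real site.

```python
from urllib.parse import urlsplit

def real_host(url):
    """Return the host the browser would actually connect to, lowercased.

    urlsplit() discards a user@ prefix and a :port suffix, two ways a lure
    places a trusted name in front of the real host.
    """
    return (urlsplit(url).hostname or "").lower()

def on_expected_site(url, expected):
    """Return (ok, reason); ok is True only if the host is expected or a subdomain of it."""
    host = real_host(url)
    expected = expected.lower()
    if not host:
        return False, "no host in URL"
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, f"host {host!r} cannot be encoded as a domain name"
    if ascii_host != host:
        # Non-ASCII letters such as Cyrillic 'а' look identical to Latin 'a' on
        # screen; the browser shows such a host as punycode (xn--...) or blocks it.
        return False, f"host {host!r} uses look-alike international characters ({ascii_host})"
    if host == expected or host.endswith("." + expected):
        return True, f"host {host!r} is {expected!r} or a subdomain of it"
    if expected in host or expected.replace(".", "-") in host:
        return False, f"host {host!r} merely contains the name {expected!r}; it is a different site"
    return False, f"host {host!r} is not {expected!r}"

# Constructed lures, each annotated with the trick it relies on.
SAMPLE_URLS = [
    "https://www.bank.com/login",            # genuine: subdomain of the expected site
    "https://bank.com.example.net/login",    # expected name as a subdomain of another site
    "https://bank.com@evil.example/login",   # trusted name in the user@ part; host is evil.example
    "https://bank-com.example/login",        # hyphen look-alike
    "https://evil.example/bank.com/login",   # expected name in the path, not the host
    "https://bаnk.com/login",                # Cyrillic 'а' (U+0430) homograph
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        ok, why = on_expected_site(url, "bank.com")
        print("OK  " if ok else "WARN", url, "->", why)
```

Only the first URL passes. The user@ case is the one most people misjudge: everything before the @ is ignored by the browser, so the page is served by evil.example. The homograph case is why modern browsers display such hosts in their xn-- form rather than as the look-alike letters.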

When legitimate companies contact you

Real companies:

  • Address you by name – although an attacker who has your name from a data leak can do the same, so this alone proves little
  • Don't ask for passwords or full credit card details via email
  • Provide direct contact information you can verify against their official website
  • Use proper grammar and professional formatting – as do well-made phishing emails, so treat this as a weak signal
  • Link to pages on their own domain – note that https:// and the padlock icon only mean the connection is encrypted; phishing sites use HTTPS too, so the domain name in the address bar is what you check
  • Include clear unsubscribe options

If you're ever unsure, go directly to the company's official website by typing the URL yourself or calling their published phone number—don't use contact details from the email.

Phishing is a numbers game for attackers: they send millions of emails hoping a small percentage will succeed. By learning these warning signs, you're already ahead of most targets.
