Phishing Email Checklist

Phishing Email Checklist Guide: How To Review Suspicious Email

A phishing email checklist helps you pause before clicking: inspect the sender, pressure, links, attachments, request, language, and context without pasting the email or any private details into a web page.

The Short Version

The safest phishing review is boring on purpose. You do not need to paste the email body, sender address, link, invoice, attachment, password, 2FA code, recovery code, or account number anywhere. You only need to classify the signals and decide whether to verify, report, or respond.

Use the free phishing email checklist when you want a local risk score and a copyable action plan for a suspicious message.

Practical default

For sensitive actions, do not use the email as the path. Open the official app, type the known address, use a bookmark, or contact the person through a saved channel.

Phishing Email Checklist

Sender

Check the real address, not only the display name

  • Expand sender details before trusting a familiar name.
  • Compare the domain to a known-good site or saved contact.
  • Treat reply-to mismatches as a reason to verify elsewhere.

Pressure

Slow down urgency, threats, and secrecy

  • Watch for same-day deadlines, account closure threats, or surprise charges.
  • Break secrecy requests by confirming with a trusted person or team.
  • Open the account directly instead of using the email's deadline link.

Links

Verify where links go without clicking to investigate

  • Avoid shortened, hidden, misspelled, or extra-long domains.
  • Use bookmarks or typed addresses for login, payment, and file actions.
  • Be suspicious of file-sharing links that require a fresh sign-in.

Attachments

Treat unexpected files as active risk

  • Do not open unexpected invoices, shared documents, archives, or executables.
  • Confirm the file through another channel before opening it.
  • Ask whether the same file is available inside the official app or portal.

Request

Refuse secrets, payment changes, and code requests

  • Never share passwords, passkeys, recovery codes, 2FA codes, or backup codes.
  • Verify payroll, bank, invoice, and gift-card requests out of band.
  • Use saved contacts, not phone numbers or links from the suspicious email.

Context

Ask whether this email belongs in the real-world thread

  • Compare the message to recent work, orders, support cases, and invoices.
  • Be careful with new vendors, surprise documents, and reopened old threads.
  • When the story feels almost right, verify before acting.
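An added example, not code from the original post or its checklist tool, that runs the Sender and Links items above locally: it parses a constructed sample message (every name, address and domain is made up) and reports which signals fired without sending anything anywhere. The saved-contact domain, the sample headers and the `invoice-pay.example` host are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: every name, address and domain here is made up.
SAMPLE = """From: "Acme Billing" <billing@acme-example.com>
Reply-To: collections@acme-example-secure.net
Subject: Invoice overdue
Content-Type: text/html

<p>Pay now: <a href="https://acme-example.com.invoice-pay.example/login">https://acme-example.com/invoices</a></p>
"""
# Assumed saved-contact / bookmarked domains (stands in for your address book).
KNOWN_GOOD = {"acme-example.com"}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def registrable(host: str) -> str:
    # Last two labels: enough to expose "known.com.attacker.example" style hosts.
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def sender_signals(msg) -> list[str]:
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    found = []
    if from_dom not in KNOWN_GOOD:
        found.append(f"sender domain {from_dom} is not a saved contact")
    if reply_dom and reply_dom != from_dom:
        found.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    return found

def link_signals(html: str) -> list[str]:
    found = []
    for href, text in LINK_RE.findall(html):
        real = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and registrable(shown) != registrable(real):
            found.append(f"link text shows {shown} but goes to {real}")
        if real.count(".") >= 3 and registrable(real) not in KNOWN_GOOD:
            found.append(f"long nested host {real} outside known domains")
    return found

def review(raw: str) -> list[str]:
    # Returns the checklist signals found; the message never leaves the machine.
    msg = message_from_string(raw)
    return sender_signals(msg) + link_signals(msg.get_payload(decode=True).decode())
```

Run `review(SAMPLE)` to see the reply-to mismatch and both link signals; a message from a saved contact with plain links returns an empty list.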

Match The Risk To The Response

A checklist is useful because it turns a vague feeling into a decision. The goal is not to prove an email is real. The goal is to avoid unsafe actions until the request is verified.

Risk level: Low concern
Typical signs: Known sender, expected context, no sensitive request, no risky link or attachment
Safer response: Review normally, but use the official site for logins and payments.

Risk level: Needs verification
Typical signs: Some pressure, unclear sender, hidden link, unexpected file, or unusual wording
Safer response: Pause and confirm through a trusted channel before clicking, replying, or opening files.

Risk level: High risk
Typical signs: Domain mismatch, lookalike link, password or code request, payment change, secrecy
Safer response: Do not interact. Report it, delete or quarantine it, and check the real account separately.

Risk level: Already clicked or shared
Typical signs: A password, code, payment detail, file, or device access may have been exposed
Safer response: Start breach response: rotate credentials, revoke sessions, preserve evidence, and notify the right owner.
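An added example, not the blog's own checklist tool, showing how the category-only approach works: it takes yes/no signals from the checklist, never the email text, and maps them to the risk levels and safer responses in the table above, most severe row first. The field names are assumptions chosen to mirror the table.

```python
from dataclasses import dataclass

@dataclass
class Signals:
    # Non-secret yes/no answers from the checklist; no email content is stored.
    known_sender: bool = True       # address matches a saved contact or known domain
    expected_context: bool = True   # fits a real thread, order, or support case
    pressure: bool = False          # same-day deadline, closure threat, surprise charge
    secrecy: bool = False           # asked to keep it quiet
    unclear_sender: bool = False    # unfamiliar or only partly matching address
    hidden_link: bool = False       # shortened link or text that hides the target
    unexpected_file: bool = False   # invoice, archive, or document you did not expect
    unusual_wording: bool = False   # tone or language does not fit the sender
    domain_mismatch: bool = False   # reply-to or sender domain differs from known one
    lookalike_link: bool = False    # misspelled, nested, or extra-long domain
    secret_request: bool = False    # password, passkey, 2FA, recovery, or backup code
    payment_change: bool = False    # payroll, bank, invoice, or gift-card change
    already_interacted: bool = False  # clicked, opened, approved, or shared anything

RESPONSES = {
    "Already clicked or shared": "Start breach response: rotate credentials, revoke sessions, preserve evidence, and notify the right owner.",
    "High risk": "Do not interact. Report it, delete or quarantine it, and check the real account separately.",
    "Needs verification": "Pause and confirm through a trusted channel before clicking, replying, or opening files.",
    "Low concern": "Review normally, but use the official site for logins and payments.",
}

def classify(s: Signals) -> str:
    # The most severe applicable table row wins, so checks run from worst to best.
    if s.already_interacted:
        return "Already clicked or shared"
    if any((s.domain_mismatch, s.lookalike_link, s.secret_request, s.payment_change, s.secrecy)):
        return "High risk"
    if any((s.pressure, s.unclear_sender, s.hidden_link, s.unexpected_file,
            s.unusual_wording)) or not (s.known_sender and s.expected_context):
        return "Needs verification"
    return "Low concern"

def action_plan(s: Signals) -> str:
    # Copyable summary that contains only the category result, nothing from the email.
    level = classify(s)
    return f"Risk level: {level}\nSafer response: {RESPONSES[level]}"
```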

What To Do If You Already Clicked

If you clicked a suspicious link, opened an unexpected attachment, entered a password, approved a login, shared a code, or sent payment details, treat it as response work instead of email review. Start with the breach response checklist and focus on accounts that can reset or access everything else: primary email, password manager, device account, banking, work identity, and cloud admin.

Recovery is much easier when backup access is ready before a crisis. A 2FA recovery checklist helps confirm trusted devices, backup codes, recovery contacts, and account ownership before a phishing attempt turns into lockout.

Do Not Paste Suspicious Emails Into Checklist Pages

Use categories only. Never paste the email body, sender address, links, attachments, passwords, passkeys, recovery keys, 2FA codes, payment details, personal documents, or account identifiers into a web checklist.

Related Security Tools

Add Friction To High-Value Passwords

Passlock stores passwords in macOS Keychain and adds intentional friction with time locks, word challenges, and partner keys. It is useful for passwords that should not unlock on autopilot after a stressful email.

FAQ

What is a phishing email checklist?

A phishing email checklist is a step-by-step review of non-secret signals in a suspicious email, including sender details, urgency, links, attachments, sensitive requests, language, and context.

Should I paste a suspicious email into an online checker?

No. Do not paste email bodies, sender addresses, links, attachments, passwords, 2FA codes, invoices, account numbers, or private details into an online checklist. Use categories and safe summaries only.

What are the strongest signs of a phishing email?

High-risk signs include mismatched sender domains, lookalike links, unexpected attachments, requests for passwords or codes, payment changes, secrecy, urgent threats, and messages that do not match the expected context.

What should I do after spotting a phishing email?

Do not click links, open attachments, reply, or share details. Report the message, verify the claim through a trusted channel, and use a breach response checklist if anything was clicked or shared.