Spotting Scams and Phishing in Under 60 Seconds: A Simple Checklist Anyone Can Use

Scams are getting slick, but your best defense is still fast, calm thinking. In one minute, you can scan any email, text, or DM and decide if it’s safe. Use the checklist below, then save the quick steps for what to do if you already clicked.

The 60-Second Phishing Scan

10 seconds: Check the sender

• Does the name match the email address or phone number?
• Look for tiny changes: rn vs m, .co vs .com, extra dashes, or odd country domains.

10 seconds: Look for urgency or threats

• "Pay now", "verify now", "24-hour suspension", or "legal action" are classic pressure tactics.
• Real organizations allow normal support channels and reasonable timelines.

10 seconds: Inspect the ask

• Requests for gift cards, crypto, wire transfers, or bank detail changes are red flags.
• Login links that bypass the official website or app are suspicious.

10 seconds: Hover or long-press every link

• Desktop: hover to preview the real URL in the status bar.
• Mobile: long-press a link to preview before opening.
• If the displayed text and the previewed URL do not match, do not click.

10 seconds: Pause on attachments

• Unexpected invoices, resumes, shipping labels, or password-protected files are risky.
• File types like .html, .exe, .scr, and macro-enabled Office files are high risk.

10 seconds: Sanity check the context

• Were you expecting this message?
• Is the tone off, grammar strange, or the branding slightly wrong?
• When in doubt, verify through a separate, trusted channel.

How To Preview Links Safely

• Go direct: open a new tab and manually type the company’s site or use the official app.
• Check the domain from right to left. Example: security.example.com is owned by example.com, but example.com.bad-site.net is not.
• Be careful with short links. If you cannot expand or preview safely, do not open.
• Watch for look-alike characters and misspellings that mimic real brands.

Common Scam Formats To Recognize

• Account verification: Your account will be closed unless you click here.
• Payment change: Vendor requests new bank details via email.
• Delivery notice: You missed a package; pay a small fee to redeliver.
• Job and prize lures: You were selected; just share your info.
• Multi-factor fatigue: Rapid, repeated MFA prompts you did not initiate.
• Tech support pop-ups: Fake alerts urging remote access or payment.

If You Clicked Or Replied, Do This Now

  1. Disconnect suspicious pages and close the tab. If you entered credentials, change that password immediately.
  2. Turn on two-factor authentication for email, bank, and social accounts. Prefer an authenticator app over SMS when possible.
  3. Check other accounts that reuse the same password. Change them all, and stop reusing passwords. A password manager is a good idea.
  4. Run a reputable antivirus or built-in system scan. Update your device and browser.
  5. Review account activity and set up alerts for logins and payments.
  6. Report the message. In workplaces, contact your support team. For personal accounts, report within the email or messaging app to help block future campaigns.

Build Everyday Resistance In 3 Steps

• Use a password manager and passphrases. Unique, long passwords make stolen credentials less useful.
• Keep auto-updates on for your phone, computer, browser, and router.
• Create a simple verification rule at home and work: no payment or bank-change requests are approved by email alone; verify via a known phone number or portal.

Quick Quiz: Spot The Red Flags

• Payroll update needed now. Upload your new direct deposit form here: [short link]
• Final notice from Bank Support: log in immediately to avoid closure: [weird-domain.co]
• Hi, it’s your CEO. Please buy six $200 gift cards and send the codes in the next 10 minutes.

Answer key: all three are phishing. They use urgency, nonstandard domains, short links, and unusual payment asks.

Printable 10-Point Checklist

  1. Recognize urgency or threats
  2. Verify the sender’s real address or number
  3. Hover or long-press every link
  4. Inspect the domain from right to left
  5. Avoid unexpected attachments
  6. Never approve payment changes by email alone
  7. Do not share MFA codes with anyone
  8. Go direct to the official site or app
  9. If unsure, verify via a trusted channel, such as a phone call to a number you already know
  10. If you clicked, change passwords and turn on 2FA

Sedara Tip For Organizations

Make it easy for people to do the right thing. Add a visible Report Phish button, enforce MFA on email and VPN, run short, realistic simulations with feedback, and require an out-of-band check for any payment or banking request. A clear playbook beats perfect memory under pressure.

Learn more about How to Build a Cybersecurity Awareness and Training Program in your office.