Think you can tell a phishing email from a real one? This free phishing test shows you 10 phishing email examples and real messages side by side. For each one, decide whether it is a genuine email or a phishing attempt. After each answer you will see exactly why, with the specific warning signs explained.
Can You Spot a Phishing Email?
10 real-world examples. Decide whether each message is genuine or a phishing attempt, and see the answer explained straight away.
This phishing test covers the most common phishing techniques used against everyday users: fake bank and retailer emails, smishing text messages, spear phishing, and CEO fraud. The phishing email examples in the quiz are fictional but based on real attack templates that circulate at scale.
Signs of a Phishing Email
Every phishing example in this quiz contains at least one of the following red flags. Once you know what to look for, most phishing attempts become much easier to catch.
A fake sender email address
The display name can say anything: “Amazon”, “PayPal”, “Your Bank”. The actual domain after the @ is what matters. A real Amazon email always comes from @amazon.com. Phishing emails use fake sender domains like @amazon-orders-alert.com or @paypal-secure-center.net to look convincing. Always check the full address, not just the name.
Urgency and threats
Phrases like “Your account will be closed in 24 hours” or “Immediate action required” are phishing red flags. They are designed to make you act before you think. Legitimate companies do not threaten account closures over email with short deadlines.
Generic greetings
“Dear Customer” or “Dear User” instead of your name means the message was sent to a mass list. Any company you actually have an account with knows your name and uses it.
Requests for credentials or payment
No legitimate bank, retailer, or service will ask you to confirm your password, PIN, or card number by email or text. If an email asks for this, it is a phishing attempt regardless of how convincing it looks.
Suspicious links
On desktop, hover over a link before clicking. The actual URL shown in the bottom of your browser is what matters, not the visible link text. On mobile, go directly to the company’s app or website rather than following the link in the message.
Unexpected payment requests via text
SMS messages asking for a small “redelivery fee” or “customs charge” are almost always smishing attacks. Legitimate couriers do not collect fees by text message with a payment link.
How to Report a Phishing Email
Knowing how to report a phishing email is just as important as spotting one. When you report phishing email attempts, you help providers and authorities take down malicious sites faster and protect other users from the same attack.
If you receive a phishing email, do not click any links, open attachments, or reply. The right steps depend on where you are.
In your email client: Mark it as phishing or spam. Gmail, Outlook, and Apple Mail all have a built-in option. Your report helps the provider improve filters for everyone.
In the US: Forward the email to the Anti-Phishing Working Group at reportphishing@apwg.org and report it to the FTC at reportfraud.ftc.gov.
In the UK: Forward suspicious emails to report@phishing.gov.uk, run by the National Cyber Security Centre. Forward suspicious texts to 7726.
Impersonating a specific company: If the email impersonates a known brand, forward it to that company’s abuse or security team. Most large organisations have a dedicated reporting address.
Want to Learn More?
This quiz covers email phishing, smishing (SMS phishing), spear phishing, and CEO fraud. Our full guide explains all of these in detail, including exactly what to do if you clicked a phishing link.
Read the full phishing guide for a complete breakdown of how phishing works, how to protect yourself, and how to report phishing attempts in your country.
