Phishing is not some edge case. It is the most reported type of cybercrime, year after year, according to the FBI's IC3 data. It keeps scaling because it costs almost nothing to send and it works often enough to be worth it.
I pulled 50 phishing emails from inboxes I had access to and went through each one the way you would in a real investigation: sender details, pressure language, authentication checks, link destinations. Here is what kept coming up.
Almost none of these emails were technically impressive. They worked because they rushed people. Urgency, fear, one button. That is the whole playbook. Verizon's breach report says the same thing every year: social engineering keeps working even as security tools get better. The tools are not the weak link. We are.
The subject lines read like alarms: "Account locked," "Payment failed," "Action required." Over 70% of the sample used some version of "do this now or something bad happens." The goal is to get you clicking before you have time to ask whether the email is real. A legitimate notice about your account will still be true in ten minutes; a phish depends on you not waiting that long.
Words like "secure," "protected," and "unusual activity" showed up constantly. Scammers know people trust anything that sounds like fraud prevention. The irony is thick: the language meant to make you feel safe is exactly the language that should make you slow down and verify.
The display name would say "Chase Bank" or "Apple Support," but the address behind it was on a domain like chase-secure-alerts.net or apple.account-verify.xyz. Sometimes the Reply-To header pointed to a third domain that matched neither. The display name is free text; the sender sets it to whatever they want. What they cannot fake is the domain after the @, so read it all the way to the end: apple.account-verify.xyz belongs to whoever registered account-verify.xyz, not to Apple. This is the single fastest way to catch a phish. If you only check one thing, check the domain.
Most of these emails were not trying to install malware. They wanted passwords. A fake login page is easier to build than an exploit, and a stolen password gives the attacker a valid login, which looks like normal activity to the security software on your device and to the service you logged into.
Some emails were obviously sloppy, but plenty looked clean. Logos, proper spacing, footers, even unsubscribe links. Copying a brand's email template takes about five minutes. You cannot judge an email's legitimacy by how professional it looks.
If you can see the full email headers, the authentication results will tell you more than the email body ever will. The receiving mail server records its SPF, DKIM and DMARC verdicts in an Authentication-Results header. Attackers do not always fail these checks: a lookalike domain they registered themselves will pass SPF and DKIM for itself, which is why the domain check above still matters. But when a message claiming to be from a brand fails DMARC for that brand's domain, it is a strong indicator it did not come from who it claims. One caveat: the only Authentication-Results header you should trust is the one your own mail provider added; a sender can include a forged one.
This is why security teams push for DMARC. The domain owner publishes a DNS record that tells receivers what to do with mail that fails SPF and DKIM alignment (p=none to only report, p=quarantine, or p=reject) and where to send aggregate reports. That gives visibility into who is sending email on behalf of the domain, and with p=reject it lets receivers drop forged messages before anyone sees them.
Checking headers is almost always more useful than judging how "professional" the message looks.
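The domain and authentication checks from the last few sections, put into one header triage routine. This is an added example, not code from the original post or from ScamKit's analyzer. Both messages are constructed for illustration, the brand allowlist is hypothetical, and the registrable-domain helper is deliberately naive (it ignores multi-label suffixes such as co.uk).

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real capture. It carries the tells discussed above:
# brand display name on an unrelated domain, a Reply-To that goes somewhere
# else, a lookalike link, and failed SPF and DMARC in Authentication-Results.
SAMPLE_PHISH = """\
From: "Chase Bank" <alerts@chase-secure-alerts.net>
Reply-To: support@recovery-desk.example
Subject: Action required: your account has been locked
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=chase-secure-alerts.net;
 dkim=none;
 dmarc=fail header.from=chase-secure-alerts.net

Unusual activity detected. Verify now: https://chase.account-verify.xyz/login
"""

# Constructed control message that should produce no findings.
SAMPLE_LEGIT = """\
From: "Example Corp" <noreply@example.com>
Subject: Your monthly statement is ready
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com

Your statement is available in your account.
"""

# Hypothetical allowlist: brand keyword -> registrable domains the brand
# really sends from. Maintain this carefully in a real deployment.
KNOWN_BRANDS = {"chase": {"chase.com"}, "apple": {"apple.com"}}


def domain_of(address):
    """Lowercase domain of an address; any display name is ignored."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def registrable(host):
    """Last two labels of a hostname. Simplification: wrong for suffixes like
    co.uk; use the Public Suffix List for real work."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results. Assumes the first
    such header is the one your own mail server added; senders can inject
    their own, so a real check matches the authserv-id to your MX."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def link_hosts(msg):
    """Hostnames of every http(s) URL in the text body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return re.findall(r"https?://([^/\s\"'<>]+)", text)


def triage(raw_message):
    """Header facts an analyst checks first, plus a list of finding codes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(str(msg["Reply-To"] or ""))
    verdicts = auth_results(msg)
    hosts = link_hosts(msg)
    findings = []

    # 1. Display name claims a brand the sending domain does not belong to.
    for brand, allowed in KNOWN_BRANDS.items():
        if brand in display_name.lower() and registrable(from_domain) not in allowed:
            findings.append("brand-domain-mismatch")
            break

    # 2. Replies would go to a different domain than the one shown in From.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 3. Authentication verdicts: SPF hard/soft fail, DKIM fail, any non-pass DMARC.
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method)
        if result and (result in ("fail", "softfail", "permerror") or (method == "dmarc" and result != "pass")):
            findings.append(f"{method}-{result}")

    # 4. Links point at a different registrable domain than the sender's.
    if any(registrable(h) != registrable(from_domain) for h in hosts):
        findings.append("link-domain-mismatch")

    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "auth": verdicts, "link_hosts": hosts, "findings": findings}
```

Run `triage(SAMPLE_PHISH)["findings"]` and you get all four categories of finding; the control message returns none. Two design notes: the brand check compares against an allowlist rather than looking for the brand name inside the domain, because lookalike domains usually do contain the brand name. And an empty findings list does not clear a message: a phish sent from a domain the attacker registered and configured properly will pass SPF, DKIM and DMARC for that domain, which is exactly why the domain itself has to be read.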
I use the same five steps every time and it takes under a minute:
Clicked a link but did not enter anything? Run a malware scan and keep an eye on your accounts for a few days. You are probably fine: on a patched device a bare click rarely compromises anything, since the page was built to collect credentials, not to exploit the browser. Still report it, so the domain can be blocked before someone else types their password in.
Entered your password? Change it immediately, and change it on every other account where you reused it, because attackers try stolen credentials everywhere. Turn on two-factor authentication. Check recent login activity and sign out any sessions you do not recognize. If it was a work account, tell your security team right away so they can reset the account, block the sending domain and the link, and search for the same message in other inboxes before anyone else falls for it.
Phishing shows up in every major cybercrime report as a top category. The volume is massive and it is not slowing down, because the attack costs almost nothing to run. That is exactly why training your eye and using a repeatable process matters more than trying to gut-feel your way through each email.
ScamKit's email analyzer breaks messages apart, checks authentication, and pulls out indicators the same way a real investigation would.