Free tool
Phishing Quiz
See realistic emails, text messages, QR codes, a voice call and a social DM — and decide: phishing or legitimate? After each answer, we reveal the exact red flags that gave it away, so you learn to spot the next one yourself.
Can you spot a phishing message?
You'll work through 12 realistic scenarios — emails, text messages, a QR code, a voicemail and a social DM. For each one, decide: is it phishing, or legitimate? After every answer we'll reveal the exact red flags (or trust signals) that gave it away.
How to spot phishing in four checks
Almost every phishing message fails at least one of four tests. Run them before you act on any unexpected email or text:
- The sender domain, not the display name. Anyone can set the display name to "Apple" or "Microsoft 365". Look at the actual address and the registered domain — is it microsoft.com or account-microsoft-secure.com?
- Where the link really goes. Hover on desktop or long-press on mobile to reveal the destination. Phishing links often read like a brand but resolve to a different domain — or use a Unicode homoglyph (a dotless "ı" in place of "i") that looks identical.
- Urgency and consequence. "Within 24 hours," "before tracking expires," "your mailbox will be deactivated" — manufactured deadlines exist to stop you thinking.
- The ask. Real services rarely ask you to enter your password from an emailed link or pay a small "release fee." When in doubt, navigate to the site yourself instead of following the link.
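The first two checks can be automated. The sketch below is an added example, not code from the quiz or from PhishEye; the BRANDS allow-list, the function names and the sample inputs are constructed for illustration, and the registered-domain rule is a simplification.

```python
import re
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allow-list (assumption): brand keyword -> domains it really uses.
BRANDS = {"microsoft": {"microsoft.com"}, "icloud": {"icloud.com"},
          "apple": {"apple.com"}}

def registered_domain(host):
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_mismatch(text, domain):
    # Brands named in `text` whose real domains do not include `domain`.
    return [b for b, real in BRANDS.items() if b in text.lower() and domain not in real]

def check_sender(from_header):
    """Check 1: the display name claims a brand the address domain is not part of."""
    display, addr = parseaddr(from_header)
    domain = registered_domain(addr.rpartition("@")[2])
    return [f"display name says '{b}' but mail is from {domain}"
            for b in brand_mismatch(display, domain)]

def check_link(visible_text, href):
    """Check 2: homoglyph host, brand used as a subdomain, text/destination mismatch."""
    host = urlsplit(href).hostname or ""
    domain = registered_domain(host)
    flags = []
    odd = [c for c in host if ord(c) > 127]  # non-ASCII characters in the hostname
    if odd or any(label.startswith("xn--") for label in host.split(".")):
        names = ", ".join(unicodedata.name(c, "?") for c in odd) or "punycode label"
        flags.append(f"homoglyph risk in host: {names}")
    flags += [f"'{b}' appears in host but registered domain is {domain}"
              for b in brand_mismatch(host, domain)]
    shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", visible_text.lower())
    if shown and registered_domain(shown.group()) != domain:
        flags.append(f"text shows {shown.group()} but link goes to {domain}")
    return flags

if __name__ == "__main__":
    # Constructed samples using the lookalike domains named on this page.
    print(check_sender('"Microsoft 365" <noreply@account-microsoft-secure.com>'))
    print(check_link("icloud.com/find", "https://icloud.com.support-icloud.com/find"))
    print(check_link("Review document", "https://m\u0131crosoft.com/sign"))
```

An empty list means neither check fired, not that the message is safe; urgency and the ask still need a human read.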
Why phishing still works
Phishing succeeds because it targets people under pressure: the moment a phone is stolen, a deadline looms, or a "CEO" needs a favor. The technical trick is usually small: one swapped character, a subdomain that puts a trusted brand name in front of an untrusted domain, a link whose text and destination disagree. Training your eye to pause on those details is the single most effective personal defense.
The scenarios in this quiz are modeled on real campaigns across every channel — Find My / iCloud smishing, Microsoft 365 quota lures, business email compromise, homoglyph signature requests, QR-code (quishing) delivery scams, spoofed bank vishing calls, and fake-recruiter social DMs. Read more in our Find My phishing investigation and the smishing and homoglyph attack glossary entries.
Frequently asked questions
What is a phishing quiz?
A phishing quiz shows you realistic emails and text messages and asks you to judge whether each is a genuine message or a phishing attempt. After each answer it explains the specific red flags — spoofed sender domains, lookalike links, urgency, credential requests — so you learn the patterns attackers reuse.
How do I tell a phishing email from a real one?
Check four things before clicking: the real sender domain (not just the display name), where a link actually points (hover or long-press to reveal it), whether the message manufactures urgency or a deadline, and whether it asks you to enter a password or payment details. Any one of those is a reason to slow down and verify through a channel you trust.
Is the quiz free, and do you store my answers?
Yes, it's completely free with no signup. The quiz runs entirely in your browser; your answers and score are not sent anywhere or stored.
What are the most common phishing red flags?
Mismatched or lookalike sender domains (support-icloud.com instead of icloud.com), homoglyph characters that swap a letter for a Unicode look-alike, links whose visible text differs from their destination, urgency and threats ('your account will be deactivated'), unexpected attachments or login pages, and payment or gift-card requests that bypass normal process.
Does the quiz cover QR codes, text messages and phone scams?
Yes. Alongside email phishing it includes smishing (scam text messages), quishing (malicious QR codes), vishing (spoofed phone and voicemail scams, like a fake bank fraud department), business email compromise, and social-media DMs. Each scenario is rendered the way you'd actually see it, so you practise reading the medium as well as the message.
How can my organization defend against phishing at scale?
Awareness training catches the messages that reach inboxes, but the domains and sites behind a campaign should be detected and taken down too. PhishEye continuously finds lookalike domains, phishing pages, and brand impersonation across web, search, ads, and social, then runs evidence-backed takedowns — so fewer phishing messages ever reach your customers.
Related free tools
Breach & exposure
Data Breach Checker
Enter a company domain to see if it's appeared in known data breaches and dark-web leaks — which breaches, when, and exactly what data was exposed.
URL & link analysis
Phishing URL Checker
Paste a suspicious link and see its phishing red flags — homoglyphs, lookalike domains, IP hosts, sneaky TLDs — scored and explained.
Email investigation
Email Header Analyzer
Paste raw headers to reveal the real sender path, hop delays, and SPF / DKIM / DMARC results — straight in your browser.
Awareness catches the inbox. We catch the campaign.
PhishEye finds the lookalike domains and phishing pages behind these messages and takes them down — across web, search, ads, and social.
