How to spot a phishing email in 2026


Have you ever been phished by your own work? Have you felt betrayed when you clicked a link in an email that looked legit and then your IT department sends you an email assigning you mandatory phishing training? Email phishing has evolved over time, and so has the way to spot a fake email. As phishing has gotten more sophisticated, spotting fakes has become increasingly harder. Luckily there are still tell-tale signs you can look for on any email to spot if it's a scam or if it's really a Nigerian prince desperately trying to give you money.

Why the old advice stopped working

For years, the standard phishing-detection advice was "look for typos and bad grammar." That worked when phishing emails were written by humans who didn't speak English well, or by attackers who didn't care about quality because they were sending millions of messages at a time. The misspellings, the awkward phrasing, the generic "Dear Customer" lines were tells. They're mostly a thing of the past.

The 2025 KnowBe4 Phishing Threat Trends Report found that 82.6% of phishing emails now contain AI-generated content. IBM X-Force researchers showed that a generative AI model can produce a convincing, personalized phishing email in five minutes with five prompts. Previously, the same email took their team about 16 hours to write. Microsoft's 2025 Digital Defense Report measured AI-generated phishing click rates at 54%, compared to 12% for human-written campaigns.

The grammar is now perfect. The tone matches your boss's writing style. The signature looks right. The logo is the right resolution. The misspellings and sometimes humorous mistakes of early phishing emails are gone.

But there are still tells that give away that an email is a phish.

The five real tells

1. Don't trust the display name

Most email clients show you the sender's name in big friendly text and hide the actual email address. "PayPal Customer Service" is a name anyone can type into their email settings. The actual address might be service@paypa1-secure.xyz. Click or tap the sender's name to see the real address. If it doesn't match the company's real domain (@paypal.com), stop.

Watch especially for one-letter swaps. The real microsoft.com becomes rnicrosoft.com (that's r-n, not m). The real paypal.com becomes paypa1.com (that's the number 1, not lowercase L). These are easy to miss when scanning your inbox at 8am.
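The two checks above (display name versus real address, and one-letter lookalike domains) as a small script. This is an added example, not code from the post; the brand table and the sample headers are constructed for illustration, and the domain extraction is deliberately naive (no public-suffix list).

```python
from email.utils import parseaddr

# Constructed brand table (assumption): the domain mail from each brand should come from.
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}

# The one-glyph swaps the post calls out (rn for m, 1 for l) plus two common extras.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def registrable_domain(address: str) -> str:
    """Last two labels of the address's domain (naive; no public-suffix list)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def fold_lookalikes(domain: str) -> str:
    """Fold confusable glyphs so rnicrosoft.com and paypa1.com collapse onto their targets."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def check_sender(from_header: str) -> dict:
    """Compare the friendly display name against the address actually behind it."""
    name, addr = parseaddr(from_header)
    domain = registrable_domain(addr)
    verdict = {"display_name": name, "address": addr, "domain": domain, "flags": []}
    # Tell 1: the display name claims a brand whose real domain this is not.
    claimed = next((b for b in KNOWN_BRANDS if b in name.lower()), None)
    if claimed and domain != KNOWN_BRANDS[claimed]:
        verdict["flags"].append(f"display name claims {claimed} but address domain is {domain}")
    # Tell 2: once lookalike glyphs are folded, the domain turns into a known brand's domain.
    folded = fold_lookalikes(domain)
    if folded != domain and folded in KNOWN_BRANDS.values():
        verdict["flags"].append(f"{domain} is a lookalike of {folded}")
    return verdict


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in ('"PayPal Customer Service" <service@paypa1-secure.xyz>',
                   '"Microsoft" <no-reply@rnicrosoft.com>',
                   '"PayPal" <service@paypal.com>'):
        result = check_sender(header)
        print(header, "->", result["flags"] or ["looks consistent"])
```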

2. Hover before you click

On a desktop, hover your mouse over any link and the real destination shows up at the bottom of your browser or email client. On mobile, long-press the link to see a preview. The text of the link can say https://www.microsoft.com and still go anywhere the attacker wants.

If the link's real domain isn't the official domain of the company that supposedly sent the email, don't click. Open a new browser tab and go to the company's site directly.
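The hover check, automated: pull every link out of an HTML email body and compare where it really goes against both the text it shows and the domain of the company the email claims to be from. This is an added example, not the post's own code; the sample body is constructed, and the "expected domain" you pass in is whatever brand the email claims.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def host_of(url_or_text: str) -> str:
    """Host part of a URL or bare domain; '' when the text does not look like one."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname or ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else ""

def same_site(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html_body: str, expected_domain: str) -> list:
    """One finding per link whose destination contradicts its label or leaves the brand's domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real, shown = host_of(href), host_of(text)
        if shown and real and not same_site(real, shown):
            findings.append(f"text says {shown} but link goes to {real}")
        elif real and not same_site(real, expected_domain):
            findings.append(f"{text!r} links off-domain to {real}")
    return findings

# Constructed sample body (assumption), not a real message.
SAMPLE = ('<p>Your password expires today. <a href="https://login.rnicrosoft-verify.xyz/reset">'
          'https://www.microsoft.com</a> or read <a href="https://support.microsoft.com/help">'
          'our help page</a>.</p>')

if __name__ == "__main__":
    for finding in audit_links(SAMPLE, "microsoft.com"):
        print("FLAG:", finding)
```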

3. Why am I getting this?

"Did I expect this?" is now the single most useful question you can ask. A wire transfer request from the CEO. A SharePoint share notification from a colleague. A password reset for an account you didn't reset. An invoice from a vendor you don't use. Even if the email reads perfectly, ask whether the request fits how that person or company normally works with you.

AI eliminates the surface-level red flags like grammar and spelling, but the behavioral red flags are still there.

4. Legitimate platforms can be the carrier

A modern phishing trick: the email actually does come from QuickBooks, or Zoom, or SharePoint, or PayPal. The attacker uses the real platform to send the message, so it passes every email authentication check and your spam filter never sees it. KnowBe4 reported a 67% jump in this kind of attack in 2025.

The scam is in the document, the invoice, or the meeting link the platform is technically sending you "legitimately." Treat any "shared document" or invoice notification you weren't expecting the same way you'd treat an unsolicited wire transfer request: skeptical until verified.

5. Verify odd requests

If an email asks you to send money, change credentials, or hand over sensitive information, verify it through a different channel. Call the sender back on a number you already know. Walk down the hall if you both work in the office. Open a new browser tab and log into the real site directly. Voice and video can be faked too, as we covered in "fake face, real money," but the solution is the same: a second channel of communication you can trust. This is one step that AI can't fake. Yet.

When in doubt

Slow down. Urgency is the number-one manipulation tactic for a reason: it works. Anything that pressures you to act now deserves an extra minute of scrutiny.

If you have an IT person or a security helpdesk, forward suspicious emails to them. Most of the time they would rather check a hundred false alarms than miss the one that gets through. If you don't have an IT person, reply to the request through a known channel (not the email) before doing anything irreversible.

It is genuinely fine to delay an "urgent" request by ten minutes to verify it. No one who's actually your boss, your bank, or your vendor will be mad about that ten minutes. The only person mad about it is the scammer.

Real life examples

If you want to calibrate your eye on real phishing, both Berkeley and Stanford publish regularly updated archives of what's actually hitting their users. Berkeley annotates each example with what makes it a phish, useful if you want to drill into the tells. Stanford is a running list, useful for getting a sense of how often new variants show up.

Another good resource is CISA's phishing page, which covers what to do after you've clicked something you shouldn't have.

Closing

The mandatory phishing training emails from IT will keep coming, and you might still keep clicking on the occasional test. That's the point of these tests. The simulations are calibrated to catch a small percentage of employees so the training stays useful. The goal is to create a small alarm in your own brain before you click anything that wasn't expected, anything that pressures urgency, or anything that asks for something sensitive.

Joel

If you have a phishing story (even an embarrassing one), I'd love to hear it. You can reach me at joel@freshfromcache.com.
