How to spot a modern phishing email
AI has eliminated the old tells. Here's the new framework — three checks that catch 95% of modern phishing without relying on typos.
Stop relying on typos and grammar — AI has eliminated those tells. Use the 3-check framework: (1) Does the email demand urgent action? (2) Hover over every link to verify the actual destination domain. (3) For any payment, credential, or sensitive request — verify out-of-band by calling the sender on a known number. Apply this consistently and you'll catch 95% of modern phishing.
Key takeaways
- AI killed 'spot the typos' as a defense. Don't rely on it.
- Three new checks: urgency? hover the link? verify out-of-band?
- Out-of-band verification (phone, in-person, separate channel) catches sophisticated attacks.
- Hover or long-press every link before clicking; trust the actual domain, not the text.
- If you've clicked and entered credentials, change them immediately on the legitimate site.
The old tells are dead
Phishing emails in 2023 had typos, broken English, generic 'Dear Customer' greetings, and obviously fake sender names. Easy to spot.
AI-generated phishing emails in 2026 have native-quality language, your real name, your company, and references to projects you actually work on (often pulled from LinkedIn or social media).
Stop teaching yourself to spot 'bad English.' That heuristic is broken.
Check 1 — Does it demand urgent action?
Almost every successful phishing email exploits the same psychology: don't think, act now.
Common urgency triggers: 'verify your account in the next hour or it will be suspended,' 'unauthorized login attempt — confirm now,' 'invoice overdue — pay today to avoid late fees,' 'urgent: CEO needs you to wire $X for a deal.'
Legitimate processes give you time. Banks, payment processors, and IT departments don't operate on hourly deadlines for routine tasks.
Treat urgency as a red flag. Step away from the email. Take 5 minutes. The world won't end.
Check 2 — Hover over every link before clicking
The link text shown can say anything. The actual destination is what matters.
On desktop: hover over a link without clicking. Your browser/email client shows the real URL at the bottom or in a tooltip.
On mobile: long-press a link to see the URL.
Look for: does the domain exactly match the legitimate site? Is it a look-alike (g00gle.com, paypa1.com)? Or is it a totally different domain posing as a tracking redirect?
Common tricks: subdomains (paypal.com.security-alerts.fake.com is on fake.com, not paypal.com), look-alike Unicode characters in internationalized domain names (Cyrillic 'а' looks identical to Latin 'a'; in its raw Punycode form such a domain contains a label starting with xn--), URL shorteners that hide the destination.
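The hover check can also be run mechanically over an HTML email body. The following is an added example, not part of the original article: it compares each link's visible text with its real destination and flags the tricks listed above. The shortener list, the two-label domain rule, the finding names and the sample body are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # assumption: small sample list
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
SAMPLE = ('<a href="https://paypal.com.security-alerts.fake.com/login">https://www.paypal.com/verify</a>'
          '<a href="https://www.paypal.com/help">Help centre</a><a href="https://bit.ly/3xAmPle">View invoice</a>'
          '<a href="https://p\u0430ypal.com/">paypal.com</a>')  # constructed body; \u0430 is Cyrillic

def registrable(host):
    # Assumption: last two labels; real tooling should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):  # gathers (visible text, href) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_link(text, href, expected):
    """Findings for one link; an empty list means nothing was flagged."""
    host = urlsplit(href).hostname or ""
    dest, findings = registrable(host), []
    if not host.isascii() or "xn--" in host:
        findings.append("non-ascii-hostname")
    if dest in SHORTENERS:
        findings.append("shortener-hides-destination")
    elif dest != expected:
        findings.append("destination-is-" + dest)
        if expected in host:  # real brand used only as a subdomain prefix
            findings.append("brand-in-subdomain")
    shown = DOMAIN_IN_TEXT.search(text.lower())
    if shown and registrable(shown.group()) != dest:
        findings.append("text-does-not-match-destination")
    return findings

def audit(html, expected):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(text, href, expected) for text, href in parser.links}
```

Calling `audit(SAMPLE, "paypal.com")` returns an empty list only for the genuine `www.paypal.com` link; the other three links each carry at least one finding.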
Check 3 — Verify out-of-band for sensitive requests
This is the rule that catches everything else: any email asking for credentials, payment, account changes, or sensitive information must be verified through a separate channel before action.
In practice: 'My boss is emailing asking me to wire money for an urgent deal.' → call your boss on the phone number you have saved (not the number in the email). 'My bank is asking me to confirm my login.' → close the email, then open your bank's app or go to the bank's site by typing its URL manually.
Yes, this is annoying. Yes, do it anyway. The cost of a 30-second phone call is much less than the cost of a successful phishing attack.
Specific patterns to recognize
The 'IT support, please reset your password' email — usually arrives at end of day, threatens lockout, links to a domain that's close-but-not-exact to your company's. Always verify with IT directly.
The 'shipping confirmation for an order you didn't place' — designed to make you click to dispute. Hover the link; if it doesn't match the retailer's real domain, delete.
The 'invoice attached PDF' — opens normally, but may include a malicious link or trigger a second-stage download. Don't open attachments from unexpected senders; verify with the supposed sender directly.
The 'CEO wire-transfer request' — designed to bypass normal procedures by exploiting authority and urgency. Companies should have written policies that any wire transfer requires phone verification.
When you've already clicked
Don't panic. Don't beat yourself up — modern phishing is sophisticated.
If you only clicked the link but didn't enter credentials: change the password of the targeted account immediately as a precaution. Run an antivirus scan. Watch for unusual account activity over the next week.
If you entered credentials: change the password immediately on the legitimate site (not via the email). Enable 2FA if you hadn't. Check for any unauthorized changes to the account (forwarding rules, new recovery email, etc.). Report it to your IT/security team if it is a work account.
If you sent money: contact your bank immediately to attempt to reverse the transfer. The window for reversal closes fast. File a police report and an FBI IC3 (or your country's equivalent) report.
Frequently asked questions
What if the email really IS from my boss / my bank?
Then a 30-second phone call confirms it. Real bosses and real banks don't get angry that you verified a $50,000 wire request. They thank you.
I got an email with my real password in the subject line — am I being blackmailed?
The 'sextortion' email is mass-produced. Your password almost certainly came from a public breach (check haveibeenpwned.com). Change that password everywhere it's used. Don't pay anything. Don't reply.
My company runs phishing simulations and I'm afraid to click anything anymore.
Good — that's the goal. Hover every link, verify sensitive requests out-of-band, and report anything suspicious to IT. Even false positives are useful data for the security team.
What about phone calls and texts that pretend to be official?
Same framework. 'Urgency? Verify out-of-band.' Hang up, call back the official number you have on file (not the number that called you). Most legit callers won't pressure you to stay on the line.
Are link-preview tools useful?
They can help — Outlook and Gmail expand most shortened links automatically. But they're not foolproof. The hover-and-verify habit is more reliable.