Affiliate disclosure: Some links in this article are affiliate links. If you buy through them, I earn a small commission — at no extra cost to you. I only recommend tools I would genuinely use myself.

3.4B phishing emails sent every single day

82% of phishing emails now AI-generated

36% of all data breaches start with phishing

You were taught to look for bad spelling and grammar. That rule no longer works.

Attackers now use AI to write phishing emails. The results are polished, professional, and personalised — better than many legitimate business emails. The grammar check that used to catch 80% of phishing attempts catches almost nothing in 2026. And most people have not updated their mental model to account for this.

This article covers what actually works now: the signals that AI cannot fake, real examples of what these emails look like, and — critically — exactly what to do if you have already clicked something you shouldn't have.

What Phishing Emails Actually Look Like in 2026

Before the signals, the examples. Three formats — each engineered to exploit a different emotional state.

The sender field is the fastest check. The display name can say anything — 'Security Team', 'Your Bank', 'Account Services'. The actual email address reveals the truth. Hover or tap to see it.

Delivery scams work because of timing coincidence — you are often expecting something. The structural signal is the payment request. No courier asks for money via an email link.

All three emails are visually different. The mechanism is identical — a request the organisation would never actually make, delivered with just enough urgency to bypass careful thought.

The Rule That No Longer Works — And What Replaced It

Grammar errors and misspellings used to be the most reliable phishing signal. They were genuine tells — attackers could not write convincing English at scale. That changed when AI became widely accessible. A phishing email generated by a language model reads fluently. The "Nigerian prince" era is over.

In security awareness training conducted as part of ISO 27001 audits, the single most effective phishing lure is not a poorly-written bank email. It is a clean, personalised internal HR communication that references something slightly plausible about the recipient's situation. Employees who would immediately reject a grammatically awkward email click it without hesitation.

So if grammar is no longer reliable, what replaced it?

Behavioural inconsistency. Not whether the email looks right — but whether it behaves like a real email from that sender would.

The question is not 'does this look legitimate?' It is 'would a legitimate version of this sender actually send this?' That shift in question changes everything.

The 7 Signals That Actually Work Now

These are structural signals — things AI cannot eliminate because they are baked into how phishing works, not how it is written.

Sender domain does not match the organisation

Display name says 'PayPal' but the real address is paypa1-alerts@secure-centre.net. Hover or tap the sender name to reveal the actual address. One character difference confirms it.

Urgency combined with authority

'Your account closes in 24 hours unless you act now.' Real organisations do not set email ultimatums. This combination is the single most reliable structural phishing pattern that exists.

Request type the organisation never makes by email

Banks never email you a login link. Tax authorities never send refund claim forms. If it is asking you to do something you have never been asked to do before — that inconsistency is the signal.

Link destination does not match the display text

Button says 'Log in to your account' but hovering shows a different domain. Desktop: check the browser status bar. Mobile: long-press to preview the destination.

Generic greeting on a personalised service

'Dear Customer' on a service that normally uses your name. Weakening as attackers use breached data — but still meaningful combined with other signals.

Unexpected attachment with a request to open it

If you did not request a file, do not open it. Phishing attachments are disguised as invoices, shipping labels, HR documents, and shared cloud files.

Email redirects you away from the official site

Any link in a security or account email that goes to anything other than the organisation's own exact domain is a confirmed red flag.

How to Check a Suspicious Email Right Now

If you have a suspicious email open in another tab, run through this before doing anything else.

7-step suspicious email check

Takes under 2 minutes


1. Reveal the real sender address

Tap or hover the sender name — not the display name, the actual email address. Does the domain exactly match the organisation? One character difference is a confirmed phishing attempt.

2. Hover the link before clicking

Desktop: hover over any link and check the URL in the browser status bar. Mobile: long-press to preview. Does it go to the official domain?

3. Check the greeting

Does the email use your name, or 'Dear Customer'? Cross-reference with how this organisation normally addresses you.

4. Identify the request type

Is this organisation asking you to do something they have never asked by email before? Credentials, payment, or personal information via email are red flags regardless of everything else.

5. Check the urgency level

Is there a deadline or a threat? Urgency is a manipulation technique. Slow down whenever an email wants you to act fast.

6. Search the subject line

Copy the subject line and search it with 'phishing' or 'scam'. Active campaigns are reported within hours — you will often find community confirmation of the exact email.

7. When in doubt, go directly

Do not click any link. Open a new browser tab and navigate to the organisation's official website or app. If there is a real issue with your account, you will see it there.
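The sender-domain, link-destination, greeting and urgency checks from the signals list and the checklist above, run over a constructed message, as an added Python example that is not part of the original article. The sample email, the expected domain paypal.com and the two-label "registered domain" approximation are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message) exhibiting four of the signals listed above.
PHISH = """From: PayPal Security <paypa1-alerts@secure-centre.net>
Content-Type: text/html

<p>Dear Customer, your account closes in 24 hours unless you act now.</p>
<p><a href="https://paypal.com.secure-centre.net/login">Log in to your account</a></p>
"""

def registered_domain(host):
    # Last two labels only; production code should consult the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    # Collects (anchor text, href) pairs so link text can be compared with its target.
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((data.strip(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def check_email(raw, expected_domain):
    # Returns (signal, detail) pairs; an empty list means none of the checks fired.
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    _, addr = parseaddr(msg.get("From", ""))  # the real address, not the display name
    if registered_domain(addr.rpartition("@")[2]) != expected_domain:
        findings.append(("sender-domain", addr))
    parser = LinkCollector()
    parser.feed(body)
    for text, href in parser.links:  # link destination vs display text
        host = urlparse(href).hostname or ""
        if registered_domain(host) != expected_domain:
            findings.append(("link-domain", f"{text!r} -> {host}"))
    if re.search(r"\bdear (customer|user|member)\b", body, re.I):
        findings.append(("generic-greeting", "no personal name"))
    if re.search(r"\b\d+\s*hours?\b|act now|immediately", body, re.I):
        findings.append(("urgency", "deadline or pressure wording"))
    return findings
```

A message from the real domain with a personal greeting and no deadline returns an empty list; each finding names the signal from the list above so the reader can map it back to the manual check.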

Why Phishing Emails Feel So Familiar — And Why That's the Point

Phishing works on recognition, not confusion. The email looks like something you were half-expecting — and that feeling of familiarity is engineered. These are the five templates behind every phishing email you will ever receive.

The security alert — triggers fear

Unusual sign-in, account at risk, verify now. Microsoft alone accounts for 36% of all brand impersonation in phishing. Everyone fears losing access to an account they depend on.

The delivery notification — triggers anticipation

Your parcel could not be delivered. Pay a small redelivery fee. Sent at scale — a percentage of recipients always have something on order. The timing coincidence feels like proof.

The payment failure — triggers anxiety

Your subscription payment failed. Update your card to avoid interruption. Subscription services are universal. The anxiety of losing access triggers fast action before thinking.

The shared document — triggers curiosity

Someone shared a file with you. A Google Drive, Dropbox, or OneDrive notification. Clicking opens a fake login page. Curiosity overrides the check.

The IT or HR notification — triggers obligation

Your password expires in 24 hours. Your payslip is ready. These have the highest click rates of any phishing template because people do not question what looks like a routine work task.

The brand in the sender field changes. The emotional template never does. Once you recognise which of these five levers an email is pulling, the specific branding becomes irrelevant.

I Already Clicked — What to Do Based on What Happened

Three scenarios. Three different urgency levels. Find yours.

Scenario A — You clicked the link but entered nothing

Risk level: Low. Simply visiting a phishing page without entering anything rarely results in compromise on a modern, updated device. Follow the 3 steps below.

1. Close the tab and clear your browser cache

Close the tab completely. In your browser settings, clear cache and cookies for that session. This removes any tracking cookies the page may have set.

2. Check your device is fully updated

Known vulnerabilities in outdated browsers and operating systems are the exception that makes passive visits dangerous. Update both now if you haven't recently.

3. Monitor your accounts for 48 hours

No password changes required unless unusual activity appears. Watch for login alerts from unrecognised devices on your email and any accounts linked to it.

Scenario B — You entered your email address, password, or personal information

Risk level: Medium to high. The attacker has what you entered and automated tools will test it against hundreds of services within minutes. Act on the steps below immediately.

1. Change the password for that account immediately

Do this from a trusted device — not the one you used to click the link, in case it is compromised. Use a completely new password not used anywhere else.

2. Change passwords on every account where you reused that password

Password reuse turns one phishing success into full account takeover. If you use 1Password or any password manager, run a breach check to identify all reused passwords and change them.

3. Check haveibeenpwned.com for your email address

Go to haveibeenpwned.com and enter your email address. If your credentials appear in known breaches, prioritise changing all of them — not just the account whose credentials were just phished.

4. Enable two-factor authentication on your email account

Your email is the master key — it controls password resets for everything linked to it. 2FA on email alone prevents the majority of account takeover chains that start here.

5. Alert your bank if you entered financial information

Contact your bank immediately if you entered card details or banking credentials. Request a card freeze if necessary — this is a free service on most accounts.

The password manager I use for this: 1Password — stores all your logins securely so you only need to remember one.

Scenario C — You opened an attachment

Risk level: High. Phishing attachments are designed to install silently — PDFs with embedded scripts, Office documents with macros, ZIP files with malware. Do not enter any passwords on this device until you complete the steps below.

1. Disconnect from the internet immediately

Turn off WiFi and mobile data. This limits what any installed malware can transmit before you clean the device.

2. From a separate trusted device — change your email password first

Change your email account password and any banking app passwords before reconnecting the compromised device to the internet. Do this now, not after the scan.

3. Run a full malware scan

On Android: download Malwarebytes and run a full scan. On iPhone: iOS sandboxing prevents most attachment-based malware — your main risk is credential theft, not device infection.

4. Change all passwords again after any malware is removed

If the scan finds anything, assume everything entered on that device after opening the attachment was captured. Change all passwords from a clean device.

5. Notify your IT team if the device is used for work

Phishing-via-attachment is the primary entry point for ransomware on organisations. Even if your personal data seems unaffected, your employer's network may be at risk.

Run a scan immediately: Malwarebytes detects malware that standard antivirus tools miss.

How to Make Sure This Does Not Happen Again

Use a different password on every account

1Password generates and stores a unique password for every account. One breach at one service stays contained — the attacker gets one password that works nowhere else.

Enable 2FA on your email account before anything else

Your email is the master key. An attacker who controls your email can reset passwords on everything linked to it. 2FA on email alone stops the majority of takeover chains.

Pause whenever an email creates urgency

Phishing works on emotion, not technology. The moment an email makes you feel urgent, scared, or excited — that feeling is the signal. The real organisation can wait 60 seconds while you check the sender address.

Report it — do not just delete it

Gmail: tap the three dots → Report phishing. Outlook: use the Report button. Reporting trains the filter and protects the next person who receives the same email.

The Honest Summary

Phishing is not a technology problem — it is a psychology problem. Attackers do not need to defeat your security software. They need to defeat your attention for approximately 30 seconds.

The techniques in this article require no technical knowledge. Revealing the real sender address takes two seconds. Hovering a link before clicking takes one. Searching the subject line takes thirty. The reason most phishing succeeds is not that people lack the skills — it is that the email was specifically designed to prevent them from using those skills.

Every phishing attack depends on the window between you receiving the email and you clicking the link. The attacker controls everything except what happens in that window. Slow down in that window. The rest follows.

Phishing requires your action. It cannot steal your credentials without your participation. The window between receiving the email and clicking the link is where every attack can be stopped. That window belongs to you. Use it.