Spotting Phishing in 2026: Beyond the Obvious Signs
The classic phishing checklist (typos, weird URLs) catches very little in 2026. Here is what actually distinguishes a phish from a legitimate email.
The phishing-awareness slide deck your company made you sit through is probably wrong in 2026. The classic red flags (typos, urgent tone, suspicious sender) still appear, but modern phishing campaigns are increasingly written by LLMs and can be indistinguishable from legitimate corporate email. The grammar is perfect. The tone matches the sender's prior emails, often because the attacker has been reading the inbox for weeks. The signature has the right logo.
What still works to distinguish phish from real is a set of signals that have nothing to do with the text of the email.
The three signals that still work
Sender domain mismatch between the From header and the SMTP envelope. The From header is text the sender wrote; SMTP never verifies it. The envelope sender (the MAIL FROM the sending server used) is what your gateway records in the Return-Path header, and every relay prepends a Received header, so the last Received header is the hop the message actually started from. A phish displaying Microsoft Support <support@microsoft.com> will typically carry a Return-Path on a domain you have never heard of, and its earliest Received hop will be a residential IP or a cheap VPS in a country you don't do business with. Read the Authentication-Results header your gateway adds as well: mail that really left microsoft.com passes SPF, DKIM and DMARC for that domain, and a message whose From says microsoft.com but whose Authentication-Results says dmarc=fail is not from Microsoft. One caveat: an attacker who registers a lookalike domain can make From and Return-Path agree and pass DMARC for that lookalike, so agreement proves nothing on its own; check that the domain itself is the right one. Train your team to view raw headers, not the friendly view.
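As an added example (my code, not the article's own tooling), the following Python pulls those signals out of a raw message: the From domain versus the Return-Path domain, the SPF/DKIM/DMARC verdicts recorded in Authentication-Results, and the first non-internal IP in the Received chain. The two messages at the bottom are constructed for illustration (hostnames included), the internal-network list and the allowance for a bounce subdomain in Return-Path are assumptions you would tune for your own gateway, and the 198.51.100.x / 203.0.113.x addresses are documentation ranges standing in for real ones.

```python
import email
import email.policy
import ipaddress
import re
from email.utils import parseaddr

# Assumption: hops on these networks are our own relays, never the origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]

def address_domain(header_value):
    """Domain of the first address in a From/Return-Path header, lowercased."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def authentication_results(msg):
    """spf/dkim/dmarc verdicts our gateway recorded, e.g. {'spf': 'fail'}."""
    verdicts = {}
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(ar), re.I):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts

def originating_ip(msg):
    """First non-internal IP walking the Received chain from the earliest hop."""
    # Each relay prepends its own Received header, so the last one is the oldest.
    for rcvd in reversed(msg.get_all("Received", [])):
        for ip_str in re.findall(r"\[([0-9A-Fa-f.:]+)\]", str(rcvd)):
            try:
                ip = ipaddress.ip_address(ip_str)
            except ValueError:
                continue
            if not any(ip in net for net in INTERNAL_NETS):
                return str(ip)
    return None

def analyse_headers(raw_message):
    """Header-level signals and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    from_dom = address_domain(msg["From"])
    rp_dom = address_domain(msg["Return-Path"])
    auth = authentication_results(msg)
    reasons = []
    # Assumption: bulk senders legitimately bounce from a subdomain, so allow that.
    if rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        reasons.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            reasons.append(f"{mech} did not pass ({auth.get(mech, 'none')})")
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "auth": auth,
        "originating_ip": originating_ip(msg),
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "no header anomaly",
    }

# Constructed sample: From claims microsoft.com, envelope and auth results disagree.
PHISH = """\
Return-Path: <bounce@notify.example.org>
Received: from mx.corp.example ([10.0.0.5]) by inbox.corp.example with LMTP; Mon, 2 Feb 2026 09:12:03 +0000
Received: from mail.example.org (mail.example.org [203.0.113.10]) by mx.corp.example with ESMTPS id 4F2A1; Mon, 2 Feb 2026 09:12:01 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77]) by mail.example.org with ESMTPA; Mon, 2 Feb 2026 09:11:58 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=notify.example.org; dkim=none; dmarc=fail (p=reject) header.from=microsoft.com
From: Microsoft Support <support@microsoft.com>
To: alice@corp.example
Subject: Action required: verify your account

Please review the attached document.
"""

# Constructed sample in the shape real vendor mail takes: bounce subdomain, DMARC pass.
LEGIT = """\
Return-Path: <bounce@bounce.microsoft.com>
Received: from mx.corp.example ([10.0.0.5]) by inbox.corp.example with LMTP; Mon, 2 Feb 2026 10:00:02 +0000
Received: from mail.microsoft.com (mail.microsoft.com [203.0.113.20]) by mx.corp.example with ESMTPS id 9B1C0; Mon, 2 Feb 2026 10:00:01 +0000
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bounce.microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: Microsoft Account Team <account-security@microsoft.com>
To: alice@corp.example
Subject: Your sign-in summary

No action needed.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyse_headers(raw))
```

The Received walk deliberately starts from the oldest header rather than trusting any single one: everything below the hop your own gateway wrote was supplied by the sender and can be forged, which is why the Authentication-Results your gateway computed is weighted at least as heavily as the envelope mismatch.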
Link text + href mismatch. A link rendered as https://login.microsoftonline.com but actually pointing to https://login-microsoftonline.attacker.tld is the most reliable single tell that still survives in 2026. The visible text lives in the HTML body; the actual target is the href attribute, and nothing forces the two to agree. Read the target from the right: the registrable domain is the part just before the public suffix, so login.microsoftonline.com.attacker.tld belongs to attacker.tld, not to Microsoft. Hover before clicking (long-press on most mobile clients). If the client doesn't preview hrefs at all, copy the link and paste it into a scratch file to read it before opening.
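An added example (my code, not the article's): a small HTML walker that extracts every anchor's visible text and href, flags links whose displayed hostname differs from the href's hostname, and flags hrefs whose host contains a trusted brand's name without being under that brand's domain. The TRUSTED_DOMAINS and BRAND_TOKENS sets and the sample email body are assumptions constructed for the example, and the suffix match is a stand-in for a proper public-suffix-list lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the example: domains we expect links to land on, and brand
# words whose presence in any other host is a lookalike signal.
TRUSTED_DOMAINS = {"microsoftonline.com", "microsoft.com", "corp.example"}
BRAND_TOKENS = {"microsoft", "microsoftonline", "office365"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None   # [href, text so far] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def host_of(text):
    """Lowercased hostname from a URL or a bare hostname; '' if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "https://" + text
    try:
        return (urlparse(text).hostname or "").lower()
    except ValueError:
        return ""


def under_trusted(host):
    """True when host is one of, or a subdomain of, the trusted domains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike(host):
    """A brand word appears in the host, but the host is not under the brand's domain."""
    return any(t in host for t in BRAND_TOKENS) and not under_trusted(host)


def check_links(html):
    """Findings as (reason, visible text, href) tuples; an empty list means nothing odd."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if href.lower().startswith(("mailto:", "tel:")):
            continue
        target = host_of(href)
        if not target:          # relative link or no host at all
            continue
        # Only treat the visible text as a claimed destination if it looks like one.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != target:
            findings.append(("text/href host mismatch", text, href))
        elif is_lookalike(target):
            findings.append(("lookalike of trusted domain", text, href))
    return findings


# Constructed sample body in the shape of a credential-harvest phish.
SAMPLE_HTML = """
<p>Your session expires today. Sign in at
<a href="https://login-microsoftonline.attacker.tld/auth">https://login.microsoftonline.com</a>
to keep access.</p>
<p>Or <a href="https://login-microsoftonline.attacker.tld/auth?x=2">review the document</a>.</p>
<p>Questions? <a href="mailto:support@corp.example">Contact support</a> or visit
<a href="https://portal.corp.example/help">https://portal.corp.example/help</a>.</p>
"""

if __name__ == "__main__":
    for reason, text, href in check_links(SAMPLE_HTML):
        print(f"{reason}: shown {text!r} -> {href}")
```

Two limits worth knowing before relying on this: the brand-token match is a plain substring test, so homoglyph domains (Cyrillic letters, rn for m) slip through and need a separate Unicode check, and a link whose text is a friendly phrase rather than a URL yields no mismatch at all, which is exactly why the lookalike check runs on the href host on its own.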
Out-of-band corroboration. "The CEO asked me to wire $50k" — yes, sure, then call the CEO on a phone number you already have, not one in the email. "IT needs you to re-authenticate" — yes, sure, then open the IT portal from your bookmarks, not from the email link. The simple rule: any email that asks you to click a link to do a sensitive thing should be answered with "I'll do that, but I'll get there my own way." A real sender does not care which path you take to get there. An attacker does.
What does not work as a signal in 2026
"It looks unprofessional." LLM-generated phish does not look unprofessional anymore. The era when you could spot phish from broken English died around 2023.
"It comes from outside the org." Plenty of real correspondence comes from outside, and plenty of phish is sent from inside after an account compromise. The boundary doesn't tell you what you think it tells you.
"The link is shortened." Lots of legitimate marketing tools shorten links. A bit.ly link is not by itself diagnostic; what is diagnostic is expanding it and finding no plausible destination behind it.
"They asked for credentials." Sophisticated phish doesn't ask for credentials directly. It asks you to log into a real-looking portal that captures them server-side, often by proxying the genuine login page so that your MFA code and session cookie are relayed to the attacker too. The ask is "review this document" or "confirm your meeting." The credential prompt comes after, in a flow that looks like normal authentication.
A 30-second drill that catches most of them
When you get an email that triggers your gut, run this drill before responding:
- View raw headers. Confirm the From domain matches the Return-Path domain, that Authentication-Results shows SPF, DKIM and DMARC passing for that domain, and that the originating Received hop is somewhere plausible.
- Hover every link. Read the actual target, right to left. If it points to a domain that looks like but isn't your normal vendor's domain, stop.
- If there's a URL you cannot verify by eye, paste it into our URL scanner for a fast safety check, and run the sender domain through our phishing detector to surface lookalike-domain patterns.
- If the message asks you to do something sensitive, do that thing via a path the email did not provide.
This routine takes thirty seconds and catches the vast majority of targeted phish that gets past your spam filter. The remainder, highly targeted and well resourced, needs a different control: out-of-band verification for any sensitive action, every time, with no exceptions for "I trust this person", because the attacker is exploiting exactly that trust.
The good news: the attacker's economics have not changed. They still need to monetise quickly, which means they still pressure you to act now. Any email that asks you to act now, through a link, from a sender whose route to your inbox you cannot verify, deserves the thirty seconds.