Scam Detective

How to Spot a Phishing Email in 2026

February 25, 2026

Phishing emails are more convincing than ever. Scammers use AI-generated text, cloned brand templates, and spoofed sender addresses to trick you into clicking malicious links or handing over personal information. In 2025, the FTC received over 300,000 reports of email-based fraud — and those are just the ones that were reported.

Here are five reliable signs that an email is a phishing attempt, even when it looks legitimate at first glance.

1. The Sender Address Doesn't Match the Brand

The display name might say "Bank of America" or "Amazon Support," but the actual email address tells a different story. Hover over or tap the sender name to reveal the full address. Legitimate companies send from their own domain (e.g., @bankofamerica.com), not from random domains like alerts-boa@secure-notice.xyz.

Watch for subtle misspellings: @amaz0n.com, @paypa1.com, or @app1e.com. These look right in a quick scan but fail on closer inspection.

What to do: Copy the sender's domain and paste it into the search bar at the top of this page to see if it's been reported in phishing campaigns.

2. Urgent Language Designed to Panic You

"Your account will be suspended in 24 hours." "Unauthorized login detected — act now." "Final notice before legal action."

Scammers manufacture urgency because panicked people don't think critically. Legitimate companies don't threaten you into clicking links within minutes. Your bank will call you if there's real fraud on your account — they won't send a single email with a 24-hour deadline.

If an email makes you feel anxious, that's a feature, not a bug. The scammer designed it that way.

3. Links That Don't Go Where They Claim

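A button that says "Verify Your Account" might actually link to http://login-secure-bank.sketchy-domain.com/verify. Read the address from the right: the site you would reach is sketchy-domain.com, and the reassuring "login-secure-bank" in front of it is only a subdomain label chosen by whoever owns that domain. Before clicking any link in an email: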

  • Desktop: Hover your mouse over the link and look at the URL in the bottom-left corner of your browser.
  • Mobile: Long-press the link to preview the URL without opening it.

If the domain in the link doesn't match the company the email claims to be from, it's phishing. Period.

What to do: Paste the suspicious URL into the search bar at the top of this page for an instant risk check.
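
Signs 1 and 3 can also be checked mechanically when triaging reported mail. This Python example is added here and is not this site's own code; the BRANDS map, the function names and the sample message are assumptions, with the sample constructed from the article's example address and URL.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a defender-maintained map of brand name -> legitimate domain.
BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com",
          "apple": "apple.com", "bank of america": "bankofamerica.com"}
SWAPS = str.maketrans("01", "ol")  # digit swaps as in amaz0n, paypa1, app1e

def under(host, domain):
    """True only if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkHosts(HTMLParser):  # collects the hostname of every <a href>
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append(urlsplit(href).hostname or "")

def check_email(raw):
    """Return findings for signs 1 and 3; an empty list means none tripped."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    findings = []
    brand = next((b for b in BRANDS if b in name.lower()), None)
    if brand and not under(sender, BRANDS[brand]):
        findings.append(f"sender-mismatch: name claims {brand}, domain is {sender}")
    fixed = sender.translate(SWAPS)
    if fixed != sender and fixed in BRANDS.values():
        findings.append(f"lookalike: {sender} imitates {fixed}")
    expected = BRANDS[brand] if brand else fixed
    parser = LinkHosts()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for host in parser.hosts:
        if not under(host, expected):
            findings.append(f"link-mismatch: {host} is not under {expected}")
    return findings

# Constructed sample built from the article's example address and URL.
SAMPLE = ('From: "Amazon Support" <alerts@amaz0n.com>\nContent-Type: text/html\n\n'
          '<a href="http://login-secure-bank.sketchy-domain.com/verify">Verify</a>\n')
```

Hostnames are compared from the right, so a brand name placed in a subdomain of another domain still fails the check. The digit swaps cover only 0 and 1, so other lookalike characters need their own entries.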

4. Generic Greetings Instead of Your Name

"Dear Customer," "Dear User," or "Dear Account Holder" — these generic greetings are a strong signal of mass-sent phishing. Your bank, your employer, and services you've signed up for know your name and use it.

This isn't foolproof by itself — some legitimate marketing emails use generic greetings, and sophisticated phishing campaigns do include your real name (often pulled from data breaches). But combined with other red flags, a missing name is one more reason to be suspicious.

5. Suspicious Attachments You Didn't Expect

An email from "HR" with an attachment called payroll_update.zip or invoice_march.html? Unless you were specifically expecting that file from that person, don't open it.

Dangerous attachment types include .zip, .exe, .html, .js, and macro-enabled Office files (.xlsm, .docm). Even PDFs can contain malicious links.

The safest approach: if you think an attachment might be legitimate, contact the sender through a different channel (phone, Slack, a fresh email) to confirm they sent it.

What to Do If You Think an Email Is Phishing

  1. Don't click anything in the email — no links, no attachments, no "unsubscribe" button.
  2. Forward the email to checkemail@isitspamchecker.com and we'll analyze it automatically, sending you back a risk report.
  3. Report it to the FTC at ReportFraud.ftc.gov and to the Anti-Phishing Working Group at reportphishing@apwg.org.
  4. Delete the email after reporting.

If you already clicked a link or entered information, read our guide on what to do if you gave info to a scammer for immediate damage-control steps — you'll find it in the sidebar.