Phishing is the oldest trick on the internet, and it still works because it keeps getting better. The clumsy “Dear Customer” email full of typos was easy to laugh at. The 2026 version is a clean, well-designed message that looks exactly like the real thing, mentions your actual recent activity, and arrives at a believable time of day. This is a plain-language guide to spotting modern phishing without becoming paranoid about every email you open.
What Phishing Actually Is
Phishing is the practice of getting you to reveal something valuable, usually a password or a payment, by pretending to be someone you trust. That trust signal used to be a logo and a fake sender name. Now it is often a personalized story about you, built from data the attacker pulled out of a leaked database somewhere. The goal is unchanged, but the bait is sharper.
The Five Cues That Still Work
You do not need to memorize a list of fifty red flags. A small handful do most of the work.
1. The Sender Domain Is Almost Right
Look at the part of the sender address after the @ symbol. Real PayPal email comes from paypal.com itself or from a subdomain of it, such as something ending in .paypal.com. A phishing email might come from paypal-security.com, paypal.support-mail.co, or secure-paypal.net. None of those are PayPal. If the message is asking you to act, hover over the sender name and check what domain is really behind it.
2. The Link Goes Somewhere It Should Not
Hover over any link before you click it. Most email clients show the real destination at the bottom of the screen. If the email says it is from your bank and the link points to a Google Docs URL, a Bitly link, or a domain you have never seen, do not click. On a phone, long-press the link to see the same preview.
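Cues 1 and 2 come down to one question: is the domain behind the sender or the link the expected one, or a subdomain of it? The check below is an added example, not code from the original article, and the list of expected domains is a constructed stand-in for the services a particular reader actually uses.

```python
from urllib.parse import urlsplit

# Constructed list: the domains this reader actually has accounts with.
EXPECTED_DOMAINS = {"paypal.com", "mybank.example"}


def host_of(value):
    """Return the lowercase hostname behind an email address or a URL."""
    value = value.strip()
    # "PayPal <service@paypal.com>" -> keep only the address in angle brackets
    if value.endswith(">") and "<" in value:
        value = value[value.rfind("<") + 1:-1]
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower().rstrip(".")
    if "://" not in value:
        value = "http://" + value
    # urlsplit().hostname already lowercases and drops port/userinfo
    return (urlsplit(value).hostname or "").rstrip(".")


def is_expected_host(host, expected=EXPECTED_DOMAINS):
    """True only for an expected domain itself or a real subdomain of it.

    paypal-security.com, secure-paypal.net and paypal.com.evil-example.net
    all fail: none equals paypal.com and none ends in ".paypal.com".
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in expected)


def looks_genuine(value, expected=EXPECTED_DOMAINS):
    """Apply cue 1 (sender address) or cue 2 (link target) to one value."""
    host = host_of(value)
    return bool(host) and is_expected_host(host, expected)


if __name__ == "__main__":
    for sample in ("PayPal <alerts@mail.paypal.com>",
                   "security@paypal-security.com",
                   "https://paypal.com.secure-login.net/verify"):
        print(f"{sample!r:50} -> {looks_genuine(sample)}")
```

This is the same rule a password manager applies before autofilling: the registrable domain must match exactly, not merely contain the brand name.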
3. The Message Manufactures Urgency
“Your account will be suspended in 24 hours.” “Confirm your delivery within the next 2 hours.” “Unusual sign-in detected, click here immediately.” Real companies almost never demand action in that tone. Urgency is what scammers use to stop you from thinking. The moment you feel rushed by an email, slow down and verify another way.
4. The Request Does Not Match the Channel
Your bank will not ask you to confirm your full password by email. The tax authority will not ask for your card number over text. Couriers do not send “redelivery fee” links by SMS. If an email is asking for something the real sender would never ask for in that channel, treat it as a phishing attempt by default.
5. The Login Page Looks Right but the URL Is Wrong
This is the one that catches careful people. You click a link, you see a perfect copy of your bank’s login screen, you type your password, and nothing happens. That is because the screen was a clone hosted on a different domain. Before you ever type a password, glance at the address bar. The domain should be exactly the one you expect, and nothing else.
The Newer Tricks Worth Knowing
AI-Personalized Messages
Attackers now use large language models to write emails that mention specific recent events, like a real conference you attended or a real package you are waiting on. The information often comes from data breaches or scraped social media. The fact that an email knows something about you does not prove it is genuine. It only proves that the data is out there somewhere.
Lookalike Domains With Unicode
An attacker can register a domain that looks like microsoft.com but uses a non-Latin character that visually matches one of the letters. The URL passes a casual glance and fails a careful one. If something ever feels off, copy the URL into a plain text editor. Suspicious characters usually become obvious.
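A worked version of the "look closely at the characters" advice, added here and not part of the original article: it names every non-ASCII character in a hostname, flags labels that mix scripts, and shows the xn-- (punycode) form the browser actually resolves. The hostname with a Cyrillic letter standing in for the Latin "i" is constructed for the example.

```python
import unicodedata


def script_of(ch):
    """Crude script tag taken from the Unicode name: LATIN, CYRILLIC, GREEK, ..."""
    if not ch.isalpha():
        return None  # digits and hyphens belong to no script
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def to_ascii(host):
    """The IDNA/punycode form: what the browser really connects to."""
    return host.encode("idna").decode("ascii")


def inspect_host(host):
    """Return (is_suspicious, findings) for a hostname such as microsoft.com."""
    findings = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Already punycode: decode so the reader sees what it really spells.
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                findings.append(f"{label}: undecodable punycode label")
                continue
            findings.append(f"{label}: was written as punycode (xn--)")
        for ch in label:
            if ord(ch) > 127:
                findings.append(
                    f"{label}: U+{ord(ch):04X} {unicodedata.name(ch, '?')}")
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            findings.append(f"{label}: mixes scripts {sorted(scripts)}")
    return bool(findings), findings


if __name__ == "__main__":
    # Constructed lookalike: U+0456 is CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    for host in ("microsoft.com", "m\u0456crosoft.com"):
        flagged, notes = inspect_host(host)
        print(host, "->", to_ascii(host), "| suspicious:", flagged)
        for note in notes:
            print("   ", note)
```

Most browsers render a mixed-script name in its xn-- form in the address bar, so an unexpected xn-- prefix where you expected a familiar brand is itself the warning.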
Calendar and File Share Phishing
Phishing no longer arrives only as email. A calendar invite from an unknown sender can include a malicious link. A file shared through a real service like Google Drive or OneDrive can lead to a fake login page. Apply the same caution to any unexpected invitation or shared document.
QR Code Phishing
Posters and PDFs sometimes contain QR codes that lead to fake payment pages. Restaurants, parking meters, and event flyers have all been used. If you are about to enter payment information after scanning a QR code, double-check the domain in the browser before you type anything.
The Two Habits That Beat Almost Everything
If you take only two things from this guide, take these.
Verify out of band. If an email or text claims to be from a service you use, do not click the link in the message. Open a new browser tab, type the website’s address yourself, and log in there. If there is really an issue with your account, it will be waiting for you on the dashboard.
Use a password manager and two-factor authentication. A password manager refuses to autofill on a fake domain, which is one of the strongest anti-phishing defenses you can deploy. Two-factor authentication, especially with an authenticator app or hardware key rather than SMS, means that even a successful phish does not hand the attacker your account.
Reduce Your Exposure in the First Place
Phishing emails get to you because someone, somewhere, knows your address. Reducing how many places hold your real email reduces how many places can leak it. Using a temporary email for low-trust sign-ups is one of the easiest ways to lower that exposure. If a future breach leaks your disposable address from three years ago, the attacker has nothing useful, because the address no longer exists.
If You Think You Clicked
Mistakes happen. The right move after a suspected phishing click is calm and quick. Change the password on the affected account from a different device. Sign out of all sessions in the account settings. Check whether two-factor authentication is still enabled and still tied to a device you control. Look at the account’s recent login activity. If anything is unfamiliar, contact the service’s support directly through their official website.
Phishing succeeds on inattention, not on intelligence. The fix is not to be smarter than every scam in your inbox. The fix is a few small habits that take the urgency out of the equation, plus a couple of tools that catch the rest.