Phishing Emails in 2026: 9 Red Flags and What to Do

Phishing used to be a badly written email from a “prince.” In 2026, it’s often a perfectly normal-looking message that steals one thing: your next step.

Maybe it’s a fake Microsoft 365 sign-in page. Maybe it’s a “DocuSign” link that opens a real-looking form. Maybe it’s an invoice that “needs approval.”

This guide is practical: 9 red flags, then a what-to-do checklist for when you’re not sure (and when you already clicked).

The quick rule

If a message creates pressure (time, money, account access) and asks you to click, open, scan, or sign in — slow down.

9 phishing red flags (modern version)

1) The message is “about you”… but weirdly generic

It knows your name or company, but the wording feels copied/pasted.

Try this: ask yourself, “Would this sender know this detail?” (invoice number, project name, last 4 digits, etc.)

2) The sender address is close, but not right

Display names lie. The real clue is the domain.

support@micros0ft.com (zero)
billing@paypaI.com (capital i)
@company.com-secure-login.net

3) The link looks okay… until you hover or long-press

Attackers rely on you not checking.

Safe check: hover on desktop or long-press on mobile and confirm the domain is exactly what you expect.

4) It wants you to “re-authenticate” or “confirm” urgently

Common lures:

“Unusual sign-in detected”
“Mailbox storage full”
“Payment failed”
“Document shared with you”

5) It asks for something your company normally wouldn’t

Examples:

“Send gift cards”
“Change bank account details”
“Approve a wire transfer”
“Share your OTP/2FA code” (legit companies will not ask)

6) Attachments with pressure + vague names

Be cautious with:

Invoice.pdf.html
Payroll_Update.zip
DocumentViewer.iso

If you must open files for work, prefer viewing in the web app (Google Drive / Microsoft 365) instead of downloading.

7) The email thread is “real” (but hijacked)

Sometimes the attacker replies inside an existing thread after compromising someone.

Giveaway: a sudden “here’s the new link” or “open this file” that doesn’t match the conversation.

8) QR-code phishing (“quishing”)

The QR code is used to bypass email link scanners.

Rule: treat QR codes in email like links. Scan only if you can see the destination URL and it matches the real domain.

9) It tries to move you to a different channel

“Email me at this address,” “Text me,” “Message me on WhatsApp.”

That’s a classic way to dodge protections and verification.

What to do when you’re not sure

Use this mini-checklist:

Don’t click. Open a new tab and type the website address yourself.
Verify out-of-band: call the person using a known number or message them in your normal internal tool.
Check the request: does it match your process (approvals, invoices, doc sharing)?
Report it to your IT/security channel. If you’re a small team, forward it to whoever manages your email.

If you clicked (or entered your password)

Act fast — minutes matter.

Change your password immediately (from a clean device if possible).
Enable 2FA (authenticator app or passkeys; avoid SMS if you can).
Log out other sessions in your account security settings.
Check mailbox rules / forwarding (attackers often add rules to hide replies).
Tell your team so nobody else trusts replies from that thread.
Run a malware scan if you opened an attachment.

A simple team policy that prevents a lot

If money or access is involved:

Any bank detail change must be confirmed by phone.
Any urgent payment request needs a second approver.
No one shares one-time codes—ever.

FAQs

“But the email had our logo and looked perfect.”

That’s normal now. Branding is easy to copy. Verification is still about domains, process, and out-of-band checks.

“Is it safe if I preview the email?”

Usually yes, but links and attachments are the risky parts. Don’t download or open attachments unless you trust the sender and you’re expecting it.

“What’s the safest 2FA?”

Passkeys are excellent. Next best is an authenticator app. Hardware keys are great for high-risk roles.