How to Spot a Phishing Email in 2026 — 12 Red Flags (With Real Examples)

Your email client shows two things when an email arrives: a display name (what the sender called themselves) and the actual email address. Most people read the display name and stop there. Attackers know this — and exploit it as the foundation of almost every phishing campaign.

A display name of "HMRC Tax Refunds" or "Microsoft Support" or "Sarah from Accounts" tells you nothing about the actual sender. The real address — visible by clicking or hovering on the display name — is where the truth lives.

In 2026, attackers also exploit look-alike domains — registering addresses like support@micros0ft.com (zero instead of o), paypal@paypal-secure.com (extra subdomain), or invoices@companynamе.co.uk (Cyrillic е instead of Latin e). A 2025 Microsoft Teams phishing campaign used micros0ft-teams.net — one character different from the real domain — and deceived thousands of users.

The check: Click or hover on the sender name to reveal the full email address. Then confirm the domain after the @ symbol matches the official domain exactly — character by character.

Phishing emails are not primarily a technical attack. They are a psychological one. The reason attackers create urgency — "your account will be closed in 24 hours", "immediate action required", "your payment has failed" — is deliberate and evidence-based: the more pressured someone feels to act quickly, the less likely they are to stop and think critically about what they are being asked to do.

The most common urgency triggers used in phishing emails include:

• Account suspension threats: "Your account has been compromised and will be locked unless you verify your details now"
• Payment failure: "Your payment of £X has failed — update your billing details to avoid service interruption"
• Tax and legal threats: "Failure to respond within 48 hours may result in legal action" (HMRC-impersonation scams)
• Time-limited offers: "Your refund/reward expires today — claim it now"
• Security alerts: "Unusual sign-in activity detected — secure your account immediately"

A clickable link in an email has two parts: the anchor text (what you see) and the actual URL (where it actually takes you). These can be completely different. Phishing emails routinely display a legitimate-looking URL — "Click here: www.barclays.co.uk/login" — while the actual link destination is a fake page on a completely different domain.

On desktop: Hover your mouse over any link before clicking. The actual destination URL appears in the bottom left of your browser or email client. If it differs from what the link text displays — or if it uses a shortened URL like bit.ly, or a domain you do not recognise — do not click.

On mobile: Press and hold on the link. Most email apps show a preview of the actual URL destination before you commit to opening it.

The check: If you receive an unsolicited email asking you to log in anywhere, do not use the link at all. Open a new browser tab and navigate to the service directly by typing the address. Log in there. If there is genuinely an issue with your account, you will see it — without having exposed your credentials to a phishing page.

File attachments in phishing emails are one of the primary delivery mechanisms for ransomware and malware. In 2026, the most dangerous attachment types are not the obvious ones — no sophisticated attacker sends a .exe file labelled "CLICK ME". The dangerous ones are dressed as legitimate business documents.

The rule: If you were not specifically expecting a file from this person, treat it as suspicious — regardless of who sent it. Verify with the sender through a separate channel (call or text them directly, not by replying to the email) before opening. Never enable macros in an Office document unless you know with certainty why they are required and who sent the file.

Older phishing guidance correctly pointed out that "Dear Customer" or "Dear User" instead of your actual name was a phishing indicator. This remains partially true — but the evolution of phishing in 2026 has complicated the picture in both directions.

Generic greetings ("Dear Account Holder", "Hello", "Dear Valued Customer") suggest a mass-send phishing campaign where the attacker does not have your name. Still relevant — a bank that has your name will use it.

Suspiciously specific greetings can also be a tell in the opposite direction. Spear phishing emails now routinely include your full name, job title, company name, and sometimes references to recent activity — all scraped from LinkedIn, company websites, and data breaches. An email that seems unnervingly well-informed about your specific situation should trigger heightened scrutiny, not reassurance.

This is the single most reliable rule in phishing detection, and it has no exceptions: no legitimate organisation — not your bank, not Microsoft, not Google, not HMRC, not your IT department — will ever ask you to provide your password, PIN, or full login credentials via email.

The same applies to variations of this request: emails asking you to "confirm your identity" by entering your password, emails directing you to a page that asks you to "verify your account" by logging in, and emails from apparent IT support asking for your current password to "reset" or "upgrade" your account. All of these are phishing.

Legitimate services reset passwords through a process that does not require you to reveal your current password at any point. Legitimate banks verify your identity through their own app or by asking knowledge-based questions you set up yourself — not by asking for your online banking PIN over email.

Phishing emails impersonating well-known brands — Microsoft, PayPal, Amazon, HMRC, Royal Mail, major UK banks — frequently use copied logos, colour schemes, and email templates. The quality varies: some are essentially pixel-perfect; others have subtle tells that reveal them on close inspection.

• Slightly wrong logo colours or proportions: Brand colour values are precise — a slightly different shade of blue on an HSBC email is a tell
• Inconsistent font weights: Real corporate emails use a specific typeface applied consistently; phishing versions often mix fonts or weights incorrectly
• Low-resolution imagery: Logos that look slightly blurry or pixelated compared to crisp originals
• Email footer inconsistencies: Legitimate corporate emails have precise legal disclaimers and registered address information; phishing versions often have vague or missing footers, or footers that do not match the claimed organisation
• Broken or missing formatting on mobile: Legitimate transactional emails are built by professional design teams and render correctly; phishing templates often break on mobile views

Compare any suspicious email to a previous genuine email from the same organisation. Visual comparison is often the fastest way to spot an impostor.

Business Email Compromise (BEC) — also called CEO fraud or invoice redirect fraud — is the most financially damaging type of phishing for UK small businesses. Unlike mass phishing, BEC is targeted and researched. The attacker studies the organisation's structure, identifies who has payment authority, and crafts a highly convincing email to that person.

The tell is consistent across almost all BEC attacks: the email asks you to bypass a normal process. It might be:

• An email appearing to be from your MD or CEO asking for an urgent bank transfer to an unfamiliar account — "I'm in a meeting, can't call, please transfer £X now"
• A supplier email stating their bank details have changed and asking you to update your payment records before the next invoice
• An IT email asking you to approve an urgent payment or bypass a security step "just this once" due to a system issue
• An HR email asking you to update an employee's bank details for payroll — supposedly from the employee

Not all phishing creates fear — some creates excitement or pleasant surprise. HMRC tax refund scams are among the most frequently reported phishing attacks against UK individuals and small businesses. The pattern is consistent: an email claims you are owed a refund of a specific, believable amount (£200–£900 is most common — enough to seem real, not so much it seems too good to be true), and directs you to a fake HMRC portal to "claim" it by entering your bank details.

Other common variants include:

• Parcel delivery failed: "Royal Mail attempted delivery — pay £2.49 to rebook" — a small payment request designed to harvest card details
• Energy rebate schemes: Impersonating Ofgem or energy suppliers with refund offers
• Business grant notifications: Particularly effective against small business owners — fake HMRC, Innovate UK, or local authority grant emails
• Lottery or competition wins: Less sophisticated but still widely used — "You've been selected for a £500 Amazon gift card"

The rule: HMRC does not offer refunds by unsolicited email. If you are owed a tax refund, it will appear in your Personal Tax Account or HMRC online portal — not in an email asking for bank details. Log in directly at gov.uk/personal-tax-account to check your status.

QR code phishing — known as quishing — has grown dramatically since 2025, directly linked to Microsoft's policy of blocking malicious macro-enabled Office files. Unable to use file attachments reliably, attackers pivoted to embedding QR codes in PDF attachments or directly in email bodies. When scanned, the QR code takes the victim to a phishing page — but because email security filters scan URLs in text, not images, the malicious link is invisible to security software.

Quishing emails typically impersonate multi-factor authentication prompts ("Scan this QR code to verify your Microsoft 365 identity"), package delivery tracking, or shared document access.

Over 57% of phishing emails in 2026 are sent from compromised legitimate accounts — not fake addresses. This means the email genuinely comes from your supplier's real email address, your client's real inbox, or a colleague's actual account — because that account has been silently compromised by an attacker who is using it to phish the victim's contacts.

This is the hardest category of phishing to spot because the sender address passes every check — it genuinely is who it claims to be. The attacker often waits, reads the compromised account's email history, and then crafts a reply in an existing thread — making the phishing email look like a natural continuation of a real conversation.

The tells to look for when the address itself is legitimate:

• Behavioural inconsistency: The email asks for something this person has never asked for before — a payment, a file, account credentials
• Slight tone change: The writing style feels slightly different from their usual communications — more formal, more urgent, less specific to your relationship
• Unexpected context: A supplier suddenly sending a payment redirect. A client suddenly attaching a document out of nowhere. A colleague asking you to "take a look at this" with a link
• A request that does not match the thread history: If an ongoing email thread suddenly pivots to a payment request or bank detail change, that is a major warning sign

The defence: Any request that involves money, credentials, or sensitive action — even from a known, verified address — should be confirmed verbally or through a separate channel before acting.

For years, one of the most reliable phishing indicators was poor language: spelling mistakes, awkward phrasing, unusual sentence constructions, and grammatical errors that no native English speaker would produce. That indicator is now largely obsolete. In 2025, 82.6% of phishing emails were AI-generated — a 53.5% increase year on year. AI-written phishing emails are not just grammatically correct. They are stylistically natural, contextually appropriate, and tonally accurate to the organisation they are impersonating.

More alarmingly, AI tools now allow attackers to generate personalised phishing at scale — emails that reference your actual name, role, company, recent LinkedIn activity, or public news about your organisation — in minutes. A 2025 academic study found that AI-crafted phishing emails achieved a 54% click rate compared to just 12% for human-written ones.

The implication is significant: you can no longer use language quality as a phishing detector. A perfectly written email is not evidence of legitimacy. The technical checks — sender address, link destination, request type — become even more critical when the content itself gives no language-based signal of threat.