The Anatomy of a Phishing Email: How to Spot Fakes in 2026
In 2020, you could spot a phishing email by its broken grammar, generic greeting, and suspicious urgency. In 2026, AI-generated phishing emails read like they were written by a native speaker — because they were written by a system trained on the entire internet.
The old advice is obsolete. You can no longer rely on "looking for mistakes" to identify fakes. Instead, check the signals the sender does not control: the authentication results your own mail server stamps on the message, the actual sender domain, and where links really go.
This article teaches you how to read those signals, with examples of real phishing patterns.
Why phishing still works
Despite decades of awareness campaigns, phishing remains among the most common initial-access vectors because:
- Volume — Billions of phishing emails are sent daily. Even a 0.1% success rate is millions of victims.
- Personalization — AI scrapes LinkedIn, social media, and company websites to generate targeted emails that reference real projects and real people.
- Urgency — Phishing exploits time pressure: "Your account will be locked in 24 hours." People act before they think.
- Trust — Emails appear to come from services you actually use, with identical formatting and branding.
Signal 1: The sender address
A strong signal, with one caveat: the From address itself can be forged, which is what Signal 2 catches. Always check the actual email address, not just the display name.
What to look for
| Legitimate | Phishing | Trick |
|---|---|---|
| noreply@amazon.com | noreply@amazon-support.com | Lookalike domain (brand plus a keyword) |
| security@paypal.com | security@paypa1.com | Lookalike character (digit 1 for letter l) |
| team@slack.com | team@slack.com.phishing.ru | Subdomain trick (the registrable domain is phishing.ru) |
| info@yourbank.com | info@yourbank-secure.com | Keyword injection |
Rule: Find the registrable domain after the @ (the part just before .com, .ru, .co.uk and so on; Signal 3 explains how to read it). If it is not exactly the domain you expect, treat the email as phishing. A legitimate sender may use a subdomain such as mail.amazon.com, but never a lookalike. A correct-looking domain is still not proof on its own, because the From header can be forged outright; Signal 2 covers that case.
Display name spoofing
The display name (what you see before the angle brackets) can be anything:
From: "Amazon Customer Service" <scammer@malicious-domain.com>
Many email clients show only the display name, hiding the actual address. Always expand the full sender details.
Signal 2: Authentication results
This is the signal the sender does not control. When your mail server receives a message it checks SPF, DKIM and DMARC for the claimed sender domain and stamps the outcome into an Authentication-Results header. The body, the display name and the From address are all written by the sender; these results are not.
How to check
In most email clients, you can view headers by clicking "Show original" or "View source." Look for:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of noreply@amazon.com designates ...)
dkim=pass (header.d=amazon.com)
dmarc=pass (p=QUARANTINE)
dmarc=fail means the message did not come from the domain in the From header, however convincing the content looks; treat it as phishing. Two caveats. First, a pass only proves that the mail really came from the domain named in header.from, so noreply@amazon-support.com can pass every check and still be phishing: pair this signal with Signal 1. Second, spf=fail on its own is often caused by legitimate forwarding, which is why DMARC (which passes if either SPF or DKIM aligns with the From domain) is the result to read. Trust only the Authentication-Results line added by your own mail provider, normally the topmost one; a sender can include a forged one further down.
In Cleanbox, authentication results are visible in the spam report for every message — you do not need to dig through raw headers.
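A worked example of reading these results, added here and not taken from Cleanbox or from any mail client: the Python below parses the Authentication-Results header with the standard library and decides on DMARC and its alignment with the From domain. The three messages are constructed samples, `mx.example.net` is the assumed name of the receiving server, and the rule that only that server's header counts is the precaution this example adds against forged headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Three constructed header samples (not real captures). "mx.example.net" plays
# the role of our own receiving server; only its Authentication-Results counts.
MSG_LEGIT = """\
Authentication-Results: mx.example.net;
       spf=pass (example.net: domain of noreply@amazon.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=amazon.com;
       dkim=pass header.i=@amazon.com header.s=sel1 header.b=Q2xlYW4=;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com
From: "Amazon.com" <noreply@amazon.com>
Subject: Your order has shipped

(body)
"""

# Spoofed From. The sender also injected an Authentication-Results header under
# a foreign authserv-id claiming a pass; our own server's header says fail.
MSG_SPOOFED = """\
Authentication-Results: mx.example.net;
       spf=fail (example.net: domain of bounce@mailer.invalid does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=mailer.invalid;
       dkim=none;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=amazon.com
Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=amazon.com; dkim=pass header.i=@amazon.com; dmarc=pass header.from=amazon.com
From: "Amazon Customer Service" <noreply@amazon.com>
Subject: Unusual sign-in activity

(body)
"""

# Lookalike domain: every check passes because the attacker really owns it.
MSG_LOOKALIKE = """\
Authentication-Results: mx.example.net;
       spf=pass (example.net: domain of noreply@amazon-support.com designates 203.0.113.5 as permitted sender) smtp.mailfrom=amazon-support.com;
       dkim=pass header.i=@amazon-support.com header.s=k1 header.b=ZmFrZQ==;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=amazon-support.com
From: "Amazon Customer Service" <noreply@amazon-support.com>
Subject: Verify your account

(body)
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
HEADER_FROM_RE = re.compile(r"header\.from=([\w.-]+)", re.I)


def trusted_results(msg, authserv_id):
    """Parse the Authentication-Results header stamped by our own server.

    Every hop may add one, and a sender can simply include a forged one, so a
    header is used only if its authserv-id (the token before the first ';')
    is ours. Returns e.g. {'spf': 'pass', 'dmarc': 'fail', 'header.from': 'amazon.com'}
    or None when no trusted header exists."""
    for raw in msg.get_all("Authentication-Results", []):
        value = " ".join(raw.split())               # unfold continuation lines
        head = value.split(";", 1)[0].split()
        if not head or head[0].lower() != authserv_id.lower():
            continue
        results = {m.lower(): r.lower() for m, r in RESULT_RE.findall(value)}
        hf = HEADER_FROM_RE.search(value)
        results["header.from"] = hf.group(1).lower() if hf else ""
        return results
    return None


def assess(raw_message, expected_domains, authserv_id="mx.example.net"):
    """Return (verdict, detail); verdict is pass, lookalike, fail, unverified or unknown."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = trusted_results(msg, authserv_id)
    if results is None:
        return "unknown", "no Authentication-Results header from our own server"
    dmarc = results.get("dmarc", "none")
    if dmarc == "fail":
        return "fail", "DMARC failed: the sender does not control %s" % from_domain
    if dmarc == "pass" and results["header.from"] == from_domain:
        # A pass proves only that the mail came from header.from. That domain
        # must also be one we expect, or the attacker passed with their own.
        if from_domain in expected_domains:
            return "pass", "authenticated mail from %s" % from_domain
        return "lookalike", "authenticated, but %s is not a domain we expect" % from_domain
    # dmarc=none (no policy published) or an unrecognised result. SPF alone can
    # break on forwarding, so spf=fail here is not conclusive either way.
    return "unverified", "DMARC result was %r; spf=%s dkim=%s" % (
        dmarc, results.get("spf", "none"), results.get("dkim", "none"))
```

The spoofed sample is the interesting one: trusting the injected `mx.google.com` header instead of our own would turn the verdict from fail into pass, which is exactly why the check is keyed on the authserv-id rather than on whichever header says the nicest things.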
Signal 3: URL destinations
Phishing emails want you to click a link. The visible link text and the actual URL destination are often different.
How to check
Hover over any link (do not click) and look at the actual URL in your browser status bar or tooltip:
| Visible text | Actual URL | Verdict |
|---|---|---|
| Click here to verify | https://amazon.com/verify | Looks legitimate |
| Click here to verify | https://amazon-verify.phishing.ru/login | Phishing |
| https://paypal.com/security | https://paypal.com.evil.com/security | Phishing (subdomain trick) |
| Review your order | https://bit.ly/3xK9f2 | Suspicious (URL shortener hides destination) |
Rule: The domain that matters is the registrable one: the label just before the public suffix, where the suffix can be one part (.com, .ru) or several (.co.uk). In paypal.com.evil.com the registrable domain is evil.com, and paypal.com is just a subdomain the attacker created under it. Also read past any @ in the host part of a URL: in https://paypal.com@evil.com/login the browser treats everything before the @ as a username and connects to evil.com.
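To make the rule mechanical, the following Python (an added example, not code from the original article) extracts the registrable domain and uses it to classify both the sender addresses from Signal 1 and the link destinations from this section. The small PUBLIC_SUFFIXES set stands in for the real Public Suffix List, the CONFUSABLES table and SHORTENERS set are assumed, and the addresses and URLs are the page's own examples plus one constructed userinfo case.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (publicsuffix.org); real code should load
# the full list. These entries are just enough for the examples below.
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "ly", "uk", "co.uk", "org.uk"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}          # assumed, not exhaustive
# Assumed, deliberately small confusable table: digit-for-letter swaps and the
# two-character lookalikes rn/m and vv/w.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(host):
    """The part of a hostname somebody actually registered: evil.com for
    paypal.com.evil.com, example.co.uk for www.example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate not in PUBLIC_SUFFIXES:
            return candidate
    return host.lower()


def normalize(label):
    """Map lookalike characters back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def check_domain(host, expected):
    """Classify host against the registrable domains we expect mail or links from.

    Returns 'exact' (which includes legitimate subdomains such as mail.amazon.com),
    'subdomain-trick', 'homograph', 'keyword' or 'unrelated'."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in expected:
        return "exact"
    labels = host.split(".")
    # Labels the attacker chose: everything left of the public suffix.
    candidates = labels[: len(labels) - (len(reg.split(".")) - 1)]
    for target in expected:
        if "." + target + "." in "." + host + ".":
            return "subdomain-trick"            # slack.com.phishing.ru
        brand = target.split(".")[0]
        for label in candidates:
            if brand in label.split("-"):
                return "keyword"                # amazon-support.com, amazon-verify.phishing.ru
            if normalize(label) == brand:
                return "homograph"              # paypa1.com
    return "unrelated"


def check_sender(from_header, expected):
    """Verdict for a From header, plus notes about display-name tricks."""
    name, addr = parseaddr(from_header)
    notes = []
    if "@" in name:
        notes.append("display name contains an address; the real one is %s" % addr)
    return check_domain(addr.rpartition("@")[2], expected), notes


def check_link(visible_text, href, expected):
    """Verdict for a link, comparing the visible text with the real destination."""
    parts = urlsplit(href)
    host = parts.hostname or ""     # .hostname drops userinfo: paypal.com@evil.com -> evil.com
    notes = []
    if "@" in parts.netloc:
        notes.append("text before @ in the URL is ignored; real host is %s" % host)
    if registrable_domain(host) in SHORTENERS:
        notes.append("URL shortener hides the destination")
    if visible_text.lower().startswith(("http://", "https://")):
        shown = urlsplit(visible_text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            notes.append("visible URL says %s but the link goes to %s" % (shown, host))
    return check_domain(host, expected), notes
```

`check_domain` returns "exact" for mail.amazon.com as well as amazon.com, which is the behaviour the rule above asks for: legitimate subdomains are fine, lookalikes and brand-in-subdomain tricks are not. A shortened link gets no verdict better than "unrelated" because the real destination is simply not visible; expand it (or skip it) rather than guessing.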
Signal 4: Urgency and pressure
Phishing emails almost always create artificial urgency:
- "Your account will be suspended in 24 hours"
- "Unauthorized login detected — act now"
- "Payment failed — update immediately"
- "You have been selected — offer expires today"
Legitimate companies rarely threaten immediate consequences via email. If an email makes you feel panicked, that is by design. Pause, verify through a separate channel, then act.
Signal 5: Unexpected attachments
Phishing emails often include attachments designed to install malware:
- High risk: .exe, .js, .lnk, .iso, .vbs, password-protected .zip
- Medium risk: .doc/.docx with macro warnings, .html files
- Low risk: .pdf, .jpg, .png (but can still contain embedded exploits)
Rule: If you did not expect an attachment, do not open it. If someone you know sends an unexpected attachment, verify with them through a different channel before opening.
Signal 6: Generic vs. personalized
This used to be the #1 detection method ("Dear Customer" = phishing). AI has largely eliminated this signal, but some patterns persist:
- No name at all — Legitimate services usually address you by name
- Wrong name — If the email addresses you as "John" but your name is "Jane," the attacker has bad data
- Impersonal for a service that knows you — Your bank knows your name, your account number, and your branch. A phishing email pretending to be your bank but missing these details is suspicious.
However: AI phishing CAN personalize. Do not trust an email just because it uses your name correctly.
Signal 7: Reply-to mismatch
Some phishing emails set the From header to a legitimate address but the Reply-To to a different (attacker-controlled) address. If you reply, your response goes to the attacker.
Check: does the Reply-To match the From? If not, and the email asks you to reply with sensitive information, it is almost certainly phishing.
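The check in code, as an added example using only the Python standard library (not code from the original article): it compares every Reply-To domain with the From domains and tolerates a subdomain of the same organization, which legitimate notification systems often use. Both messages are constructed samples.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed samples, not real messages. In the first, From shows the bank
# but any reply would go to a domain the bank does not own.
MSG_MISMATCH = """\
From: "Your Bank Security" <security@yourbank.com>
Reply-To: "Your Bank Security" <security@yourbank-verify.ru>
Subject: Confirm your account details

Please reply with your account number and date of birth.
"""

# Legitimate pattern: Reply-To on a subdomain of the same organization.
MSG_SAME_ORG = """\
From: "Your Bank" <noreply@yourbank.com>
Reply-To: <support@help.yourbank.com>
Subject: Your statement is ready

Your statement is available in online banking.
"""


def header_domains(msg, header):
    """All domains in an address header, which may list several addresses or
    appear more than once."""
    return {addr.rpartition("@")[2].lower()
            for _, addr in getaddresses(msg.get_all(header, []))
            if "@" in addr}


def same_org(reply_domain, from_domains):
    """True if reply_domain equals, or is a subdomain of, a From domain."""
    return any(reply_domain == d or reply_domain.endswith("." + d) for d in from_domains)


def reply_to_mismatch(raw_message):
    """Return the Reply-To domains that do not belong to the From organization.

    An empty list means replies go where the From header says, either because
    Reply-To matches or because there is no Reply-To at all (the mail client
    then replies to From)."""
    msg = message_from_string(raw_message)
    from_domains = header_domains(msg, "From")
    return sorted(d for d in header_domains(msg, "Reply-To")
                  if not same_org(d, from_domains))
```

A non-empty result is not proof by itself (mailing-list software and ticketing systems set Reply-To legitimately), but combined with a request to reply with sensitive information it is the pattern the rule above describes.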
The verification checklist
When you receive a suspicious email, run through this checklist:
- Check the sender address (not the display name). Is the registrable domain exactly right?
- Check authentication. Does DMARC pass, and for the domain shown in From?
- Hover over links. Does the destination's registrable domain match the one you expect?
- Check Reply-To. Does it point back to the same organization as From?
- Assess urgency. Is the email trying to make you panic?
- Check attachments. Were you expecting a file?
If any step raises a flag: do not click, do not reply, do not open attachments. Instead, navigate to the service directly by typing the URL, or contact the sender through a known channel.
What to do when you spot phishing
- Do not interact with the email (no clicks, no replies, no attachments)
- Mark as spam in your email client — this trains the filter
- Report to your IT team if it targeted your organization
- If you already clicked and entered credentials: change that password immediately (and anywhere you reused it), enable 2FA, sign out of other sessions where the service offers it, and watch the account for unauthorized activity. If you opened an attachment, involve your IT team before doing anything else on that machine.