How to Spot a Phishing Email in 2026

Phishing emails are the #1 way people get hacked. Here are 7 telltale signs to look for before you click anything.

Digital Karma · May 1, 2026 · 6 min read

Why Phishing Still Works

Despite decades of warnings, phishing remains the single most effective cyberattack vector. In 2025, over 3.4 billion phishing emails were sent every day. The reason is simple: attackers don't need to hack your computer — they just need to trick you.

The 7 Red Flags

1. Urgency and Fear Tactics

"Your account will be suspended in 24 hours!" Legitimate companies rarely threaten you with immediate consequences. If an email makes your heart race, that's by design — attackers want you to act before you think.

2. Mismatched Sender Addresses

The display name says "Apple Support" but the actual email address is [email protected]. Always hover over the sender's name to reveal the real address. Look for subtle character swaps like "l" replaced with "1" or "rn" mimicking "m".

3. Generic Greetings

"Dear Customer" or "Dear User" instead of your actual name. Your bank knows your name. A phisher doesn't.

4. Suspicious Links

Before clicking any link, hover over it (don't click!) to see where it actually goes. The text might say www.paypal.com but the actual URL leads to paypal-secure-login.sketchy-site.com.
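The two checks behind red flags 2 and 4, written out in Python as an added example (not code from the original post): a sender check that undoes the "1"-for-"l" and "rn"-for-"m" swaps before comparing the address domain with a trusted-domain list, and a link check that compares the domain shown in the link text with the host the href really points at. The trusted-domain list, the regexes and the sample headers are constructed for this example, and the two-label domain comparison is a simplification that a real mail filter would replace with a public-suffix lookup.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Real domains of the brands we expect mail from (constructed list for this example).
TRUSTED = {"paypal.com", "apple.com"}
# Character swaps the post describes: "1" for "l" and "rn" for "m".
SWAPS = [("1", "l"), ("rn", "m")]
# Constructed regex for <a href="...">text</a>; a real filter should use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Something that looks like a domain or URL inside the visible link text.
SHOWN_HOST = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)

def registrable(host):
    """Last two labels of a host name; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def sender_flags(from_header):
    """Red flag 2: the display name claims a brand, but the address domain is not that brand."""
    name, addr = parseaddr(from_header)
    domain = registrable(addr.rsplit("@", 1)[-1])
    unswapped = domain
    for fake, real in SWAPS:  # undo look-alike substitutions before comparing
        unswapped = unswapped.replace(fake, real)
    flags = []
    for real in TRUSTED:
        if domain == real:
            continue
        if real.split(".")[0] in name.lower():
            flags.append(f"display name mentions {real} but address domain is {domain}")
        if unswapped == real:
            flags.append(f"address domain {domain} is a look-alike of {real}")
    return flags

def link_flags(html_body):
    """Red flag 4: the visible link text names one domain, the href goes to another."""
    flags = []
    for href, text in ANCHOR.findall(html_body):
        shown = SHOWN_HOST.search(re.sub(r"<[^>]+>", "", text))
        target = urlparse(href).hostname or ""
        if shown and target and registrable(shown.group(1)) != registrable(target):
            flags.append(f"text shows {shown.group(1)} but link goes to {target}")
    return flags

if __name__ == "__main__":  # constructed sample inputs for a quick run
    print(sender_flags('"PayPal" <service@paypa1.com>'))
    print(link_flags('<a href="http://paypal-secure-login.sketchy-site.com/x">www.paypal.com</a>'))
```

Both functions return an empty list for mail that passes, so they slot into a mail filter or a quick triage script as-is.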

5. Unexpected Attachments

If you weren't expecting a document, invoice, or "receipt," don't open it. Be especially wary of .zip, .exe, and even .pdf files from unknown senders.

6. Spelling and Grammar Errors

While AI has made phishing emails more polished, many still contain odd phrasing or grammatical mistakes that a legitimate corporation would never send.

7. Requests for Sensitive Information

No legitimate company will ever ask for your password, Social Security number, or full credit card number via email. Period.

What to Do If You're Not Sure

When in doubt, don't click anything in the email. Instead:

  • Open a new browser window and go directly to the company's website
  • Call the company using the phone number on their official website (not the one in the email)
  • Forward the suspicious email to the company's official abuse address

Pro tip: If you accidentally clicked a phishing link, immediately change the password for that service and enable two-factor authentication. Then run a malware scan on your device.
