
How to Recognize a Phishing Email: Step-by-Step

By AntiPhishers


Security Education: This article describes cyber threats for defensive awareness and education purposes only. Understanding how attacks work helps organizations and individuals protect themselves. Never use this information for unauthorized access or malicious purposes.

Phishing email detection has become harder in 2026. AI-generated messages eliminate the spelling mistakes, grammatical errors, and formatting problems that once served as reliable red flags. Attackers use AI to craft contextually appropriate, grammatically perfect emails personalized to individual targets. The old advice — “look for typos” — is no longer sufficient.

This guide provides an updated step-by-step process for evaluating any suspicious email, built around the indicators that remain reliable even against AI-generated attacks.

The 8-Step Evaluation Process

Step 1: Check the Actual Sender Address

Click or hover on the sender name to reveal the full email address. Phishing emails use display names that look legitimate (“PayPal Customer Service,” “IT Department”) paired with email addresses from unrelated domains.

What to look for:

  • Does the domain match the claimed organization? (paypal.com vs paypa1-secure.xyz)
  • Are there subtle substitutions? (amaz0n.com, micros0ft-support.net, g00gle.com)
  • Is the domain unusually long or complex? (secure-account-verify-amazon-support.com)
  • Does the email come from a free email service (gmail.com, outlook.com) while claiming to be a corporation?

2026 update: Attackers increasingly use lookalike domains registered hours before the campaign. The domain may appear clean because it has no reputation history. Do not trust a domain simply because it does not appear in known phishing databases. Note also that this check catches lookalikes, not forgeries: if the claimed organization's domain does not publish an enforcing DMARC policy, an attacker can put that exact domain in the From header, so a correct-looking address is necessary but not sufficient.
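The domain checks in this step can be mechanized. The following Python script is an added example, not code from the original article: it takes a raw From header, separates the display name from the real address, and applies the four checks above. The brand-to-domain table, the freemail list and the sample headers are constructed assumptions for illustration, and the registrable-domain helper keeps only the last two labels (it does not consult the Public Suffix List, so country-code domains such as example.co.uk are not handled).

```python
"""Step 1 as code: added example, not from the original article.

Assumptions (constructed for illustration): the KNOWN_BRAND_DOMAINS table,
the FREEMAIL set, and the sample headers at the bottom. The registrable-
domain helper keeps the last two labels and does not consult the Public
Suffix List, so country-code domains such as example.co.uk are not handled.
"""
from email.utils import parseaddr

# Brands a display name might claim, mapped to the domains they really send from.
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
}
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Digit-for-letter swaps seen in lookalike domains (paypa1, amaz0n, micr0s0ft).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: mail.paypal.com -> paypal.com."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalize(text: str) -> str:
    """Undo digit substitutions so paypa1-secure.xyz reads as paypal-secure.xyz."""
    return text.lower().translate(SUBSTITUTIONS)


def check_sender(from_header: str) -> dict:
    """Return the parsed address plus a list of red flags (empty means none found)."""
    display, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2].lower()
    domain = registrable_domain(host)
    findings = []

    # Which brand does the message claim to be from? Look at the display
    # name and the address itself, with digit substitutions undone.
    claimed = next(
        (b for b in KNOWN_BRAND_DOMAINS if b in normalize(display + " " + addr)), None
    )

    if claimed:
        legit = KNOWN_BRAND_DOMAINS[claimed]
        if domain in legit:
            pass  # the address really belongs to the claimed brand
        elif normalize(domain) in {normalize(d) for d in legit}:
            findings.append(f"digit substitution: {domain} imitates {claimed}")
        elif domain in FREEMAIL:
            findings.append(f"claims {claimed} but sent from freemail {domain}")
        elif claimed in normalize(host):
            findings.append(f"brand name embedded in unrelated domain: {host}")
        else:
            findings.append(f"claims {claimed} but domain is {domain}")

    # Long, hyphen-heavy hostnames are a red flag on their own.
    if len(host) > 30 or host.count("-") >= 2:
        findings.append(f"unusually long or hyphenated domain: {host}")

    return {"display": display, "address": addr, "domain": domain, "findings": findings}


# Constructed sample headers: four lookalikes and one genuine address.
SAMPLE_HEADERS = [
    "PayPal Customer Service <service@paypa1-secure.xyz>",
    "Amazon <no-reply@amaz0n.com>",
    "Microsoft Support <msft.help@gmail.com>",
    "Amazon Support <help@secure-account-verify-amazon-support.com>",
    "PayPal <service@paypal.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = check_sender(header)
        verdict = "SUSPICIOUS" if result["findings"] else "ok"
        print(f"{verdict:10} {header}")
        for finding in result["findings"]:
            print(f"             - {finding}")
```

The substitution table is deliberately short; the point is that comparison must happen on the registrable domain after undoing the swaps, never on the display name, which the attacker controls completely.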

Step 2: Evaluate the Emotional Manipulation

Phishing relies on emotional triggers that bypass rational evaluation. The four most common:

  • Urgency: “Your account will be suspended in 24 hours” / “Immediate action required”
  • Fear: “Unauthorized access detected” / “Your account has been compromised”
  • Greed: “You’ve won a $500 gift card” / “Claim your tax refund”
  • Authority: “This is the IT department” / “CEO requested this immediately”

If the email makes you feel like you must act right now, that urgency is the attack. Legitimate organizations provide reasonable timeframes for action.

Step 3: Inspect Every Link Before Clicking

Hover your mouse over every link in the email without clicking. Compare the visible text to the actual URL that appears in the tooltip or status bar.

Red flags:

  • The displayed text says “amazon.com/account” but the URL points to a different domain
  • The URL uses an IP address instead of a domain name
  • The domain includes extra words (amazon-secure-verify.com instead of amazon.com)
  • The URL uses URL shorteners (bit.ly, tinyurl) to hide the actual destination
  • The link uses a legitimate service (Google Docs, OneDrive) as a redirect

On mobile: Long-press a link to preview the URL. The small screen makes link inspection harder, which is why phishing increasingly targets mobile users.
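The same comparison of visible text against real destination can be run over the HTML body of a message. The script below is an added example, not code from the original article: it collects every anchor with Python's standard-library HTML parser and applies the five red-flag checks above to each one. The sample HTML body, the shortener list and the brand table are constructed assumptions, and the registrable-domain helper again keeps only the last two labels.

```python
"""Step 3 as code: added example, not from the original article.

Parses the HTML body of a message, pairs each link's visible text with its
real href, and applies the red-flag checks listed above. SAMPLE_HTML, the
BRANDS table and the SHORTENERS set are constructed assumptions; the
registrable-domain helper keeps the last two labels only.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Brand keyword -> the one domain it legitimately uses (constructed).
BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com", "microsoft": "microsoft.com"}
# Something that looks like a hostname inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def registrable_domain(host: str) -> str:
    return ".".join(host.lower().split(".")[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def inspect_link(text: str, href: str) -> list:
    """Return the red flags for one link; an empty list means no check fired."""
    flags = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)

    # 1. Visible text names one host, the href goes to another.
    m = HOST_IN_TEXT.search(text.lower())
    if m and registrable_domain(m.group(1)) != domain:
        flags.append(f"text shows {m.group(1)} but link goes to {host}")
    # 2. Raw IP address instead of a name.
    if is_ip(host):
        flags.append(f"raw IP address: {host}")
    # 3. Brand name padded with extra words in an unrelated domain.
    for brand, legit in BRANDS.items():
        if brand in host and domain != legit:
            flags.append(f"'{brand}' inside unrelated domain {host}")
    # 4. Shortener hides the real destination.
    if domain in SHORTENERS:
        flags.append(f"shortener {domain} hides the destination")
    # 5. Legitimate service used as a redirect: a full URL in the query string.
    for values in parse_qs(parsed.query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                flags.append(f"{host} redirects to {v}")
    return flags


def inspect_html(body: str) -> list:
    """Return [(text, href, flags), ...] for every link in an HTML body."""
    collector = LinkCollector()
    collector.feed(body)
    return [(t, h, inspect_link(t, h)) for t, h in collector.links]


# Constructed sample body: four phishing-style links and one legitimate one.
SAMPLE_HTML = """
<p>There is a problem with your order:
   <a href="https://amazon-secure-verify.com/login">amazon.com/account</a></p>
<p>Or <a href="http://203.0.113.7/update">click here</a> to update your details.</p>
<p>Shared file: <a href="https://www.google.com/url?q=https://paypa1-secure.xyz/x">shared document</a></p>
<p><a href="https://bit.ly/3abcXYZ">Track your package</a></p>
<p><a href="https://www.amazon.com/orders">View your orders</a></p>
"""

if __name__ == "__main__":
    for text, href, flags in inspect_html(SAMPLE_HTML):
        print(f"[{'FLAG' if flags else ' ok '}] '{text}' -> {href}")
        for flag in flags:
            print(f"         - {flag}")
```

Check 5 is the mechanical form of the "legitimate service as a redirect" item: the host is genuinely google.com, which is exactly why reputation-based filters let it through, and only the query string reveals where the click ends up.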

Step 4: Evaluate the Request

What is the email asking you to do? Legitimate organizations rarely request the following via email:

  • Click a link to “verify” your account credentials
  • Open an attachment to view an “invoice” or “receipt” you did not expect
  • Provide your password, SSN, or financial information
  • Transfer money or purchase gift cards
  • Install software or disable security features
  • Change your password through a link in the email (instead of going directly to the site)

Any email requesting credentials, financial action, or software installation should be verified through an independent channel before you act.

Step 5: Verify Through an Independent Channel

If the email claims to be from your bank, employer, or a service you use, verify the claim independently:

  • Navigate directly to the organization’s website by typing the URL in your browser (do not click the email link)
  • Call the organization using the phone number on their official website or your account card
  • Contact the person who supposedly sent the email through a different communication channel (Slack, phone, in person)

This single step defeats nearly all phishing attacks. If the request is legitimate, it will still be valid when you access the service directly.

Step 6: Examine Attachments Critically

Unexpected attachments are a primary malware delivery mechanism. Exercise extreme caution with:

  • Executable files: .exe, .bat, .cmd, .ps1, .scr, and script or shortcut files such as .js, .vbs, .hta, and .lnk. Watch for double extensions (Invoice.pdf.exe): Windows hides known extensions by default, so the file appears as Invoice.pdf
  • Office documents with macros: .docm, .xlsm, and the legacy .doc and .xls formats (or any document that prompts you to “enable content”)
  • Compressed files: .zip, .rar, .7z (which may contain executable files)
  • SVG files: An emerging 2026 vector that can contain embedded scripts
  • Calendar invites: .ics files from unknown senders can contain malicious links

If you did not expect the attachment, do not open it. If the sender claims to be someone you know, verify through an independent channel before opening.
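The attachment checks above are what a mail gateway or a cautious analyst does by hand. The following Python script is an added example, not code from the original article: it builds a constructed sample message in memory, parses it back with the standard library's email parser the way a gateway would parse a raw .eml, and flags the risky types listed above plus two tricks that list implies, double extensions and risky files hidden inside a zip archive. Every sender, filename and file body in the sample is made up for illustration; .rar and .7z are flagged by name only because reading them needs third-party libraries.

```python
"""Step 6 as code: added example, not from the original article.

Builds a constructed sample message in memory, parses it back the way a
mail gateway would, and flags risky attachments: the types listed above,
double extensions (Invoice.pdf.exe) and risky files hidden inside a zip.
Every name and file in the sample is made up for illustration.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE = {".exe", ".bat", ".cmd", ".ps1", ".scr", ".js", ".vbs", ".hta", ".lnk", ".msi"}
MACRO_DOCS = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}  # legacy formats carry macros too
ARCHIVES = {".zip"}  # .rar/.7z need third-party libraries; flagged by name below
OTHER_RISKY = {
    ".rar": "archive (contents not inspected)",
    ".7z": "archive (contents not inspected)",
    ".svg": "SVG can embed script",
    ".ics": "calendar invite can carry links",
    ".iso": "disk image auto-mounts on Windows",
}
DECOY = {".pdf", ".doc", ".docx", ".xlsx", ".txt", ".jpg", ".png"}


def extensions(name: str) -> list:
    """All dotted suffixes, lowercase: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in name.lower().split(".")[1:]]


def classify(name: str, data: bytes, depth: int = 0) -> list:
    """Return the findings for one attachment (empty list: nothing flagged)."""
    exts = extensions(name)
    if not exts:
        return []
    findings = []
    last = exts[-1]
    if last in EXECUTABLE:
        findings.append(f"executable: {name}")
    elif last in MACRO_DOCS:
        findings.append(f"macro-capable document: {name}")
    elif last in OTHER_RISKY:
        findings.append(f"{OTHER_RISKY[last]}: {name}")
    elif last in ARCHIVES:
        findings.append(f"compressed archive: {name}")
    # Double extension: a decoy such as .pdf in front of the real, dangerous one.
    if len(exts) > 1 and exts[-2] in DECOY and last not in DECOY:
        findings.append(f"double extension disguises type: {name}")
    # Look inside zip archives (bounded depth so nested archives cannot recurse forever).
    if last in ARCHIVES and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    for f in classify(inner, zf.read(inner), depth + 1):
                        findings.append(f"inside {name}: {f}")
        except zipfile.BadZipFile:
            findings.append(f"archive could not be read: {name}")
    return findings


def triage_attachments(raw_eml: bytes) -> dict:
    """Parse a raw RFC 5322 message and classify every attachment by filename."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    return {
        (part.get_filename() or "(unnamed)"): classify(
            part.get_filename() or "", part.get_payload(decode=True) or b""
        )
        for part in msg.iter_attachments()
    }


def build_sample_eml() -> bytes:
    """Constructed sample: an unexpected 'invoice' with three attachments."""
    msg = EmailMessage()
    msg["From"] = "Accounts <billing@invoice-portal-secure.com>"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice 48213 overdue"
    msg.set_content("Please open the attached invoice today.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed dropper placeholder")
        zf.writestr("readme.txt", "open invoice.js")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment("BEGIN:VCALENDAR\nEND:VCALENDAR\n",
                       subtype="calendar", filename="meeting.ics")
    return bytes(msg)


if __name__ == "__main__":
    for name, findings in triage_attachments(build_sample_eml()).items():
        print(name, "->", findings or "nothing flagged")
```

Filename-based triage is a first pass only: a sender who controls the filename controls what this sees, so a real gateway also checks the declared MIME type and the file's magic bytes. The zip step matters because "compressed file" on its own tells you nothing; what is inside is what gets run.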

Step 7: Look for Contextual Mismatches

Even AI-generated phishing can contain contextual errors:

  • References to services you do not use (“Your Dropbox account” when you use Google Drive)
  • Invoice numbers, order numbers, or tracking numbers you cannot verify
  • Inconsistent branding (correct logo but wrong color scheme, unusual formatting)
  • Generic greetings (“Dear Customer”) from services that know your name
  • Emails arriving at unusual times (a personal note from a colleague sent at 3 AM local time); automated notifications go out around the clock, so weigh this only for messages that claim to be written by a person

Step 8: Report and Delete

If you identify a phishing email:

  1. Use your email provider’s “Report Phishing” button
  2. Forward the email to [email protected]
  3. If it impersonates your employer, forward to your IT security team
  4. Delete the email
  5. Do not reply, click any links, or open any attachments — including “unsubscribe” links

What No Longer Works as Detection

Checking for spelling and grammar errors. AI eliminates these. Perfect grammar does not indicate a safe email.

Looking for HTTPS padlocks. Phishing sites universally use HTTPS. The padlock indicates encryption between your browser and the server — it says nothing about who operates the server.

Trusting emails from known contacts. Compromised email accounts send phishing to the victim’s contact list. An email from a colleague’s address may not be from that colleague. Verify unusual requests through a different channel.

Relying on email filters. Filters catch the majority of phishing but not all. Targeted attacks using novel content, clean domains, and legitimate hosting platforms bypass filters.

Building Long-Term Detection Skills

Practice with simulations. Organizations that run regular phishing simulations generally see click rates fall over time. If your workplace offers simulations, engage with them seriously.

Update your mental model. The question is not “does this email look suspicious?” (AI-generated phishing looks legitimate). The question is “does this email ask me to take an unusual action, and can I verify the request independently?”

Make verification automatic. Any email requesting credentials, financial action, or software installation gets verified through an independent channel before any action. Make this a habit, not a decision.

For comprehensive defense beyond email detection, see our Phishing Protection Guide 2026. For answers to common security questions, visit our Cybersecurity FAQ.

Key Takeaways

  • AI has eliminated grammar and spelling errors as reliable phishing indicators — update your detection approach
  • The actual sender email address (not display name) remains the most reliable initial indicator
  • Independent verification through a separate channel defeats nearly all phishing attacks
  • Emotional urgency is the attack — legitimate organizations do not demand instant action
  • Report phishing to your email provider and [email protected] to help protect others

Next Steps

Phishing tactics evolve continuously. This guide reflects the threat landscape as of early 2026. Review and update your detection skills regularly.
