How to Detect Phishing Emails and Fake Websites

Published June 2026 · 7 min read

Phishing is no longer the work of bored teenagers in basements. In 2026, it is a $10+ billion criminal industry powered by AI-generated emails, cloned websites that are nearly pixel-perfect, and sophisticated social engineering that targets everyone from individual consumers to Fortune 500 executives. The Anti-Phishing Working Group recorded over 5.7 million phishing attacks in 2025 — an all-time high. Learning to spot a phish is one of the most important digital safety skills you can develop.

What Phishing Looks Like in 2026

Modern phishing attacks have evolved far beyond the "Nigerian prince" emails of the early internet. Today's phishers use:

The Five Red Flags of a Phishing Email

While attackers get more sophisticated every year, they still leave traces. Here are the five most reliable red flags to check before clicking anything in an email:

1. The Sender Address Doesn't Match the Brand

The display name in your inbox can say anything — "Amazon Support" or "Netflix Billing." What matters is the actual email address behind it. Hover over or tap the display name to reveal the full address. A genuine email from Amazon comes from @amazon.com, not @amaz0n-help.co, @amazon-security.ru, or — as in a real 2025 campaign — @amaz0ndelivery-services.top. When in doubt, open a new browser tab and visit the site directly rather than clicking anything in the email.

2. Urgency or Threatening Language

Phishers live by creating panic. "Your account will be closed in 24 hours," "Unusual login detected — verify now," "Your payment failed — update your card." These messages are designed to override your rational thinking with fear. Legitimate companies rarely threaten immediate account suspension via email, and they never ask you to click a link to enter sensitive information. If you're worried, open your browser and log into the service directly — you'll see any genuine alerts in your account dashboard.

3. The Link Doesn't Go Where It Claims

This is the single most important phishing check. Always hover before you click. On desktop, hover your mouse over any link in the email — the destination URL appears in a tooltip or status bar at the bottom of your browser. On mobile, press and hold the link to see the preview. Ask yourself: does this URL look like the real company's domain? Watch for:

4. Grammar and Spelling Errors

AI has made phishing copy far better, but mistakes still slip through — especially in emails that originated in other languages and were machine-translated. Watch for awkward phrasing, unusual word choices, and inconsistent capitalization. A real bank email uses professional copy that has passed through multiple editorial reviews. Anything that reads oddly is worth a second look — and probably a delete.

5. Requests for Sensitive Information

No legitimate company will ask you to send your password, Social Security number, credit card PIN, or two-factor authentication code via email. If an email asks for any of these, it is 100% a phishing attempt. Similarly, be suspicious of any email that asks you to "confirm" or "update" payment details by clicking a link — especially if you didn't recently make a purchase.
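Red flags 1 and 3 are mechanical enough to check in code. The script below is an added example, not part of the original article: it takes a constructed From header and HTML body, compares the real sender address with the brand's domain, and lists every link whose actual target is off-brand even when its visible text looks right. The brand domain, the sample message and the two-label domain rule are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from email.utils import parseaddr

# Constructed sample (not from the article): the display name claims Amazon,
# but the real address and the first link's target do not belong to amazon.com.
SAMPLE_FROM = 'Amazon Support <security@amaz0n-help.co>'
SAMPLE_HTML = """<p>Unusual login detected. Verify now:
<a href="https://amazon.com.verify-account.top/login">https://www.amazon.com/account</a>
or visit our <a href="https://www.amazon.com/gp/help">Help Center</a>.</p>"""

def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'verify-account.top'.
    Assumption: a two-label rule; real tooling consults the Public Suffix List."""
    parts = host.lower().rstrip('.').split('.')
    return '.'.join(parts[-2:])

def sender_mismatch(from_header, brand_domain):
    """Red flag 1: the address behind the display name is not on the brand's domain."""
    _name, addr = parseaddr(from_header)
    domain = addr.rsplit('@', 1)[-1] if '@' in addr else ''
    return registrable_domain(domain) != brand_domain.lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href'), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None

def mismatched_links(html, brand_domain):
    """Red flag 3: links whose real target is not on the brand's domain, even when the
    visible text or a leading 'amazon.com.' label in the hostname suggests otherwise."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if registrable_domain(urlparse(href).hostname or '') != brand_domain.lower()]
```

Note that the first sample link passes a naive "does the URL contain amazon.com" check; comparing the registrable domain is what catches it.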

How to Inspect a Suspicious Email Step by Step

  1. Don't open attachments or click links. If the email is suspicious, treat it as dangerous until proven otherwise.
  2. Check the full sender header. Most email clients let you view the raw headers. Look at the "Received:" chain and at the SPF/DKIM results in the Authentication-Results header, and compare the domain they actually vouch for with the domain shown in the From line; a mismatch means the claimed sender was not verified.
  3. Copy the suspicious link into a phishing scanner. Use a tool like VirusTotal or URLScan.io to check if the URL is known to be malicious. Never visit it in your own browser first.
  4. Contact the company directly. If the email claims to be from your bank, call the number on the back of your card — not any number in the email. Ask them to verify whether the communication is legitimate.
  5. Report the phishing attempt. Forward the email to the company's abuse address (e.g., abuse@amazon.com, phishing@paypal.com, reportphishing@antiphishing.org). This helps protect others.
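Step 2 of the procedure above, carried out in code. This is an added example, not the article's own tooling: it parses a constructed header block with the standard library, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, and reports when the authenticated domain does not line up with the visible From domain. The sample headers, the relay host and the two-label domain rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw headers (not from the article): the From line claims amazon.com,
# but SPF and DKIM only vouch for an unrelated relay and DMARC fails.
SAMPLE_HEADERS = """\
Received: from mail-relay-7.example.net (mail-relay-7.example.net [203.0.113.45])
    by mx.example.org with ESMTPS id abc123 for <victim@example.org>
Authentication-Results: mx.example.org;
    spf=pass smtp.mailfrom=mail-relay-7.example.net;
    dkim=pass header.d=mail-relay-7.example.net;
    dmarc=fail header.from=amazon.com
From: "Amazon Billing" <billing@amazon.com>
"""

def _norm(value):
    return re.sub(r'\s+', ' ', value or '').strip()   # unfold header continuation lines

def org_domain(host):
    """Two-label approximation of the organizational domain (assumption: no Public Suffix List)."""
    return '.'.join(host.lower().rstrip('.').split('.')[-2:])

def parse_auth_results(value):
    """Map each method to (result, domain it vouched for), e.g. {'spf': ('pass', 'relay.example.net')}."""
    out = {}
    for clause in _norm(value).split(';')[1:]:          # clause 0 is the authserv-id
        m = re.match(r'\s*(spf|dkim|dmarc)=(\w+)', clause)
        ident = re.search(r'(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)', clause)
        if m:
            out[m.group(1)] = (m.group(2), ident.group(1) if ident else '')
    return out

def inspect_headers(raw):
    """Does the identity that passed SPF/DKIM line up with the visible From domain?"""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get('From', ''))[1].rsplit('@', 1)[-1].lower()
    results = parse_auth_results(msg.get('Authentication-Results', ''))
    findings = []
    for method in ('spf', 'dkim'):
        result, ident = results.get(method, ('none', ''))
        if result != 'pass':
            findings.append(f'{method}={result}: sender not authenticated')
        elif org_domain(ident) != org_domain(from_domain):
            findings.append(f'{method} passed for {ident}, not for From domain {from_domain}')
    if results.get('dmarc', ('none', ''))[0] != 'pass':
        findings.append('dmarc did not pass for the From domain')
    hops = [re.match(r'from (\S+)', _norm(r)).group(1) for r in msg.get_all('Received', [])
            if _norm(r).startswith('from ')]
    return {'from_domain': from_domain, 'received_from': hops, 'findings': findings}
```

An empty findings list only means the authenticated identity matches the From domain; it says nothing about whether that domain is the brand you expected, which is red flag 1.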

What to Do If You Click a Phishing Link

Even security professionals have fallen for well-crafted phishes. If you realize you've clicked a phishing link or entered credentials on a fake site, act immediately:

  1. Change the password on the affected account — but do it from a different, trusted device, not from the device where you clicked the link.
  2. Enable 2FA if it wasn't already active. If it was, check whether your 2FA recovery codes are still valid — attackers may have changed your 2FA settings.
  3. Check for new sessions or devices in your account security settings. Revoke any unrecognized sessions.
  4. Run a malware scan on your device. Some phishing pages deploy session hijackers or info-stealer malware just by visiting the page.
  5. Monitor your financial accounts for unauthorized transactions for the next 30 days. Set up transaction alerts if you haven't already.
  6. Check Have I Been Pwned to see if your email is circulating in new breach dumps. If it is, change passwords on all connected accounts.

Protecting Yourself Long-Term

The best defense against phishing is a combination of healthy skepticism and technical safeguards. Use a password manager that offers phishing-resistant autofill: it will only fill credentials on the exact domain you registered for, so even if you land on a fake site, your password won't be submitted. Enable two-factor authentication on every account that supports it, and prefer hardware security keys (FIDO2/WebAuthn), which bind each credential to the site's real origin so that a lookalike site cannot use them. And always, always generate unique passwords so that one phished credential doesn't compromise your entire digital life.
