You already know what a bad phishing email looks like. Broken English, a generic "Dear Customer" greeting, an attachment from a sender you have never heard of. For years, those were the signals security teams told everyone to watch for.
The problem is that attackers know what bad phishing emails look like too. They have studied every checklist, every awareness campaign, and every "what to look for" guide published in the last decade. The result is a new generation of phishing emails engineered specifically to pass every test you have been trained to apply.
So how do you spot a phishing email when it looks completely real? The answer requires a different way of thinking — one that focuses less on the appearance of a message and more on the context, the request, and the behavior patterns that even the most convincing fakes cannot hide.
Why Phishing Emails Look Real Now
Before getting into how to spot them, it helps to understand why modern phishing emails are so convincing. Three developments have changed the game entirely.
AI-generated content allows attackers to produce flawless, natural-sounding email copy at scale. There are no grammar errors, no awkward phrasing, and no telltale signs of a non-native English speaker. An attacker can prompt an AI tool to write a message that sounds exactly like your CFO, your IT department, or your payroll provider — and get a polished result in seconds.
Open-source intelligence (OSINT) gives attackers access to a wealth of personal and organizational information. Your LinkedIn profile, your company website, press releases, social media posts, and even public job listings can tell an attacker your name, your role, who you report to, what projects your team is working on, and which vendors your company uses. That information gets woven directly into phishing messages to make them feel specific and credible.
Look-alike infrastructure means attackers invest in sending domains that closely resemble legitimate ones: the real brand name with one character swapped, or a plausible word appended, looks correct at a glance. Combined with spoofed display names and professional email templates copied directly from real companies, the result is a message that clears every visual inspection.
The Signals That Give Phishing Emails Away
Even the most convincing phishing email leaves traces. The key is knowing where to look — and training yourself to look there instinctively.
1. Inspect the Actual Sending Domain
The display name in an email can say anything. "Microsoft Support," "Your IT Team," or "Carl from Payroll" cost an attacker nothing to set. What matters is the actual email address behind the display name, and specifically the domain — the part after the @ symbol.
Hover over or tap the sender name to reveal the full address. Then read the domain carefully, character by character. Attackers use several techniques to make domains look legitimate at a glance: replacing letters with numbers (0 for o, 1 for l), adding words (microsoft-support.com, paypal-security-center.com), using different top-level domains (company.net instead of company.com), or inserting hyphens. If the domain does not exactly match the organization's real domain, treat it as suspicious regardless of how the rest of the email looks. The reverse is not a guarantee: a From address on the genuine domain can still be forged when that domain does not enforce DMARC, so a matching domain rules out only the cheapest attacks.
2. Hover Over Every Link Before Clicking
The link text in a phishing email can read https://www.microsoft.com while the actual destination is something completely different. On desktop, hovering over a link reveals the real URL in the bottom of the browser or email client. On mobile, press and hold the link to see the destination before opening it.
Look at where the link actually goes. Does the domain match the organization sending the email? Is there anything unusual in the path: random strings of characters, unfamiliar subdomains, a real brand name buried as a subdomain of some other domain, or URL shorteners that obscure the real destination? Do not treat https or the padlock as reassurance; they only mean the connection is encrypted, and phishing pages use valid certificates too. Legitimate senders often route links through a mailing or click-tracking domain, so a mismatch is not proof on its own, but it is a reason to stop and reach the service another way rather than through the link.
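As an added example (not code from the article or from any product it mentions), the following Python script applies the checks from sections 1 and 2 mechanically: it reads a raw message, separates the display name from the sending domain, names which look-alike trick the domain uses against a short allow-list, reads the receiving server's DMARC verdict, and compares each link's visible text with its real destination. The message, the allow-list and every domain in it are constructed for the demonstration.

```python
# Added example, not from the article: the sender and link checks from sections
# 1 and 2 run over a raw message. Allow-list, message and domains are constructed.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_GOOD = {"example.com", "microsoft.com"}  # constructed allow-list
# Constructed message: spoofed display name, digit-swapped sending domain with
# an added word, failed DMARC, and a link whose text disagrees with its href.
SAMPLE_EMAIL = """\
From: "Microsoft Support" <alerts@micros0ft-support.com>
To: dana@example.com
Subject: Action required: your account will be suspended in 24 hours
Authentication-Results: mx.example.com; dmarc=fail header.from=micros0ft-support.com
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in now to keep access:</p>
<a href="https://login.microsoft.com.account-verify.net/x?id=83hf9a">https://login.microsoft.com</a>
</body></html>
"""

def lookalike_reasons(domain, known=KNOWN_GOOD):
    """Name the look-alike tricks `domain` uses against any domain in `known`."""
    if domain in known:
        return []
    label, _, tld = domain.rpartition(".")  # naive split; ignores co.uk-style TLDs
    plain = label.translate(str.maketrans("01", "ol"))  # undo 0-for-o and 1-for-l
    reasons = []
    for good in sorted(known):
        glabel, _, gtld = good.rpartition(".")
        if glabel not in plain.replace("-", ""):
            continue  # nothing here imitates `good`; still read it by hand
        if plain != label:
            reasons.append(f"digits substituted for letters (looks like {good})")
        if plain.replace("-", "") != glabel:
            reasons.append(f"words or hyphens added to {good}")
        if tld != gtld:
            reasons.append(f"different top-level domain than {good}")
    return reasons

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, known=KNOWN_GOOD):
    """Flag links whose real destination is not what the reader sees.
    Deliberately ignores https: phishing pages use valid TLS certificates too."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        flags = []
        if text.lower().startswith("http"):  # link text that itself looks like a URL
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                flags.append(f"text shows {shown} but link goes to {host}")
        if not any(host == g or host.endswith("." + g) for g in known):
            flags.append("destination is not under a known domain")
            for g in sorted(known):
                if g in host:  # real brand name buried as a subdomain of another domain
                    flags.append(f"{g} appears inside {host} as a decoy")
        findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings

def check_email(raw, known=KNOWN_GOOD):
    """Run the sender and link checks over one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    # Trust Authentication-Results only when your own receiving server added it.
    verdict = re.search(r"dmarc=(\w+)", str(msg.get("Authentication-Results", "")))
    body = msg.get_body(preferencelist=("html", "plain"))
    return {
        "display_name": name,  # attacker-chosen; never a basis for trust
        "sender_domain": domain,
        "sender_reasons": lookalike_reasons(domain, known),
        "dmarc": verdict.group(1) if verdict else "not checked",
        "links": check_links(body.get_content() if body else "", known),
    }

if __name__ == "__main__":
    import pprint; pprint.pprint(check_email(SAMPLE_EMAIL))
```

Running it prints the spoofed display name, the two look-alike reasons for the sending domain, the failed DMARC verdict, and three flags on the single link. The https scheme is deliberately not scored, and a message that passes every check is still only "not obviously fake": the script makes the hover-and-read step repeatable, it does not replace verification through a separate channel.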
3. Question Every Urgent Request
Urgency is the most consistent feature of phishing emails — and it is there by design. Phrases like "your account will be suspended in 24 hours," "immediate action required," or "respond before end of business today" are engineered to trigger a stress response that bypasses careful thinking.
The most important habit you can build is to treat urgency as a warning sign rather than a reason to act fast. Slow down. A real request from your bank, your IT team, or your CEO can withstand a two-minute delay while you verify it through a separate channel. Phishing attempts cannot — verification is exactly what they are trying to prevent.
4. Be Suspicious of Any Request That Bypasses Normal Process
One of the clearest signals that an email is not legitimate is when it asks you to do something outside normal procedure. "Process this payment directly without going through AP." "Reply to my personal email for this one." "Do not mention this to anyone else yet." These instructions exist for one reason: to prevent you from doing the verification that would expose the fraud.
Legitimate business requests — even urgent, sensitive, or confidential ones — do not require you to bypass the processes your organization has in place. When a message asks you to circumvent normal channels, that request itself is the red flag, regardless of how credible everything else looks.
5. Verify Through a Separate Channel
This is the single most effective defense against phishing emails, including AI-generated ones: if an email asks you to take a significant action — clicking a link, entering credentials, approving a payment, sharing sensitive information — verify the request through a channel that is completely independent of the email itself.
Call the person using a number you already have on file, not one provided in the email. Send a new message in your company's messaging platform rather than replying to the email thread. Walk over to their desk. The method does not matter as long as it is independent. This one habit defeats the vast majority of even the most sophisticated phishing attempts, because it takes the interaction out of the attacker's controlled environment entirely.
6. Watch for Requests Targeting Your Credentials
Many phishing emails have a single goal: capturing your username and password. They do this by directing you to a login page that looks identical to a real one (Microsoft 365, Google Workspace, your company VPN, your bank) but is controlled by the attacker.
Be skeptical of any email that links to a login page, even if that login page looks completely legitimate. Ask yourself: did I initiate this? Did I request a password reset, try to access a resource, or trigger some action that would logically result in a login prompt? If the answer is no, the login request itself is suspicious. Navigate directly to the service by typing the URL yourself rather than clicking through from the email. A password manager that declines to autofill on the page is a strong hint that the domain is not the one the credential was saved for, and a one-time code typed into a fake page can be relayed to the real service just as a password can, so a second factor does not make clicking through safe.
What Good Phishing Awareness Training Teaches
Knowing how to spot a phishing email is a skill that has to be developed and regularly refreshed — it does not come from reading a checklist once a year. Effective phishing awareness training builds the habits and instincts that make the right response automatic, even under pressure.
Strong training programs cover not just email phishing but the full range of social engineering attacks: vishing (phone-based attacks, increasingly made with cloned voices), smishing (SMS phishing), and the AI-specific techniques that make modern attacks so much harder to detect. Our free Module 2: Phishing and AI Threats was built specifically to address this. It covers how AI is used to craft convincing attacks, what the new red flags look like, and the practical verification habits that protect against even the most sophisticated attempts.
If You Are Not Sure, Report It
One of the most important things any organization can do is make it easy and culturally acceptable to report suspicious emails. Employees who are unsure about a message should feel empowered to flag it without worrying about being wrong or wasting their security team's time.
The cost of reporting a legitimate email as suspicious is essentially zero. The cost of not reporting a real phishing attempt, or worse, acting on it, can be catastrophic. Build a culture where reporting is encouraged, recognized, and rewarded. Employees who report frequently tend to be the ones who click least.
The Bottom Line
The era of obvious phishing emails is over. The messages arriving in inboxes today are polished, personalized, and specifically designed to defeat the instincts that older training programs built. Spotting them requires a shift from visual inspection to contextual judgment — questioning the request, verifying independently, and treating urgency as a signal to slow down rather than speed up.
Start building those instincts now. Our free phishing and AI threats training module gives individuals and teams the knowledge they need to recognize and respond to modern phishing attacks — at no cost, with a certificate available on completion.