Phishing in 2026: No Longer the "Nigerian Prince"

Phishing has evolved. Where fake emails could once be spotted by grammatical errors and odd formatting, in 2026 attackers are armed with AI. A modern phishing email:

  • Written in flawless language without a single mistake

  • Personalized — contains your name, job title, company name from public sources

  • Comes from a lookalike domain that differs from the real one by a single character (rn instead of m, 0 instead of o, .co instead of .com)

  • May be accompanied by a deepfake call supposedly from your CEO

According to IBM X-Force, phishing remained the #1 initial access vector in 2025, behind 41% of all incidents they handled. The average time between opening an email and clicking the malicious link is 28 seconds.

Evolution of Phishing Attacks

Spear Phishing (Targeted Phishing)

An attack aimed at a specific person or company. The attacker studies LinkedIn, Facebook, and public documents to make the email look as convincing as possible. For example: "Ivan, as we discussed at Thursday's meeting — please confirm the transfer to the account..."

Whaling (Targeting Executives)

The "whale" is top management. CEO Fraud, also called Business Email Compromise (BEC): a fake email from the "CEO" to the accountant asking for an urgent transfer. Damage from a single successful attack runs from $50,000 to millions.

Vishing and Smishing

Vishing — voice phishing. In 2026 AI voice cloning can call you in your "CEO's" voice asking to confirm a payment. Smishing — phishing via SMS: "Your package is delayed, confirm your address" with a link to a fake postal service site.

QR Phishing (Quishing)

A QR code in an email is just an image, so link filters and most antivirus software never see the URL inside it. The victim scans it with a personal phone, outside corporate protections, and lands on a fake login page.

How to Verify a Suspicious Email: Step-by-Step

1. Check the Sender's Address

Not the "sender name" (display name) but the actual address behind it. Common techniques: a trusted display name such as "Ivan Petrov, CEO" over an unrelated mailbox; a lookalike domain one character off (yourcornpany.com); a hyphenated or subdomain variant (yourcompany-secure.com); a Reply-To header that points somewhere other than From.

2. Check Links Before Clicking

Hover (don't click) over a link and read the real URL in the status bar at the bottom of the browser; the visible link text is not the destination. On a phone, long-press the link to preview it. Or copy the link and check it through:

  • VirusTotal — scans URLs through 70+ antivirus databases

  • Google Safe Browsing — transparencyreport.google.com/safe-browsing/search

  • URLVoid — domain reputation check

3. Analyzing Email Headers

In any email client you can view full headers (Gmail: three dots → "Show original"). Look for:

  • Return-Path: the envelope sender used for bounces; in spoofed mail it often points to a domain unrelated to From

  • Received: the chain of servers the email passed through, newest on top. Read it from the bottom: the lowest line is the first server that accepted the message and usually records the sender's IP. Only the lines added by your own mail provider can be trusted; anything beneath them could have been forged by the sender

  • X-Originating-IP: some providers (typically webmail) add the sending client's IP here, so you can check its geolocation. It is not always present; when it is missing, use the bottom Received line
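Steps 1 to 3 can be automated for a first triage pass. The Python script below is an added example, not from the original article: it parses a raw message with the standard library, compares the display name with the real address, folds look-alike characters to catch domains such as yourcornpany.com, flags a Return-Path that does not match From, compares each link's visible text with its real href, and pulls the origin IP from the bottom Received header. The sample message, the yourcompany.com trusted domain and the homoglyph table are constructed assumptions.

```python
"""Offline triage of a suspicious email (steps 1-3 above).
Added example, not from the original article. The message, the trusted
domain list and the homoglyph table are constructed assumptions."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the recipient's own domain; real deployments add known partners.
TRUSTED_DOMAINS = {"yourcompany.com"}
# Character sequences that look alike in common fonts: rn/m, vv/w, 0/o, 1/l.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: CEO fraud from a lookalike domain; the link text shows
# the real portal while the href goes somewhere else.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-yourcornpany.com>
Received: from mx.example.net (mx.example.net [198.51.100.7]) by mail.yourcompany.com; Tue, 3 Mar 2026 09:12:01 +0000
Received: from [203.0.113.45] by mx.example.net; Tue, 3 Mar 2026 09:11:58 +0000
From: "Ivan Petrov (CEO)" <ceo@yourcornpany.com>
To: accountant@yourcompany.com
Subject: Urgent: confirm the transfer
Content-Type: text/html; charset=utf-8

<html><body>As we discussed on Thursday, please confirm the transfer at
<a href="https://yourcompany-login.example/secure">https://portal.yourcompany.com/</a></body></html>
"""

def normalize(domain):
    """Fold look-alike sequences so 'yourcornpany.com' equals 'yourcompany.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance; catches domains one character off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True when the domain is not trusted but is a homoglyph or one-edit variant of one."""
    domain = domain.lower()
    if not domain or domain in trusted:
        return False
    return any(normalize(domain) == normalize(t) or edit_distance(domain, t) == 1
               for t in trusted)

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def triage(raw):
    """Return a list of findings for a raw RFC 5322 message; empty means nothing stood out."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Step 1: judge the address, not the display name.
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(addr)
    if name and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' over untrusted address {addr}")
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")
    _, rp_addr = parseaddr(str(msg["Return-Path"] or ""))
    if rp_addr and domain_of(rp_addr) != from_domain:
        findings.append(f"Return-Path domain {domain_of(rp_addr)} differs from From domain {from_domain}")
    # Step 2: the visible link text is not the destination; compare it with the href.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = urlparse(re.sub(r"<[^>]+>", "", text).strip()).hostname
        if shown_host and shown_host.lower() != real_host:
            findings.append(f"link text shows {shown_host} but goes to {real_host}")
        if is_lookalike(real_host):
            findings.append(f"lookalike link domain: {real_host}")
    # Step 3: Received headers are newest first, so the bottom one is the first hop.
    # Only the lines your own mail provider added are trustworthy; the sender can
    # forge anything beneath them.
    hops = msg.get_all("Received") or []
    if hops:
        origin = IP_RE.search(str(hops[-1]))
        if origin:
            findings.append(f"origin IP from first hop: {origin.group(1)}")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("-", line)
```

Run it against a message saved as .eml and read the findings as hints, not verdicts: the homoglyph table is deliberately small, and a genuine third-party mailer (a newsletter service) will also produce a Return-Path mismatch, which is exactly why SPF and DMARC alignment, covered below, exist.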

4. Signs of a Fake Website

  • URL doesn't match the official site (HTTPS and the padlock prove nothing here: anyone can get a certificate for a domain they control)

  • No contacts, address, or legal information

  • Login form requests more data than usual (e.g., also your card CVV)

  • Errors in text, strange formatting, mismatched logos

  • Domain registered recently (check the creation date via whois.domaintools.com or any WHOIS lookup; a domain a few days old that impersonates an established brand is a red flag)

SPF, DKIM, DMARC: Protecting Your Domain from Spoofing

If an attacker sends emails supposedly from @yourcompany.com — that's domain spoofing. Three DNS records protect against this:

SPF (Sender Policy Framework)

A DNS TXT record specifying which servers are authorized to send mail from your domain. Example:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

~all is "softfail": mail from a server not in the list is still accepted but marked suspicious. -all is "fail": such mail is rejected. Start with ~all while you inventory every service that sends on your behalf, then switch to -all. Each include:, a, mx, ptr, exists and redirect term costs one DNS lookup, and receivers give up (permerror) past ten.

DKIM (DomainKeys Identified Mail)

A digital signature for your email. The sending server signs selected headers and the body with a private key; the receiving server fetches the public key from DNS (selector._domainkey.yourdomain) and verifies the signature. If the email is modified in transit, the signature won't match. The d= tag in the DKIM-Signature header names the signing domain, which is what DMARC compares against the From: address.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

Specifies what to do with an email that fails both checks, meaning neither SPF nor DKIM passed for a domain aligned with the visible From: domain: none (report only), quarantine (move to spam), reject (block). The rua address receives aggregate reports on who is sending as your domain, including spoofing attempts.

v=DMARC1; p=reject; rua=mailto:[email protected]

Check your domain now: MXToolbox DMARC Checker, dmarcian.com
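To see what the three records actually enforce, the script below is an added example, not from the article or from any of the checkers named above: it parses an SPF record (qualifier on all, DNS-lookup count), parses a DMARC record into its tags, lists the weaknesses a spoofer could exploit, and implements the alignment rule, under which DMARC passes only when SPF or DKIM passed for a domain aligned with the From: domain. The records and domains are constructed placeholders, and org_domain takes the last two labels as a simplification of the Public Suffix List.

```python
"""Offline audit of SPF and DMARC TXT records plus the DMARC alignment rule.
Added example, not part of the original article or any vendor tool. The
records and domains used here are constructed placeholders."""
import re

# Each of these costs one of the ten DNS lookups SPF allows per evaluation
# (RFC 7208 section 4.6.4). Nested includes count too, but cannot be resolved
# offline, so only the top level is counted here.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_MEANING = {"-": "fail: unlisted senders are rejected",
               "~": "softfail: unlisted senders are only marked suspicious",
               "?": "neutral: the record gives no verdict",
               "+": "pass: anyone may send as this domain"}

def parse_spf(record):
    """Return the qualifier on 'all', the top-level lookup count and the include list."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"all": None, "lookups": 0, "includes": []}
    for term in terms[1:]:
        qualifier = "+"                      # SPF default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            result["all"] = qualifier
        elif name in LOOKUP_TERMS:
            result["lookups"] += 1
            if name == "include":
                result["includes"].append(term.split(":", 1)[1])
    return result

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def audit(spf_record, dmarc_record):
    """List weaknesses a spoofer could exploit; an empty list means both records are strict."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] != "-":
        findings.append("SPF does not end in -all: "
                        + ALL_MEANING.get(spf["all"], "missing 'all' behaves like ?all"))
    if spf["lookups"] > 10:
        findings.append("SPF exceeds 10 DNS lookups: receivers return permerror")
    d = parse_dmarc(dmarc_record)
    if d.get("p", "none") == "none":
        findings.append("DMARC p=none: spoofed mail is delivered and only reported")
    if "rua" not in d:
        findings.append("DMARC has no rua: you will never see spoofing reports")
    if int(d.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={d['pct']}: policy applies to only part of the mail")
    if d.get("sp") == "none" and d.get("p") != "none":
        findings.append("DMARC sp=none: any subdomain can be spoofed freely")
    return findings

def org_domain(domain):
    """Organisational domain, simplified to the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf_pass_domain, dkim_pass_domain, tags):
    """'pass' if an aligned SPF or DKIM result exists, else the policy the receiver applies.
    spf_pass_domain is the Return-Path domain SPF passed for (None if SPF failed);
    dkim_pass_domain is the d= of a valid DKIM signature (None if there is none)."""
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

if __name__ == "__main__":
    # Constructed records: the weak pair uses the SPF record shown in the article.
    for f in audit("v=spf1 include:_spf.google.com include:sendgrid.net ~all", "v=DMARC1; p=none"):
        print("-", f)
```

The alignment check is the part people miss: a message whose Return-Path is bounce@mail-yourcornpany.com can pass SPF for that attacker-owned domain and still be rejected by your DMARC policy, because that domain does not align with From: yourcompany.com. Conversely, a legitimate bulk mailer sending with its own Return-Path needs DKIM signed with your d= to pass.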

What to Do If You Clicked a Suspicious Link

  1. Don't panic, act quickly

  2. Disconnect the device from the internet (Wi-Fi, cable)

  3. Notify your IT person or manager

  4. If you entered a password, change it (from a clean device) on every service where it's used and sign out all active sessions

  5. If you entered card details — block the card through your banking app

  6. Run a full antivirus scan

  7. Document: time, URL, exactly what you did

Employee Training: Practical Approaches

  • Quarterly phishing simulations — not for punishment, but for measuring risk

  • Two-channel rule — any request to transfer funds from the "CEO" via email is confirmed by a call to a known number

  • Culture of "better to ask": nobody is blamed for reporting a suspicious email, even a false alarm; the failure is clicking and keeping quiet

  • Clear reporting channel — a dedicated inbox or Slack channel for suspicious email reports

Conclusion

Phishing becomes more precise and sophisticated every year. Technical solutions (SPF/DKIM/DMARC, anti-phishing filters) are the necessary foundation. But the main defense — trained employees who know what to look for and aren't afraid to report suspicious activity.

Want to set up anti-phishing protection for your domain or train your team? Contact us.