
How to Spot a Phishing Email in 2026 — When AI Makes Fakes Look Real

📅 February 5, 2026 ⏱ 5 min read

Phishing email detection used to be relatively straightforward — look for spelling errors, suspicious sender addresses, and generic greetings. In 2025-2026, AI has fundamentally changed this. Modern phishing emails are grammatically perfect, highly personalised, and virtually indistinguishable from legitimate communications without technical analysis. The old advice is dangerously outdated.

What Has Changed With AI-Generated Phishing

AI language models can generate a convincing, grammatically perfect phishing email in seconds. More concerning, these models can be given information scraped from LinkedIn, your company website, or social media and generate personalised emails that reference your real colleagues by name, mention actual projects, and reflect your company's genuine communication style. "Check for spelling mistakes" no longer works as a detection technique — modern phishing emails have none.

The Signs That Still Work

The sender domain: Look very carefully at the actual email address, not just the display name at the top. The display name can be set to anything — "The ATO," "CommBank Security Team," "Your CEO." The actual sending address will reveal the truth. Hover your mouse over the sender's name to see the actual email address. Watch for lookalike domains — ato.gov.au-notifications.com is not the ATO, it is a criminal domain.

Hover over links before clicking: On a computer, hover your mouse over any link before clicking it. The actual destination URL appears in the status bar at the bottom of your browser.

Unexpected requests for action: Any email requesting urgent action — clicking a link to log in, downloading a file, or providing information — should be treated with suspicion regardless of how legitimate it looks.
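The sender and link checks above can be automated for triage. The following is an added example, not code from the original article: the TRUSTED allow-list, the function names and the sample addresses in the test data are assumptions constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: brand keyword (as seen in a display name) -> the domain that
# organisation really uses. Constructed for this example.
TRUSTED = {"ato": "ato.gov.au", "commbank": "commbank.com.au"}


def belongs_to(host, trusted_domain):
    """True only if host is the trusted domain or a subdomain of it."""
    return host == trusted_domain or host.endswith("." + trusted_domain)


def classify_host(host):
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    host = host.lower().rstrip(".")
    if any(belongs_to(host, d) for d in TRUSTED.values()):
        return "trusted"
    # A trusted name embedded in the host, but not at its end, is a lookalike,
    # e.g. ato.gov.au-notifications.com
    if any(d in host for d in TRUSTED.values()):
        return "lookalike"
    return "unknown"


def check_sender(from_header):
    """Compare what the display name claims with the real sending domain."""
    display, address = parseaddr(from_header)
    verdict = classify_host(address.rpartition("@")[2])
    # Whole-word match so "Operator" is not read as a claim to be the ATO
    claims_brand = any(b in display.lower().split() for b in TRUSTED)
    if verdict == "unknown" and claims_brand:
        return "display-name-mismatch"
    return verdict


def check_link(url):
    """Classify the host a link really points to (what hovering reveals)."""
    return classify_host(urlsplit(url).hostname or "")
```

Suffix matching is the point: a trusted name that appears anywhere other than the end of the host proves nothing.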

The Categories of Phishing You Are Most Likely to Encounter

In 2025-2026, the most common phishing themes targeting Australians are: ATO and myGov impersonation (particularly around tax time), parcel delivery notifications from Australia Post, Toll and other logistics providers, bank security alerts, Microsoft 365 and Google Workspace login warnings, and LinkedIn connection and message notifications. Understanding that these are the most common themes helps you approach emails in these categories with appropriate caution.

What to Do When You Receive a Suspicious Email

Do not click any links or open any attachments. If the email claims to be from an organisation you deal with, close the email and contact that organisation directly through a phone number or website you already know to be genuine — not anything provided in the email. If you are at work, forward suspicious emails to your IT security team or report them using your email client's "Report Phishing" function, which helps train email filters.

The Most Reliable Check

When in doubt about any email, do not click the link. Close the email. Navigate directly to the organisation's official website by typing the address yourself. Check your account there. This approach renders phishing emails completely harmless — they can only succeed if you click the link they provide. IntrusionX provides email security and staff phishing awareness training for Melbourne businesses — contact us for a free consultation.

Email Security Tools That Help

Several technical controls help identify phishing emails before they reach your inbox. Microsoft 365 Business Premium and Google Workspace include advanced phishing detection that analyses email content and sender reputation. These tools are not perfect — sophisticated targeted phishing can still get through — but they catch the majority of mass phishing campaigns. An external email warning banner that flags all emails coming from outside your organisation — configured in Microsoft 365 or Google Workspace — helps staff immediately see that a message claiming to be from their CEO or IT team is actually from an external sender. DMARC configuration on your domain prevents spoofed emails using your domain name from reaching your recipients.

Reporting Suspicious Emails

If you receive a suspicious email that you did not click on, report it. Microsoft Outlook has a "Report Phishing" button in the ribbon that sends the email to Microsoft's security team for analysis. Google Gmail has a "Report Phishing" option in the three-dot menu. Your IT team or security provider should also receive reports of suspicious emails — even if they did not fool you — because the same attack may be targeting colleagues who may be less vigilant. Reporting phishing attempts helps improve email filters for your entire organisation. IntrusionX provides email security configuration and staff awareness training for Melbourne businesses — contact us for a free assessment.
