AI has made phishing emails better-looking than ever — perfect grammar, real logos, matching design. But the underlying tricks haven't changed. Here are the five checks we run in about five seconds on any suspicious message, and the two rules that make it almost impossible to fall for one.
The 5-second checklist
- Hover over the sender's name — does the actual email address match the brand? 'Apple Support <noreply@apple-sec-team.co>' is not Apple.
- Hover (don't click) every link. Read the true destination in the status bar. A link that says 'chase.com' but goes to 'chase-secure-login-verify.xyz' is phishing.
- Look for urgency + fear ('Account locked in 24 hours!'). Legitimate brands almost never rely on countdown-timer pressure.
- Check whether they know your details. A real bank uses your name; a phishing 'bank' says 'Dear Customer'.
- Ask yourself: does this action make sense? Real Amazon never asks you to log in via an email to check on a delivery.
The 2025 twist: AI-personalised phishing
In 2025 we started seeing phishing emails that quote your real LinkedIn job title, mention your actual boss's name and reference a real project. Attackers scrape public data and use AI to personalise. Rule of thumb: if the message is unexpected and asks you to click or pay, verify by a different channel — phone, in-person or a fresh browser tab.
Common 2026 phishing themes
- Fake courier delivery updates (USPS, FedEx, DHL) asking for a small handling fee.
- 'Your Apple ID has been used to sign in on a new device' with a suspicious verify link.
- Fake invoices from suppliers you actually use — a favourite for small businesses.
- 'Payroll update — verify your bank details' emails targeting HR staff.
- Fake Microsoft 365 login screens with your real company logo scraped from LinkedIn.
What to do if you clicked one
- If you entered a password anywhere — change it immediately on the real site, from a different device.
- Enable MFA on the affected account, then revoke all active sessions.
- Check the account's recent sign-in activity and any auto-forwarding email rules (attackers often set these to hide traces).
- Scan the device with Windows Defender Offline or a reputable Mac scanner in case malware was dropped.
- If it's a work account — tell IT within an hour. The clock matters.
For small businesses
One employee clicking one phishing link is still the #1 way small businesses get breached. A 30-minute team training + Microsoft 365 or Google Workspace hardening reduces the risk by around 90%. We include this in every Fleet Maintenance Plan.
Suspicious email in your inbox right now? Forward it to us and we'll verify it within one business hour — free, no obligation.
Related service
Antivirus Installation, Consultation & Removal · $69 flat
Honest advice on the right antivirus for you — plus clean install, configuration and safe removal of unwanted security software.
Book this service
