← Blog

How to spot a phishing email in 2026 — a five-point gut check for your whole team

Tenant Strike4 min read

Phishing emails used to be easy to spot. In 2026, they are not. Here is a short, teachable checklist any employee can use before they click.

A few years ago, phishing emails were pretty easy to recognize. Odd spelling, broken English, a vague threat about your account being suspended. Most people learned to spot them.

That era is over. Phishing emails in 2026 arrive with correct grammar, real company logos, names pulled from LinkedIn, and a tone that matches whoever is supposedly sending them. The playbook has changed. The gut-check needs to update with it.

The five-point check below is short enough to share with anyone on your team. You don't need a security background to use it — just a habit of pausing for 30 seconds before clicking anything that asks you to do something.

1. Did you expect this email?

Unexpected is the first word to hold onto. An email arrives saying your invoice is ready, or a package couldn't be delivered, or your password needs resetting — and you weren't expecting any of that. That mismatch is the simplest signal.

Real services send emails in response to things that happen. If nothing happened on your end, something might be wrong on theirs — or the email isn't from them at all.

2. Is it asking you to log in, pay, or change something?

Phishing emails have a job to do. They want a credential (log in here), money (pay this invoice or update bank details), or access (approve this app, click this link). That's almost always what the email is leading toward.

A general-information email — "here's our new product" — is very different from one that has a button you need to press right now. The ones with buttons deserve more scrutiny.

3. Does the sender address actually match?

The display name in your email client — the bit that says "Microsoft Support" or "Your Bank" — is trivially easy to fake. What matters is the actual email address behind it.

Click or tap on the sender name to reveal the real address. Then ask: does this domain match the company it claims to be from? Attackers register look-alike domains: micros0ft.com, paypa1.com, yourbank-secure.com. Sometimes it's one wrong character. Sometimes it's a completely unrelated domain dressed up with a familiar name.

If the address doesn't match the company, stop there.

4. Does the link go where it says it goes?

Before clicking any link in a suspicious email, hover over it (on desktop) or long-press it (on mobile) to preview the actual URL. The link text might say microsoftonline.com but the actual destination is something else entirely.

What you're checking: does the destination URL belong to the company the email claims to be from? A login page for Microsoft will be on a Microsoft domain. A link that goes somewhere generic, unfamiliar, or slightly off is a red flag.

When in doubt, don't click the link in the email. Instead, go directly to the website by typing the address yourself.

5. Does something just feel off?

Phishing relies on pressure. The email says your account will be closed in 24 hours, or a payment is overdue, or someone is waiting on you right now. That urgency is manufactured — it's there to make you act before you think.

Real companies rarely demand immediate action via email alone. If you feel rushed, that's worth noticing.

Similarly, if you receive a request from someone you know — a colleague asking you to buy gift cards, your manager requesting an urgent wire transfer — and the request feels slightly out of character, trust that instinct. BEC (business email compromise) attacks often impersonate people you work with.

When in doubt, verify on a channel you trust. A phone call to the person's known number, or a direct message in Teams or Slack, takes 30 seconds and stops almost every social-engineering attack cold.

How to use this with your team

You don't need a formal training program. A quick run-through at a team meeting, a printed copy on the wall near desks, or a shared note in your team channel is enough to make this a habit.

The goal isn't to make everyone paranoid — most emails are legitimate. The goal is to create a short pause before acting on anything that ticks two or more of these boxes: unexpected, asks for action, odd sender, mismatched link, or unusual urgency.

That pause is the whole defense.

Microsoft 365 has built-in tools that help — external-sender banners, safe-link scanning, quarantine filters — but those settings have to be configured correctly to work. Tenant Strike checks your Microsoft 365 setup in read-only mode and flags the email-security settings that aren't doing what they should, with plain-English notes on each one. Worth running before you assume the defaults are covering you.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.