Table of Contents
- Phishing in 2026: More Dangerous Than Ever
- Pattern 1: The Urgent Account Suspension
- Pattern 2: The Package Delivery Notification
- Pattern 3: The Password Reset Request
- Pattern 4: The Invoice or Payment Confirmation
- Pattern 5: The CEO or Boss Impersonation
- Pattern 6: The Tax Refund or IRS Notice
- Pattern 7: The Crypto Wallet Alert
- Pattern 8: The Job Offer from HR
- Pattern 9: The Cloud Storage Sharing
- Pattern 10: The AI-Generated Personalized Phish
- What to Do If You Clicked a Phishing Link
- Complete Protection Guide
- Resources
Phishing in 2026: More Dangerous Than Ever
Phishing remains the number one cybercrime technique in 2026, responsible for more data breaches, identity theft incidents, and financial losses than any other attack vector. The Anti-Phishing Working Group documented over 5 million phishing attacks in 2025 -- the highest annual total ever recorded. And those are only the attacks detected by their monitoring systems.
What has changed is the sophistication. The phishing emails of 2020 -- riddled with spelling errors, sent from obviously fake addresses, making absurd claims -- still exist, but they have been joined by a new generation of attacks that are virtually indistinguishable from legitimate communications. AI-powered phishing tools can now generate perfectly written, contextually appropriate emails tailored to individual targets using information harvested from social media, data breaches, and public records.
Understanding the patterns that phishing emails follow is your best defense. While specific details change, the underlying structures remain consistent because they exploit fundamental aspects of human psychology: urgency, fear, authority, curiosity, and greed.
Never click a link in an email to access a sensitive account. Instead, open your browser and type the website address directly, or use a bookmark you created previously. This single habit prevents the vast majority of phishing attacks.
Pattern 1: The Urgent Account Suspension
The Pattern
Subject line: "Urgent: Your [Bank/Amazon/Apple] Account Has Been Suspended"
Body: Claims unusual activity was detected on your account. States your account has been temporarily suspended for security purposes. Provides a link to "verify your identity" and restore access. Creates urgency with a 24-hour deadline.
What happens: The link leads to a perfect clone of the real login page. When you enter your credentials, they are captured by the attacker. Many modern phishing pages also relay your credentials to the real site in real time, allowing them to capture your 2FA code and gain immediate access.
How to Spot It
- Check the sender address carefully. The display name may say "Bank of America Security" but the actual email address will be something like security@bankofamerica-alerts.com (not a real bank domain) or a random string of characters.
- Hover over links without clicking. The displayed text may say "bankofamerica.com/verify" but the actual URL points to a completely different domain.
- Real banks never email login links. If your bank detects suspicious activity, they will ask you to call them or visit a branch -- not click a link in an email.
- Check your account directly. Open a new browser tab, type your bank's URL manually, and log in. If there is a real issue, you will see an alert within your account.
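The first two checks above can be automated. The following is an added example, not code from the original article: it parses a constructed message, tests whether the From address is on the domain the brand really uses, and flags links whose visible text names one domain while the href points elsewhere. The host login.example.net and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message); login.example.net is a placeholder host.
RAW = """\
From: "Bank of America Security" <security@bankofamerica-alerts.com>
Content-Type: text/html; charset="utf-8"

<p>Verify now: <a href="https://login.example.net/boa">bankofamerica.com/verify</a></p>
<p><a href="https://www.bankofamerica.com/help">Help center</a></p>
"""
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def host_matches(host, expected):
    host, expected = host.lower().rstrip("."), expected.lower()
    return host == expected or host.endswith("." + expected)  # exact or subdomain

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Links whose visible text names one domain while the href goes elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        shown = DOMAIN_RE.search(text)
        host = urlparse(href).hostname or ""
        if shown and not host_matches(host, shown.group(1)):
            flagged.append((text, host))
    return flagged

def sender_off_domain(msg, expected_domain):
    """True if the From address is not on the domain the brand actually uses."""
    address = parseaddr(msg["From"])[1]
    return not host_matches(address.rpartition("@")[2], expected_domain)

msg = message_from_string(RAW)
print(sender_off_domain(msg, "bankofamerica.com"), mismatched_links(msg.get_payload()))
```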
Pattern 2: The Package Delivery Notification
The Pattern
Subject line: "Your package could not be delivered - Action required" or "USPS/FedEx/UPS: Delivery attempt failed"
Body: Claims a package delivery was attempted but failed. Asks you to click a link to reschedule delivery or update your address. May request a small "redelivery fee" of $1-$3 to capture your credit card information.
What happens: The link installs malware, captures payment card details, or leads to a credential harvesting page. The small fee amount is designed to make you think the risk is minimal -- the real cost is the credit card information they capture.
How to Spot It
- Check if you are expecting a package. If you did not order anything, delete the email immediately.
- Go directly to the carrier's website. Copy any tracking number from the email and paste it directly into USPS.com, FedEx.com, or UPS.com.
- Carriers never charge redelivery fees via email. USPS, FedEx, and UPS do not send emails requesting payment for redelivery.
- Check the sender domain. Real USPS emails come from @usps.com, not @usps-delivery-update.com.
Pattern 3: The Password Reset Request
The Pattern
Subject line: "Password reset requested for your account" or "Someone requested a password change"
Body: Claims that a password reset was requested for your account (Google, Microsoft, Facebook, etc.). Includes a link to "reset your password" or "cancel this request if you did not initiate it." Both links lead to the same phishing page.
What happens: You enter your current password on the fake page, giving the attacker access to your real account. Particularly dangerous because it exploits a security-conscious mindset -- you want to protect your account from unauthorized changes.
How to Spot It
- Did you request a reset? If you did not initiate a password reset, there is nothing to cancel. Ignore the email.
- Never click "cancel request" links. If someone else requested a reset, the link expires on its own. You do not need to take action.
- If concerned, change your password directly. Go to the service's website manually and change your password from your account settings. Do not use any link from the email.
Pattern 4: The Invoice or Payment Confirmation
The Pattern
Subject line: "Payment confirmation: $499.99 charged to your account" or "Invoice #INV-2026-xxxx attached"
Body: Claims a large purchase was made on your account -- often for electronics, software subscriptions, or gift cards. Provides a phone number to "dispute the charge" or a link to "view the invoice." The attached "invoice" is a malware-laden PDF or Word document.
What happens: Calling the phone number connects you to a scam call center that walks you through installing remote access software, giving them control of your computer. Opening the attachment installs malware. Clicking the link leads to credential harvesting.
How to Spot It
- Check your actual bank or PayPal account. If the charge is real, it will appear in your transaction history. If it does not, the email is fake.
- Never call numbers from suspicious emails. Find the company's customer service number from their official website.
- Do not open unexpected attachments. Legitimate payment confirmations from Amazon, PayPal, and similar services are displayed in the email body, not as attachments.
Pattern 5: The CEO or Boss Impersonation
The Pattern
Subject line: "Quick favor" or "Urgent - need this handled today" or simply "Hey"
Body: Appears to come from your CEO, manager, or a senior colleague. Makes a simple request that escalates: starts with "Are you available?" and progresses to "I need you to purchase gift cards for a client event" or "Process this wire transfer for a confidential acquisition."
What happens: Business email compromise (BEC) resulted in $2.9 billion in reported losses in the US in 2025. The attacker either spoofs the boss's email address or has compromised their actual email account. The authority dynamic between employee and supervisor makes victims reluctant to question the request.
How to Spot It
- Verify via a different channel. Call your boss directly or walk to their office. Never rely on the email alone for financial requests.
- Check the email address character by character. Spoofed addresses often substitute similar-looking characters (lowercase L for uppercase I, rn for m).
- No legitimate boss asks employees to buy gift cards. This is a universally recognized scam pattern.
- Unusual urgency or secrecy. "Do not tell anyone about this" is never a legitimate business instruction for financial transactions.
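Checking an address character by character is easy to get wrong by eye, so it helps to let code do it. The following is an added example, not part of the original article: it folds confusable spellings to one canonical form and compares the sender's domain with the domains you actually deal with. The "rn for m" and "l for I" folds come from the article; the others, the function names and the .example domains are assumptions added here.

```python
from email.utils import parseaddr

# Multi-character and digit substitutions folded to one canonical spelling.
# "rn" for "m" is the one the article names; the others are added here as
# common variants of the same trick.
FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def skeleton(domain):
    """Fold visually confusable spellings so look-alike domains compare equal."""
    s = domain.replace("I", "l").lower()  # uppercase I reads as lowercase L
    for seen, meant in FOLDS:
        s = s.replace(seen, meant)
    return s

def classify_sender(from_header, trusted_domains):
    """Return (verdict, sender_domain, imitated_domain_or_None)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2]
    if domain.lower() in trusted_domains:
        return "exact", domain, None
    for trusted in trusted_domains:
        if skeleton(domain) == skeleton(trusted):
            return "lookalike", domain, trusted
    return "unrelated", domain, None

# Constructed From headers; every domain uses the reserved .example TLD.
TRUSTED = {"acme.example", "paypal.example"}
SAMPLES = [
    '"Pat (CEO)" <pat@acme.example>',
    '"Pat (CEO)" <pat@acrne.example>',   # rn in place of m
    "billing@paypaI.example",            # uppercase I in place of lowercase L
    "newsletter@other.example",
]
for header in SAMPLES:
    print(classify_sender(header, TRUSTED))
```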
Pattern 6: The Tax Refund or IRS Notice
The Pattern
Subject line: "Your tax refund of $3,847.00 is ready" or "IRS Notice: Action required on your 2025 return"
Body: Claims you are owed a tax refund and need to provide bank account information for direct deposit, or that there is an issue with your tax return requiring immediate attention. Uses official-looking IRS branding, case numbers, and legal language.
What happens: Links lead to fake IRS pages that harvest SSNs, bank account details, and other personal information used for identity theft and tax fraud.
How to Spot It
- The IRS never initiates contact via email. This is their official policy. All initial IRS communications are sent by physical mail. If the IRS emails you, it is a scam.
- The IRS never requests personal information via email. They will never ask for SSNs, bank accounts, or credit card numbers via email.
- Check at IRS.gov directly. Use the "Where's My Refund" tool on the official IRS website to check your refund status.
Pattern 7: The Crypto Wallet Alert
The Pattern
Subject line: "Security Alert: Unauthorized access to your [MetaMask/Coinbase/Ledger] wallet" or "Action required: Verify your wallet to prevent suspension"
Body: Claims suspicious activity was detected on your cryptocurrency wallet or exchange account. Directs you to a fake website to "verify your wallet" by entering your seed phrase, private key, or exchange login credentials.
What happens: Entering your seed phrase gives the attacker complete control of your wallet. All funds are drained immediately. Unlike traditional banking, cryptocurrency transfers are irreversible -- there is no fraud department to call and no chargeback to initiate.
How to Spot It
- No legitimate service will ever ask for your seed phrase. Not MetaMask, not Coinbase, not Ledger, not any wallet or exchange. Your seed phrase should never be entered into any website.
- Hardware wallets do not send emails. Ledger and similar hardware wallets communicate only through their desktop applications, never via email asking for wallet verification.
- Access your exchange directly. Type the URL manually or use a bookmark. Check for any security alerts within your authenticated account.
Protect Your Crypto from Phishing Attacks
A hardware wallet keeps your private keys offline and immune to phishing. Even if you accidentally visit a phishing site, your hardware wallet will not sign a transaction without your physical confirmation.
Pattern 8: The Job Offer from HR
The Pattern
Subject line: "Job opportunity - Remote position available" or "Your resume has been selected"
Body: Claims your resume was found on a job board and you have been selected for a remote position with excellent pay. Asks you to fill out an "employment application" that collects personal information, or to click a link to schedule an interview.
What happens: Personal information is harvested for identity theft. Links may install malware. Some variants ask for upfront payment for training materials or background checks. See our complete guide to fake remote job scams for detailed analysis.
Pattern 9: The Cloud Storage Sharing
The Pattern
Subject line: "[Name] shared a document with you" or "You have a new file in Google Drive/OneDrive/Dropbox"
Body: Mimics a legitimate Google Drive, OneDrive, or Dropbox sharing notification. The "Open Document" button leads to a fake login page that captures your Google/Microsoft credentials.
What happens: Your cloud account is compromised, giving attackers access to all your stored files, contacts, and connected services. For Google accounts, this can include Gmail, Google Drive, Google Photos, and any service using Google SSO.
How to Spot It
- Check who shared the document. Is it someone you know? Even if the name is familiar, verify by contacting them through a separate channel.
- Go to your cloud storage directly. Open drive.google.com or onedrive.live.com and check your "Shared with me" folder. If the document is real, it will appear there.
- Look at the sharing notification format. Compare it with previous legitimate sharing notifications. Fake ones often have subtle differences in formatting, sender address, or button styling.
Pattern 10: The AI-Generated Personalized Phish
The Pattern
Subject line: Varies -- highly personalized based on your recent activity, interests, or professional context
Body: AI-generated emails that reference your real colleagues, recent projects, industry events, or personal interests scraped from social media. The email is grammatically perfect, contextually appropriate, and nearly impossible to distinguish from legitimate communication.
What happens: These hyper-personalized attacks have dramatically higher success rates because they bypass the mental shortcuts we use to identify generic phishing. The attacker uses AI to generate unique emails for each target, making each attack essentially bespoke.
How to Spot It
- Verify through another channel. For any email requesting action -- especially involving money, credentials, or sensitive data -- verify with the sender through a phone call, text, or in-person conversation.
- Check the email headers. Even perfect AI-generated content cannot fake email authentication headers (SPF, DKIM, DMARC). If these checks fail, the email is spoofed.
- Be suspicious of any unexpected request. The content may be perfectly written and highly relevant, but if you were not expecting the communication, treat it with caution.
- Use email security tools. Enterprise email security solutions that analyze behavioral patterns and authentication signals are more effective against AI phishing than content-based filters.
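Reading the authentication headers comes down to the Authentication-Results line your own mail server stamps on each message. The following is an added example, not code from the original article: it reads SPF, DKIM and DMARC results only from the trusted server's header (a sender can add a forged one of their own) and then checks that the authenticated domain is the one you expected, because a look-alike domain can pass all three checks. The server name mx.mycompany.example, the .example domains and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.mycompany.example"  # assumption: your own inbound mail server's id

# Constructed samples. In SPOOFED the second Authentication-Results header was
# written by the sender; only the one stamped by TRUSTED_AUTHSERV counts.
SPOOFED = """\
Authentication-Results: mx.mycompany.example; spf=fail smtp.mailfrom=acme.example;
 dkim=none; dmarc=fail header.from=acme.example
Authentication-Results: mail.sender.example; spf=pass; dkim=pass; dmarc=pass
From: "Pat (CEO)" <pat@acme.example>

Are you available?
"""
LOOKALIKE = """\
Authentication-Results: mx.mycompany.example; spf=pass smtp.mailfrom=acrne.example;
 dkim=pass header.d=acrne.example; dmarc=pass header.from=acrne.example
From: "Pat (CEO)" <pat@acrne.example>

Are you available?
"""

def auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the trusted server only."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        if (authserv.split() or [""])[0].lower() != trusted:
            continue  # header not added by our own server: ignore it
        for method, result in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", rest, re.I):
            results.setdefault(method.lower(), result.lower())
    return results

def check(raw, expected_domain):
    """Classify a raw message against the domain the sender is supposed to use."""
    msg = message_from_string(raw)
    results = auth_results(msg)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if results.get("dmarc") != "pass":
        return "unauthenticated", from_domain
    if from_domain != expected_domain:
        return "authenticated-wrong-domain", from_domain
    return "authenticated", from_domain

for sample in (SPOOFED, LOOKALIKE):
    print(check(sample, "acme.example"))
```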
What to Do If You Clicked a Phishing Link
If you have clicked a phishing link or entered credentials on a suspicious page, act immediately. Speed matters -- the sooner you respond, the better your chances of limiting damage.
1. Disconnect from the internet. If you suspect malware was downloaded, disconnect your device from WiFi and cellular data to prevent data exfiltration.
2. Change your passwords immediately. If you entered credentials, change the password for that account from a different, clean device. Use a password generator to create a strong, unique replacement.
3. Enable or update 2FA. Set up two-factor authentication using an authenticator app (not SMS) on any compromised account.
4. Check for unauthorized access. Review recent account activity, login history, and connected devices. Remove any sessions or devices you do not recognize.
5. Scan your device for malware. Run a full system scan with updated antivirus/anti-malware software.
6. Notify your bank. If you entered financial information, contact your bank immediately to freeze your card and monitor for unauthorized transactions.
7. Monitor your credit. Place a fraud alert on your credit file with Equifax, Experian, or TransUnion.
8. Report the phishing. Forward phishing emails to reportphishing@apwg.org and report to the FTC at ReportFraud.ftc.gov. Report to scam.ink to help others.
Complete Protection Guide
- Never click email links to access accounts. Type URLs directly or use bookmarks. This single habit prevents most phishing attacks.
- Use a password manager. Password managers autofill credentials only on legitimate domains. If the password manager does not offer to fill your credentials, you may be on a phishing site.
- Enable 2FA on every account. Use authenticator apps or hardware security keys. Even if your password is phished, 2FA provides a second barrier.
- Use unique passwords everywhere. Generate them with a password generator. If one account is compromised, the breach is contained.
- Verify unexpected communications. Call the sender through a known number. Do not use contact information provided in the suspicious email.
- Keep software updated. Browser and OS updates include security patches that block known phishing techniques and malware.
- Use email filtering. Enable spam and phishing filters in your email client. Gmail, Outlook, and most providers have built-in protection.
- Check email authentication. Learn to read email headers for SPF, DKIM, and DMARC pass/fail indicators.
- Report phishing emails. Reporting helps email providers improve their filters and protects other users.
- Protect crypto with hardware wallets. Use a Ledger hardware wallet to keep your keys offline and immune to phishing-based theft.
Resources
- scam.ink -- Search our scam database and report phishing emails to protect the community.
- scam.wiki -- Comprehensive encyclopedia of scam types and prevention strategies.
- AI Scams & Deepfakes -- How AI powers the next generation of phishing attacks.
- AI Voice Clone Scams -- When phishing extends to phone calls with cloned voices.
- Password Security Guide -- Build an unbreakable password strategy.
- Fake Remote Job Scams -- Phishing that targets job seekers specifically.
- spunk.codes -- 290+ free security tools including password generators and privacy utilities.
Stay Ahead of Phishing Attacks
Bookmark scam.ink to check suspicious emails. Use hardware wallets and strong passwords to minimize damage if you are ever compromised.
"The best phishing email you will ever see is the one you almost fall for. Slow down. Verify. Never click links in emails to access sensitive accounts." -- @SpunkArt13