💡 Phishing email: A fraudulent message designed to trick you into revealing sensitive information like passwords, credit card numbers, or account credentials. Scammers impersonate banks, companies, or people you know to make the email look legitimate.
Someone sends you an email that looks like it's from your bank. Subject line: "Urgent: Suspicious activity on your account." The email includes your bank's logo, uses their colors, and tells you to click a link to verify your identity immediately. You click, land on what looks exactly like your bank's login page, enter your username and password, and boom. You just handed your credentials to a scammer.
That's phishing. The email isn't actually from your bank. The login page is fake. The scammer now has your password and can drain your account.
These attacks work because they exploit urgency and trust. "Your account will be suspended in 24 hours." "We detected unusual activity." "Confirm your identity now or lose access." They pressure you into acting fast without thinking. And they're getting sophisticated. Modern phishing emails often have perfect grammar, legitimate-looking sender addresses, and convincing branding. The days of obvious "Nigerian prince" scams are mostly over.
Urgent or threatening language is the first giveaway. Legitimate companies don't threaten to close your account if you don't respond within hours. Scammers create artificial urgency to bypass your skepticism.
Look closely at the sender address. "support@amaz0n.com" (with a zero) isn't Amazon. "accounts@paypa1.com" (with the number one) isn't PayPal. Hover over the sender name to see the actual email address. Better yet, check the email header information.
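The sender check described above can be automated. The sketch below is an added example, not code from this page or from any mail client; the `BRANDS` table and the `classify_sender` helper are hypothetical names, and the sample headers are constructed.

```python
from email.utils import parseaddr

# Assumption: brands this mailbox really deals with and their true domains.
BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com"}

# Digits commonly swapped in for the letters they resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Map look-alike digits back to letters so 'amaz0n.com' == 'amazon.com'."""
    return domain.lower().translate(CONFUSABLES)


def classify_sender(from_header):
    """Classify a From header by its real address, not its display name."""
    name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain in BRANDS.values():
        # Only means the domain is spelled correctly; the header can still be
        # spoofed unless the message also passes SPF/DKIM/DMARC.
        return "known domain"
    for real in BRANDS.values():
        if skeleton(domain) == real:
            return f"lookalike of {real}"
    for brand in BRANDS:
        if brand in name.lower():
            return f"display name says {brand}, address is at {domain}"
    return "unknown"


# Constructed From headers; the two look-alike addresses come from the text above.
SAMPLES = [
    "Amazon <support@amaz0n.com>",
    "accounts@paypa1.com",
    "PayPal <service@paypal.com>",
    "PayPal Billing <notice@mail.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header:40} -> {classify_sender(header)}")
```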
Generic greetings like "Dear Customer" or "Dear User" instead of your actual name suggest mass phishing. Though some sophisticated attacks do use your real name, so this alone isn't definitive.
Watch for unexpected attachments or links. Your bank isn't going to send you an invoice as a ZIP file. Your coworker probably didn't send you a random PDF document if you weren't expecting it. When in doubt, contact the supposed sender through a different channel before opening anything.
No legitimate company will ever email you asking for your password, Social Security number, credit card details, or two-factor authentication codes. Never. If an email asks for this stuff, it's fake.
Poor grammar or formatting is less reliable now, but lots of phishing emails still have weird phrasing or awkward translations. Professional companies proofread their emails.
Hover over links before clicking (don't click, just hover). If the URL shown doesn't match where the link claims to go, it's phishing. A link that says "mybank.com" but actually points to "mybank-verify-login-2024.ru" is obviously fake.
Some phishing is targeted, some is spray-and-pray.
Spear phishing hits specific people with personalized info. Scammers research you on LinkedIn, find your coworkers, maybe notice you just started a new job. Then they craft messages that feel eerily accurate. Way more convincing than generic blasts.
Then there's whaling. That's when they go after executives. Someone impersonates the CEO and emails finance requesting an urgent wire transfer. These attacks cost companies millions because executives have access to serious money.
Clone phishing is sneakier. They take a legitimate email you got before (maybe a receipt or notification), copy it, swap the links for malicious ones, and resend it. You recognize it because you got the real version last week, so you trust it without thinking twice.
Vishing and smishing? Those aren't email, but they're related. Vishing is phone calls, smishing is texts. Same scam tactics, different channels.
This one was pretty clever. Scammers used Microsoft Power BI's actual notification feature to send phishing emails from real Microsoft addresses. You'd get a message claiming someone charged $400 to $700 to your PayPal account, with a phone number to call and "dispute" it.
Here's where it got nasty: when you called, the person on the other end claimed they were from Microsoft. They'd walk you through installing remote access software to "fix the problem." That gave them complete control of your computer. PCWorld documented the full attack in early 2026.
The emails looked legitimate because they were legitimate, just abused. That's what made this one work.
Tycoon 2FA was basically phishing-as-a-service. Pay a subscription, get access to a platform that could send convincing phishing emails that bypassed two-factor authentication. At its peak, it was hitting over 500,000 organizations monthly with tens of millions of messages.
Healthcare and education got hammered the worst. More than 100 Health-ISAC members were phished, causing real operational problems (delayed patient care in New York hospitals, disrupted schools). Microsoft tracked 96,000 distinct victims worldwide before law enforcement took it down in March 2026.
By mid-2025, Tycoon was responsible for 62% of all phishing attempts Microsoft blocked. In one month alone, they stopped more than 30 million emails from this single platform. That's how industrial-scale phishing works now.
You know those "I'm not a robot" CAPTCHA checks? Attackers figured out how to fake them. You'd land on what looks like a legitimate verification page, but instead of clicking boxes, you're tricked into copying and running malicious PowerShell commands on your computer.
The Hacker News reported that roughly 147,500 systems got infected between late August 2025 and early 2026. Recent campaigns targeted social media creators by claiming they're eligible for verified badges. Victims would watch instructional videos showing them how to copy "authentication tokens" from their browser cookies, which actually installed remote monitoring software.
In 2025, 30% of these attacks used fake verification prompts to install remote access tools. The success rate? High enough that attackers kept using the same playbook.
Why does this work? Because people are trained to complete CAPTCHAs without thinking. You see "verify you're human," you click through. That instinct is exactly what makes it dangerous.
Don't click anything. Don't open attachments. Don't follow links. Don't reply. Just delete it.
Report it: Most email clients have a "Report Phishing" button. Gmail, Outlook, and other providers use these reports to improve their spam filters and protect other users.
Verify independently: If the email claims to be from your bank, close the email and log into your bank directly through their website or app. Don't use links from the suspicious email. If everything's fine in your actual account, the email was fake.
Check with the sender: If the phishing email claims to be from someone you know, contact them through a different method (call them, text them, Slack them). Don't reply to the suspicious email itself.
Change your passwords immediately, especially if you entered credentials on a fake site. Enable two-factor authentication if you haven't already. Monitor your accounts for unauthorized activity. If you entered credit card info, contact your bank to cancel the card.
If you control a domain, implement SPF, DKIM, and DMARC to prevent scammers from spoofing your email address to others. While this won't protect you from receiving phishing attempts, it protects others from phishing attacks that impersonate you.
Enable two-factor authentication everywhere possible.
Even if someone steals your password through phishing, they can't access your account without the second factor, making you a significantly harder target. Stay skeptical of unexpected emails, especially urgent requests involving money or credentials. When something feels off, it usually is—trust your instincts.
Keep your software updated.
Modern browsers and email clients have built-in phishing detection that improves with each update, so staying current helps you benefit from the latest security features. If you're responsible for a company, run phishing simulations regularly. Employees are often the weakest link in security, and education through realistic testing helps them recognize and avoid real attacks.
Consider using a password manager.
These tools autofill passwords only on legitimate sites, which means if your password manager doesn't autofill on what looks like your bank's site, that's a red flag that the site is fake. This extra layer of verification can catch phishing attempts that might otherwise fool you.
Disable loading remote images.
In some email clients like Spark Desktop, you can even disable loading remote images for further protection: Open Spark Desktop Settings > General > Load remote images > Disable the toggle.