The conventional advice — "look for typos," "check the grammar," "be suspicious of foreign senders" — was calibrated for a previous era of phishing. In 2025–2026, generative AI ensures that phishing emails are grammatically perfect, tonally accurate, and formatted to match exactly the brand they are impersonating. The old tells are dead.
What remains are structural and behavioral tells — things about the situation and the request that reveal the scam regardless of how polished the email looks.
A Real Example, Annotated
Dear Customer,
Your Netflix account has been temporarily suspended due to a billing issue. Please update your payment information within 24 hours to avoid permanent suspension.
[Update Payment Method]
Netflix Support Team
Three tells in under 10 seconds: the sender domain spells the brand as "netfliix", with a doubled letter; the subject line creates urgency; and the 24-hour deadline is manufactured pressure meant to prevent careful examination.
The 7 Tells That Still Work
The URL double-take: In documented phishing cases, victims describe a consistent moment of realization — often 30 seconds after entering their credentials — when they notice the URL was subtly wrong. "wellsfarg0.com" instead of "wellsfargo.com." By then, the credentials are gone. The 10-second check is the one that changes the outcome.
SMS Phishing (Smishing): The Same Attack by Text
The link is not usps.com. The message does not know your name. There is no tracking number you actually recognize. The urgency ("held") drives clicks before those observations register.
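The URL double-take above and the smishing link in this section come down to one mechanical check: does the registrable domain of the link match the brand's real domain, once digit-for-letter swaps and one-character insertions are accounted for? As an added example that is not part of the original article, this Python script performs that check on the page's own sample hostnames; the brand allowlist and the homoglyph table are constructed assumptions, and the domain split deliberately ignores multi-part public suffixes such as co.uk.

```python
from urllib.parse import urlparse

# Constructed allowlist: real domains of the brands impersonated in this article.
KNOWN_BRANDS = ("netflix.com", "wellsfargo.com", "usps.com")

# Digit-for-letter swaps commonly seen in lookalike hostnames (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def hostname(url: str) -> str:
    """Extract the host from a URL; a scheme-less 'usps-x.net/held' is accepted too."""
    if "//" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").strip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'www.netflix.com' -> 'netflix.com'.
    Simplification: multi-part public suffixes (co.uk) are not handled."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is enough to catch 'netfliix' vs 'netflix'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str) -> str:
    """Return 'trusted', 'lookalike:<brand>' or 'unknown' for a link's host."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return "trusted"
    normalized_host = host.translate(HOMOGLYPHS)          # wellsfarg0 -> wellsfargo
    normalized_name = registrable_domain(normalized_host).split(".")[0]
    for brand in KNOWN_BRANDS:
        brand_name = brand.split(".")[0]
        # Brand name embedded anywhere in the host (netflix-billing.support,
        # netflix.com.evil.net) or one edit away from it (netfliix) is a lookalike.
        if brand_name in normalized_host or edit_distance(normalized_name, brand_name) <= 1:
            return f"lookalike:{brand}"
    return "unknown"
```

Run against a link before following it: anything other than "trusted" is the cue to close the message and type the brand's address yourself.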
The Universal Defense
Do not use the links in the communication. Go directly to the official website yourself.
If you receive an email claiming your Netflix account has a billing issue, open a new browser tab, type netflix.com, log in, and check your account directly. If there is a real issue, it will appear there. Legitimate companies survive you typing their URL yourself. Phishing links do not.
If You Have Already Clicked
- Change the password for the affected account immediately — on the real website
- Enable two-factor authentication if not already active
- Check for any account changes (email, phone, payment method) and reverse them
- If you entered financial credentials, contact your bank's fraud department
- Run a malware scan if you opened an attachment
- Report the phishing email to the company being impersonated and to the FTC at reportphishing.antiphishing.org
"In phishing, it's often 30 seconds after entering credentials when the victim notices the URL was 'wellsfarg0.com' instead of 'wellsfargo.com.'"
— Fraud Investigation Report, Behavioral Psychology Division