We at vali.now regularly analyze current phishing campaigns and support organizations in building effective detection capabilities. Phishing remains the most common initial access vector in 2026.

Attackers now frequently use AI to produce grammatically perfect messages, so older tell-tale signs such as spelling mistakes are becoming less reliable. Below, we outline the most relevant detection criteria that still work effectively today.

Core Detection Criteria

  1. Sender address and display name mismatch
    Hover over (or tap and hold) the sender name. Compare the real email address with the expected domain.
    Common tricks: look-alike domains (e.g. micr0soft.com, amaz0n-de.com), extra characters, or free email providers (gmail.com / outlook.com) pretending to be corporate senders.
    Legitimate internal or vendor emails rarely come from free webmail services.
  2. Reply-to address differs from From address
    Many phishing emails set a forged “From” address but use a different “Reply-To”. Check both fields – this remains one of the strongest technical indicators.
  3. Urgent, threatening, or emotionally charged language
    Phrases such as:
    • “Immediate account suspension”
    • “Final warning – action required in 24 hours.”
    • “Confidential – do not forward.”
    • “Your manager / CEO requests this urgently.”
    Legitimate organizations rarely create artificial panic in email communication.
  4. Unexpected requests for credentials, MFA approval, payment data, or remote access
    Real IT departments, banks, HR, or payment providers rarely ask you to:
    • Enter passwords via email links
    • Approve unusual MFA push notifications without context
    • Provide sensitive data outside established channels
    • Install software or grant remote access unexpectedly
  5. Suspicious links – always verify the destination
    • Hover over (do not click) to see the real target URL
    • Look for typosquatting, subdomains (login-mycompany.godaddy Phishing sites), URL shorteners without clear context
    • Many campaigns use legitimate services (open redirects, compromised SharePoint / OneDrive links) – context matters more than the domain alone
  6. Unexpected or unusual attachments
    Common malicious extensions in current campaigns: .iso, .js, .zip containing .lnk / .scr, HTML smuggling files. Even .docx / .pdf can contain malicious macros or exploits – treat unexpected documents with high caution.
  7. Generic greetings in supposedly personal messages
    “Dear Customer”, “Dear User”, “To Whom It May Concern” in messages claiming to come from your direct manager, colleague, or known contact.
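
Criteria 1 and 2 can also be checked mechanically on the raw message headers. The following Python sketch is an added example, not a vali.now tool: the list of expected brand domains, the digit-swap table and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example: the brands you expect mail from, and
# free webmail providers. Extend both lists for real use.
EXPECTED_DOMAINS = {"microsoft.com", "amazon.de"}
FREE_WEBMAIL = {"gmail.com", "outlook.com"}
DIGIT_SWAPS = str.maketrans("0135", "oles")  # 0->o, 1->l, 3->e, 5->s


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent/invalid."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def lookalike_of(domain):
    """Return the expected domain that `domain` imitates, else None."""
    for good in EXPECTED_DOMAINS:
        if domain == good or domain.endswith("." + good):
            return None  # the real domain or one of its subdomains
    labels = re.split(r"[.-]", domain.translate(DIGIT_SWAPS))
    for good in EXPECTED_DOMAINS:
        if good.split(".")[0] in labels:  # brand label reused elsewhere
            return good
    return None


def analyze(raw_message):
    """Return header findings for criteria 1 and 2."""
    msg = message_from_string(raw_message)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append("lookalike:" + imitated)
    brands = [d.split(".")[0] for d in EXPECTED_DOMAINS]
    if from_dom in FREE_WEBMAIL and any(b in display for b in brands):
        findings.append("webmail-claims-brand")
    return findings


# Constructed sample message (not from a real campaign).
SAMPLE = ('From: "Microsoft Account Team" <security@micr0soft.com>\n'
          "Reply-To: helpdesk@example.net\nSubject: Action required\n\nHi\n")
print(analyze(SAMPLE))
```

A Reply-To on a different domain is not always malicious (mailing lists and ticketing systems do it too), so treat each finding as a reason to verify the sender, not as a verdict.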

Modern Developments – What Has Changed Recently

AI-generated emails often contain:

  • Perfect grammar and spelling
  • Realistic tone and formatting that matches previous legitimate communication
  • Hyper-personalization pulled from public sources (social media, data leaks, company websites)

This means you must place greater weight on context and expectation:

  • Were you expecting this message?
  • Do the timing and content make business sense?
  • Would this normally come through email instead of an internal ticket, a phone call, or another verified channel?

Quick Decision Checklist

Ask yourself these four questions before clicking or replying:

  1. Do I know/expect the sender and the exact content?
  2. Does the sender address match the claimed organization 100 %?
  3. Is the message free of urgency/threat language?
  4. Does the link/attachment lead to a sensible destination/file type?

If any answer is “no” or “unsure” → pause.

Recommended Actions When in Doubt

  • Do not click links or open attachments
  • Open a new browser tab and navigate manually to the official site (e.g., office.com, banking portal)
  • Contact the supposed sender via a known phone number or internal chat – never reply to the suspicious email
  • Forward to your security team or report via your email provider’s phishing button
  • Use multi-layered protection: strong email filtering + phishing-resistant MFA (FIDO2/WebAuthn) + endpoint detection

More research has to be done on the long-term effectiveness of certain AI-based detection tools against the newest generation of agentic phishing kits, but the human verification steps listed above remain among the most reliable controls available today.

If in Doubt: vali.now

Your best defense is healthy skepticism. If something seems just a little off or a bit too good to be true, it probably is. Your best option is to forward the details to help@vali.now. Our cybersecurity professionals have been recognizing and fighting off such attacks for decades. Your first case (up to one hour of research) on our side is free, with affordable rates after that. You’ve got nothing to lose, and you might just prevent catastrophic losses by reaching out.

Stay vigilant – phishing effectiveness still depends heavily on bypassing the first line of defense: the recipient.
