How to spot a phishing email (and website) in 2026
Phishing is the #1 way attackers steal money and accounts. The good news: every phishing message gives itself away if you know what to look for. Here are the seven signals that work in 2026 — plus what to do if you already clicked.
7 red flags that mean phishing
1. Check the sender's email domain — not the display name
Phishing emails fake the display name ("PayPal Support") but the actual address is always something off (paypa1-help@gmail.com, support@paypal-billing.net). Hover or tap-and-hold to see the real address before doing anything.
2. Look for urgency or fear language
"Your account will be closed in 24 hours", "Suspicious login from Russia", "Last chance to claim your refund". Real companies do not threaten you. Urgency exists to stop you from thinking.
3. Hover every link before clicking — match the visible domain
A link can say www.netflix.com but point anywhere. Hover (or long-press on mobile) and check the URL that appears. If it does not exactly match the brand's real domain — including the suffix — do not click. When in doubt, paste the URL into the GACS website checker.
4. Watch for requests for seed phrases, passwords, or one-time codes
No legitimate company — bank, exchange, wallet, government, or support team — will ever ask for your password, seed phrase, or 2FA code. If an email or chat asks for any of these, it is a scam, full stop.
5. Be suspicious of unexpected attachments
Invoice you did not request, shipping label for a package you did not order, "contract" from a recruiter you never spoke to. PDF and .doc attachments can carry malware. Open in a preview tool, not your normal application.
6. Cross-check with the company directly
If the email says your bank, exchange, or service has a problem, do not click the email's link. Open a new tab, type the URL yourself, and log in. Any real notice will be waiting in your account dashboard.
7. Run the URL through a website checker before entering anything
Even after all the above, paste the link into the free GACS website checker. It cross-references 12,000+ confirmed scam sites and live community reports — catching freshly-spun-up phishing pages that browser warnings have not seen yet.
Already clicked? Read this.
- Close the tab. Don't enter anything else on the page.
- If you entered a password, change it on the real site immediately — and everywhere else you reused it.
- If you signed a wallet transaction or shared a seed phrase, follow the 15-minute panic guide.
- Report the URL at /report so the next person doesn't fall for it.
FAQ
What is phishing in simple terms?
Phishing is when an attacker pretends to be a trusted person or company — your bank, your boss, a delivery service, a friend — to trick you into giving up a password, seed phrase, credit card, or money. It usually arrives by email or SMS but increasingly by chat (WhatsApp, Telegram, LinkedIn DM) and even phone call.
What is the easiest way to spot a phishing email?
Look at the actual sender address (not the display name) and hover over every link to see where it really points. If either looks even slightly off — a misspelled domain, a sub-domain you don't recognize, a .net instead of .com — assume it is phishing and delete it.
What should I do if I already clicked a phishing link?
If you only clicked but did not enter anything, close the tab and clear your browser cookies. If you entered a password, change it immediately on the real site and on every other site where you reused it. If you entered crypto credentials or signed a wallet transaction, follow the GACS panic guide at /panic-guide — speed matters in the first 15 minutes.
Are phishing texts (smishing) really a thing?
Yes — phishing over SMS ("smishing") is now more common than email phishing in the US. Same rules apply: do not click the link, do not call the number. If a delivery, bank, or government text feels off, open the company's real app instead.
How are crypto phishing scams different?
Crypto phishing often skips the email step entirely — the attacker DMs you on Discord, X, or Telegram with a link to a fake "airdrop", "support form", or "wallet recovery" page. The page asks you to connect a wallet or paste your seed phrase. Treat any wallet-connect prompt from a link in a DM as a scam by default.
Will antivirus software catch phishing?
Partially. Browser anti-phishing lists (Google Safe Browsing, Microsoft SmartScreen) catch known bad URLs, but the average phishing page lives less than 24 hours — too short for those lists to react. Community-driven checkers like GACS catch fresh sites much faster.
Check any link in 5 seconds.
When in doubt, paste the URL into the free GACS website checker before you click.
Cite this page
GACS. (2026). How to Spot a Phishing Email (and Website) in 2026. GACS — Global Anti-Crypto-Scam. Retrieved June 6, 2026, from https://gacs.app/how-to-spot-phishing
