Phishing 2026: 7 Red Flags Your Team Should Spot in Under 5 Seconds

Phishing has evolved. AI-generated emails are now grammatically perfect, deepfake voicemails sound like your CEO, and QR codes bypass email security gateways entirely. Your team has 5 seconds before the click. Here are the 7 red flags to train them to spot.

1. Urgency that overrides process. "Wire this today," "Approve before EOD," "Account locked in 1 hour." Any message that pressures someone to skip a normal workflow is the #1 attacker tactic. Real executives rarely demand same-hour wire transfers.

2. Mismatched sender domain. Hover over the sender. An address like ceoname@longswordsec-urity.com, with an extra hyphen in the domain, is the tell. Lookalike domains are responsible for the majority of Business Email Compromise losses.

3. Unexpected MFA prompt. If a push notification arrives and you didn't just log in somewhere, it's an attacker testing stolen credentials. Always deny and report — never approve to make it stop.

4. QR codes in emails. Quishing (QR phishing) skips email link scanning entirely. Treat any QR code in an email as suspicious unless you're expecting it from a known internal sender.

5. Voice or video that asks for action. Deepfake audio and video can clone an executive from a sample under 30 seconds long. Any voice or video request involving money, credentials, or data should be verified through a second channel — a known phone number or in person.

6. Generic links and shortened URLs. bit.ly, tinyurl, and "click here" buttons that don't show a destination on hover are red flags. Real vendors typically link directly to their full domain.

7. Off-brand attachments. An invoice from a vendor you've never used, a DocuSign you didn't request, or a voicemail .htm file? When in doubt, don't open. Forward to IT or your security partner first.
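
Red flag 2 can also be checked automatically before a message reaches an inbox. The following Python is an added example, not part of the original article; the allowlist entry (the article's example domain without the extra hyphen), the character-swap table, and the distance threshold of 2 are assumptions.

```python
from email.utils import parseaddr

# Assumption: allowlist of domains you really exchange mail with. The entry is
# the article's example domain with the extra hyphen removed.
TRUSTED_DOMAINS = {"longswordsecurity.com"}

# Constructed, non-exhaustive table of digit-for-letter swaps.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Reduce a domain to a form in which common lookalike tricks vanish."""
    return domain.lower().replace("-", "").replace("rn", "m").translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike:<imitated domain>' or 'unknown'."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.lower().rpartition("@")
    if not at or not domain:
        return "unknown"  # no parseable address in the header
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return "lookalike:" + good
    return "unknown"


if __name__ == "__main__":
    # Constructed From headers; the first is the address from red flag 2.
    for header in ("CEO Name <ceoname@longswordsec-urity.com>",
                   "ceoname@longswordsecurity.com",
                   "Billing <billing@l0ngswordsecurity.com>",
                   "news@example.org"):
        print(f"{classify_sender(header):35} {header}")
```

A `lookalike` result is a reason to hold the message for review, not proof of fraud: a legitimate domain that differs from an allowlisted one by one or two characters will match too.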

The 5-second rule: Before clicking, ask — was I expecting this, does the sender match, and is anything pressuring me to act now? If any answer is uncertain, pause and verify. Want a phishing simulation tailored to your team? Longsword Security runs quarterly tests with role-specific lures and trackable click rates.

Authored by Cody West, Owner and Cybersecurity Manager at Longsword

Cody is a father, husband, man of God, and home project destroyer. With one boy, and almost three girls, he leads a busy life. Starting Longsword to help protect small businesses from evil-doers, he writes these blogs and even this “About the author” to help drive traffic to the company’s website and hopefully help someone along the way. With a passion for people and a deep-rooted desire to keep bad people from doing bad things to good people, he spends a great deal of his time worrying about people he has never met.
