
The End of "Look for Bad Grammar": Why Phishing Emails in 2026 Are Almost Impossible to Spot

For two decades, the standard advice on phishing was the same. Watch for bad spelling, awkward English, a strange greeting, an implausible story. Train people to notice the tells, add a decent spam filter, and most scams stopped at the door. That advice is now out of date, and continuing to rely on it is one of the more dangerous habits a business can keep.

The reason is generative AI. The same tools that help your staff write a tidy email also let scammers produce flawless, personalised messages in seconds. The grammar mistakes that gave the game away have gone, and the emails arriving now are polished, specific, and written in the kind of natural British English that no longer raises an eyebrow. This article explains what changed, why the old checklist fails, and what to look for instead.



Why Does "Look for Bad Grammar" No Longer Work?

Because the thing it relied on no longer exists. Older phishing emails were often written by people working in a second or third language, churning out generic messages at volume. The errors were a by-product of that, and spotting them was a reasonable defence. AI has removed the errors entirely. As security researchers put it, the grammar-error tell, one of the most reliable signals employees were ever taught, has simply stopped working.


The shift shows up in how employees themselves now rank the warning signs. Recent KnowBe4 research found poor spelling or grammar has dropped to around 20% as a concern, unknown sender addresses sit at 23%, and the signal employees now rate highest, at 34%, is pressure to act quickly. The red flags have moved from how an email is written to what it asks you to do.


How Are Scammers Making Phishing Emails So Convincing?

Two things combined. The first is fluency. The FBI has warned that criminals are using AI to run highly targeted phishing campaigns, producing messages tailored to each recipient with perfect grammar and tone. The cost of writing a convincing email has collapsed. A quality spear-phishing email once took something like 16 hours of human effort to craft; generative AI removed that limit, producing the same standard in seconds.


The second is personalisation, and this is the part that should worry you most. Attackers scrape public sources, your LinkedIn profile above all, to build a picture of you before they write a word. They pull details from LinkedIn, company websites and social media to create messages that reference your real role and projects, and tools can replicate the exact tone and phrasing of your boss, a colleague or a trusted supplier. The result is an email that mentions your job title, nods to a post you put up last week, names a real teammate, and asks for something that fits your actual work. It does not look like spam, because it has none of the qualities of spam.


How Much More Convincing Are These Emails?

Convincing enough that most workers have noticed the change themselves. In a 2026 survey, 72% of workers said phishing attempts are more convincing than a year ago because of AI-written language, and 66% said an AI-generated message could plausibly impersonate someone they work with. The effect on success rates is sharp. In testing, AI-generated phishing reached a 54% click-through rate against 12% for traditional campaigns, and the volume has exploded alongside the quality. The uncomfortable conclusion is that these messages now routinely beat both trained readers and the filters built to catch the old style.


What Should You Look For Now?

Since you can no longer judge an email by how it reads, you have to judge it by what it asks and how it arrives. The new signals are about behaviour and context, not language. These are the ones worth drilling into yourself and your team:


  • Unexpected urgency. Almost every scam now leans on pressure: pay this today, the account closes in an hour, the boss needs it before the meeting. Real urgency exists, but a message engineering panic and discouraging you from checking is the single most reliable warning sign left.

  • Changes to payment details. Any email that asks you to update bank details, redirect an invoice, or send money to a new account deserves outright suspicion. This is how the most expensive frauds work, and it should never be actioned on the strength of an email alone.

  • Mismatched or lookalike sender domains. Read the actual email address, not the display name. Attackers use addresses that are a character off, or a different domain dressed up to look familiar. The display name can say anything; the domain is harder to fake convincingly.

  • Requests that skip the normal process. A message asking you to bypass the usual sign-off, keep something quiet, or handle it outside the standard channel is using your helpfulness against you. Genuine requests rarely need you to break the rules.


Notice that none of these depend on bad English. They depend on the request itself looking off, which is the only ground left to stand on.
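The lookalike-domain check from the list above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article; the trusted-domain list, the confusable-character map and the sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumption: domains your organisation really exchanges mail with (constructed).
TRUSTED_DOMAINS = {"yourcompany.example", "acme-supplies.example"}

# Small illustrative map of characters swapped to imitate another.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def fold(domain: str) -> str:
    """Collapse common look-alike characters so 'supp1ies' == 'supplies'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> list[str]:
    """Return findings for a From header; an empty list means nothing flagged."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    # The display name shows an address on a different domain from the real one.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != domain:
        findings.append(f"display name shows {shown.group(1)}, mail is from {domain}")
    # The real domain is a near miss of one we trust.
    for trusted in sorted(TRUSTED_DOMAINS):
        if fold(domain) == fold(trusted) or edit_distance(domain, trusted) <= 2:
            findings.append(f"{domain} resembles trusted domain {trusted}")
    return findings
```

An edit-distance threshold of 2 suits longer domains; for very short trusted domains, lower it to avoid flagging unrelated senders.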


Why Is "Verify Through a Second Channel" the New Golden Rule?

If there is one habit to build, it is this. When an email asks you to move money, change payment details, or hand over credentials, confirm it through a different channel before you act. Phone the person on a number you already have, not one in the email. Message them on your internal chat. Walk to their desk. The point is to use a route the attacker does not control.


This works because it sidesteps the whole problem. The realistic defence now is to accept that detection will fail some of the time and build verification into your processes, so that even a convincing fake cannot move money or credentials without a human confirming through a second channel. An email can be perfect in every way and still fall apart the moment you ring the supposed sender and they have no idea what you are talking about. Out-of-band verification turns a judgement call about an email into a quick factual check, and it is the most reliable protection a business has left.


What Can Businesses Do Beyond Training Staff?

Training still matters, but it needs updating to teach the new signals rather than the dead ones, and it should include examples of realistic AI-written phishing so people meet it in a safe setting first. Beyond that, the strongest moves are about process and technology working together.


On process, make second-channel verification a written rule for anything involving money or access, so following it is the expected behaviour rather than an awkward exception. On technology, modern email checks that verify the sending infrastructure, not just the words, are more useful now than ever, because an AI-written email with perfect prose but unauthorised sending infrastructure fails authentication just as reliably as a clumsy one. None of this is foolproof, though, and the sensible mindset is to assume one will eventually get through. That makes your ability to contain and recover from an incident just as important as your ability to block it, which is why the conversation about phishing leads naturally into one about resilience.
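The infrastructure checks described above are normally SPF, DKIM and DMARC (the article does not name them), and a receiving server records their outcome in an Authentication-Results header. The following is an added example, not code from the original article, that reads that header and trusts it only when your own server wrote it; the authserv-id and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id your own receiving mail server stamps (constructed).
OUR_AUTHSERV_ID = "mx.yourcompany.example"

# Constructed sample: flawless prose, sent from infrastructure that is not
# authorised for the domain shown in From.
RAW = """\
Authentication-Results: mx.yourcompany.example;
 spf=fail smtp.mailfrom=acme-supplies.example;
 dkim=none; dmarc=fail header.from=acme-supplies.example
From: Accounts <accounts@acme-supplies.example>
Subject: Updated bank details for invoice 4471

Please use the new account for this month's payment.
"""

def auth_verdict(raw: str) -> dict:
    """Summarise SPF/DKIM/DMARC results recorded by our own mail server."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        # A sender can add this header too, so ignore any copy that does
        # not carry our own server's identifier.
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, result.lower())
    # DMARC passes only if SPF or DKIM passed for a domain aligned with From.
    return {
        "from_domain": from_domain,
        "results": results,
        "authenticated": results.get("dmarc") == "pass",
    }
```

A result of `authenticated: False` on a payment-change request is a reason to quarantine or to require the second-channel check before anyone acts; a pass only proves the sending domain, so a lookalike domain with valid records still passes.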


The Bottom Line

The old game was about reading an email well. The new game is about checking before you act, no matter how good the email looks. Scammers have taken away the easy tells, so the defence has shifted from your eye for a typo to your discipline around urgency, money and verification. Treat any message that pressures you to move fast on something sensitive as suspect until you have confirmed it another way. That single habit will protect you against the great majority of what is now landing in inboxes, polished, personal and almost impossible to spot on sight.


© 2026 SystemsCloud Group Ltd.
