Top 10 phishing email examples in 2026

Every year someone publishes a "Top 10 phishing emails" list with screenshots of the actual messages, and every year that list quietly becomes a copy-paste manual for whoever needed one. We're not going to do that. What follows is the ten lure categories that drove the most clicks across simulated and real phishing reporting in 2026 - what each one looks like, why it works and what employees should be trained to spot. The body copy stays in our customers' campaigns; the recognition cues stay public.

The order is rough volume-weighted across reporting from the Verizon DBIR, the FBI IC3 annual Internet Crime Report, the Anti-Phishing Working Group (APWG), CISA advisories and ongoing coverage from Krebs on Security. The categories are stable year over year; the polish keeps improving.

1. Microsoft 365 password expiry

The dominant lure of the last five years and still on top in 2026. A spoofed Microsoft notification telling the user their password expires in 24 hours, with a "Keep current password" or "Verify now" button that lands on a pixel-perfect Office login clone. Recognition cues: the sender domain is never microsoft.com; real password expiries surface inside the OS or browser, not as an external email; and the destination URL almost always contains a hyphenated lookalike or a host-prefix trick.

2. DocuSign signature request

"You have a document waiting for signature" with the DocuSign envelope styling, a recipient name and a "Review document" call to action. Why it works: legitimate DocuSign emails are routine in finance, legal and HR - the user's pattern recognition fires the wrong way. Recognition cues: real DocuSign envelopes come from dse_NA1@docusign.net (or the regional equivalent) and the link domain is docusign.net. Anything else, including docusign-secure[.]com or third-party domains, is suspect.

3. PayPal account hold or unusual activity

The classic financial-pretext lure repackaged: an alert that the user's PayPal account has been "limited" or shows "unusual sign-in activity," with a link to resolve it. Why it works: consumer brand mixed with professional inbox; the user reflexively wants to confirm. Recognition cues: PayPal addresses you by full name in real notifications, not "Dear Customer"; legitimate links go to paypal.com directly; account holds are resolved inside the PayPal app, never via inline email forms.

4. IT helpdesk MFA reset

An email purportedly from "IT Helpdesk" or "Identity Services" claiming the user's multi-factor authentication needs to be re-enrolled, often citing a recent "security incident." It's effective because users have been trained to respect security-team requests. Recognition cues: real IT teams generally do MFA enrollment in person, through a known portal or through the existing identity provider - not by clicking a link in an external email. The legitimate sender, when one exists, comes from the corporate domain, not a lookalike.

5. HR / W-2 / payroll update

A request - often spoofed to look internal - to "review your W-2," "update your direct deposit," or "verify payroll information." Highest-loss category in this list because it routes directly to a fraudulent bank account. Recognition cues: any change to direct deposit must run through the official HR system, not an email link; out-of-band callback verification ("call HR at the number in the directory") is the gold-standard control.

6. Courier / delivery exception

A package "delivery exception" or "address confirmation" from a UPS, FedEx, USPS or DHL impersonator. Drives heavy clicks because everyone is expecting at least one delivery at any given time. Recognition cues: the carriers don't typically resolve delivery exceptions via emailed link; they use carrier app notifications or a tracking-number lookup at ups.com, fedex.com, usps.com, or dhl.com. Any other domain is the lure.

7. Bank fraud alert

"We've detected unauthorized activity on your account - verify recent transactions." Classic urgency play, often paired with a partial card number ("ending in 4471") to feel legitimate. Recognition cues: banks do not link to login pages from fraud-alert emails; they direct you to call the number on the back of your card or to log in directly at the bank's known address. Inline verification flows in email are the tell.

8. Slack or Teams mention

A spoofed notification that "@you" was mentioned in a Slack channel or Teams chat, with a link to "view the message." 2026 is the year this category broke into the top 10 - it's effective because the volume of real Slack and Teams notifications conditions users to click without thinking. Recognition cues: real notifications open the desktop or mobile app via deep link; if the link drops you on a web login page asking for credentials, that's the attack. Slack and Teams session URLs are predictable; deviations should be inspected.

9. Zoom meeting reschedule

"Your scheduled meeting has been moved" or "Your host has updated the meeting link" with a Zoom-styled button to confirm. Recognition cues: real meeting changes propagate through the calendar invite, not as a separate Zoom email; legitimate Zoom links use zoom.us or your organization's Zoom subdomain, never a redirect through a third-party shortener.

10. Calendar invite

An ICS file or calendar invite with a malicious link in the location field or description, so the lure shows up as a meeting on the user's calendar even if they never opened the email. Recognition cues: calendar invites from unknown senders should be declined and reported, not clicked. Modern mail clients show the originating sender on every invite - verify it before accepting.
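The link-domain cues in items 1, 2, 6 and 9 (host-prefix trick, hyphenated lookalike, wrong registrable domain) and the calendar-invite cue in item 10 can be turned into a small triage check. The following is an added example written for this post, not Bait & Phish code; it assumes the legitimate domains listed in the cues above, a naive two-label registrable-domain rule (no co.uk-style TLDs), and a constructed sample invite on reserved .example domains.

```python
import re
from urllib.parse import urlparse

# Legitimate link domains named in the recognition cues above.
LEGIT_DOMAINS = {"microsoft.com", "docusign.net", "paypal.com", "ups.com",
                 "fedex.com", "usps.com", "dhl.com", "zoom.us"}
BRANDS = {d.split(".")[0] for d in LEGIT_DOMAINS}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: plain TLDs only, no co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_link(url: str) -> str:
    """Apply the cues above: legitimate domain, host-prefix trick,
    hyphenated/lookalike brand domain, or an unrelated domain."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    # Host-prefix trick: real domain used as a label prefix, e.g. zoom.us.verify-session.example
    if any(host.startswith(d + ".") or "." + d + "." in host for d in LEGIT_DOMAINS):
        return "host-prefix trick"
    # Lookalike: brand name at a label/word boundary inside a foreign registrable domain
    if any(re.search(rf"(?<![a-z]){b}", reg) for b in BRANDS):
        return "lookalike domain"
    return "unrelated domain"

def ics_links(ics_text: str) -> list[tuple[str, str, str]]:
    """Unfold RFC 5545 continuation lines, then pull every URL out of the
    LOCATION and DESCRIPTION properties and classify it."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    found = []
    for line in unfolded.splitlines():
        prop, _, value = line.partition(":")
        name = prop.split(";")[0].upper()
        if name in ("LOCATION", "DESCRIPTION"):
            found += [(name, u, classify_link(u)) for u in URL_RE.findall(value)]
    return found

# Constructed sample invite (not a real lure): the join link sits on a lookalike
# domain and the description mixes a host-prefix trick with the genuine domain.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
LOCATION:https://zoom-us-join.example/j/123456
DESCRIPTION:Your host has updated the meeting link. Join at
  https://zoom.us.verify-session.example/j/123456 or the original
  https://zoom.us/j/123456
END:VEVENT
END:VCALENDAR"""
```

Running ics_links(SAMPLE_ICS) flags the LOCATION link as a lookalike domain and the first DESCRIPTION link as a host-prefix trick, while the genuine zoom.us link passes; the brand-substring rule is a heuristic and will still want a human look at anything it labels.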

Why these ten and not others

Ranking lure categories isn't a science. The ten above are the ones that show up most consistently in three independent data sets: aggregated APWG industry reporting, FBI IC3 victim complaint categories and our own anonymized simulated-phishing click data across the customer base. Other lists rotate - "tax refund" rises and falls with the calendar, "vaccine appointment" was a top-three lure for two years and dropped off the chart, "election-themed" lures cluster in election cycles and disappear in the off-years. The ten above are the structural categories that re-fill with whatever brand or pretext the season offers.

Worth noting: lure-category dominance isn't the same as loss dominance. Microsoft 365 password expiry produces enormous click volume but relatively low individual-incident loss. HR / W-2 and BEC-flavored vendor invoice lures have lower click volumes but produce the seven-figure individual losses. A program designed against this list should weight cohort coverage accordingly - the highest-loss categories deserve more campaigns against the highest-risk cohorts even if their raw click rate is lower.

The categories that aren't on this list (and why)

Three categories deserve a mention because they're rising fast but didn't make the volume cutoff for 2026:

  • QR-code phishing (quishing): covered in our quishing post. Bypasses email gateway scanning by relocating the URL into an image.
  • AI-generated spear-phishing: not a category so much as a quality multiplier - see our AI-generated phishing post.
  • Deepfake voice phishing (vishing): covered in our deepfake vishing post.

How to use this list

If you run a phishing simulation program, the takeaway is straightforward: your template library should cover all ten of these categories at varied difficulty levels. A program that only sends Microsoft 365 password-expiry simulations is measuring resilience to one-tenth of the real attack surface. Bait & Phish's simulated phishing library spans every category above with templated content tuned to each tier of difficulty.

If you don't yet run a program, this list is also a useful gut-check for an all-hands awareness session: ten slides, ten lure types, ten recognition cues. Pair it with the five red flags piece for a defensible employee-facing curriculum.

What changes for 2027

Two predictions worth noting now so we can mark them next year. First, the line between phishing and BEC is blurring - the IT helpdesk and HR/W-2 categories are increasingly indistinguishable in their final-stage social engineering. Second, AI-generated content is making the recognition cue of "look for grammar errors" obsolete; we'll keep moving employee training toward verification habits (callback, out-of-band confirmation, hover-to-inspect) and away from copy-and-grammar pattern matching. The Verizon DBIR, FBI IC3, APWG, CISA and NIST will keep publishing the receipts.

Where Bait & Phish fits

Every category above maps to a difficulty-tiered template family in the Bait & Phish library. If you'd like to test your team against the real-world distribution of lures, start a 25-user free trial and run a category-mix campaign this week. Pricing for full-roster programs is on the pricing page; if you want help building a 90-day plan that covers the full top-10, contact us. For broader context on our approach, about us covers the company and our methodology, and security awareness training covers the remediation side that pairs with every campaign.

See also: Phishing Trends 2026 - annual roundup covering AiTM commoditization, AI-generated lure quality, collaboration-tool phishing, ransomware dwell-time compression and other patterns that defined the year.