Email Protection

The Anatomy of a Modern Phishing Email (with Annotated Examples)

Modern phishing emails are clean, contextual, and hard to spot. Here is a structural breakdown of the parts that matter and what each one signals.

Modern phishing emails are not the awkward Nigerian-prince messages of fifteen years ago. They are clean. They are contextual. They look like real mail because they are engineered to look like real mail. The traditional human heuristics for spotting them no longer reliably work.

This post is a structural breakdown of the parts of a modern phishing email and what each part signals. Recognizing the shapes is one layer of defense. The structural and verification layers that catch what recognition misses come after.

The Six Parts

Almost every phishing email has the same skeleton. The details rotate, but the structure is stable.

  1. Sender identity. The address and display name the message appears to come from.
  2. Subject line. The headline that gets the recipient to open the message.
  3. Greeting. The opening line that establishes who the message is supposedly addressed to.
  4. Pretext. The body content that explains why the recipient is hearing from this sender.
  5. Call to action. The specific thing the email is asking the recipient to do.
  6. Sign-off. The closing that mimics the impersonated party.

Each part is engineered against one defensive heuristic. A reader who knows the structure can audit each part separately. A reader who does not is reacting to the gestalt of the message, which is exactly what the design is optimized to defeat.

Sender Identity: Three Common Tricks

The visible sender field on most email clients shows the display name, not the underlying email address. Display names can be set arbitrarily. The phishing email arriving from “Mark Wilson, Acme CFO” might actually be from notifications@compromised-domain.ru. The display name says one thing; the address says another.

Three common patterns:

Real domain, compromised account. The attacker has compromised a real account at a real organization (often through earlier phishing or password reuse). The email genuinely comes from markwilson@acmecorp.com. Authentication passes. The sender domain is correct. The defense is contextual: does this email look like something Mark would actually send? If Mark is the CFO and the email is asking the recipient to update wire instructions, the defense has to come from a verification protocol, not from the technical authentication of the sender.

Lookalike domain. The attacker has registered a domain that looks similar to the real one. acmecorp.com versus acmec0rp.com versus acmecrop.com. The visual similarity is high enough to slide past a quick read. Authentication passes for the lookalike domain because it is a real domain the attacker controls. The defense is reading the domain character by character, which most readers do not do under time pressure.

Display-name spoofing. The display name says “Mark Wilson” but the underlying address is notifications@unrelated-domain.ru. SPF, DKIM and DMARC authenticate the domain in the address, never the display name, so this pattern fails authentication only when the attacker cannot send legitimately for unrelated-domain.ru. An attacker who controls that domain and publishes SPF and DKIM records for it passes cleanly. Native filters still catch most of these, usually by noticing that a display name matching an internal user arrives from an external domain. The ones that get through pass authentication for the domain they actually use while the displayed identity stays misleading.

The sender identity check is the first thing to audit on a suspicious email. Hover over the sender (or tap the sender name on a mobile client to reveal the address) and read the underlying address character by character. If anything looks off, the rest of the email does not need detailed analysis. If it looks right, keep going: a correct, authenticated address rules out the lookalike and display-name patterns but not the compromised account.
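The three sender patterns above can be checked mechanically on a raw message. The following is an added example, not code from this post or from Rythm: it parses the From header, reads the DMARC result from Authentication-Results, folds visually confusable characters so that acmec0rp.com collapses onto acmecorp.com, scores near-miss domains such as acmecrop.com with an edit distance that counts adjacent swaps, and flags an insider's name on an external address. The defending domain (acmecorp.com), the protected name (Mark Wilson) and every header in the samples are assumptions constructed for the example.

```python
"""Sender-identity audit, as an added example (not Rythm's code).

Assumptions not in the original post: the defending organization's domain is
acmecorp.com, "Mark Wilson" is a known executive there, and every header below
is constructed for illustration.
"""
import email
import re
import unicodedata
from email.utils import parseaddr

OUR_DOMAIN = "acmecorp.com"          # assumption
KNOWN_STAFF = {"mark wilson"}        # assumption: display names worth protecting

# Character pairs that read alike in a proportional font. Folding both the real
# domain and the candidate through this table makes acmec0rp.com equal acmecorp.com.
# Cyrillic or other cross-script homoglyphs are not covered by this short table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def skeleton(domain: str) -> str:
    """Lowercase, strip combining accents, then fold the confusable pairs above."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    swaps, so acmecrop.com sits one edit away from acmecorp.com."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit_sender(raw_message: str) -> list[str]:
    """Return findings for the From header of a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    findings = []

    # SPF/DKIM/DMARC vouch for the domain in the address, never for the display name.
    if not re.search(r"\bdmarc=pass\b", auth):
        findings.append("dmarc-not-pass")

    if domain == OUR_DOMAIN:
        # Real domain: authentication cannot tell a compromised account from its owner.
        return findings or ["internal-authenticated: verify the request, not the sender"]

    ours, theirs = skeleton(OUR_DOMAIN), skeleton(domain)
    if theirs == ours:
        findings.append(f"lookalike-domain (confusable): {domain}")
    elif osa_distance(theirs, ours) <= 2:      # threshold suited to ~12-character domains
        findings.append(f"lookalike-domain (near-miss): {domain}")

    # An insider's name on an external address is the display-name spoof.
    if any(staff in name.lower() for staff in KNOWN_STAFF):
        findings.append(f"display-name-spoof: {name!r} from {domain}")
    return findings


# Constructed samples, one per pattern described in the post.
SAMPLES = {
    "compromised_account": (
        "From: Mark Wilson <markwilson@acmecorp.com>\n"
        "Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass header.from=acmecorp.com\n"
        "Subject: Updated wire instructions\n\nPlease use the new routing details attached.\n"
    ),
    "lookalike_confusable": (
        "From: Mark Wilson <markwilson@acmec0rp.com>\n"
        "Authentication-Results: mx.example; dmarc=pass header.from=acmec0rp.com\n"
        "Subject: Q4 vendor agreement\n\n"
    ),
    "lookalike_transposed": (
        "From: Accounts Payable <ap@acmecrop.com>\n"
        "Authentication-Results: mx.example; dmarc=pass header.from=acmecrop.com\n"
        "Subject: Updated invoice for your records\n\n"
    ),
    "display_name_spoof": (
        'From: "Mark Wilson, Acme CFO" <notifications@compromised-domain.ru>\n'
        "Authentication-Results: mx.example; spf=fail; dmarc=fail header.from=compromised-domain.ru\n"
        "Subject: URGENT: Wire approval needed\n\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:22} -> {audit_sender(raw)}")
```

The compromised-account sample deliberately produces no technical finding: the code can only say the domain authenticated, which is exactly why the post routes that case to an out-of-band verification protocol rather than to header analysis.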

Subject Line: Trust or Urgency

Phishing subject lines fall into two broad categories.

Trust-establishing. “Updated invoice for your records.” “Q4 vendor agreement.” “Following up on our conversation.” The subject is designed to feel like ordinary business correspondence. The reader opens it because it looks routine. Recognition is hard because routine subject lines are routine.

Urgency-establishing. “ACTION REQUIRED: Your account will be locked.” “URGENT: Wire approval needed.” “Last chance to verify your information.” The subject is designed to short-circuit the reader’s evaluation step. Urgency creates time pressure. Time pressure degrades pattern recognition.

The trust-establishing variant is harder to defend against because it does not raise immediate flags. The urgency-establishing variant is easier to flag (any urgent unsolicited message is suspect by default), but the urgency itself is what reduces the recipient’s recognition rate when they do open it.

The defensive read: a subject line that looks routine is suspect if it comes from an unusual sender. A subject line that creates urgency is suspect by default. Either way, the subject is not a reliable signal of legitimacy.

Greeting: Personalization Without Relationship

Modern phishing emails are personalized. AI tools and breached data make it cheap to generate a greeting that uses the recipient’s real name, their company, sometimes their job title. “Hi Sarah, I was reviewing the Westfield project file and noticed…” The personalization is correct because the personal data is real (scraped from LinkedIn, leaked breach data, public press mentions).

The personalization tells the reader nothing about whether the sender is legitimate. A personalized greeting from someone the recipient has never corresponded with is not a sign of relationship; it is a sign that the personalization step was automated.

The defensive read: a personalized greeting from an unknown sender is the opposite of reassuring. It signals scaled outreach (legitimate or otherwise) rather than genuine prior relationship. Real first contact from a real person usually has a less polished greeting because the sender has not done a database lookup before writing.

Pretext: The Story That Justifies the Request

The pretext is the body of the email, the part that explains why the sender is reaching out. Modern phishing pretexts are well-written and contextually plausible.

Common patterns:

Vendor relationship. “We are updating our payment systems and need to confirm your banking information for the next invoice cycle.” The pretext relies on the recipient believing the sender is a real vendor.

Internal coordination. “I am stepping into a board meeting and need you to handle this transfer for me. Sending the routing details in the next 30 minutes.” The pretext relies on the recipient believing the sender is the boss.

Service notification. “We detected unusual activity on your account. To prevent unauthorized access, please verify your identity by following the link below.” The pretext relies on the recipient believing the sender is the service provider.

Document review. “Please review the attached contract and let me know if you have any questions.” The pretext relies on the recipient opening the attachment.

The pretext is the part of the email that has improved most rapidly with AI assistance. The prose is clean, the references are contextually correct, and the request is plausible. The defensive read here is less about the language quality (which is now uniformly good) and more about the relationship: does the sender have a reason to be making this specific request through this specific channel?

If the answer is “I do not actually know this sender, but the email is plausible,” the email is suspect. Plausibility is necessary for legitimacy but not sufficient.

Call to Action: The Move That Matters

Every phishing email exists to drive a specific action. The action is the goal; the rest of the email is scaffolding around it.

Common calls to action:

Click a link. Almost always to a credential-harvesting page, a malware download, or a payment redirect. The link text often differs from the underlying URL. Hovering reveals the destination.

Open an attachment. Usually a malicious document (Word, PDF, Excel) that triggers a macro or embedded payload when opened. Modern attachments often use cloud-storage links rather than attached files to evade attachment scanning.

Reply with information. Wire transfer details, W-2 forms, banking information, login credentials. The phishing email asks for the data directly, often with a pretext that explains why it is needed.

Move money. Initiate a wire transfer, change banking details, redirect a payment. The most expensive category. BEC attacks live here, and the FBI’s IC3 reported roughly $2.9 billion in BEC losses for 2023.

The call to action is the most reliable signal of phishing. Almost every phishing email is asking the recipient to do something the recipient would not do without the email. Real emails request many things, but the combination of unsolicited contact + specific high-stakes request is the pattern phishing depends on.
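The “hovering reveals the destination” check from the link call to action can be automated over an HTML body. This is an added example, not code from the post or from Rythm: it collects every anchor, compares the host the visible text claims against the host the href actually resolves to, and separately flags two URL tricks that defeat a casual hover, a trusted name placed in the userinfo part before an `@`, and a bare IP address as the host. The HTML sample and all hosts in it are constructed for the example.

```python
"""Call-to-action link audit for an HTML email body, as an added example
(not Rythm's code). The HTML below is constructed; its hosts are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    """Hostname as a browser resolves it: userinfo before '@' and any port are discarded."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower().removeprefix("www.")


def audit_links(html: str) -> list[dict]:
    """Return one record per anchor with the flags a reviewer would want raised."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        flags = []
        real_host = host_of(href)
        if "@" in urlsplit(href).netloc:
            # https://acmecorp.com@evil.example/ shows the trusted name, lands on evil.example
            flags.append("userinfo-in-url")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
            flags.append("ip-literal-host")
        # Only compare hosts when the anchor text itself looks like a URL or domain.
        if "." in text and " " not in text:
            shown_host = host_of(text)
            if shown_host and shown_host != real_host and not real_host.endswith("." + shown_host):
                flags.append("text-host-mismatch")
        results.append({"text": text, "href": href, "host": real_host, "flags": flags})
    return results


# Constructed sample body: one mismatch, one userinfo/IP trick, two benign links.
SAMPLE_HTML = """
<p>Please visit <a href="https://acmecorp-verify.example/login">https://acmecorp.com/login</a> to confirm.</p>
<p><a href="https://acmecorp.com@198.51.100.7/review">Review the document</a></p>
<p>Or use the portal at <a href="https://portal.acmecorp.com/">acmecorp.com/portal</a>.</p>
<p><a href="https://docs.example/share/abc">Open the shared file</a></p>
"""

if __name__ == "__main__":
    for record in audit_links(SAMPLE_HTML):
        print(record["flags"] or ["ok"], record["text"], "->", record["host"])
```

The subdomain case is allowed on purpose (text acmecorp.com, link to portal.acmecorp.com), which keeps the check quiet on ordinary corporate mail while still catching the first two links.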

Sign-Off: The Familiar Closing

The sign-off mimics the impersonated party’s typical closing. “Thanks, Mark” if Mark is being impersonated. “Best regards, Sarah” if the impersonation is at the assistant level. The sign-off is rarely the weak point of a phishing email. Modern attackers know the closings; they have been studying real correspondence.

What sometimes does give the sign-off away is a small inconsistency: a sign-off that does not match the impersonated party’s actual style, a missing email signature where one should be, or a signature with an outdated title or contact information.

These are minor signals. They do not reliably catch sophisticated attacks, but they sometimes catch the lazy ones.

What Recognition Cannot Catch

Even with the structure broken down, the recognition rate against well-crafted phishing in industry simulations is roughly fifty percent. The other half slips through, especially under time pressure, on busy days, when the attack is paired with social pressure or technical urgency.

The defensive layers that compensate:

Verification protocols on financial actions. Out-of-band confirmation of wire transfers, banking changes, and payroll redirections. The protocol catches the attack at the moment of action, regardless of how convincing the email was.

MFA on every important account. Blunts the credential-theft path: a password typed into a phishing landing page is no longer enough on its own. One-time codes and push approvals can still be relayed in real time by a phishing site that proxies the login, so the methods that fully close the path are the phishing-resistant ones (FIDO2/WebAuthn security keys and passkeys), which bind the login to the real domain.

Native spam filters. Catch the mass-volume mechanical attacks before they reach the inbox.

Structural inbox filters. Change the cost structure of reaching the inbox so that mass campaigns become uneconomic. A small cover charge on unknown senders does not catch the targeted attacker willing to pay, but it eliminates the cheap, mass version of every pattern above. When a targeted attacker does pay, the email arrives with a PAID label attached, which can itself be a red flag if the sender claims to be someone the recipient already knows (anyone on the recipient’s guest list would not pay a cover charge). We covered the structural layer in why we don’t use AI to fight AI phishing.

Recognition is one layer in the stack, not the whole stack. Anyone selling you “spot the phishing email” training as a complete defense is ignoring the half of attacks that recognition reliably misses. For the full stack, see how to defend your inbox from phishing in 2026. For the seven specific patterns dominating volume, see the 7 phishing patterns every knowledge worker should recognize.

The Bottom Line

A modern phishing email has six parts: sender, subject, greeting, pretext, call to action, sign-off. Each part is engineered to defeat a specific defensive heuristic. Recognition of the structure helps but is insufficient on its own. The realistic defense is layered, with structural filters that change the cost of reaching the inbox in the first place.

Rythm is the consumer-scale structural filter for Gmail and Outlook. The cover charge does not detect phishing in any individual email; it changes the economics of the campaigns that produce most of the volume. That is a different mechanism than recognition, and it works on a different layer of the problem.
