The Most Dangerous Email Scams in 2026 (And How to Protect Yourself)

Every year, email scams get harder to spot. But 2026 is different. We've crossed a threshold where the old advice — "look for bad grammar" or "check if it feels off" — no longer works. AI has given scammers tools that make their emails indistinguishable from legitimate ones, and entirely new attack types have gone mainstream.

Here are the scams that security researchers, law enforcement, and our team are most worried about this year — with real examples and specific advice for each.

1. AI-generated phishing emails

The threat level: Critical

Remember when you could spot a phishing email because of the dodgy grammar, weird phrasing, or "Dear Esteemed Customer" salutations? Those days are over.

Large language models — the same technology behind ChatGPT and similar tools — are now being used to generate phishing emails that are grammatically perfect, contextually appropriate, and even personalised to you. A 2024 study by SlashNext found that malicious email and messaging threats increased by 856% year-on-year, driven in large part by AI tools making it easier to craft convincing phishing at scale.

What this looks like in practice:

• An email from "your bank" that references the town you live in, your approximate account type, and a recent news event about banking changes
• A "colleague" email that matches the writing style of someone you actually work with
• Customer service responses to complaints you never made but sound exactly like they're from the company

Why it's so dangerous: The old tells are gone. These emails read naturally. They use your name (scraped from data breaches or social media). They reference real events and real companies. The only remaining tells are technical — the sender domain, the link destination, and the underlying intent.

How to protect yourself:

• Stop relying on "does this email look right?" and start checking the sender address and link destinations every time
• Be especially suspicious of any email that asks you to do something urgently — log in, update payment, verify identity
• When in doubt, contact the supposed sender through a different channel (phone, their real website)

2. QR code phishing (quishing)

The threat level: High and rising fast

"Quishing" — phishing via QR codes — exploded in 2025 and shows no signs of slowing down. HP Wolf Security has tracked a rapid rise in QR code attacks across their threat reports, with quishing becoming one of the fastest-growing email attack vectors.

The brilliance of quishing is that it bypasses most email security tools. Traditional filters scan links in emails. But a QR code is just an image — and the malicious URL is encoded within it, invisible to many scanners.

How it works:

1. You receive an email with a QR code — often disguised as a document to sign, a multi-factor authentication setup, or a parking fine

2. You scan the code with your phone

3. Your phone opens a phishing page — but now you're on your mobile, which typically has fewer security tools and a smaller screen that hides the full URL

4. You enter your credentials on a tiny mobile screen where the dodgy URL is truncated

Real examples we've seen:

• "Your Microsoft 365 MFA is expiring. Scan this QR code to re-authenticate" — sent to corporate email addresses, leading to a convincing Microsoft login page
• "You have a document to sign via DocuSign" — QR code leads to a credential-harvesting page
• Fake parking fines and EV charging station stickers with QR codes leading to payment-harvesting sites (these are physical, not email, but the concept crosses over)

How to protect yourself:

• Treat QR codes in emails with extreme suspicion. Legitimate companies rarely ask you to scan a QR code from an email — if you're already on your computer reading the email, why would they need you to scan something?
• If you do scan a QR code, check the URL preview your phone shows before opening it
• Never enter login credentials on a page you reached via QR code from an email

3. Business email compromise (BEC) — now with AI

The threat level: Critical for businesses, growing for individuals

BEC isn't new, but AI has supercharged it. The FBI's Internet Crime Complaint Centre reported that BEC caused $2.9 billion in losses in 2023 — making it the single most financially damaging type of cybercrime. And that was before AI tools made it dramatically easier.

The classic BEC playbook:

1. Scammers compromise or impersonate a senior executive's email

2. They send an urgent message to someone in finance: "I need you to wire £50,000 to this account for a confidential acquisition. Don't discuss this with anyone."

3. The finance person complies because the email looks legitimate and the request sounds like something the CEO might actually say

How AI has changed it in 2026:

• Better research: AI tools scrape LinkedIn, company websites, and news to craft emails that reference real projects, real people, and real business context
• Style matching: AI can analyse a CEO's previous emails (from breaches or social engineering) and replicate their writing style
• Longer cons: Instead of a single urgent email, scammers now conduct multi-email conversations, building trust before making the financial request
• Voice cloning: Some BEC attacks now include a follow-up voicemail or phone call using an AI-cloned voice of the executive (more on this below)

How to protect yourself:

• Any request to transfer money or change payment details needs verification via a different channel — call the person directly using a known number
• Establish clear financial procedures that require multi-person approval for large transfers
• Be suspicious of urgency and secrecy — "do this now" and "don't tell anyone" are the two biggest red flags in BEC

4. Deepfake video and voice call scams

The threat level: High and mostly underestimated

In January 2024, a finance worker at engineering firm Arup was tricked into transferring $25 million (£20 million) after attending a video call where every other participant — including the company's CFO — was a deepfake. The scammers had used publicly available video footage to create real-time deepfakes of multiple senior executives.

Let that sink in. A video call with your colleagues, where you can see and hear them, is no longer proof that they're real.

How this plays out via email in 2026:

• You receive an email from "your CEO" requesting a meeting about a confidential matter
• You join a video call and see and hear someone who looks and sounds exactly like your CEO
• They instruct you to make an urgent payment, share confidential data, or approve an action
• The entire call is AI-generated

Voice cloning alone is even more common and easier to pull off. With just a few minutes of audio (easily harvested from conference talks, YouTube videos, or podcast appearances), an AI can clone someone's voice convincingly enough to fool colleagues and even family members.

How to protect yourself:

• Verify any unusual financial or data request through a separate, trusted communication channel — not through the same email chain or call
• Establish code words or verification questions for high-stakes requests within your organisation
• Be aware that seeing someone on video is no longer a guarantee of identity
• If something feels off about a video call — slightly unnatural movements, audio sync issues, odd lighting — trust that instinct

5. Supply chain email attacks

The threat level: High and growing

This is the sneakiest category because the email genuinely comes from a legitimate, trusted sender — their account has just been compromised.

How it works:

1. Attackers compromise the email account of a company in your supply chain — your accountant, your IT provider, a supplier you regularly work with

2. They monitor the email account for weeks, learning about relationships, invoices, and payment schedules

3. At exactly the right moment, they send a perfectly timed email from the real compromised account: "Our bank details have changed. Please update your records and send the next payment to this new account."

4. Because the email comes from a known, trusted sender, it bypasses both technical filters and human suspicion

Real-world scale: The UK's National Cyber Security Centre highlighted supply chain attacks as one of the top threats facing UK businesses in their 2025 Annual Review. Supply chain email attacks can be devastating, with individual incidents regularly causing losses of tens or hundreds of thousands of pounds.

Why it's so effective:

• The email comes from a real, trusted email address
• The content is contextually accurate (correct invoice numbers, project names, payment amounts)
• It arrives at a time when a payment is actually expected
• The only change is the bank account number

How to protect yourself:

• Always verify bank detail changes by phone — call using a number you already have on file, not one from the email
• Be suspicious of any "our bank details have changed" email, even from known contacts
• Ask your suppliers what their process is for communicating bank changes — ideally it should never be email-only
• Consider implementing confirmation of payee checks through your bank

6. The "helpful" AI assistant scam

The threat level: Emerging

This is new for 2026 and worth watching. Scammers are sending emails that offer "AI-powered" tools and assistants — free PDF summarisers, AI email writers, meeting transcription tools — that either:

• Harvest your data when you sign up (email, password, sometimes payment details for a "free trial")
• Install browser extensions that monitor your activity
• Require OAuth access to your email or cloud storage, then exfiltrate your data

Why it's timely: Everyone wants AI tools right now. The demand is real. And scammers are exploiting the gap between people's eagerness to try new AI products and their ability to evaluate which ones are legitimate.

How to protect yourself:

• Stick to well-known AI tools from established companies
• Never grant email or cloud storage access to an app you found through an unsolicited email
• Be extremely cautious about browser extensions from unknown developers
• If an AI tool is "free" and asks for your email login, that's a major red flag

The big picture: what's changed in 2026

The shift that's happened over the past two years is fundamental:

• Grammar and spelling are no longer tells. AI writes perfect English (and perfect French, German, Spanish...).
• Personalisation is cheap. Data breaches have made personal information readily available, and AI makes it easy to craft personalised messages at scale.
• Multi-channel attacks are common. An email followed by a voice call, or a text followed by an email, creates a sense of legitimacy that a single message can't.
• The targets are everyone. These aren't just aimed at Fortune 500 companies. Small businesses, individuals, and families are all in scope.

Your protection checklist for 2026

Here's what actually works:

1. Check sender domains obsessively. This is now the single most reliable indicator.

2. Never trust links in emails. Go to websites directly by typing the URL.

3. Verify unusual requests through a different channel. Phone call, text message, in person — anything except replying to the suspicious email.

4. Use unique passwords everywhere. A password manager makes this easy.

5. Enable two-factor authentication on every account that offers it, especially email.

6. Keep software updated. Many attacks exploit known vulnerabilities that patches have already fixed.

7. Be suspicious of urgency. Scammers need you to act before you think. Legitimate requests can wait for verification.

8. Talk about scams openly. Share examples with family and colleagues. The more familiar people are with tactics, the less likely they are to fall for them.