Published on 05 June 2026 · by Qubit Technologies
Why phishing emails have spelling mistakes on purpose
The spelling mistakes in mass phishing are not carelessness; they are a deliberate filter to find the easiest victims. The targeted phishing aimed at your company, by contrast, has not a single one.
Everyone has received a phishing email full of mistakes. The “dear customer”, the broken grammar, the line no human would ever write. The natural conclusion is that whoever is behind it is sloppy. That conclusion is almost always wrong.
In most of those emails, the mistakes are not carelessness; they are a tool. In the ones that really come after your company, by contrast, there is not a single one.
The mistakes as a filter
Mass phishing is sent blindly to millions of addresses. Whoever sends it is not trying to fool everyone; they are trying to find the few people who will go all the way, hand over their details or make the transfer. That is the trick.
Following up with someone who gets suspicious halfway through and backs out costs time. A clumsy email, full of mistakes and warning signs, scares off exactly those people. Only the person who notices none of it keeps going, which is exactly the victim the scammer wants. The worse the bait is written, the better it selects who will actually take it.
The email that comes after you
Targeted phishing plays a different game. It is not sent to millions; it is sent to one specific person in your company, chosen for their role or their access. Whoever writes it has done their homework first.
They know the name of your finance director, they know your usual supplier and they know you are closing a deal this week, because much of that is public. With that, they build an email that does not stand out, with the sender you expect, the usual tone and a subject that fits what you have on your desk. Without a single mistake, because one mistake would give it away.
Falling for it is not about being stupid
This is the deeper flaw in the usual advice. “Check for typos, do not trust strange links” works against mass phishing, not against the targeted kind. Against a well-made email, looking for typos gets you nowhere.
Falling for it is not about being clever or stupid either; it is about context. If the email arrives at the moment you were expecting something like it, from the sender you were expecting it from, with an excuse that fits, anyone clicks. Attackers do not exploit ignorance; they exploit hurry, trust and routine.
What actually works
Technical filters stop a lot, but they do not stop everything. One getting through is enough. So the last line of defence is always a person in front of the screen. That person is not protected by a poster that says “beware of phishing”; they are protected by having seen a real one before.
That is why phishing simulations work better than talks. When someone clicks a fake email, controlled and with no consequences, they learn in thirty seconds what no presentation is going to teach them. The training that works is not told; it is practised.
The email you will not see coming
Phishing with mistakes will keep filling your spam folder. It is the least dangerous kind, because it gives itself away. The one to take seriously is the one that does not look like phishing, the one written to fit you with the information you leave in plain sight.
Where that information comes from is something we already covered in what an attacker learns about your company before attacking. Targeted phishing is the next step, the moment when all that reconnaissance turns into an email someone on your team opens without thinking.
If you want to test your team with a controlled phishing simulation, write to us at [email protected].