ETNTech Managed IT Services
About Services Team Reviews Partners Blog Contact (423) 779-8196
Cybersecurity

How to Spot Grammatical Errors That Signal a Scam Email

April 23, 2026 ETTC Team 13 min read
← Back to Blog

How to Spot Grammatical Errors That Signal a Scam Email

Scam emails signal themselves through four grammar patterns: wrong word choice from machine translation, missing articles, inconsistent verb tense, and tone that swings between overly formal and weirdly casual — often in the same paragraph. But here’s what changed: in 2026, 82.6% of phishing emails use AI and are grammatically flawless. Grammar errors are still worth catching — but they’re only half the picture now.

Sandra runs a three-location dental practice in Hixson. Last spring she got an email that looked like it came from her payroll software vendor. The greeting was professional, the logo looked right, and the writing was clean. No typos. No awkward phrasing. She was three clicks from entering her credentials when her IT provider flagged it as a phishing attempt. The grammar was perfect. That was the point.

This guide covers both sides: the classic grammar patterns that still give cheap scams away, and the newer signals you need when the writing looks flawless.

Key Takeaways
– Grammar errors in scam emails are often intentional — scammers use them to filter out skeptics and dodge spam filters
– Four grammar patterns give away most low-grade scams: wrong word in context, missing articles, inconsistent tense, and mismatched formality
– In 2026, 82.6% of phishing emails are AI-generated and grammatically perfect — perfection itself is now a red flag
– AI phishing emails achieve a 54% click-through rate, compared to 12% for traditional phishing
– Real organizations never request passwords, payment info, or credentials by email — regardless of how well-written the message is

Why Scam Emails Have Grammar Errors (It’s Not Incompetence)

Most people assume scammers make grammar mistakes because they can’t write English well. Some do. But research from Microsoft computer scientist Cormac Herley explains why many of those errors are fully intentional.

Herley’s analysis found that scammers deliberately write badly — not because they can’t do better, but because it works as a filter. An email full of obvious errors gets ignored by educated, skeptical readers. That’s the goal. The only people who respond to a badly written scam are the ones least likely to question it later.

As Herley put it, anyone who doesn’t immediately see the email as suspicious “is exactly who they want to talk to.”

There’s a second reason errors appear: spam filter evasion. Email security tools scan for known phishing phrases. Misspelling those phrases — writing “acc0unt” instead of “account,” or “Micros0ft” instead of “Microsoft” — gets the message past filters that would otherwise catch it.

The result: bad grammar in a scam email isn’t an accident. It’s either a targeting mechanism, a filter bypass, or the product of a non-English speaker running text through a translation tool. Knowing why errors appear helps you recognize the specific patterns they leave behind.

The 4 Grammar Patterns That Signal a Scam Email

These four patterns show up consistently in phishing emails that haven’t been polished by AI. When you see two or more in the same message, treat it as a serious red flag.

1. Wrong Word in Context (Translation Artifacts)

A spellchecker won’t catch a word that’s spelled correctly but used in the wrong situation. Scam emails translated from another language are full of these.

Real examples:
– “Kindly verify your credential below” — should be “credentials”
– “Your account has been suspended for safety” — oddly vague; real companies say why
– “We noticed unusual activities on your profile” — “activities” instead of “activity”
– “Please do the needful” — common in South Asian English, almost never in legitimate US business email

These errors slip past automated tools because each individual word is spelled correctly. The meaning is just off — like something was run through Google Translate and left unedited.

2. Missing or Misused Articles (A, An, The)

In English, we say “update your account,” not “update account.” We say “click the link,” not “click link.” For non-native English speakers working from translated templates, articles are the first thing to get dropped.

Watch for:
– “Click button to verify” (should be “the button”)
– “There is problem with your subscription” (should be “a problem”)
– “Please check inbox” (should be “your inbox”)

Legitimate company email templates are written and proofread by native speakers. Missing articles almost never appear in official correspondence from a bank, software vendor, or shipping company.

3. Inconsistent Verb Tense

Scam emails often shift tense mid-message — sometimes within a single sentence. This happens when a template gets pieced together from multiple translated sources or when different people (or tools) wrote different paragraphs.

You might see: “Your account was flagged for unusual activity. We are lock your access until you verify. This will protects your data.”

Three sentences, three different tense problems. No professional communication team at a real company produces that.

4. Tone That Doesn’t Match the Situation

Legitimate business email has consistent register. A bank doesn’t start professional and then drop into informal slang. A shipping company doesn’t sound casual and then add legal-sounding threats.

Scam emails often swing between extremes: overly formal phrases like “We hereby notify you of the following irregularities” followed by oddly casual sentences like “Just click here and it be fixed fast.” Neither the formality nor the informality is what a real company would write — and seeing both in the same email is a reliable signal.

The 2026 Problem: AI-Generated Phishing Has No Grammar Errors

Here’s the complication. Everything above still applies to cheap, volume phishing. But the threat landscape shifted dramatically in the last two years.

A 341% surge in malicious emails between 2023 and 2024 coincided with scammers adopting large language models to write their emails. As of 2025, 82.6% of phishing emails include AI-generated content. These emails have native-level grammar, natural tone, appropriate formality, and correct article usage throughout.

AI-generated phishing achieves a 54% click-through rate. Traditional phishing — the kind with obvious errors — gets about 12%.

That gap tells you everything about why scammers upgraded.

The “Flaw of Perfection” — New Red Flags in AI-Written Scam Emails

The irony is that AI writing leaves its own fingerprints. When an email is suspiciously clean, start looking for these signals:

Excessive transition words. AI models over-use “furthermore,” “moreover,” “consequently,” “therefore,” and “it is important to note that.” Real people writing business email don’t talk like this. If an email from your bank sounds like an academic paper, something is off.

Verbose explanations for simple requests. A real IT vendor asking you to reset your password sends you a link. An AI-generated phishing email explains at length why your password needs resetting, what the policy implications are, and how this will benefit you. The over-explanation is a tell.

Vague specifics. AI-generated emails often reference invented policy names, generic case numbers, and ambiguous timeframes. “Your account case #[CASE-482] has been flagged under our Security Compliance Initiative” — none of those details are real, but they sound plausible.

No personal detail you’d expect. Your actual bank knows your account number, your branch, your last transaction. A phishing email — however polished — typically can’t include that. A suspiciously clean email that addresses you generically (“Dear Valued Customer”) from a company that should know your name is worth scrutinizing.

5 Other Red Flags to Check When the Grammar Looks Fine

Grammar is one signal. When an email passes the grammar test, run it through these checks before clicking anything.

1. The sender domain doesn’t match the company. A legitimate email from Microsoft comes from a microsoft.com address — not microsoft-support.net, not micro-soft-help.com. Look at the full sending address, not just the display name. Display names can be faked; the actual domain is harder to spoof.

2. The greeting is generic. Your bank, your payroll provider, your Microsoft 365 subscription — they all know your name. “Dear Account Holder” or “Dear Valued Customer” from a company you have a relationship with is a yellow flag.

3. There’s artificial urgency. “Your account will be permanently deleted in 24 hours.” “Respond immediately or your service will be suspended.” Urgency is a pressure tactic designed to stop you from thinking. Real organizations give you reasonable notice and multiple communication channels.

4. The link doesn’t go where it claims. Hover over any link before clicking. The URL that appears in your browser’s status bar should match where the email says you’re going. A button that says “Log in to your account” pointing to a URL with a long string of random characters is a phishing link.

5. You weren’t expecting it. This is underrated. If you get a shipping notification for a package you didn’t order, an invoice for a service you didn’t buy, or a password reset email you didn’t request — those are almost always phishing. The hook is designed to create enough confusion that you click before you think.

What to Do When You Spot a Suspicious Email

Don’t click anything. Don’t reply. Don’t call a phone number listed in the email.

If the email claims to be from a company you actually use, go to that company’s website directly — type the address yourself, don’t use any link in the email — and log in from there. If there’s a real problem with your account, it will show up.

Report it. Most email platforms (Outlook, Gmail) have a “Report phishing” option. Use it. This helps protect other users in your organization and improves the platform’s filters.

If you’re a business owner and the email targeted an employee, tell your IT provider immediately. The faster a potential compromise is investigated, the smaller the damage. For businesses in Chattanooga and East Tennessee, ETTC’s team is available to assess incidents and walk you through your next steps.

How ETTC Protects Chattanooga Businesses from Phishing

Recognizing a scam email yourself is valuable. But at the volume businesses receive today, personal vigilance isn’t enough.

ETTC provides email security and cybersecurity monitoring for small and mid-sized businesses across the Chattanooga region. Our approach includes:

  • Email filtering and spam protection — catching phishing emails before they reach your inbox, including AI-generated variants
  • Dark web monitoring — alerting you if your business credentials appear in a breach so you can act before an attacker does
  • Employee security awareness — training your team to recognize the patterns covered in this article, so the odds of a successful attack drop significantly
  • Incident response — if something does get through, we investigate fast and help contain the damage

If your business relies on a managed IT partner for cybersecurity services in Chattanooga, make sure email security is part of that conversation. Phishing is the entry point for most ransomware attacks, business email compromise incidents, and data breaches. Filtering it properly isn’t optional.

Frequently Asked Questions

Do scammers intentionally write with bad grammar?
Often yes. Microsoft researcher Cormac Herley found that obvious errors serve as a filter — anyone who doesn’t immediately dismiss the email is a more viable target. Errors also help bypass spam filters that flag known phishing keywords.

Can I trust an email just because the grammar is perfect?
No. As of 2026, 82.6% of phishing emails use AI and are grammatically flawless. A clean email still needs to pass the sender domain check, the link check, and the “does this make sense” check before you click anything.

What grammar mistakes are most common in scam emails?
Wrong word in context (translation artifacts), missing articles like “a” or “the,” inconsistent verb tense across a message, and tone that swings between overly formal and oddly casual.

What should I do if I clicked a link in a suspicious email?
Don’t enter any information on the page that opened. Close the browser immediately. Change the password for any account that email appeared to be from, using a different device. Contact your IT provider — for Chattanooga businesses, call ETTC at (423) 779-8196.

How do I check if a sender email address is fake?
Look at the full sending address, not just the display name. In most email clients, you can hover over or click the sender name to see the actual address. If an email claims to be from Microsoft but came from a Gmail address or an unfamiliar domain, it’s fake.

Is email training enough to protect my business?
Training helps, but it’s not enough on its own. Businesses that rely solely on employee vigilance get compromised when someone has a distracted moment or when an AI-generated email is convincing enough. Layered protection — filtering, monitoring, and training together — is the standard that managed IT providers like ETTC implement.

The Bottom Line

Grammar errors in scam emails are real signals — just not the only ones anymore. The patterns haven’t gone away: wrong word choices, missing articles, tense problems, and mismatched tone still show up in the high-volume, low-effort phishing that hits inboxes every day. Learn to recognize them.

But also learn what perfect looks like when it’s suspicious. Excessive transition words, vague specifics, generic greetings, artificial urgency, and mismatched sender domains are the new tells. AI has cleaned up the writing. It hasn’t fixed the context.

If you’re a business owner in Chattanooga wondering whether your email security is actually keeping up with what attackers are sending in 2026, that’s exactly the kind of question a free IT assessment can answer. Call ETTC at (423) 779-8196 or reach out through our contact page — no commitment, no sales pitch, just a straight answer.

ETTC offers IT consulting and managed IT support in Fort Oglethorpe, East Brainerd, and throughout Hamilton and Catoosa counties. Call (423) 779-8196 or request a free assessment.