Last year, I received an email from my “bank” alerting me to suspicious activity on my account. The layout and logo matched other official communications I had received from the bank, and I was naturally alarmed.
But a few things just didn’t add up. Instead of using my name, it addressed me as “Dear valued customer.” After that, I was supposed to verify my account details, which seemed contrary to bank security advice. The brightest red flag, though, was the email address that didn’t match the bank’s domain.
Scammers have become quite smart. Tools like generative AI have made it easy for them to mimic the branding, tone, and even the writing style of legit companies.
But there are still telltale signs that help you identify a phishing attempt. Here, I’ll discuss these signs and share phishing email examples that could fool anyone.
What is a phishing email?
A phishing email is a type of online scam that tricks recipients into providing sensitive information, such as login credentials, credit card numbers, or personal identification details.
For example, here’s an email that Debbie Moran, marketing manager at RecurPost, received:
Cybercriminals design these emails to appear as if they come from legitimate sources — banks, official agencies, or well-known companies to create a sense of urgency or fear to prompt immediate action.
The scammer then uses the stolen information to commit fraud or identity theft, access the victim’s financial accounts, make unauthorized purchases, or even launch further phishing attacks against others.
The Different Types of Phishing Emails
Phishing emails come in all shapes and sizes, each designed to exploit a specific vulnerability or scenario.
Each type of phishing email exploits specific human traits, such as trust, fear, or curiosity. Here are some common types, with phishing email examples of how they might look.
Spear Phishing
Spear phishing targets specific individuals or organizations through highly personalized emails. Attackers use information collected from social media or other sources to make the message seem legitimate.
For example, here’s an email that Phan Sy Cuong, PR specialist at Awesome Motive, the parent brand of WPBeginner, received. At the time the company’s employees received this, they were working with another company for employee insurance.
While the design was professional enough to fool people, the good thing is the company had checks and balances.
“Whenever something strange pops up, we always communicate in our company channel to check if anyone’s receiving the same thing or directly with the one in charge — in this case, it was the HR manager — to ensure it’s something from our company,” says Cuong.
According to Cuong, the team always receives a heads-up if something is coming. “We were also briefed about the insurance we were in touch with before, so we acknowledged that the one in the email wasn’t correct,” Cuong says.
Whaling
A whaling attack is a spear phishing attack that focuses on high-profile targets like CEOs, CFOs, or other senior executives. The goal is usually to steal sensitive information from the company or to initiate fraudulent financial transactions.
For example, the accounting department at the cybersecurity company Heimdal received this series of emails.
The attacker created two email addresses, sent multiple emails between them, and forwarded them to the company’s accounting department. It’s a nice trick to create a series of emails you forward for payment.
Valentin Rusu, the head of research at Heimdal, adds how whaling in particular is “a very dangerous trend since existing security systems work based on a flaw in grammar, suspicious email, suspicious links, and intent.”
When an email doesn’t have any issues like that, a cybersecurity company like Heimdal gives customers a personal, tailored neural network that learns from their data and adapts to their email behavior.
Rusu gives an example. As an incident response manager, Rusu says, it’s normal to receive many malicious URLs and attachments. However, this isn’t normal behavior for a finance department.
“This means you can’t create an email product that works for every scenario, so we built a custom neural network. This personal AI learns from company emails and detects behavior that doesn’t fit the patterns,” Rusu says.
Pharming
Pharming redirects users from legitimate websites to fraudulent ones via DNS hijacking or poisoning to collect personal and financial information. The attack isn’t email-based, but it’s often paired with phishing emails.
Example: An email from your “bank” asking you to log in to your account via a provided link, which then leads you to a fake banking site that looks identical to the real one.
Clone Phishing
Clone phishing involves creating a nearly identical copy of a previously sent email but with malicious links or attachments. The attacker might claim to be resending the email due to a failed delivery attempt or updating the content.
For example, here’s an email imitating a FedEx delivery notification email.
Image Source
Vishing (Voice Phishing)
Vishing, or voice phishing, uses phone calls instead of emails to scam victims. It’s worth mentioning because it often complements email phishing.
For example, a voicemail or direct call claiming to be from your bank, stating suspicious activity on your account and asking you to call back using the provided number, which leads to a scammer.
Smishing (SMS Phishing)
Smishing is similar to phishing but uses SMS texts. It directs users to malicious websites or asks them to provide personal information via text.
For example, here’s a supposed email from the Canadian Revenue Agency that’s enticing me to click the click with a promise of $400.
Phishing emails have become really sophisticated, especially since GenAI tools like ChatGPT have made it quite easy to create personalized phishing emails in seconds.
In fact, here’s an example from Valentin using ChatGPT for the same:
Scary, isn’t it? According to Proofpoint’s 2023 State of the Phish report, around 45% of people don’t know a familiar company brand doesn’t make an email safe.
To increase your chances of being protected against such emails, look out for these six signs:
1. Suspicious Email Addresses
You’ve received an email that looks like it’s from a company you know.
But take a closer look at the sender’s email address and if it’s a jumble of letters or subtle misspellings (like “amaz0n.com”), that’s a red flag. Legit companies have email addresses that match their domain names.
Legit companies also don’t use public domains like @gmail.com, @outlook.com, @yahoo.com, or any other free email service for official communications.
If you receive an email claiming to be from a reputable company but it’s sent from one of these public domains, be wary.
This detail is a key indicator in distinguishing between a genuine email and a potential phishing attempt.
2. Grammar and Spelling Mistakes
Ever cracked open an email and spotted a typo or two? Sure, we all make mistakes, but a message riddled with grammar errors and spelling slip-ups signals a serious problem.
Look out for typos, weird grammar, and sentences that don’t sound right. Also, keep an eye out for awkward phrasing or misuse of common terms — issues like “Dear valued customer, confirm identity by click below.”
Real businesses have proofreaders and spellcheck tools for their emails because they know mistakes don’t make the best impression.
3. Unfamiliar Greetings or Sign-offs
If an email starts with “Dear Customer” or some generic term instead of your name, it might be a scam. The same goes for weird or overly formal sign-offs. It might look formal, but it’s also a sign that the sender doesn’t actually know you.
Legit companies you do business with have your name in their database. The same goes for their sign-offs too. Stiff sign-offs, like a formal “Cordially” from your supposedly casual service provider or an abrupt “Thank you” with no follow-up details, are red flags.
4. Suspicious Links or Attachments
One of the trickiest parts of dealing with phishing emails is sketchy links and attachments. Click on them accidentally, and you might be introducing malware to your computer.
Always check the URL before clicking. If the email says it’s from your bank but the link points somewhere weird (like a random assortment of characters or a site that doesn’t match the bank’s actual URL), that’s your cue to back away.
Also, a common trick is to send a document that claims to be an invoice, a receipt, or a “must-see” offer. But the moment you open it, you could be letting malware or a virus walk right through your system.
The key? Hover over links to see where they’re really taking you (without clicking!). And if there’s an attachment you weren’t expecting, reach out to the sender through a different channel to confirm it’s legit.
5. Requests for Personal Information
No reputable company will ask for sensitive info via email. No matter how official an email looks, remember this — genuine organizations don’t ask for sensitive details like passwords, credit card numbers, or Social Security numbers via email.
For example, an email might say, “We’ve noticed suspicious activity on your account. Please confirm your password to secure your account.” It’s a trap. Real banks and companies have secure processes for handling these situations, and they definitely don’t involve sending sensitive info into the email void.
Here’s what you do: Never, ever reply with your personal info. If you’re even a little bit concerned, go directly to the source. Log into your account through the official website or call the official contact number.
6. Urgent or Threatening Language
Ever gotten an email that makes your heart skip a beat?
“Immediate action required!” or “Your account has been compromised!” — sounds pretty urgent, right? But that’s exactly what phishers want. They use urgent or threatening language to make you react without thinking.
For example, you might see phrases like, “Your account password has expired, update now before you lose access to your account” or “Attempt to deliver your package unsuccessful. Please update your information within the next 24 hours.”
Legit organizations don’t typically scare you into action — they reassure.
Instead, reach out to the company directly using contact information you find through official channels, not email. When someone’s pushing you hard to act fast, it’s probably because they don’t want you to think too much about what you’re doing or consult with anyone else.
Phishing Emails I Could Have Fallen For (And Why I Ultimately Didn’t)
I’ve seen several convincing phishing email examples that could have conned me if not for a few crucial red flags. Here, I’ll share some of those close calls and explain why I ultimately didn’t fall for them.
PayPal
At first glance, the email nails PayPal’s branding with the color scheme and logo to suggest authenticity at a glance. But closer inspection showed numerous spelling errors like “by following link,” “successfuly,” and “at the movement.”
The greeting was also not personal (“Hi dear customer”), which deviates from PayPal’s standard communication style. Plus, the sign-off (“PayPal service”) lacks the professionalism expected from the company.
Netflix
The subject line for this email stated, “Your Membership has been canceled due to payment failed,” which instantly grabbed my attention.
But the content of the email contradicted this message, claiming, “We’ve locked your account, as you asked.” This inconsistency was a clear warning sign.
Apart from this, the closing remark, “Your friends at Netflix,” seemed unusually informal for official Netflix communication.
The most telling sign of a phishing attempt, however, was the sender’s email address: no-reply@talents-connect.fr, a domain distinctly unrelated to Netflix. These signs made it pretty obvious this email was a phishing attempt.
Apple
I got an email that looked a lot like it was from Apple, with the right logo and everything. The greeting was the first red flag — addressed to “Dear Customer” instead of my name.
The email mentioned discrepancies in my account information, threatening to block my iCloud access if not resolved within 24 hours. Phishing attempts use this urgency to trick people into responding quickly and less cautiously.
It gave me a case number, even though I hadn’t contacted Apple regarding anything, so it was irrelevant. Plus, the subject line talked about my AppleID being locked and mentioned changes made from Ontario, which didn’t match the rest of the email’s story.
These things didn’t add up: the weird greeting, the rush to fix my account, the case number out of nowhere, and the mismatched subject line. They all pointed to the email not really being from Apple.
Amazon
I recently received an email from Amazon that, at first glance, appeared to be from the company. The branding seemed accurate and matched Amazon’s color scheme and logo. There were a few discrepancies, though.
The sender’s email address was a nonsensical combination of letters and numbers. There was also an attached file (which is already a red flag) with a random, meaningless name that confirmed the email’s illegitimacy.
The email also attempted to personalize the message using my email address rather than my name.
Plus, the use of “amazon” without proper capitalization, a call-to-action labeled “My Account” that seemed out of context, and an awkward closing remark, “Thank you for doing business with us!”, all contributed to the realization that this email was a phishing attempt.
Phishing No More
Scammers are smart, and they use a lot of tools to make emails that look authentic and convincing. But these tools and attempts are always based on human imagination.
They prey on emotions — fear, urgency, curiosity — to prompt quick, unthinking actions. Recognizing the patterns, like urgent language, requests for personal information, or links that don’t quite match the supposed sender’s website, can be your first line of defense.
Lastly, educate yourself and complement your knowledge with tools like spam filters, antivirus software, and email verification to protect your personal information from falling into the wrong hands.