Progress 0 / 12

Chapters (12)

Email phishing scams

Email remains one of the most common attack vectors for scammers. In this chapter, you’ll learn to identify phishing emails, understand how attackers craft convincing messages, and protect yourself from this pervasive threat.

The Scale of Email Phishing

The numbers tell a compelling story:

989,123 phishing attacks observed by APWG in Q4 2024 alone
5.3 billion phishing emails sent daily worldwide
Microsoft screens 5 billion emails daily for malware and phishing
Gmail blocks 100 million phishing emails every day
70% of phishing emails come from free webmail providers (Gmail, Yahoo, etc.)
Phishing is responsible for 44% of recorded data breaches

Email phishing isn’t going away—it’s getting more sophisticated and harder to detect.

Common Email Phishing Tactics

1. Account Verification Scams

The Setup: You receive an email claiming your account needs verification or will be suspended.

Example:

Subject: “Urgent: Your PayPal account has been limited”

Dear Customer,

We’ve detected unusual activity on your account. Click here to verify your identity within 24 hours or your account will be permanently suspended.

Why it works:

Creates urgency and fear
Exploits trust in familiar brands
Threatens negative consequences

Red flags:

Generic greetings (“Dear Customer” instead of your name)
Urgent timeframes (24-48 hours)
Threats of account suspension
Links to verify information

2. Fake Invoices and Receipts

The Setup: Email appears to be a receipt for a purchase you didn’t make, hoping you’ll click to dispute it.

Example:

Subject: “Your Amazon order #12345 has shipped”

Thank you for your purchase of Sony Headphones ($299.99). View your order details or cancel if this wasn’t you.

Why it works:

You want to check if it’s fraudulent
Creates concern about unauthorized charges
Looks like legitimate receipts

Red flags:

Order for items you didn’t buy
From email addresses slightly different from official domains
Links don’t match official website URLs
Poor formatting or grammar

3. Prize and Lottery Scams

The Setup: Congratulations! You’ve won a prize, lottery, or gift card you never entered.

Example:

Subject: “Congratulations! You’ve won a $500 Amazon Gift Card”

You’ve been randomly selected as a winner! Claim your prize by clicking here and entering your information.

Why it works:

Exploits desire for free money
Creates excitement that overrides caution
Appears to require quick action

Red flags:

Winning contests you never entered
Requests for personal information to claim prize
Requires “small processing fee”
Too good to be true offers

4. Banking and Financial Institution Phishing

The Setup: Email appears to be from your bank about suspicious activity or required updates.

Example:

Subject: “Security Alert: Unauthorized login attempt”

We detected a suspicious login from an unknown device. Please verify your account immediately to prevent unauthorized access.

Why it works:

Banking security is important to everyone
Creates fear of account compromise
Looks official with logos and branding

Red flags:

Email from addresses not matching bank domain
Asks you to click links to verify
Requests sensitive information via email
Generic account information (not your actual account details)

5. Tech Support Scams

The Setup: Email claims to be from Microsoft, Apple, or antivirus companies about security issues.

Example:

Subject: “Microsoft Security Alert: Virus Detected”

Our systems have detected malware on your device. Download this security tool immediately or call our support number.

Why it works:

Fear of computer viruses
Appears to be helping you
Uses official-looking branding

Red flags:

Unsolicited security warnings via email
Phone numbers to call (tech companies don’t operate this way)
Downloadable “security tools”
Pressure to act immediately

Major Brand Impersonations

Microsoft - 35% of All Phishing

Microsoft is the most impersonated brand in phishing attacks:

Fake Office 365 login pages
“Your password is expiring” emails
OneDrive file sharing notifications
Fake account verification requests

What real Microsoft emails do:

Never ask for passwords via email
Don’t send login links
Use consistent official domains
Include your actual account information

Amazon Phishing

Common tactics:

Fake order confirmations
“Account on hold” messages
Prime membership expiration notices
Package delivery problems

What real Amazon emails do:

Show actual orders in your account
Use amazon.com domain (not amazon-secure.com)
Include order numbers you can verify
Never ask for payment information via email

Banking Institution Phishing

All major banks are frequently impersonated:

Wells Fargo, Chase, Bank of America, etc.
Credit card companies (Visa, Mastercard, Amex)
Payment processors (PayPal, Venmo, Zelle)

What real banks do:

Initial contact via mail, not email
Never request passwords or full account numbers
Don’t send login links via email
Use secure messaging within their app/website

The Anatomy of a Phishing Email

Red Flag #1: Sender Address

What to check:

Hover over sender name to see actual email address
Look for slight misspellings (paypa1.com instead of paypal.com)
Free email providers for “business” emails
Extra characters or hyphens (pay-pal.com, paypal-secure.com)

Examples of fake addresses:

support@amazоn.com (using Cyrillic ‘о’)
[email protected]
[email protected]
[email protected] (should be .com)

Red Flag #2: Generic Greetings

Legitimate companies use your name:

❌ “Dear Customer”
❌ “Dear User”
❌ “Dear Account Holder”
✅ “Dear John Smith”

Red Flag #3: Urgent Language

Scammers create artificial urgency:

“Act within 24 hours”
“Immediate action required”
“Your account will be closed”
“Verify now or lose access”

Reality check: Legitimate companies give reasonable timeframes and multiple notifications.

Red Flag #4: Suspicious Links

How to check links safely:

Hover over link without clicking (desktop)
Long-press on link to preview (mobile)
Check if displayed text matches actual URL
Look for legitimate domain names

Example of link mismatch:

Displays: “www.paypal.com/verify”
Actual: “paypal-verify.suspicious-site.com”

Red Flag #5: Poor Grammar and Spelling

While AI has improved scam writing, mistakes still occur:

Awkward phrasing
Inconsistent capitalization
Spelling errors
Translation artifacts

Red Flag #6: Unusual Attachments

Be suspicious of:

Unexpected attachments from “known” senders
File types: .exe, .scr, .zip, .js, .iso
“Invoice.pdf.exe” (double extensions)
Password-protected documents from unknown sources

Red Flag #7: Requests for Sensitive Information

Legitimate companies never request via email:

Passwords or PINs
Social Security numbers
Credit card numbers (full number)
Account credentials
Copies of ID documents

Red Flag #8: Too Good to Be True

If it sounds amazing, it probably is:

“You’ve won $10,000!”
“Free iPhone for taking survey”
“Inheritance from unknown relative”
“Work from home - earn $5000/week”

Red Flag #9: Mismatched Information

Check for inconsistencies:

Email says “Your Apple account” but you don’t have one
Bank name you don’t use
Services you’ve never subscribed to
Orders you never placed

Verification Procedures

Before Clicking ANY Link:

Step 1: Pause Don’t click immediately, even if it seems urgent.

Step 2: Check the Sender Verify the actual email address, not just the display name.

Step 3: Independently Verify

Type the company website yourself
Use official app instead
Call using phone number from company’s official website
Check your account directly (not through email link)

Step 4: Look for Red Flags Review the checklist above—any red flags?

Step 5: When in Doubt, Don’t If something feels off, don’t click. Delete it.

Safe Practices:

For Important Accounts:

Bookmark official websites
Use official apps instead of email links
Enable two-factor authentication
Set up account alerts for unusual activity

For Email Links:

Never click links in unsolicited emails
Type URLs manually
Use bookmarks for frequent sites
Verify through independent channels

For Attachments:

Don’t open unexpected attachments
Scan with antivirus first
Verify sender through alternative method
When in doubt, ask sender directly (not via reply)

Real-World Examples

Example 1: The PayPal Phish

Email received:

From: PayPal Security <[email protected]>
Subject: Urgent: Verify your account

Dear Valued Customer,

We have detected unusual activity. Click here to verify within 24 hours
or your account will be limited.

[Verify Account Now]

Red flags:

Wrong domain (paypal-verify.com)
Generic greeting
Urgent 24-hour deadline
Link to verify account

Correct action:

Don’t click link
Log into PayPal directly via browser
Check for actual notifications there

Example 2: The Amazon Order

Email received:

From: Amazon <[email protected]>
Subject: Your order of iPhone 15 has shipped

Order #123-4567890-1234567
iPhone 15 Pro - $1,199.99

Track your package or cancel if you didn't order this.

Red flags:

Wrong domain (.net instead of .com)
Expensive item you didn’t order
Designed to create panic

Correct action:

Log into Amazon account directly
Check actual orders
Don’t click email links

Example 3: The Microsoft Security Alert

Email received:

From: Microsoft Security Team <[email protected]>
Subject: Security Alert: Password expiring

Your password will expire in 2 hours. Click here to renew or
you will lose access to your account.

Red flags:

Wrong domain (microsoft-365.com)
Artificial 2-hour urgency
Passwords don’t expire in hours
Link to “renew” password

Correct action:

Ignore the email
Microsoft doesn’t operate this way
Change password directly if concerned

What Legitimate Companies Actually Do

They DON’T:

Send unsolicited emails with login links
Request sensitive information via email
Create artificial urgency (hours/days)
Threaten account suspension without warning
Ask for passwords or full account numbers
Send verification links via email

They DO:

Use your actual name
Send secure messages through their app/website
Provide reasonable timeframes
Send multiple notifications before actions
Use consistent official email domains
Include verifiable account details

If You’ve Clicked a Phishing Link

Immediate actions:

Don’t enter information - Close browser immediately
Change passwords - For the affected account (from secure device)
Enable 2FA - If not already active
Monitor accounts - Check for unauthorized activity
Run antivirus scan - Check for malware
Report it - Forward to [email protected]

Within 24 hours:

Check bank statements - Look for unauthorized charges
Monitor credit - Watch for identity theft signs
Update passwords - For accounts using same password
Alert contacts - If your email was compromised

Key Takeaways

989,123 phishing attacks observed in Q4 2024
70% come from free email providers like Gmail
Microsoft is most impersonated brand (35% of attacks)
Always verify independently before clicking links
Hover over links to see actual destination
Generic greetings and urgent language are red flags
Legitimate companies never request passwords via email
Type URLs manually instead of clicking email links
Enable 2FA on all important accounts
When in doubt, don’t click - verify through official channels

Remember: Scammers are professionals who craft convincing emails. Even tech-savvy people can be fooled when caught at the wrong moment. The best defense is to pause, verify, and never trust email links for sensitive actions.

Next chapter: We’ll explore smishing (SMS phishing) - text message scams that have an even higher success rate than email phishing.