
15 Real Email Phishing Examples (and Exactly Why Each One Works)

AI Emaily Team · 33 min read

The short answer

Email phishing examples follow a handful of repeatable scripts: a fake invoice, a locked account, a CEO asking for gift cards, a delivery fee, a password reset. Each leans on urgency, a lookalike sender, and a single link. Once you know the script, you can spot a new variant in seconds.

15 real email phishing examples for 2026 — fake invoices, locked accounts, CEO fraud, delivery scams — with the exact red flags that give each one away.

On this page
  1. How do you read a phishing email before you click?
  2. Example 1: The fake invoice / payment-due email
  3. Example 2: The "your account has been locked" email
  4. Example 3: The CEO / executive-fraud email (BEC)
  5. Example 4: The package-delivery scam (USPS, FedEx, UPS)
  6. Example 5: The fake password-reset email
  7. Example 6: The IRS / tax-refund scam email
  8. Example 7: The gift-card request
  9. Example 8: The Microsoft 365 credential-harvest email
  10. Example 9: The Google / Gmail security-alert email
  11. Example 10: The subscription auto-renewal scam
  12. Example 11: The bank fraud-alert email
  13. Example 12: The shared-document / file-share lure
  14. Example 13: The MFA-code / verification-fatigue lure
  15. Example 14: The spear-phishing email (targeted and personal)
  16. Example 15: The QR-code phishing email (quishing)
  17. What patterns repeat across every phishing example?
  18. What should you do when a phishing email lands?
  19. How AI Emaily catches these phishing examples automatically
  20. The bottom line on spotting phishing examples

The fastest way to stop falling for phishing is to read a lot of it. Not the theory — the actual emails. Once you have seen twenty fake invoices, the twenty-first announces itself. The urgent tone, the slightly-wrong sender address, the one button that wants your password: the pattern repeats because it works, and because attackers reuse the templates that convert.

This guide is a field collection of email phishing examples — fifteen of them, drawn from the scripts security teams and government agencies report most often in 2026. Each one is laid out the way it would actually land in your inbox, followed by the specific tells that expose it. The point is not to memorize fifteen emails. It is to learn the moves underneath them so any new message that pulls the same levers feels off before you click.

We will keep this practical. No jargon you do not need. By the end you will have a working mental checklist, a cross-pattern table you can screenshot, and a calm, repeatable response for the moment one of these shows up — because it will. Phishing is still the entry point for the large majority of email-based attacks, and the lures have only gotten more polished as attackers fold AI into their writing.

If you want the companion pieces, start with our breakdown of how to spot a phishing email — twelve red flags that apply to every example below — and our running roundup of the most common email scams in 2026, which widens the lens from phishing to the full catalog of inbox fraud.

How do you read a phishing email before you click?

Every example in this guide is a variation on the same six-part anatomy. Learn the parts and you can dissect any suspicious message in under a minute, regardless of which brand it impersonates or which emotion it pulls.

Read in this order. Most phishing fails one of the first three checks, so you rarely need to get to the bottom.

  1. The real sender address, not the display name

     Display names are free to fake. Tap or hover to reveal the actual address behind "PayPal" or "Microsoft." Look for lookalike domains (paypa1.com, micosoft-secure.net), public domains pretending to be a company (apple-support@gmail.com), or a Reply-To address that differs from the From address.

  2. The link destination, before you visit it

     Hover over every link (long-press on mobile) and read the real URL. The visible text can say anything. Watch for misspelled brands, an unrelated domain, a long subdomain that buries the real host (login.microsoft.attacker.com), or a link shortener hiding the destination entirely.

  3. The emotional push — urgency, fear, or authority

     Phishing manufactures a reason you cannot pause. Account suspended in 24 hours, payment overdue, your boss needs this now. Legitimate organizations rarely demand instant action by email. The pressure itself is the tell.

  4. The greeting and the details

     Generic openers ("Dear Customer," "Dear user") suggest a blast to thousands. Real services that hold your account usually know your name. But note the reverse trap: a spear-phishing message that does use your name and job title is more dangerous, not safer — see example 14.

  5. The ask

     What does this email actually want you to do? Confirm a password, pay a fee, buy gift cards, open an attachment, approve a login. Map the ask to the channel. No bank fixes "suspicious activity" by having you enter your full password into an emailed link, and no executive settles vendor invoices over text.

  6. The mismatch between story and mechanics

     Step back and ask whether the story holds up. A package you never ordered. A renewal for software you do not use. An invoice from a vendor you have never heard of. When the narrative does not match your reality, the polish of the email is irrelevant.

Authentication can pass and the email can still be fake

In 2026, security researchers documented credential-harvesting forms hosted on Microsoft's own forms.cloud.microsoft domain — emails that passed SPF, DKIM, and DMARC because they were sent from genuinely compromised Microsoft 365 accounts. "It passed the spam filter" and "the headers check out" are not proof of safety. The ask and the destination still matter most.
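Checks 1 and 2 above, plus the authentication caveat, can be turned into a small mechanical triage. The Python below is an added illustration, not code from the original post: it pulls the real From, Reply-To and link hosts out of a raw message and flags lookalike domains, brands on public mail domains, brand names buried in a subdomain, and link shorteners, while reading the SPF/DKIM/DMARC verdicts for context only. The brand allow-list, the last-two-labels domain rule, and the sample message are assumptions constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands named on this page and the registered domains that really belong to them.
# Assumption: this short allow-list stands in for a proper brand database.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "office.com"},
    "apple": {"apple.com", "icloud.com"},
    "usps": {"usps.com"},
    "google": {"google.com", "gmail.com"},
}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # paypa1 -> paypal
URL_RE = re.compile(r"https?://[^\s<>]+")

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); assumption: no public-suffix list offline."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typosquats (micosoft)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brands_in(text: str) -> set:
    """Brands found in any dot/hyphen/space-separated piece, verbatim or one edit away."""
    found = set()
    for piece in re.split(r"[.\-\s]+", text.lower().translate(HOMOGLYPHS)):
        for brand in BRAND_DOMAINS:
            if brand in piece or (len(piece) >= 4 and edit_distance(piece, brand) <= 1):
                found.add(brand)
    return found

def address_flags(header_value: str, field: str):
    """Check 1: a brand claimed in the name, local part or host of a From/Reply-To
    value whose registered domain does not belong to that brand."""
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        return [], ""
    local, host = addr.rsplit("@", 1)
    reg = registered_domain(host)
    flags = []
    for brand in brands_in(name) | brands_in(local) | brands_in(host):
        if reg not in BRAND_DOMAINS[brand]:
            where = "public mail domain" if reg in FREE_MAIL else "lookalike domain"
            flags.append(f"{field}: '{brand}' on {where} ({reg})")
    return flags, reg

def link_flags(url: str) -> list:
    """Check 2: shortener, brand buried in a subdomain, or lookalike registered domain."""
    host = (urlparse(url).hostname or "").lower()
    reg = registered_domain(host)
    flags = [f"link: shortener hides destination ({reg})"] if reg in SHORTENERS else []
    for brand in brands_in(host):
        if reg in BRAND_DOMAINS[brand]:
            continue
        if brand in brands_in(reg):
            flags.append(f"link: lookalike domain for '{brand}' ({reg})")
        else:
            flags.append(f"link: '{brand}' buried in a subdomain of {reg}")
    return flags

def auth_results(msg) -> dict:
    """SPF/DKIM/DMARC verdicts, for context only: a pass removes no flag."""
    header = msg.get("Authentication-Results", "").lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def triage(raw_email: str) -> dict:
    """Run the sender, Reply-To and link checks over one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    flags, from_reg = address_flags(msg.get("From", ""), "from")
    reply_flags, reply_reg = address_flags(msg.get("Reply-To", ""), "reply-to")
    flags += reply_flags
    if reply_reg and reply_reg != from_reg:
        flags.append(f"reply-to domain ({reply_reg}) differs from from ({from_reg})")
    body = "" if msg.is_multipart() else msg.get_payload()
    for url in URL_RE.findall(body):
        flags += link_flags(url)
    return {"flags": flags, "auth": auth_results(msg)}

# Constructed sample modelled on example 2 below; the Authentication-Results line
# is made up to show that a clean SPF/DKIM/DMARC pass changes nothing.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass dkim=pass dmarc=pass
From: PayPal Service <service@paypal-account-review.com>
Reply-To: PayPal Support <support@paypa1.com>
Subject: [Action Required] Your account access has been limited

We detected unusual activity. Restore access: https://paypal-account-review.com/verify
"""
```

Calling `triage(SAMPLE)` returns four flags (lookalike From, lookalike Reply-To, From/Reply-To mismatch, lookalike link) next to an all-pass authentication result, which is exactly the combination the callout above warns about.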

Example 1: The fake invoice / payment-due email

The fake-invoice lure is one of the most durable scripts in email fraud, and it works on both consumers and businesses. The email attaches or links to an "invoice" for a purchase you do not remember, then offers a phone number or link to "dispute" the charge. Sometimes there is no attachment at all — just a number to call, which routes you to a fake support agent (a hybrid known as callback phishing).

The genius of the script is reverse psychology: it does not ask you to pay. It bets you will panic at being charged for something you never bought and reach out to cancel it — handing your details, or remote access to your computer, to the "agent" on the other end.

  • Lookalike sender domain (gkqsquad-renewals.com) that is not the company's real address.
  • A charge you do not recognize, designed to make you act before you think.
  • A phone number instead of a real account dashboard — the call is the trap.
  • A 24-hour deadline and a threat that refunds expire, manufacturing urgency.
  • Generic "Dear Customer" greeting and a large, round dollar amount.
Fake invoice email
From: Geek Squad Billing <support@gkqsquad-renewals.com>
Subject: Your subscription has been renewed — INV-90817734
To: you@example.com
Body: Dear Customer, thank you for renewing your annual protection plan. Your card has been charged $429.99 for the 2026 term.
If you did not authorize this renewal, call our cancellation desk within 24 hours to receive a full refund: +1 (888) 555-0142.
Invoice attached. Refunds cannot be processed after the billing window closes.

The reflex that defeats fake invoices

Never use the phone number, link, or attachment in the email itself. If you genuinely have an account with the company, open a new browser tab, type the address yourself, and check your billing there. A charge that exists will show up; one that does not was never real.

Example 2: The "your account has been locked" email

This is the workhorse of credential phishing. The message claims your account has been suspended, locked, or limited because of "suspicious activity" or a "failed security check," and the only way to restore it is to click a button and verify your identity. The button leads to a near-perfect copy of the real login page, which captures whatever you type.

PayPal, Apple, Amazon, and major banks are impersonated this way constantly because almost everyone has at least one such account, so the lure lands on enough real customers to pay off. The 2026 versions are visually flawless — pixel-matched logos, correct fonts, valid-looking footers.

  • Domain that bolts an extra word onto the brand (paypal-account-review.com is not paypal.com).
  • Vague "unusual activity" with no specifics — no date, device, or amount.
  • A countdown to permanent suspension to short-circuit your judgment.
  • A button that takes you to a login page off the real domain.
  • The real fix for a limited account is always inside the official app or site, never a one-click email link.
Account-locked email
From: PayPal Service <service@paypal-account-review.com>
Subject: [Action Required] Your account access has been limited
Body: We detected unusual activity on your account and have temporarily limited some features for your protection.
To restore full access, confirm your information within 24 hours. After this period your account may be permanently suspended.
Button: Confirm My Account → (links to paypal-account-review.com/verify)

Example 3: The CEO / executive-fraud email (BEC)

Business email compromise is the most expensive form of phishing by a wide margin, and the CEO-fraud variant is its signature move. An employee — usually in finance, HR, or an executive assistant role — receives a short, urgent note that appears to come from the CEO or a senior leader, asking for an unusual favor: a wire transfer, a batch of gift cards, a change to vendor payment details, or a copy of employee payroll data.

What makes it work is not technical sophistication but social engineering. The message is brief, slightly informal, and leans on authority and time pressure. There is no link or attachment to flag — just a request that feels plausible inside a real workflow. The sender address is often a free account spoofing the executive's name, or a lookalike domain one character off the company's.

  • Executive's name on a free email account (gmail.com) instead of the company domain.
  • Urgency plus secrecy — "time-sensitive," "discreet," "between us" — to keep you from verifying.
  • An excuse for why they cannot be reached by phone, blocking your easiest check.
  • A request that bypasses normal approval steps for payments or sensitive data.
  • "Sent from my iPhone" to excuse the terse tone and any odd phrasing.
CEO-fraud email
From: Dana Whitfield <dana.whitfield.ceo@gmail.com>
Subject: Quick favor — are you at your desk?
Body: Hi, I'm stuck in back-to-back meetings and can't take calls. I need you to handle something time-sensitive and discreet for me.
We need to process a payment to a new vendor today before the deadline. How quickly can you do a wire? Reply here and I'll send the details. Keep this between us for now.
Sent from my iPhone

Verify on a second channel, every time

BEC defeats inbox-only checks because there is nothing malicious to scan — just a believable request. The fix is procedural: any payment, payroll change, or gift-card request that arrives by email gets confirmed through a different channel you already trust (a known phone number or in person), never by replying to the email. For a full breakdown, see our guide on business email compromise.

Example 4: The package-delivery scam (USPS, FedEx, UPS)

Delivery scams exploded with online shopping and have not slowed. The lure claims a package could not be delivered because of an "incomplete address" or an "unpaid fee," and asks you to click a link to reschedule or pay a small charge. The fee is tiny on purpose — a dollar or two feels too small to be a scam — but the real goal is the card details and personal information you enter on the fake delivery site.

These often arrive as texts (smishing) as well as emails, and the volume is staggering: Americans reported losing roughly $470 million to package-delivery and related text scams in 2024 alone, according to FTC data summarized in consumer-protection reporting. The single most useful fact to remember: USPS and the major carriers do not send unsolicited texts or emails with tracking links unless you specifically signed up for them.

  • Carrier name welded onto an unofficial domain (the real one is usps.com).
  • A package you may not be expecting — or a tracking number you cannot match to an order.
  • A tiny "redelivery fee," which legitimate carriers do not collect by text or email link.
  • Urgency (24 hours) and a threat to return the package.
  • Carriers do not send tracking links you did not request.
Delivery scam email
From: USPS Delivery <notice@usps-redelivery-track.com>
Subject: USPS: Your package is on hold — action needed
Body: We attempted to deliver your parcel (tracking #US9514901185421) but were unable to complete delivery due to an incomplete address.
Please confirm your address and pay the $1.99 redelivery fee within 24 hours, or your package will be returned to sender.
Button: Update Address & Pay → (links to usps-redelivery-track.com)

Example 5: The fake password-reset email

A password-reset notice is one of the most effective phishing lures because it inverts the usual fear. Instead of telling you something is wrong, it tells you someone is trying to break in — "a password reset was requested for your account" — and offers two buttons: one to continue the reset, one to cancel it if it wasn't you. Either button leads to the same harvesting page.

The "this wasn't me" button is the clever part. A cautious person who would never click "reset password" out of nowhere will gladly click "secure my account," because they are trying to do the right thing. Both routes ask you to log in, and the fake login page captures your real credentials.

  • Sender domain that rearranges the brand name (id-apple-verify.com is not apple.com).
  • A reset you never requested, used to trigger a protective reflex.
  • Both buttons lead to a login page designed to capture your password.
  • If you are worried about a reset notice, go directly to the official site and change your password there — never through the email.
  • Real reset emails contain a code or link to set a new password, not a demand to "log in to secure" the account.
Fake password-reset email
From: Apple ID <appleid@id-apple-verify.com>
Subject: Your Apple ID password reset request
Body: We received a request to reset the password for your Apple ID. If you made this request, you can ignore this email.
If you did NOT request this, your account may be at risk. Secure it now to prevent unauthorized access.
Button: This wasn't me — secure my account →

Example 6: The IRS / tax-refund scam email

Tax-themed phishing spikes every filing season and features prominently on the IRS "Dirty Dozen" list of top scams for 2026. The email impersonates the IRS or a tax-prep service and either dangles a refund you can claim by "verifying" your details, or threatens penalties, audits, or arrest over an unpaid balance. Both versions push you to a fake form that collects your Social Security number, date of birth, and bank details — everything needed for identity theft.

The defining fact here is simple and worth memorizing: the IRS does not initiate contact by email or text to request personal or financial information, and it never demands payment by gift card, cryptocurrency, or wire transfer. Any email that does either is fake, no matter how official the seal looks.

  • A .com domain dressed up to look governmental — the real IRS uses irs.gov, never irs-gov-treasury.com.
  • An unexpected refund used as bait, or a threat of penalties used as a stick.
  • A request for your SSN, date of birth, or bank details over an emailed form.
  • Awkward phrasing ("your fiscal activity") and a tight deadline.
  • The IRS never asks for gift cards, crypto, or wire transfers — and never opens contact by email.
IRS refund scam email
From: Internal Revenue Service <refunds@irs-gov-treasury.com>
Subject: Notice: You are eligible for a tax refund of $1,284.00
Body: After the latest review of your fiscal activity, we have determined that you are eligible to receive a tax refund.
To receive your refund, please submit the refund form with your verified information within 48 hours. Failure to do so may result in forfeiture of the amount.
Button: Claim My Refund → (links to irs-gov-treasury.com/refund)

Where to report a tax scam

Forward suspected IRS-impersonation emails to phishing@irs.gov, then delete them. Do not reply, click, or open attachments. If you think your tax identity has been exposed, the IRS Identity Protection PIN program and IdentityTheft.gov are the official next stops.

Example 7: The gift-card request

Gift-card scams are a flavor of business email compromise pointed at a single, fast-moving ask. The message — often impersonating a boss, a pastor, a school principal, or a familiar colleague — claims to be in a meeting or traveling and needs you to buy gift cards quietly on their behalf, promising to reimburse you. Once you scratch off the cards and send the codes, the money is gone instantly and is effectively unrecoverable.

Gift cards are the perfect instrument for fraud: they are anonymous, instant, and irreversible. That is precisely why no legitimate employer, agency, or institution will ever ask you to pay for anything — a debt, a bill, a favor — with gift-card codes. The request itself is the entire red flag.

  • A familiar name on the wrong email address (a personal outlook.com instead of the work domain).
  • An excuse for being unreachable by phone, so you cannot verify.
  • The specific ask to buy gift cards and send the codes — never legitimate.
  • Secrecy framing ("keep it quiet," "it's a surprise") to discourage you from checking.
  • A promise to reimburse "today," which never comes.
Gift-card request email
From: Marcus Bell <m.bell.director@outlook.com>
Subject: Need your help with something
Body: Are you available? I'm tied up in a meeting and can't talk right now, but I need a quick favor.
I need to get some gift cards for a client appreciation gift and I'm out of the office. Can you grab five $200 Apple gift cards from the store? Scratch the back and send me the codes — I'll reimburse you today. Keep it quiet, it's a surprise.

Example 8: The Microsoft 365 credential-harvest email

Microsoft 365 is the single most-impersonated brand in phishing, because a working set of M365 credentials unlocks email, files, and chat for an entire organization. The classic lure is a fake notification: your mailbox is over quota, your password expires today, you have quarantined messages to review, or you must "re-authenticate" to keep access. The button leads to a login page that mirrors Microsoft's, and your password — plus, increasingly, your multi-factor code — flows straight to the attacker.

The 2026 versions are alarming because they bypass old defenses. Researchers documented campaigns that hosted the credential form on Microsoft's own forms.cloud.microsoft domain and arrived from compromised-but-legitimate M365 accounts, so they passed SPF, DKIM, and DMARC. The FBI separately warned about Kali365, a phishing-as-a-service kit that steals OAuth access tokens — meaning attackers can hijack a session without ever capturing your password or tripping your MFA. "The login page looked real" is no longer a safe standard.

  • Not a microsoft.com address — m365-secure-notice.com is attacker-controlled.
  • A manufactured deadline ("expires in 4 hours") and a threat of losing email access.
  • "Keep your current password" is a nonsense action that still routes you to a login page.
  • Be suspicious of any message asking you to re-enter your work password from a link.
  • Even a page on a real Microsoft domain can be a harvesting form — judge the ask, not just the URL.
Microsoft 365 phishing email
From: Microsoft 365 <no-reply@m365-secure-notice.com>
Subject: Action required: your password expires today
Body: Your Microsoft 365 password for you@company.com expires in 4 hours. To avoid interruption to your email and Teams, keep your current password using the link below.
Button: Keep Current Password → (links to m365-secure-notice.com/login)
Microsoft Corporation · Please do not reply to this message.

Example 9: The Google / Gmail security-alert email

Google's own security-alert design is so widely recognized that attackers copy it directly. The fake version mimics the familiar "Critical security alert" or "New sign-in on Windows" email, complete with a device, location, and time, then offers a "Check activity" or "Was this you?" button. The button leads to a counterfeit Google sign-in page, and entering your password — and any 2-step code — hands over your account.

Because a Gmail account is often the recovery address for everything else you own, a successful Google phish is a master key. The attacker resets your other passwords from your own inbox. Real Google alerts do appear in your inbox, which is exactly why the fakes are so effective — the safe move is to ignore the email's buttons and check your account activity directly at myaccount.google.com.

  • Sender domain that is not google.com (accounts-google-security.com is fake).
  • A scary far-away sign-in location to trigger an immediate, fearful click.
  • A "Review Activity" button that lands on a fake sign-in page.
  • The real version of this alert exists — which is why you should verify at myaccount.google.com, not via the link.
  • Any prompt to re-enter your Google password after clicking an email link deserves suspicion.
Fake Google security alert
From: Google <no-reply@accounts-google-security.com>
Subject: Critical security alert — new sign-in on Windows
Body: Your Google Account was just signed in to from a new Windows device in Lagos, Nigeria. If this wasn't you, your password may have been compromised.
Button: Review Activity → (links to accounts-google-security.com)
You received this email to let you know about important changes to your Google Account.

Example 10: The subscription auto-renewal scam

Subscription-renewal phishing is a close cousin of the fake invoice, usually impersonating antivirus brands (Norton, McAfee), streaming services, or productivity software. The email confirms that your subscription has "auto-renewed" for a hefty annual fee and provides a number or link to cancel or dispute it. As with fake invoices, the renewal you never authorized is the bait, and the cancellation step is the trap.

Antivirus brands are favored impersonations for a cynical reason: the lure plays on your sense of security. "You're protected — and here's the bill" feels routine, so the surprising part is only the price. When you call to dispute the charge, a fake agent walks you through installing remote-access software or reading out your card number for a "refund."

  • Brand name on an off-brand domain (norton-renewal-center.com).
  • A renewal and a large charge you do not remember authorizing.
  • A phone number to "cancel" instead of a real account portal — the call is the scam.
  • A 24-hour window to pressure you into calling before you can think.
  • Refunds and cancellations for real subscriptions happen inside your account, not via a number in the email.
Subscription renewal scam email
From: NortonLifeLock <billing@norton-renewal-center.com>
Subject: Your Norton 360 Deluxe has been renewed — Order #NRT5589021
Body: Thank you for being a valued customer. Your Norton 360 subscription has been automatically renewed for 1 year.
Amount charged: $389.99 · Payment method: card on file
To cancel this subscription or request a refund, contact our billing support at +1 (877) 555-0198 within 24 hours.

Example 11: The bank fraud-alert email

Bank-alert phishing mimics the genuine fraud notifications that banks really do send, which makes it especially convincing. The email claims a large or unusual transaction was just attempted and asks you to confirm or decline it. Whether you click "Yes, this was me" or "No, block it," you land on a fake banking login that captures your credentials — and often a follow-up page that asks for your full card number, PIN, or one-time passcode "to verify your identity."

The strongest tell with bank phishing is the demand for information your bank already has or would never request by email: your full card number, your PIN, your online-banking password, or a security code you received by text. Banks investigate suspected fraud through their app and their published phone number, not through a form linked in an email.

  • Domain that is not the bank's real one (chase-secure-alerts.com is not chase.com).
  • A specific, alarming charge engineered to make you act on instinct.
  • Both response buttons lead to a fake login designed to capture your credentials.
  • A follow-up request for your full card number, PIN, or one-time code — your bank never asks for these.
  • The safe move is to call the number on the back of your card, not the one in the email.
Bank fraud-alert email
From: Chase Fraud Alert <alerts@chase-secure-alerts.com>
Subject: Did you authorize a $642.00 payment?
Body: We've detected a transaction that may be fraudulent on your account ending in 4471: $642.00 to ELECTRONICS DIRECT LLC.
If you do not recognize this transaction, verify your identity immediately to block the payment and secure your account.
Button: This Was Not Me → (links to chase-secure-alerts.com/verify)

Example 12: The shared-document / file-share lure

File-sharing phishing rides on tools people use all day: a notification that a colleague, client, or vendor has "shared a document with you" via a service like SharePoint, Google Docs, Dropbox, or DocuSign. The email looks like a routine collaboration notice, and the "View document" or "Review and sign" button leads to a fake login page for the file service — once again harvesting your work credentials.

These thrive in busy workplaces because opening shared files is muscle memory. The most convincing versions name a real coworker or a recent project, which means they often follow an earlier account compromise — the attacker is already inside one mailbox and is using it to phish the rest of the company from a trusted address.

  • Service name on a fake domain (sharepoint-docshare.com is not a Microsoft address).
  • A document or sender that may look familiar — a sign the attacker has inside knowledge or a hijacked account.
  • A prompt to "sign in with your work account" on a page reached from an email link.
  • Genuine shares from your tools open without re-entering your password on an unfamiliar page.
  • When in doubt, open the file service directly and check your shared-with-me list there.
Fake shared-document email
From: Microsoft SharePoint <no-reply@sharepoint-docshare.com>
Subject: Jordan Reyes shared "Q2 Budget Final.xlsx" with you
Body: Jordan Reyes has shared a file with you. This link will only work for the intended recipient.
Button: Open in SharePoint → (links to sharepoint-docshare.com/auth)
Please sign in with your work account to view this file.

Example 13: The MFA-code / verification-fatigue lure

As more accounts require multi-factor authentication, attackers have shifted to stealing the second factor too. One email variant claims there was a suspicious sign-in and asks you to reply with, or enter, the verification code you are about to receive by text — a code the attacker triggered by trying to log in as you. Another pairs the email with a flood of real push prompts (MFA fatigue), betting you will eventually approve one just to make the buzzing stop.

The rule is absolute: a one-time code is yours alone. No legitimate company — not your bank, not Microsoft, not your email provider — will ever ask you to share a verification code by email, text, or phone. If a code arrives that you did not request, someone has your password and is trying to get past your MFA. Do not enter it anywhere or approve any prompt; change your password instead.

  • Asks you to hand over a one-time code — which no real service ever does.
  • Arrives right as a real code lands, because the attacker is trying to log in as you.
  • Frames sharing the code as a "security step," reversing its actual purpose.
  • A code you did not request means your password is already compromised.
  • Never approve an unexpected push prompt — deny it and change your password.
MFA-code phishing email
From: Account Security <security@account-verify-team.com>
Subject: Verify it's you — confirmation code required
Body: We blocked a sign-in attempt to your account. To confirm your identity and unlock access, enter the 6-digit verification code we just sent to your phone.
Button: Enter Verification Code →
This step protects your account from unauthorized access.

Example 14: The spear-phishing email (targeted and personal)

Spear phishing is the tailored cousin of the mass-blast examples above. Instead of "Dear Customer," it uses your name, your job title, your employer, a recent conference you attended, or a vendor you actually work with — details scraped from LinkedIn, your company website, or a prior breach. The personalization disarms the usual "generic greeting" red flag and makes the request feel legitimate.

These campaigns have grown sharply more convincing as attackers use AI to write clean, context-aware messages at scale and to mimic a specific person's tone. A spear-phishing email might reference a real project and ask you to review an attached "updated contract," or pose as a recruiter with a tailored offer. Because the details are right, the only reliable defenses are the mechanics — the sender address, the link destination, and out-of-band verification of any unusual ask.

  • Uses your name and a real-sounding project — personalization is the disguise, not a safety signal.
  • A near-miss domain (northgate-partners-llp.com) that resembles a real partner's address.
  • A plausible business request — updated banking details — that quietly redirects payments.
  • An attachment that may carry malware or new payee information.
  • Verify any change to payment details by calling the contact on a number you already have, not the one in the signature.
Spear-phishing email
From: Priya Nadkarni <priya@northgate-partners-llp.com>
Subject: Re: Northgate vendor agreement — updated terms
Body: Hi Sam, great speaking at the Tuesday review. As discussed, I've attached the revised vendor agreement with the updated payment terms for the Q3 rollout.
Could you confirm receipt and forward to accounts payable today so we don't miss the cycle? Let me know if the new banking details on page 3 look right.
Attachment: Northgate_Vendor_Agreement_v3.docx

Personalization makes phishing more dangerous, not less

The instinct that "it knew my name, so it must be real" is exactly what spear phishing exploits. In 2026, AI-written lures routinely include accurate names, roles, and project references. Treat the sender address, link destination, and any unusual ask as the deciding factors — never the friendliness or specificity of the message.

Example 15: The QR-code phishing email (quishing)

QR-code phishing — "quishing" — swaps the clickable link for an image of a QR code, and it has become a favorite precisely because it sidesteps the link-scanning that catches ordinary phishing. The email asks you to scan the code to view a voicemail, reset your password, complete an MFA setup, or read a "secure document." Because the malicious URL is encoded inside an image, many email filters never see it, and you complete the scan on your phone — a device that may have weaker protection than your work computer.

Quishing also exploits the trust gap between devices: an email arrives on your monitored corporate laptop, but the scan and the credential entry happen on your personal phone, outside many security controls. The defense is to treat any unexpected QR code in an email exactly like an unexpected link — do not scan it, and reach the service directly instead.

  • A QR code in place of a normal link, which slips past many email link scanners.
  • Pushes you to complete the action on your phone, away from work-device protections.
  • Impersonates internal IT with a lookalike domain (company-it-portal.com).
  • Urgency ("by end of day") plus a threat of losing email access.
  • Treat unexpected QR codes like unexpected links — never scan; go to the source directly.
QR-code phishing email
From: IT Service Desk <helpdesk@company-it-portal.com>
Subject: Action required: re-enroll your Microsoft Authenticator
Body: Our security policy requires all employees to re-enroll multi-factor authentication by end of day. Scan the QR code below with your phone to complete setup and avoid losing email access.
[ QR CODE IMAGE ] Scan to re-enroll → (encodes a link to company-it-portal.com/mfa)
Thank you, IT Service Desk

What patterns repeat across every phishing example?

Lay the fifteen examples side by side and the disguises fall away. Almost all of them combine the same three ingredients: a sender pretending to be someone trusted, a single emotional lever, and one action that compromises you. The table below maps each example to its core lure and its sharpest tell — a quick-reference you can screenshot.

| Phishing example | Pretends to be | Emotional lever | Sharpest red flag |
|---|---|---|---|
| Fake invoice | A retailer or service | Surprise charge | Phone number to "dispute," not a real account |
| Account locked | PayPal, Apple, bank | Fear of losing access | Lookalike domain + login link |
| CEO fraud (BEC) | Your executive | Authority + urgency | Boss on a free email asking for money/data |
| Package delivery | USPS, FedEx, UPS | Missed package | Tracking link or fee you never requested |
| Password reset | Apple, Google, etc. | Account at risk | A reset you never started |
| IRS / tax | Internal Revenue Service | Refund or penalty | Gov agency emailing for SSN / payment |
| Gift card | A boss or leader | Helpfulness + secrecy | Any request to buy gift cards |
| Microsoft 365 | Microsoft | Losing email access | Re-enter work password from a link |
| Google alert | Google | Scary new sign-in | Verify via link, not myaccount.google.com |
| Subscription renewal | Norton, McAfee, etc. | Surprise charge | Number to "cancel," not your account portal |
| Bank alert | Your bank | Possible fraud | Asks for full card number, PIN, or code |
| Shared document | SharePoint, DocuSign | Routine collaboration | Sign in to view a file from a link |
| MFA code request | Account security | Suspicious sign-in | Asks you to share a one-time code |
| Spear phishing | A real contact | Familiarity | Right details, wrong sender address |
| QR code (quishing) | IT or a service | Mandatory deadline | A QR code instead of a normal link |

Three takeaways carry across the whole table. First, the sender's display name is theater; the real address is the evidence. Second, urgency is engineered — almost every example invents a deadline, because a calm person checks and a rushed person clicks. Third, the dangerous action is almost always one of five: log in here, pay this, buy gift cards, open this file, or approve this code. If a message combines a pretend-trusted sender, a deadline, and one of those five asks, you are looking at phishing until proven otherwise.
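The three-ingredient rule above (a pretend-trusted sender, an engineered deadline, one of the five dangerous asks) is concrete enough to turn into triage code. The block below is an added example, not AI Emaily's code or any product's detection logic. It scores a message on each ingredient, and also covers the quishing case from Example 15 (a QR image standing in for a link) and the spear-phishing case from Example 14 (a known contact's name on an unfamiliar address). The brand-to-domain map, the address book, the keyword lists and the three sample messages are all constructed for the example; the regexes are deliberately simple heuristics, and real mail will need tuning.

```python
"""Heuristic phishing triage based on the article's three-ingredient rule.
Added example; not AI Emaily's code. Lists and sample messages are constructed."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands a display name may claim, and the domains they really send from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
    "paypal": {"paypal.com"},
    "usps": {"usps.com"},
    "it service desk": {"example.com"},  # assumption: your organization's own domain
}
# Assumption: the address book you already trust (lower-case name -> address used before).
KNOWN_CONTACTS = {"priya nadkarni": "priya@northgate-partners.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "icloud.com"}

URGENCY = [r"by end of day", r"\btoday\b", r"within \d+ hours", r"immediately",
           r"avoid losing", r"will be (suspended|locked|closed)", r"\burgent\b"]
# The five dangerous asks from the article, each with a few trigger phrases.
ASKS = {
    "log in here": [r"sign in", r"log ?in", r"re-?enrol", r"re-?enter .{0,20}password",
                    r"verify your (account|identity)"],
    "pay this": [r"\binvoice\b", r"banking details", r"\bwire\b", r"payment (due|terms)"],
    "buy gift cards": [r"gift cards?"],
    "open this file": [r"\battached\b", r"attachment", r"shared (a )?(document|file)"],
    "approve this code": [r"(one-time|verification|mfa) code", r"approve (this|the) (sign-in|request)"],
}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _matches(patterns, text):
    """Return the text fragments that matched any pattern (case-insensitive)."""
    return [m.group(0) for p in patterns if (m := re.search(p, text, re.I))]


def assess(msg):
    """msg keys: from, subject, body, links (URLs), attachments (names), qr_image (bool).
    Returns {"flags": [...], "verdict": str}."""
    name, addr = parseaddr(msg["from"])
    name_l, sender_dom = name.lower(), _domain(addr)
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    flags = []

    # Ingredient 1: the display name is theater; the address is the evidence.
    for brand, real in BRAND_DOMAINS.items():
        if brand in name_l and sender_dom not in real:
            flags.append(f"sender claims '{brand}' but address domain is {sender_dom}")
        token = brand.split()[0]
        if len(token) >= 4 and token in sender_dom and sender_dom not in real:
            flags.append(f"lookalike domain {sender_dom} contains '{token}'")
    known = KNOWN_CONTACTS.get(name_l)
    if known and known.lower() != addr.lower():
        flags.append(f"name matches known contact {known} but address is {addr}")
    if sender_dom in FREE_MAIL and any(t in name_l for t in ("ceo", "cfo", "director")):
        flags.append("executive title on a free webmail address")
    impersonation = bool(flags)

    # Ingredient 2: a manufactured deadline.
    urgency = _matches(URGENCY, text)
    if urgency:
        flags.append(f"urgency: {urgency}")

    # Ingredient 3: one of the five asks, plus the path the message pushes you down.
    asks = [label for label, pats in ASKS.items() if _matches(pats, text)]
    if msg.get("attachments") and "open this file" not in asks:
        asks.append("open this file")
    for link in msg.get("links", []):
        host = urlparse(link).hostname or ""
        if host and not host.endswith(sender_dom):
            flags.append(f"link host {host} does not match sender domain {sender_dom}")
    if msg.get("qr_image") and not msg.get("links"):
        flags.append("QR code in place of a normal link (quishing)")
    if asks:
        flags.append(f"ask: {asks}")

    hits = sum([impersonation, bool(urgency), bool(asks)])
    verdict = {3: "phishing until proven otherwise",
               2: "suspicious: verify out of band"}.get(hits, "low risk")
    return {"flags": flags, "verdict": verdict}


# Constructed samples: the two lures from the article plus one ordinary internal note.
SAMPLES = {
    "quishing": {
        "from": "IT Service Desk <helpdesk@company-it-portal.com>",
        "subject": "Action required: re-enroll your Microsoft Authenticator",
        "body": "Our security policy requires all employees to re-enroll multi-factor "
                "authentication by end of day. Scan the QR code below with your phone "
                "to complete setup and avoid losing email access.",
        "links": [], "attachments": [], "qr_image": True,
    },
    "spear": {
        "from": "Priya Nadkarni <priya@northgate-partners-llp.com>",
        "subject": "Re: Northgate vendor agreement - updated terms",
        "body": "Hi Sam, I've attached the revised vendor agreement with the updated payment "
                "terms. Could you forward to accounts payable today? Let me know if the new "
                "banking details on page 3 look right.",
        "links": [], "attachments": ["Northgate_Vendor_Agreement_v3.docx"], "qr_image": False,
    },
    "benign": {
        "from": "Sam Ortiz <sam@example.com>",
        "subject": "Tuesday review notes",
        "body": "Notes from the Tuesday review are in the team folder. No action needed.",
        "links": [], "attachments": [], "qr_image": False,
    },
}


def triage_all():
    """Verdict for every sample, keyed by sample name."""
    return {k: assess(v)["verdict"] for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for k, v in SAMPLES.items():
        print(k, assess(v))
```

The score deliberately requires all three ingredients for the strongest verdict, which mirrors the article's rule: urgency alone is how a real bank writes too, and an attachment alone is how colleagues work. What moves a message into the red is the combination, and the flags list tells the reader which of the fifteen scripts it resembles.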

What should you do when a phishing email lands?

Recognizing the lure is half the job; the other half is a calm, repeatable response. The single most important habit is to slow down — phishing depends on speed, so removing the urgency removes most of the threat. Here is the sequence that works whether you spotted the email early or only after a moment of doubt.

  1. Do not click, reply, call, or scan

     Treat every link, button, phone number, attachment, and QR code in the message as hostile. Replying confirms your address is live; calling reaches the scammer's "support"; scanning loads the payload on your phone.

  2. Verify through a channel you already trust

     If the email claims to be from a company or person you deal with, contact them independently — type the website address yourself, use the number on the back of your card, or call a colleague on a known number. Never use the contact details inside the suspicious email.

  3. Report it, then delete it

     At work, use your provider's "Report phishing" button so the security team can warn others. Forward government impersonations to the right address (IRS phishing goes to phishing@irs.gov) and consumer scams to reportfraud.ftc.gov. Reporting helps shut down the campaign for everyone.

  4. If you clicked, act fast and in order

     Disconnect the device from the internet. Change the password for any account you may have exposed — from a different, trusted device — and turn on multi-factor authentication if it is not already on. If you entered card details, call your bank to freeze or replace the card.

  5. Watch for the follow-up

     Falling for one scam often triggers a second wave — a "fraud recovery" service or a fake official offering to get your money back for a fee. Treat any unsolicited follow-up about the incident as another scam.

Build the pause into your routine

Pick one rule and make it automatic: "I never log in, pay, or share a code from a link in an email — I open the app or site myself." That single habit neutralizes the majority of the examples in this guide, because every one of them needs you to act inside their controlled page.

How AI Emaily catches these phishing examples automatically

Knowing the patterns is the durable defense, but no one wants to forensically dissect every message before breakfast. That is the gap AI Emaily is built to close: it reads incoming mail with the same instincts you have just learned and surfaces the risky ones before they reach the part of your brain that reacts to a deadline.

AI Emaily is an AI-native email client that works with every provider — Gmail, Outlook, iCloud, Yahoo, or any IMAP account — so you can keep your existing address and add a layer of judgment on top of it. The goal is not to replace your attention but to give it a head start.

  • AI phishing and scam detection that reads each message for the exact signals in this guide — lookalike senders, urgency framing, mismatched links, and asks like gift-card requests or password re-entry — and flags the suspicious ones.
  • Plain-language suspicious-email warnings: instead of a silent score, you get a clear note on what looks off ("this sender domain doesn't match the brand it claims"), so you stay in control of the decision.
  • Automatic tracking-pixel blocking, so the invisible images that confirm your address is live — and feed follow-up scam waves — don't load by default.
  • Private by design: AI Emaily never trains its models on your email. Your messages are yours, used only to help you triage your own inbox.
  • Works across every account you connect, so the same protection covers your personal Gmail and your work Outlook alike.

Pricing is straightforward. The Free plan is $0 and includes the core AI-assisted inbox so you can try the detection on your own mail. Pro is $17.99/month billed annually for people who want the full assistant across all their accounts. You can connect an account and start in a couple of minutes at app.aiemaily.com/signup.

AI Emaily is not a silver bullet, and we will not pretend it is — the strongest protection is always an alert person plus a tool that flags what slips through. But pairing the habits in this guide with automatic detection means the next fake invoice or locked-account email is far more likely to arrive pre-labeled as suspicious than to catch you mid-rush.

Detection assists judgment — it doesn't replace it

Treat AI Emaily's warnings as a smart second opinion, not a guarantee. Especially for high-stakes asks like payments and credentials, keep the out-of-band verification habit. The combination — your awareness plus automatic flagging — is what makes phishing reliably miss.

The bottom line on spotting phishing examples

Fifteen examples, one lesson: phishing is a small set of scripts wearing different costumes. A fake invoice, a locked account, a CEO in a hurry, a package on hold, a password reset, a refund, a gift-card favor, a login alert. Strip the branding away and you find the same skeleton every time — a trusted-looking sender, a manufactured deadline, and one action that hands over money, credentials, or access.

You do not need to recognize every scam to be safe; you need to recognize the moves. Check the real sender address. Read the link before you visit it. Notice when an email is trying to rush you. And keep one rule sacred: never log in, pay, or share a code from a link in an email — go to the source yourself. That habit alone defeats most of what is in this guide.

From here, sharpen the skill with our twelve red flags for spotting a phishing email and widen the view with the most common email scams in 2026. And if you would like your inbox to flag the suspicious ones before you even open them, you can try AI Emaily's phishing detection free at app.aiemaily.com/signup — clear warnings, tracking-pixel blocking, every provider, and no training on your mail.
