Phishing Email Scam
The email looks perfect. The logo matches. The sender address looks right. It says there’s been suspicious activity on your account and you need to verify your login immediately — or your account will be locked.
You click the link. You enter your username and password. And just like that, a scammer has your credentials.
This is phishing — and despite being one of the oldest scams on the internet, it remains the single most common method scammers use to steal money and identity information in 2026. The FBI’s Internet Crime Complaint Center received over 300,000 phishing complaints last year alone, with losses exceeding $18 million. And with AI now generating emails that are virtually indistinguishable from the real thing, the old advice of “just look for typos” no longer cuts it.
This guide covers every major phishing email type, the red flags that still give them away, exactly what to do if you’ve already clicked, and how to protect yourself going forward.
🛡️ Not Sure If an Email Is Legitimate?
Use Scam Save’s free AI Scam Triage tool — describe what you received and get an instant assessment. No signup required for your first three checks. Members get unlimited access plus daily scam alerts from the FTC and FBI.
→ Try the Free Scam Triage Tool at scamsave.com | Membership from $6.99/month
What Is a Phishing Email?
Phishing is a type of fraud where a scammer sends an email impersonating a trusted source — a bank, a government agency, a well-known company, or even someone you know — to trick you into doing one of three things:
- Clicking a malicious link that takes you to a fake website designed to steal your login credentials or payment information
- Opening a malicious attachment that installs malware, ransomware, or a keylogger on your device
- Responding with personal information — your Social Security number, account numbers, passwords, or other sensitive data
The name comes from “fishing” — scammers cast a wide net with millions of emails and wait for whoever bites. Modern phishing has become far more targeted, however, with attackers researching individual victims before crafting a personalized attack. That more targeted version is called spear phishing, and it’s behind many of the largest fraud losses reported today.
Why Phishing Is Still So Effective in 2026
Phishing has existed since the 1990s. So why are people still falling for it? Because it has evolved dramatically — and AI has supercharged it.
AI-generated phishing emails are now grammatically flawless, tonally accurate, and structured to match exactly how the impersonated company actually writes. The spelling errors and awkward phrasing that used to be reliable red flags are largely gone. Scammers can now generate thousands of personalized, convincing phishing emails per hour using freely available AI tools.
Domain spoofing has become more sophisticated. Scammers register domains that look nearly identical to real ones (paypa1.com, amazon-secure.net, irs-refund.gov.us), or put the real brand name in front of a domain they control, as in paypal.com.secure-login.net, where the site you actually land on is secure-login.net. Behind those domains they build pixel-perfect copies of real login pages.
Brand impersonation targets the most trusted names. The FTC consistently reports that the most impersonated brands in phishing attacks include Amazon, Apple, PayPal, Microsoft, your bank, and the IRS — specifically because people have real accounts with these companies and are more likely to act on a message that appears to come from them.
People are overwhelmed. The average person receives dozens of legitimate transactional emails every day — shipping notices, account alerts, receipts. Scammers exploit that habit, sending emails that look like one more routine notification.
The Most Common Phishing Email Types
1. Fake Bank and Financial Institution Emails
You receive an email that appears to be from your bank — same logo, same colors, same formatting — saying there has been suspicious activity on your account, your card has been locked, or you need to verify a transaction. A link takes you to a convincing fake login page. When you enter your credentials, they go directly to the scammer.
What the real bank will do: Send you to their official app or website to resolve issues, never ask for your full password via email, and never threaten immediate account closure with a single-click link.
2. Package Delivery Phishing
A fake notification from UPS, FedEx, USPS, or Amazon tells you a package couldn’t be delivered, needs a small redelivery fee, or requires address confirmation. A link takes you to a payment or login page. This scam surges around holidays when people are expecting multiple deliveries and are less likely to question another shipping email.
Check directly: Log into the shipping carrier’s official app or website using your tracking number instead of clicking any link.
3. IRS and Government Impersonation
Emails claiming to be from the IRS, Social Security Administration, or FEMA offer a tax refund, warn of an unpaid tax debt, or claim your benefits need verification. The IRS does not initiate contact with taxpayers by email to request personal or financial information, so an unsolicited email that asks you to verify details, pay a debt, or claim a refund should be treated as fraudulent. See our full guide: IRS Scam Call: What the Real IRS Will Never Say
4. Tech Support and Software Alerts
A fake alert from Microsoft, Apple, Google, or your antivirus software claims your device has a virus, your account has been compromised, or your subscription has expired. Some include a phone number to call — where a fake tech support agent will then attempt to gain remote access to your device. See our full guide: Tech Support Scam: How Scammers Are Targeting Your Devices
5. Account Verification and “Confirm Your Information” Emails
Emails from fake versions of Netflix, PayPal, Amazon, Apple, or your email provider claim your payment failed, your account will be suspended, or you need to confirm personal details to keep your account active. These are designed to trigger account anxiety and get you to act before you think.
6. Spear Phishing — The Personalized Attack
Unlike mass phishing, spear phishing targets a specific individual using personal details gathered from LinkedIn, social media, company websites, or previous data breaches. You might receive an email that appears to be from your actual boss, using your real name and referencing a real project, asking you to wire funds to a vendor or click a document link. This form of the attack, business email compromise (BEC), is consistently among the costliest categories in the FBI's IC3 reports. If a financial request arrives by email from any colleague, even your CEO, verify it by phone using a number you already have (not one supplied in the email) before acting.
7. Job Offer Phishing
A recruiter emails you about a job opportunity that seems tailored to your background. The email asks you to click a link to apply, complete a form with personal information, or open an attached job description that contains malware. See our full guide: Job Scam: Red Flags Every Job Seeker Must Know
8. Romance and Relationship Email Scam
Scammers initiate contact via email — sometimes posing as someone who found your contact information through a mutual connection — and gradually build a relationship before introducing a financial emergency. See our full guide: Romance Scam: How Fraudsters Exploit Emotions for Financial Gain
9. Charity Phishing
After a natural disaster, major news event, or during the holiday season, fake charity emails solicit donations to causes that don’t exist. Every dollar goes directly to the scammer. See our full guide: How to Verify If a Charity Is Real
10. Invoice and Payment Request Fraud
A fake invoice appears in your inbox — often impersonating a software service like Norton, Geek Squad, PayPal, or a vendor your company uses — claiming you owe money and providing a phone number to dispute the charge. Calling the number connects you to a scammer, not a real company. Some target businesses directly with fake vendor invoices designed to look like ones already in the payment workflow.
10 Red Flags That an Email Is a Phishing Attempt
Even sophisticated phishing emails leave clues. Train yourself to check these before clicking anything.
1. The Sender Address Doesn’t Match the Company
The display name might say “Apple Support” but the actual email address is noreply@apple-support-id.info or apple.verify@gmail.com. Click or hover on the sender name to reveal the actual address, then look at the part after the @. Legitimate mail often comes from a subdomain of the company's real domain (something like alerts.apple.com), so the test is whether the registered domain at the right-hand end is the company's own (apple.com, amazon.com, paypal.com). If it is any other domain, treat the email as phishing. The reverse does not hold: a matching sender address is not proof of legitimacy, because the From header can be forged when the receiving mail system does not verify the sender (SPF, DKIM and DMARC checks). Judge the links and the request as well.
Watch for:
- Extra words: amazon-security.com instead of amazon.com
- Number substitutions: paypa1.com instead of paypal.com
- Lookalike domains: rnicrosoftsupport.com (that’s a lowercase “rn” not “m”)
- Free email providers: any financial institution using @gmail.com or @yahoo.com
2. The Link Destination Doesn’t Match
Hover over any link in the email without clicking it; the actual URL will appear at the bottom of your browser or email client (on a phone, press and hold the link to preview it). The part that matters is the domain immediately before the first slash after https://, read from the right: in https://paypal.com.secure-login.net/signin the site is secure-login.net, not paypal.com. Even a single character difference (amaz0n.com vs amazon.com) means it's fake. Shortened links (bit.ly and similar) and long tracking URLs hide the destination entirely; treat those as unknown and navigate to the site yourself instead.
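The sender-address check from red flag 1 and the link-destination check from red flag 2 are the same test applied to two places: pull out the domain, read it from the right, and compare it with the brand's real domain. The script below is an added example (not code from the original article or from Scam Save) that does this over a raw email. The message in SAMPLE is constructed for the demo, the brand allowlist is an assumption, and the registrable_domain() helper keeps only the last two labels, which is wrong for suffixes such as co.uk; a real tool should use the Public Suffix List (for example the tldextract package).

```python
"""Sender-domain and link-destination triage for a suspicious email.

Added example, not from the original article. Assumes a raw RFC 5322
message and a short allowlist of the brand's real domains. SAMPLE is a
constructed message. registrable_domain() is a two-label heuristic;
use the Public Suffix List (e.g. tldextract) in anything real.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Substitutions commonly used to build lookalike domains (fake -> real)
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (heuristic, no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(label: str) -> str:
    """Undo homoglyph tricks: paypa1 -> paypal, rnicrosoft -> microsoft."""
    for fake, real in SUBSTITUTIONS.items():
        label = label.replace(fake, real)
    return label


def classify_host(host: str, brand: str, legit_domains: set[str]) -> str:
    """Return 'ok' or a reason this host looks like a lookalike of brand."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in legit_domains:
        return "ok"  # the real domain or a subdomain of it
    if "xn--" in host:
        return f"punycode (IDN homoglyph) domain {reg}"
    if brand in host:
        return f"brand name placed inside unrelated domain {reg}"
    if brand in normalize(reg.split(".")[0]):
        return f"homoglyph lookalike of {brand}: {reg}"
    return f"unrelated domain {reg}"


class LinkCollector(HTMLParser):
    """Collect href targets from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def triage(raw: str, brand: str, legit_domains: set[str]) -> dict:
    """Parse a raw message and list sender- and link-related findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_host(sender_domain, brand, legit_domains)
    if verdict != "ok":
        findings.append(f"From {addr!r} shown as {display!r}: {verdict}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable_domain(reply.rsplit("@", 1)[-1]) != registrable_domain(sender_domain):
        findings.append(f"Reply-To {reply!r} goes to a different domain than From")
    # A matching From address proves nothing unless the receiving server verified it
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("no dmarc=pass in Authentication-Results: From header may be forged")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue
        if parts.username is not None:  # https://paypal.com@evil.com -> host is evil.com
            findings.append(f"{href}: text before @ is not the host; real host is {parts.hostname}")
        verdict = classify_host(parts.hostname or "", brand, legit_domains)
        if verdict != "ok":
            findings.append(f"{href}: {verdict}")
    return {"from": addr, "display_name": display, "links": collector.links, "findings": findings}


# Constructed sample message for the demo (not a real phishing email)
SAMPLE = """\
From: "PayPal Support" <service@paypal-secure-login.net>
Reply-To: helpdesk@mail-verify.co
To: victim@example.com
Subject: Unusual activity on your account
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal-secure-login.net; dmarc=none
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed suspicious activity. <a href="https://paypal.com.secure-login.net/signin">Verify now</a>
or <a href="https://paypa1.com/login">restore access</a>.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">our help center</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for line in triage(SAMPLE, "paypal", {"paypal.com"})["findings"]:
        print("-", line)
```

Run against SAMPLE it reports the sender domain, the mismatched Reply-To, the missing DMARC pass, and the two lookalike links, while the genuine www.paypal.com help link passes. The order of checks in classify_host matters: a host is accepted only when its registered domain is on the allowlist, and the brand name appearing anywhere else in the host is itself a red flag, which is exactly the paypal.com.secure-login.net trick.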
3. There’s Urgent, Fear-Based Language
“Your account will be permanently closed in 24 hours.” “Immediate action required.” “Final notice.” Urgency is designed to short-circuit your judgment. Real companies do not threaten immediate, irreversible consequences over email with no prior contact.
4. It Asks for Information a Real Company Already Has
Your bank does not need you to “confirm” your account number via email — they already have it. The IRS does not need you to “verify” your Social Security number by clicking a link. Any email asking you to re-enter information the company logically already has is phishing.
5. It Contains Attachments You Weren’t Expecting
Malicious attachments are one of the primary methods scammers use to install malware. Be especially cautious with .zip, .iso, .exe, .js, .docm, or .xlsm files, and with names that carry two extensions such as Invoice.pdf.exe. Ordinary-looking documents are not automatically safe either: PDFs can contain embedded scripts and files, and legacy .doc and .xls files can carry macros just as .docm and .xlsm do. If you weren't expecting an attachment, don't open it, and never click “Enable Content” or “Enable Editing” in a document you didn't ask for.
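A file's extension is only a claim about its contents; the bytes tell the truth. The script below is an added example (not from the original article) that inspects an attachment both by name (double extensions, executable and macro-capable types) and by content (a Windows executable header, active-content keywords in a PDF, a VBA project inside an Office zip container). All four sample attachments are constructed in memory so it runs offline; none is a real malware sample.

```python
"""Inspect an email attachment by content, not just by name.

Added example, not part of the original article. The sample
attachments are constructed in memory (a fake .exe, a PDF with
JavaScript, an OOXML document with an embedded VBA project).
"""
import io
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "ps1", "hta", "lnk", "msi", "iso", "img", "wsf"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm", "doc", "xls", "ppt"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
PDF_RISKY_TOKENS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons the attachment is risky; an empty list means nothing found."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # Name-based checks
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        reasons.append(f"double extension: looks like .{parts[-2]} but is really .{ext}")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable or script type .{ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-capable Office type .{ext}")

    # Content-based checks (the extension can lie; the bytes cannot)
    if data[:2] == b"MZ":
        reasons.append("Windows executable (MZ header) regardless of extension")
    elif data[:4] == b"%PDF":
        for token in PDF_RISKY_TOKENS:
            if token in data:
                reasons.append(f"PDF contains {token.decode()} (active content)")
    elif data[:8] == OLE2_MAGIC:
        reasons.append("legacy OLE2 Office file; may carry VBA macros")
    elif data[:2] == b"PK":  # zip container: OOXML documents and plain archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("Office document contains a VBA project (vbaProject.bin)")
        for n in names:
            if n.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS:
                reasons.append(f"archive contains executable member {n}")
    if ext == "pdf" and data[:4] != b"%PDF":
        reasons.append("extension says .pdf but content is not a PDF")
    return reasons


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"constructed stub")
    return buf.getvalue()


# Constructed sample attachments
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
FAKE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS (app.alert('constructed')) >> endobj\n%%EOF")
SAMPLES = {
    "Invoice_8842.pdf.exe": FAKE_EXE,
    "statement.pdf": FAKE_PDF,
    "proposal.docx": build_ooxml(with_macro=True),
    "notes.docx": build_ooxml(with_macro=False),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", inspect_attachment(name, blob) or ["no findings"])
```

The proposal.docx case is the instructive one: the name says nothing about macros, yet the container holds a vbaProject.bin, which is what a mail gateway actually looks for. Conversely notes.docx, a plain document, comes back clean, so the checks do not simply condemn every Office file.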
6. The Greeting Is Generic
“Dear Customer,” “Dear Account Holder,” “Hello User”: mass phishing campaigns can't personalize greetings because they don't know your name. Legitimate companies you have accounts with will usually address you by your actual name. The reverse is not a guarantee: spear phishing and breach-fueled campaigns routinely use your real name, so a personalized greeting on its own proves nothing.
7. The Design Is Slightly Off
Compare the email carefully with real emails you’ve received from the same company. Phishing emails often have subtle differences — a slightly wrong font, a blurry logo, inconsistent spacing, different button styles, or a footer that doesn’t quite match. These details are easy to miss if you’re not looking, but visible when you are.
8. There’s a Request for Payment by Gift Card, Wire, or Crypto
No legitimate company on earth will ask you to resolve an account issue, pay an invoice, or avoid legal action by purchasing gift cards and reading the numbers over the phone. This is universally a scam, regardless of how official the email looks.
9. The Email Claims You Won Something
You didn’t win a lottery you didn’t enter. You didn’t win a gift card from a survey you didn’t complete. You weren’t randomly selected for a cash prize. These emails are phishing — the “prize” is used to get you to provide personal information or click a malicious link.
10. Something Just Feels Off
Trust your instincts. If an email creates a feeling of unease — even if you can’t immediately identify why — that’s worth paying attention to. Take 30 extra seconds to verify through official channels before clicking anything.
What to Do If You Clicked a Phishing Link
Don’t panic — but act quickly. Here’s exactly what to do.
If you clicked the link but didn’t enter anything:
Close the browser tab immediately. Run a malware scan on your device using reputable software. Monitor your accounts for unusual activity over the next few days.
If you entered a username and password:
Change your password on that account immediately, using a device and network you trust. If you use the same password anywhere else, change it there too. Enable two-factor authentication on the affected account and any linked accounts. Then open the account's security or activity page, look for logins from unfamiliar locations, and sign out all other sessions; a scammer who captured your login may already hold a live session that a password change alone does not end. If it was an email account, also look for forwarding rules or filters you didn't create, which attackers add to quietly copy your mail. If you also typed in a one-time code, assume it was used and treat the account as compromised until you have done all of the above.
If you entered financial information (card number, bank account, SSN):
- Contact your bank or card issuer immediately and report potential fraud
- Place a fraud alert with the three credit bureaus (Equifax, Experian, TransUnion)
- If your Social Security number was entered, file an identity theft report at IdentityTheft.gov
- Consider placing a credit freeze to prevent new accounts from being opened in your name
Read our full guide: I Gave a Scammer My Bank Account Number — Here’s What to Do Right Now
If you opened an attachment:
Disconnect from the internet immediately to prevent malware from communicating with the scammer’s server. Run a full malware scan. If you’re on a work device, notify your IT department immediately — some ransomware and credential-stealing malware spreads across networks.
If you sent money:
Contact your bank or payment service immediately. Read our full guide: How to Report a Scam (And Actually Make a Difference)
How to Protect Yourself from Phishing Emails Going Forward
Never Click Links in Emails — Navigate Directly Instead
If you receive any email claiming there's a problem with an account, open your browser and go directly to that company's website by typing the address yourself, or open their official app. This one habit removes the risk from almost every link-based credential phish. It does not protect you from malicious attachments, callback phone numbers, or fraudulent payment requests, which still need the checks described above.
Enable Multi-Factor Authentication on Every Account
Even if a scammer gets your password through phishing, multi-factor authentication (MFA) stops them from logging in with the password alone. Enable it on every account that offers it: your email, your bank, your payment apps, your social media. Know its limit, though: a phishing page that proxies the real login in real time can relay a texted or app-generated code and capture the resulting session, so one-time codes are not phish-proof. Where an account offers a passkey or a hardware security key, prefer it; those are bound to the real site's domain and will not work on a lookalike.
Use a Password Manager
Password managers generate strong, unique passwords for every account, meaning a successful phish of one account can't be used to access others. They also give you a built-in phishing check: autofill is tied to the domain where the password was saved, so if the manager refuses to fill your PayPal password on a page that looks like PayPal, you are almost certainly on a lookalike site. Don't paste the password in by hand.
Report Phishing Emails
- Forward to the Anti-Phishing Working Group: reportphishing@apwg.org
- Forward to the FTC: spam@uce.gov
- In Gmail: open the email, click the three dots, select “Report phishing”
- In Outlook: use the “Report message” button and select “Phishing”
- Forward to the impersonated company's own abuse mailbox where it publishes one (for example phishing@paypal.com or reportphishing@apple.com)
How Phishing Connects to Other Scam Types
- Text message scam (smishing) — the same tactics delivered via SMS. See: How to Tell If a Text Message Is a Scam
- QR code scam (quishing) — phishing links delivered via QR code. See: QR Code Scam: How a Simple Scan Can Empty Your Bank Account
- WhatsApp scam — phishing attacks delivered through messaging apps. See: WhatsApp Scam: How Scammers Use WhatsApp to Target You
- Fake bank text and Apple Wallet scam — phishing targeting payment credentials. See: Fake Bank Text and Apple Wallet Scam
- AI scam — how artificial intelligence has made phishing more convincing than ever. See: AI Scam: How Scammers Are Harnessing AI for Identity Theft and Fraud
Frequently Asked Questions
What is the difference between phishing, smishing, and vishing?
All three are the same social engineering attack delivered through different channels. Phishing arrives by email. Smishing (SMS phishing) arrives by text message. Vishing (voice phishing) arrives by phone call. The goal in all three is the same: trick you into surrendering credentials, personal information, or money.
Can I get hacked just by opening a phishing email?
Simply opening a plain-text email is generally safe. The risk comes from clicking links, opening attachments, or loading images (which can confirm your email address is active). Most modern email clients block remote image loading by default — keep this setting enabled.
How do I know if a link in an email is safe?
Hover over the link without clicking (press and hold on a phone); the real destination URL will appear in the bottom bar of your browser or email client. Compare the domain just before the first slash against the company's real domain, reading from the right, because paypal.com.example.net is example.net, not PayPal. If anything looks different, don't click. When in doubt, navigate to the company's website directly by typing the address yourself.
Is it safe to unsubscribe from spam emails?
For obvious spam from unknown senders, do not click unsubscribe — it confirms your email address is active, which increases future spam and phishing attempts. Use your email client’s spam/junk report function instead. For legitimate marketing emails from companies you recognize, unsubscribing is safe.
My elderly parent clicked a phishing link. What do I do?
Help them change their password on the affected account immediately, then enable two-factor authentication. Check for any unauthorized account activity. If financial information was entered, call the bank or card issuer right away. See our full guide: How to Protect Elderly Parents from Scam
🛡️ Stay Ahead of Scams Like This One
Scam Save members receive daily scam alerts from the FTC, FBI, and consumer protection agencies — delivered straight to your inbox — so you know about new tactics before they reach your family. Membership also includes:
- Unlimited AI Scam Triage — describe any suspicious email, call, text, or situation and get an instant AI-powered verdict
- Expert guides on the Top 100 scams — including identity protection, financial fraud, and phishing playbooks
- Discounts on identity protection tools
→ Enroll Annual — $49.99/year | Enroll Monthly — $6.99/month
Not ready to enroll? Start with the free AI Scam Triage — no account required for your first 3 checks.
Related Articles
- How to Tell If a Text Message Is a Scam
- QR Code Scam
- AI Scam: How Scammers Are Harnessing AI for Identity Theft and Fraud
- Tech Support Scam
Sources: FBI Internet Crime Complaint Center (IC3) Annual Report 2025, FTC Consumer Sentinel Network Data Book 2025, Anti-Phishing Working Group (APWG) Phishing Activity Trends Report, Verizon Data Breach Investigations Report 2025, Google Transparency Report

