Phishing Scams on Email
Fraudulent emails impersonate banks, retailers, and government agencies to steal login credentials, financial data, and personal information.
Part of: Phishing
Last reviewed: 1 June 2026
Email remains the primary delivery channel for phishing attacks. Criminals send messages that mimic the exact branding, tone, and layout of trusted organisations — banks, parcel carriers, tax authorities, and subscription services — to trick recipients into clicking malicious links or entering sensitive details on fake websites.
Unlike phone or social-media scams, email phishing scales effortlessly: attackers send millions of messages at near-zero cost, so even a tiny response rate produces significant returns. Filters catch many attempts, but socially engineered emails crafted to evade detection still reach inboxes every day.
How this scam works on Email
A typical phishing email creates urgency — 'Your account will be suspended in 24 hours', 'Unusual sign-in detected', or 'Action required: verify your payment method'. The email contains a button or hyperlink that appears to point to a legitimate domain but resolves to an attacker-controlled site designed to harvest credentials.
More sophisticated variants (spear-phishing) address the victim by name, reference real recent transactions, and tailor the lure to the victim's employer or industry. Attackers harvest names and context from data breaches and social-media profiles to make these highly convincing.
Business email compromise (BEC) is an advanced form where attackers hijack or spoof a corporate email account and instruct finance staff to transfer funds or change payment details — often resulting in large losses before anyone notices.
Common red flags
- Sender address domain does not exactly match the genuine organisation (e.g. 'support@[bank]-secure.com' instead of '@[bank].com')
- Urgent or threatening language demanding immediate action
- Links whose hover-text URL differs from the displayed link text
- Generic greeting ('Dear Customer') when the real company knows your name
- Requests for passwords, PINs, or one-time codes via email
- Unexpected attachments, especially .zip, .docx, or .html files
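As an added illustration (not part of this page's guidance), the Python script below applies the red flags listed above to one constructed sample message: it checks the sender domain against the genuine one, looks for urgent wording and a generic greeting, inspects attachment names, and compares the URL shown as link text with the link's real destination. The sample email and the genuine domain example-bank.com are assumptions made for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message); example-bank.com is the assumed genuine domain.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@example-bank-secure.com>
Subject: Action required: verify your payment method
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Unusual sign-in detected. Your account will be suspended in 24 hours.</p>
<p><a href="http://login.example-bank-secure.com/verify">https://www.example-bank.com/login</a></p>
"""

URGENCY_PHRASES = ("suspended", "unusual sign-in", "action required", "verify your")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client")
RISKY_EXTENSIONS = (".zip", ".docx", ".html")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def red_flags(raw_email, genuine_domain):
    """Return the names of the red-flag checks that fire on one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    flags = []
    # Sender domain must be the genuine domain or a subdomain of it; lookalikes fail.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain != genuine_domain and not sender_domain.endswith("." + genuine_domain):
        flags.append("sender-domain-mismatch")
    body = ""
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.append("risky-attachment")
        if part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgent-language")
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic-greeting")
    # Link text that shows one URL while the href points at a different host.
    for href, shown in LINK_RE.findall(body):
        shown = shown.strip()
        if shown.startswith(("http://", "https://")) and urlparse(shown).hostname != urlparse(href).hostname:
            flags.append("link-text-mismatch")
            break
    return flags
```

Calling `red_flags(SAMPLE_EMAIL, "example-bank.com")` reports four flags for the sample; a genuine notification addressed by name from the real domain yields an empty list.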
How to protect yourself
- Never click email links to log in — go directly to the organisation's website by typing the address yourself
- Enable multi-factor authentication on all important accounts so stolen passwords alone are useless
- Hover over links before clicking to check the actual destination URL
- Use an email client or service with strong spam and phishing filters
- Report suspected phishing to your email provider and to the relevant national cyber authority
- If you entered credentials on a suspicious site, change your password immediately and enable MFA
How to report it
- Forward the phishing email to your email provider's abuse address or use the built-in 'Report phishing' button
- Report to the national cyber-crime authority in your country (e.g. NCSC Suspicious Email Reporting Service, FTC ReportFraud.ftc.gov)
- If financial details were compromised, contact your bank immediately and report to your national financial regulator
Frequently asked questions
Can I get infected just by opening a phishing email?
Simply opening a plain-text email is usually safe, but HTML emails with embedded tracking pixels can confirm your address is live. Clicking links or opening attachments is where real risk begins, so avoid both if you suspect the email is fraudulent.