Phishing Scams via Email
How email phishing impersonates banks, retailers, and government agencies to harvest credentials, install malware, and commit financial fraud.
Part of: Phishing
Last reviewed: 1 June 2026
Email remains the single largest phishing vector globally. Despite widespread awareness, phishing emails continue to successfully deceive victims because they have become increasingly sophisticated — using genuine brand assets, personalised details, and technical tricks such as domain spoofing to appear credible.
This guide covers the specific mechanics of email phishing — the tactics that make fake emails convincing, the types most commonly encountered, and the steps that protect you regardless of which brand is being impersonated.
How this scam works on Email
Phishing emails typically impersonate a trusted brand — a bank, an online retailer, a parcel courier, or a government tax authority. The message creates urgency: an account suspension, a failed payment, a refund waiting, or a security alert. A prominent link or button leads to a lookalike site where credentials or payment details are entered.
More targeted 'spear phishing' uses personal information gleaned from data breaches or social media to personalise the attack — addressing you by name, referencing your employer, or mentioning a recent transaction. Business email compromise (BEC) is a high-value variant where an employee receives an email appearing to be from their CEO or finance team, instructing an urgent payment. These emails often arrive with display names that match real colleagues while the sending address is a subtle variation.
Common red flags
- Unexpected email from a bank or retailer urging immediate action on your account
- Sender address that differs from the brand's real domain by one letter, or that buries the brand's name in a subdomain of an unrelated domain
- Link destination (visible in hover) that does not match the brand's known domain
- Request for your password, full card number, or account PIN via email
- Unusual payment instruction from a colleague or executive arriving with slight address differences
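As an added illustration of the red flags above (example code written for this guide, not part of the original page): a small Python checker that applies three of them to the From: header and to the links in an HTML body. The brand domains, the lookalike domain and the sample message are all constructed for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_DOMAINS = ["examplebank.com", "example-courier.com"]  # brands' real domains (constructed)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)
# Constructed sample resembling the "account suspended" lure described above.
SAMPLE_FROM = '"Example Bank Security" <alerts@examplebank.com.secure-verify.net>'
SAMPLE_HTML = '<p>Your account has been suspended.</p><a href="http://examp1ebank.com/login">https://examplebank.com/login</a>'

def registered_domain(host):
    # last two labels only; a real check would consult the public suffix list
    return ".".join(host.lower().strip(".").split(".")[-2:])

def one_edit_apart(a, b):
    """True when a and b differ by exactly one inserted, deleted or substituted character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    a, b = sorted((a, b), key=len, reverse=True)  # a is the longer (or equal-length) string
    i = next((k for k in range(len(b)) if a[k] != b[k]), len(b))  # first differing position
    return a[i + 1:] == b[i + (len(a) == len(b)):]

def sender_flags(from_header):
    """From: red flags: lookalike domain, brand as a subdomain, brand display name on a foreign domain."""
    name, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2].lower()
    reg = registered_domain(host)
    if reg in KNOWN_DOMAINS:
        return []  # genuine sending domain (a real subdomain of it is fine)
    flags = []
    for known in KNOWN_DOMAINS:
        brand = re.sub(r"[^a-z]", "", known.split(".")[0])
        if one_edit_apart(reg, known):
            flags.append(f"sender domain {reg} is one edit away from {known}")
        if known + "." in host:
            flags.append(f"brand domain {known} used as a subdomain of {reg}")
        if brand in re.sub(r"[^a-z]", "", name.lower()):
            flags.append(f"display name '{name}' but address is on {reg}")
    return flags

def link_flags(html):
    """Link red flags: the visible text names one domain while the href points at another."""
    flags = []
    for href, text in ANCHOR_RE.findall(html):
        target = registered_domain(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))  # domain in the anchor text, if any
        if shown and registered_domain(shown.group(0)) != target:
            flags.append(f"link text shows {shown.group(0)} but points to {target}")
    return flags
```

Running `sender_flags(SAMPLE_FROM) + link_flags(SAMPLE_HTML)` reports the brand-as-subdomain sender, the brand display name on a foreign domain, and the link whose text and destination disagree.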
How to protect yourself
- Enable multi-factor authentication on all important accounts to limit damage from harvested credentials
- Check the sender's full email address character-by-character before acting on any financial request
- Hover over links before clicking to see the real destination URL
- Go directly to the official website in a new browser tab rather than clicking links in emails
- Use email filters and your mail provider's spam/phishing reporting to protect others
How to report it
- Report phishing emails using your email client's 'Report phishing' or 'Report spam' button
- Forward phishing emails impersonating UK organisations to [email protected]; US users can forward to [email protected]
- Report to your national cybercrime agency with the full email headers
Frequently asked questions
Can opening a phishing email (without clicking) compromise my device?
In most modern email clients, opening an email without clicking links or downloading attachments does not execute malicious code. The risk comes from following links and downloading files. However, if your client loads remote images automatically, email tracking pixels can confirm your address is active, which may lead to more targeted follow-up attacks.