Phishing Email Examples: 8 Real-Looking Scams and How to Spot Each
Eight realistic phishing email examples — from fake invoices to password resets and gift-card requests — each dissected so you can recognize the same tricks in your own inbox.
The fastest way to recognize a phishing email is to study a stack of them side by side. Once you've seen the same handful of tricks — the lookalike domain, the manufactured deadline, the "verify your account" link, the request for a code — you start spotting them in your own inbox in seconds.
Below are eight realistic phishing email examples, grouped by the lure they use, each with the exact tells dissected. None target a specific person; they're composites of the patterns that show up most. If you want the underlying theory first, "What does a scam email look like" covers the red flags; this guide is the worked examples.
The one habit that beats all of them: never act inside a suspicious email. Don't click its links, call its numbers, or reply. Open the company's app or type its address yourself and check there. Every example below collapses the moment you do that.
In this guide
- Example 1: The fake invoice you must call to dispute
- Example 2: The account suspended verification
- Example 3: The password reset you didn't request
- Example 4: The boss gift card request
- Example 5: The delivery fee
- Example 6: The refund that needs your card
- Example 7: The sextortion threat
- Example 8: The shared document login
- The tells that repeat across all of them
- How to check an email you are unsure about
- FAQ
Example 1: The fake invoice you must call to dispute
From: Billing <support@secure-billings-desk.com>
Subject: Receipt: Your order #PA-77192 ($499.99) was charged
Thank you for your purchase. Your account was charged $499.99
for a 1-year subscription. If you did not authorize this, call
our billing department within 24 hours: +1 (8XX) ...
The lure: a charge you don't recognize. The tells: a vague sender domain, no product you actually bought, and — the giveaway — a phone number instead of a link. The goal is to get you on a call where a "support agent" can talk you into a refund scam or remote access. Real charges show up in your actual account, not in an email demanding a phone call. This pattern drives the Geek Squad / Norton renewal scam and the PayPal DocuSign invoice scam.
Example 2: The account suspended verification
From: Account Security <no-reply@account-verify-center.net>
Subject: Your account has been temporarily suspended
We detected unusual activity. To avoid permanent suspension,
verify your identity within 24 hours:
[ Verify My Account ]
The lure: fear of losing access. The tells: a lookalike "security" domain, a generic greeting, a countdown, and a button that hides a link to a fake login page. No real company suspends your account and then emails you a link to "verify" by entering your password. See account suspended email scams for the full breakdown.
Example 3: The password reset you didn't request
From: Password Assistance <no-reply@id-security-mail.com>
Subject: Reset your password
We received a request to reset your password. Click below to
choose a new one. If you didn't request this, click here to
cancel:
[ Reset Password ] [ This wasn't me ]
The lure: it mimics a message you'd normally trust. The tells: you didn't request a reset, the domain isn't the real service, and both buttons often lead to the same phishing page. Rule: if you didn't start a password reset, don't click anything in the email — and never read a reset code to anyone who calls.
Example 4: The boss gift card request
From: Dave Whitman <d.whitman.exec@gmail.com>
Subject: Quick favor
Are you at your desk? I'm in a meeting and need you to grab
five $100 Apple gift cards for a client. I'll reimburse you.
Send me the codes as soon as you have them. Thanks!
The lure: authority plus urgency. The tells: a personal Gmail impersonating an executive, a request that bypasses normal process, secrecy ("I'm in a meeting"), and the unmistakable ask for gift-card codes. This is business email compromise. No real boss asks for gift cards by surprise email. Verify through a known channel — a quick call or a walk to their desk — never by replying.
Example 5: The delivery fee
From: Delivery Notice <track@parcel-redelivery-fee.com>
Subject: Your package is on hold — $1.95 fee required
We attempted delivery but a small unpaid fee is holding your
parcel. Pay $1.95 to release it: [ Pay & Release ]
The lure: a tiny, "reasonable" charge. The tells: a courier you can't verify, a lookalike domain, and a fee so small you don't think twice — which is the point. The fee page exists to capture your full card number, not to collect $1.95. Real carriers don't collect surprise fees by email link. See the USPS email scam for the postal version.
Example 6: The refund that needs your card
From: Returns <refunds@shop-care-support.com>
Subject: Your $86.40 refund is ready
Good news — your refund of $86.40 has been approved. To receive
it, confirm the card you'd like it deposited to:
[ Claim My Refund ]
The lure: free money. The tells: an unexpected "refund," a generic sender, and a form asking for card details to "receive" money — backwards from how refunds actually work. Real refunds go back to your original payment method automatically; you never "confirm a card" to receive one.
Example 7: The sextortion threat
From: <random string>@mail-relay-447.com
Subject: I have access to your device
I placed malware on a site you visited and recorded you through
your webcam. Pay $1,400 in Bitcoin within 48 hours or I send the
video to all your contacts. Don't bother replying.
The lure: fear and shame. The tells: no actual proof, a Bitcoin demand, a deadline, and a threat designed to make you panic-pay. These are sent in bulk to thousands of addresses; the "we recorded you" claim is a bluff. Don't pay, don't reply — delete it. Full guidance in sextortion email scams.
Example 8: The shared document login
From: Document Share <no-reply@docs-share-portal.com>
Subject: Jenny shared "Q3 Payroll.xlsx" with you
A document has been shared with you. Sign in to view it before
it expires:
[ Open Document ]
The lure: curiosity and a familiar-seeming workflow. The tells: a sender domain that isn't the real document platform, a vague or enticing file name, and a "sign in to view" button that leads to a fake login harvesting your work credentials. Verify by going to the real platform directly, not the email's button — and be extra wary of "payroll," "invoice," or "contract" files you weren't expecting.
If one of these lands and you genuinely can't tell — some are very well made — don't make the call alone. Forward the email to FraudRoom and get a plain-English verdict (safe, suspicious, or scam) before you click a link, call a number, or enter a password.
The tells that repeat across all of them
Notice how the same fingerprints show up again and again:
- A lookalike or unrelated sender domain standing in for a real brand.
- Manufactured urgency — "24 hours," "within 48 hours," "before it expires."
- An action that lives inside the email — a button, a phone number, a reply.
- A request for something sensitive — a password, a code, a card number, gift cards, or crypto.
- A generic greeting and small grammar slips.
- An emotion as the lever — fear, greed, curiosity, or authority.
Learn the fingerprints, not the specific wording. Scammers rewrite the words constantly; the underlying moves barely change.
How to check an email you are unsure about
- Don't click anything yet. Decisions first, clicks never.
- Check the real sender address, not just the display name. Display names are free to fake; the domain after the @ is what matters.
- Hover or long-press links to see where they actually go — a real brand link goes to its real domain.
- Go direct. Open the company's app or type its address yourself and check for the supposed problem there.
- Never share a code, password, or card number by email or to anyone who calls about one.
- When unsure, get a second opinion before acting — that's the whole point of having one.
For more on verifying a single message, see "How to check if a link is safe" and "Is this email a scam".
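The sender-domain and link-destination checks above, together with the urgency and sensitive-request tells, as a small triage script. This is an added example, not part of the original guide: example.com is a placeholder for the brand's real domain, the link URL in the sample is constructed, and the phrase lists are assumptions drawn from this article's examples.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases taken from the article's examples; a real filter needs a broader list.
URGENCY = re.compile(r"\b\d+ hours\b|before it expires", re.I)
SENSITIVE = re.compile(r"\b(password|verify your identity|gift cards?|card number|bitcoin)\b", re.I)

class Hrefs(HTMLParser):  # collects the real destination (href) of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def under(host, trusted):
    """True only for the trusted domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def triage(raw, trusted):
    """Return the article's 'tells' found in one raw single-part message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg["From"] or "")[1]  # address only; display names are free to fake
    body = msg.get_payload()
    links = Hrefs()
    links.feed(body)
    flags = []
    if not under(addr.rpartition("@")[2], trusted):
        flags.append("sender-domain")
    if any(not under(urlparse(h).hostname, trusted) for h in links.hrefs):
        flags.append("link-domain")
    text = (msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)
    if URGENCY.search(text):
        flags.append("urgency")
    if SENSITIVE.search(text):
        flags.append("sensitive-request")
    return flags

# Constructed sample modelled on Example 2; example.com stands in for the real brand.
PHISH = """From: Account Security <no-reply@account-verify-center.net>
Subject: Your account has been temporarily suspended

<p>To avoid permanent suspension, verify your identity within 24 hours:</p>
<a href="https://account-verify-center.net/login">Verify My Account</a>
"""
print(triage(PHISH, "example.com"))
```

The suffix comparison in `under` is what keeps a host such as `example.com.account-verify-center.net` from passing as the brand: only the registered domain at the right-hand end counts.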
FAQ
What's the most common type of phishing email?
Credential-harvesting emails — "your account is suspended / verify your identity / reset your password" — are the most common, because a stolen login unlocks everything behind it. Fake invoices and delivery-fee texts are close behind. All rely on urgency and a link or number you're told to act on immediately.
How can I tell if an email is phishing?
Check the real sender domain, hover over links to see where they lead, watch for urgency and requests for sensitive details, and notice which emotion it's pulling on. The safest test is to ignore the email entirely and verify the claim by opening the company's app or site yourself.
Are phishing emails always full of typos?
No — that's outdated. Many modern phishing emails are polished and grammatically clean, and some are sent through real platforms (like genuine PayPal or DocuSign). Judge an email by its sender, links, and what it's asking you to do, not by whether the writing looks professional.
What should I do with a phishing email?
Don't click, reply, or call. Report it (in Outlook or Gmail, use the "Report phishing" option), then delete it. If you already clicked or entered details, switch to recovery mode and follow the steps in our clicked-a-link guide.
Key takeaways
- The same handful of tricks power almost every phishing email — learn the fingerprints.
- Lookalike domains, fake deadlines, and "act inside this email" are the constants.
- Modern phishing is often polished and grammatically clean; don't judge by typos.
- Never share a code, password, or card number, and never trust a number in a suspicious email.
- When unsure, verify by going direct to the company yourself, or get a second opinion first.