How to Spot and Avoid Email Phishing Scams: Tips, Tricks and Examples

Phishing scams are a popular attack vector used by hackers to breach company networks, as well as steal personal data through malicious email correspondence. In this guide, we’ll talk you through the latest phishing scams and how to avoid them, offering examples of popular cons and, crucially, explaining where to report suspicious activity.

Phishing scams involve threat actors posing as legitimate businesses in order to convince victims to hand over passwords, company data, bank details, and other information. Luckily, a lot of modern antivirus software offers anti-phishing capabilities, though cybersecurity experts will always tell you that people are the best line of defense.

Overall, our experience asking ChatGPT to produce phishing email templates might mean AI makes phishing a whole lot harder to spot, which is why having some guidance to help you brush up on your online security awareness can help. Read on for an in-depth look at how to spot phishing scams and what to do if you uncover one.

• What Is a Phishing Email?
• How to Spot a Phishing Email
• Geek Squad Phishing Email
• PayPal Phishing Email
• Amazon Phishing Email
• Bank of America Phishing Email
• Why AI Will Make Phishing Worse [Test]
• Example of a Phishing Email
• How to Report a Phishing Emails
• How to Avoid Phishing Emails

What is a Phishing Email Scam?

Phishing is a form of malicious email correspondence. In phishing attacks, scammers masquerade as legitimate companies to lure victims into handing over personal and/or sensitive information. In just Q1 of 2023, threat detection firm Vade observed 562.4 million phishing emails, the highest Q1 total since 2018. There are four main types of email phishing:

• Traditional email phishing
• Malware phishing
• Spear phishing
• Whaling

Traditional email phishing scams involve emails that include hyperlinks to malicious websites that are designed to look like the landing page of a well-known company. Once the victim enters information, it’s transferred straight to the scammer. This technique is often used to hack high-value accounts and orchestrate business email compromise (BEC).

Malware phishing scams, on the other hand, involve trying to smuggle malware onto victims’ devices disguised as legitimate documents, attached to emails.

An average phishing email will be sent out to hundreds or thousands of email addresses, with the scammer only needing a small percentage of people to take the bait. However, spear phishing emails target someone specific. The scammer will use things they’ve learned about the person to gear their scam email towards them specifically.

Whaling involves similar processes, but the targets are always “big fish” – business leaders, CEOs, and other highly-positioned individuals. The logic is, they’ll have more valuable information and potentially more access to a wider range of a given company’s systems. What’s more, those at the C-suite level are often the weak links when it comes to following company security protocols.

Other types of phishing

The word “phishing” has been modified as a way to describe similar lure-based social engineering ploys that occur across platforms other than email. These include:

• Smishing: phishing via text message (i.e. SMS-phishing)
• Vishing: phishing conducted over the telephone (i.e. Voice phishing)
• Quishing: phishing scams that utilize QR codes (QR phishing)

Along with these three different versions of the scam which play off the “phishing” name, there’s also social media phishing, which occurs in some form on TikTok, Facebook, LinkedIn, Instagram, and Twitter.

One popular form of social media phishing is “angler phishing”. Angler phishing involves threat actors pretending to be customer support services of brands, and replying to customers who’ve made complaints. Then, they’ll try and engineer them into clicking links they leave in those replies or coax them into sending private information via direct message:

Image Credit: Verizon

Wherever users are clicking on links – regardless of where they are on the internet – scammers will lurk with malicious intentions.

How to Spot a Phishing Email Scam

Despite the rise of other kinds of cyber attacks, email phishing is still one of the most popular methods threat actors use to gain unauthorized access to both personal data and company networks. However, there are some common, telltale signs that the vast majority of phishing emails contain that give them away.

A sense of need/urgency

Phishing emails are trying to get you to hand over your data, which often involves you clicking a link and heading to a malicious site. But in order to get you to do that, scammers try to inject a sense of urgency into the message. Common methods for doing this include claiming that:

• An account you own has been locked or deleted
• You’ve broken a law or a company policy
• You’ve won a prize or competition
• One of your accounts has been hacked
• You’re due an upgrade of something
• Someone has accessed your account
• Someone has sent you money
• Someone has made a transaction on your account

Demands for sensitive information

As a result of phishing emails, legitimate companies simply don’t ask for private or sensitive information like bank details or passwords via email anymore. They’re just not going to use phrases such as: “please enter your password on the page linked below” or “please enter your banking details here”.

Some companies that need to discuss or reference sensitive information will usually present you with data that proves they are who they say they are, such as your private account information.

Grammar and spelling issues

Mistakes are common in phishing emails, which are usually sent out to high volumes of targets, and attention to detail is not the priority (aside from spear phishing).

Most of the time, scammers are casting a wide net, hoping for success with a few people that fall for it. Legitimate companies will rarely send out correspondence without it being proofread or checked first, because they have an interest in maintaining a reputation. Scammers, on the other hand, couldn’t be more different.

Strange greetings

Another telltale sign that an email may be suspicious is a strange opening line, one you wouldn’t usually find in correspondence from a business.

For example, if you’ve signed up to a business’s mailing list, they’ll probably call you by name, rather than “customer” or “user”. Similarly, even if you have won a competition, you’re unlikely to be addressed as “winner”.

A misspelled domain name, or a public email address

Any email from a domain that is essentially a misspelled version of a well-known company’s name – or includes any spelling mistakes, for that matter – should be discarded immediately.

Legitimate businesses have dedicated email addresses, which cost money. Scammers don’t want to pay for this, so sometimes, they just use a public email address such as a Gmail address. Any correspondence purporting to be from Amazon, for example, but through a Gmail, Hotmail, or other public account, should ring alarm bells.

An important note on spotting phishing scams

All of the common features of phishing scams are indications that an email might not be from who it says it is. Poorly worded, shady-looking emails from suspicious-looking domains should be avoided like the plague.

That doesn’t mean that phishing emails will necessarily include all of these features, all of the time – and AI is muddying the waters even further (more on this below).

It’s important to keep your wits about you when you’re leafing through your inbox, even if an email is well-written and from a legitimate domain. Scammers’ tactics are constantly evolving and becoming increasingly sophisticated – so follow best practices for avoiding phishing scams at all costs.

Phishing Email from Geek Squad

Geek Squad is Best Buy’s tech support team, and according to search volume data obtained by Tech.co, Geek Squad scams are one of the most searched-for scams in the United States.

The scam has been around for a long time, and it even targets customers in countries like the United Kingdom, where Best Buy doesn’t even operate anymore.

Like Netflix scams, a common variation of a Geek Squad scam is an “auto-renewal” scam, which aims to trick targets into thinking they’re about to be billed a significant amount of money if they don’t cancel soon.

Image Credit: Washington University, St. Louis

Along with auto-renewal scams, Geek Squad’s logo, and name are regularly leveraged to orchestrate Best Buy password reset scams, as well as a variety of different forms of malware phishing scams.

Phishing Email from Paypal

Phishing emails from PayPal are extremely common, as are PayPal text message scams. In fact, it’s by far the most impersonated payment processor on the internet.

Image Credit: BBB

This is because it’s an online money-transferring service – so there’s a chance to make an immediate profit off a scam if you can secure a victim’s details  – but also because there are over 430 million active PayPal accounts.

In other words, if you’re sending out fake PayPal emails to a bank of stolen email addresses, it’s quite likely at least some of your targets will have PayPal. Here’s a PayPal scam received by a Tech.co source:

PayPal scams often include claims that someone has transferred you a large amount of money, that someone has gained access to your account, or that an order has been made from your account.

If you received a phishing email claiming to be from PayPal, make sure you forward it to phishing@paypal.com, and the company will investigate it.

Phishing Email from Amazon

Due to the fact that so many people use Amazon’s various different products – from Alexa, to Prime services, Amazon Video, and of course their delivery service – the company is sending out millions of emails every day.

This creates the perfect cover for scammers. There are currently 200 million Amazon Prime members, so that’s a lot of legitimate correspondence to hide amongst.

Image Credit: Avast

Techniques to persuade users into handing over their information include telling them that their account has been locked or that they’re owed a refund on a recent purchase.

Scammers also utilize the fact that Amazon is sending out huge numbers of delivery notifications to different customers each day, which can make an email regarding a parcel imminently about to be delivered sound very convincing.

If an Amazon email makes its way to your inbox and you think it might be an Amazon scam, forward the email to stop-spoofing@amazon.com.

Phishing Email from Bank of America

Bank of America phishing scams usually revolve around trying to convince customers that their accounts have been suspended, or that someone has opened a Bank of America account in their name. Of course, classic “verify your information” scams are also common.

The company has around 68 million consumer and small business clients in the United States, so it’s easy to see why they’re one of the more popular companies to impersonate.

The example we’ve included below is a classic case of malware phishing, but link-based email phishing under the Bank of America name is also extremely common.

Image Credit: BitDefender

If you received a suspicious email purporting to be from the Bank of America, forward it to abuse@bankofamerica.com and then delete it.

Remember, if you receive an email like this and you’re worried that someone may have withdrawn money from your account or gained unauthorized access to it, you can check your accounts directly and then contact Bank of America’s customer helpline. There’s no need to click on the links in an email like this.

Phishing email from Netflix

Of course, Netflix is one of the most subscribed-to services in the entire world – which means it’s the perfect company for scammers to pretend to be.

A lot of Netflix phishing emails center their social engineering tactics around these subscriptions – such as telling unsuspecting victims that their billing method has failed:

Image Credit: MailGuard

On its help center page, Netflix says that the company will “never ask you to share your personal information in a text or email”, including “credit or debit card numbers”, “bank account details” and “Netflix passwords”.

You can report suspicious Netflix phishing emails to phishing@netflix.com.

Why AI Will Make Phishing Scams Worse

In July 2023, when we took a look into a range of different AI scams that have taken place over the past few months, we wanted to see if ChatGPT would make email templates that could feasibly be used in a phishing scam – and it did.

However, when we tried this again, this month, it initially seemed like OpenAI had tightened up its prompt response rules. A similar request to construct a phishing email was met with this message:

Unfortunately, a slight alteration to our prompt and we were back in business. This means that ChatGPT still has the potential to be used as a potent weapon for scammers, and will churn out professional-sounding, mistake-free email copy if the prompt is worded correctly:

Example of a Phishing Email

Here’s an example of another phishing email that exhibits many of the signs we discussed earlier on. As you can see, it vaguely resembles the DHL color scheme, but “Express Delivery” is not a real company:

The email is worded to inject a sense of urgency into proceedings – there’s a time limit, for example, and anyone who does have a delivery on the way (which at anyone one time, is millions of people globally) may think they’re going to lose their package if they don’t act.

How to Report a Phishing Email Scam

A lot of big companies that are regularly impersonated during phishing scams now have pages dedicated to reporting them. Netflix and Amazon are two examples of this, but every company included on this list now operates an email inbox for this purpose. We’ve included their specific phishing report emails in the sections above.

If you live in the US, the FTC recommends that you forward any suspicious correspondence that you believe to be a phishing scam to the anti-phishing working group (reportphishing@apwg.org). The group is a conglomerate of “ISPs, security vendors, financial institutions, and law enforcement agencies” that can investigate the issue.

In countries like the UK, on the other hand, you can report phishing scams directly to the government (report@phishing.gov.uk), and a cybersecurity agency will investigate it.

How to Avoid Phishing Email Scams

The easiest way to avoid email phishing scams is to familiarize yourself with the telltale signs of phishing emails, such as the ones we’ve already discussed in an article. The more you read about phishing tactics and the more examples you look at, the easier it’ll be to recognize one when it makes its way into your inbox.

Secondly, make use of any anti-spam or anti-phishing features that your email provider offers, if there’s an option to turn them on/off. Of course, if you turn them on, take their email flagging and alerts extremely seriously, and don’t interact with emails flagged as suspicious.

Also, we’d recommend downloading antivirus software with anti-phishing capabilities, which can sync up with your email and provide another filter to weed out shady emails.

However, the golden rule to staying safe is this: unless you’re 100% sure that an email is legitimate don’t click on any links contained in the email. It’s not worth the risk simply because, in almost all cases, you can just log into whatever account you hold with the company the email claims to be from by going directly to their website through Google.

Any real, important notification or message will be accessible there. Just an inkling of doubt is enough to just not take the risk.