Phishing emails range from obvious scams full of typos to highly sophisticated impersonations that have fooled experienced security professionals. Seeing real examples of each type — and understanding the tell-tale signs — is the most effective way to build the recognition pattern that keeps you from falling for them.
Type 1: The Urgency/Account Threat Email
Subject: “Your account has been compromised — immediate action required”
What it looks like: A professional-looking email from what appears to be your bank, Google, Microsoft, or a major retailer. It states that suspicious activity has been detected, your account will be suspended, or an unauthorized transaction is pending. There’s a prominent button or link: “Verify Your Account” or “Secure My Account Now.”
The tells:
- The sender address doesn’t match the claimed organization (look at the actual email address, not the display name)
- The link destination doesn’t match the company’s real domain (hover before clicking)
- Artificial urgency — “within 24 hours” or “immediately”
- Generic greetings (“Dear Customer”) rather than your actual name
- Slight branding differences — wrong colors, low-resolution logos, slightly off fonts
Type 2: The Invoice/Package Delivery Email
Subject: “Your package couldn’t be delivered” or “Invoice #47829 attached”
What it looks like: Either a fake shipping notification (FedEx, UPS, DHL, USPS) saying your package couldn’t be delivered and you need to click to reschedule, or a fake invoice for something you didn’t order, designed to provoke you into opening the attachment to dispute it.
The tells:
- You’re not expecting a package, or the tracking number doesn’t match any real order
- The attachment is a .exe, .zip, .docm, or .xlsm file (not a PDF)
- The link goes to a domain unrelated to the courier (fedex-delivery-update.com instead of fedex.com)
- No specific details about what was ordered or from where
Type 3: The “Your Password Is Expiring” Email
Subject: “Action required: Your Microsoft 365 password expires in 3 days”
What it looks like: An email impersonating your employer’s IT department or a major software provider. It says your password is about to expire and you need to click to reset it or you’ll lose access. Often targets corporate users to harvest work credentials.
The tells:
- IT departments don’t send password reset links via email — they use internal portals
- The link goes to a lookalike domain for the login page (microsoft-365-portal.com rather than microsoft.com)
- Often sent to your personal email rather than work email
- Unusual timing — sent on a weekend or outside business hours
Type 4: The CEO/Executive Fraud Email
Subject: “Quick favor needed” from [CEO’s name]
What it looks like: Appears to come from a senior executive at your company — often the CEO. The email is brief and informal, asking you to urgently purchase gift cards, wire money, or provide sensitive information. It often starts with “Are you available?” to confirm you’re there before making the request.
The tells:
- The actual sender email doesn’t match the executive’s work address
- Requests for gift cards or wire transfers — legitimate executives don’t do this over email
- Unusual urgency and a request to keep it confidential
- Replies go to a personal Gmail or Hotmail address, not a company domain
Type 5: The Tax/Government Agency Email
Subject: “IRS Notice: You have a pending tax refund” or “Action required on your account”
What it looks like: An email impersonating the IRS, HMRC, Social Security Administration, or another government agency, claiming you have a refund, owe a payment, or need to verify information to avoid penalties.
The tells:
- The IRS and most government agencies do not contact taxpayers by email for sensitive matters
- Government agencies never request payment via gift cards, wire transfer, or cryptocurrency
- The email address isn’t a government domain (.gov in the US)
- Threats of immediate arrest or suspension of benefits for non-compliance
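The tells listed for the five types above can be turned into a small triage check. The following Python script is an added example, not part of the original article or of any product it mentions: it compares the real sender and link domains against the organisation the mail claims to be from, flags replies routed to free-mail addresses, the attachment types named under Type 2, generic greetings and urgency wording. The sample message and every domain in it are constructed, and the two-label domain check is a simplification of what a real tool would do with the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): a Type 3 password-expiry lure.
SAMPLE = """From: "Microsoft 365 IT Support" <alerts@m365-secure-mail.top>
Reply-To: itdesk.helper@gmail.com
Subject: Action required: Your Microsoft 365 password expires in 3 days
Content-Type: text/plain

Dear Customer,
Your account will be suspended within 24 hours. Reset it immediately:
https://microsoft-365-portal.com/reset
"""
FREE_MAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
RISKY_EXT = (".exe", ".zip", ".docm", ".xlsm")  # attachment types named above
URGENCY = re.compile(r"immediate(ly)?|within 24 hours|suspended", re.I)

def registrable(host):  # crude eTLD+1 (last two labels); real tools use the PSL
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:])

def triage(raw, claimed_domain):
    """Return the tells found in a raw message that claims to come from claimed_domain."""
    msg = message_from_string(raw)
    tells = []
    _display, addr = parseaddr(msg.get("From", ""))  # ignore the display name
    if registrable(addr.rsplit("@", 1)[-1]) != claimed_domain:
        tells.append(f"sender {addr} is not on {claimed_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.rsplit("@", 1)[-1]) in FREE_MAIL:
        tells.append(f"replies go to free-mail address {reply}")
    body = ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            tells.append(f"risky attachment {name}")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if registrable(host) != claimed_domain:  # link target vs. claimed company
            tells.append(f"link {url} leads to {host}, not {claimed_domain}")
    if re.match(r"\s*dear (customer|user|member|client)\b", body, re.I):
        tells.append("generic greeting instead of your name")
    if URGENCY.search(msg.get("Subject", "") + body):
        tells.append("artificial urgency")
    return tells
```

Running `triage(SAMPLE, "microsoft.com")` reports five tells for the sample; a genuine notice from the real domain, addressed to you by name and linking only to that domain, returns an empty list.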
When You’re Not Sure About a Link
Copy the suspicious URL (right-click > Copy Link Address without visiting it) and run it through the Phishing Link Scanner for a full red-flag breakdown and verdict. For any link you’re genuinely uncertain about, going directly to the company’s website by typing the address yourself is always the safer path.