10 Real Phishing Email Examples (And How to Spot Each One)

Published: April 2026 · 10 min read

Phishing emails are the #1 attack vector for credential theft and fraud. Every day, billions of phishing emails are sent worldwide. The good news? Most are easy to spot if you know what to look for. This guide shows you 10 real phishing email examples from the brands scammers impersonate most—and exactly what red flags expose them.

Example 1: PayPal Account Verification Phish

Target: PayPal users. Goal: Steal login credentials and payment information.

From: security@account-paypal.com

Subject: PayPal Account Verification Required - Action Needed

Body:

"Dear PayPal User,

We detected unusual activity on your PayPal account. To protect your account, we need you to verify your identity immediately.

Click below to verify your account:
[VERIFY ACCOUNT]

This verification is required to keep your account active. If you do not verify within 24 hours, your account will be limited."

Red Flags

  • Sender domain is account-paypal.com, not paypal.com
  • Generic greeting "Dear PayPal User" instead of your name
  • Artificial urgency and threats ("account will be limited")
  • Asks to click a link instead of logging in directly on PayPal.com
  • No mention of specific suspicious activity—just vague "unusual activity"

Example 2: Microsoft/Outlook Suspicious Sign-In

Target: Outlook, Office 365, and Microsoft account users. Goal: Compromise email and Microsoft services.

From: noreply@microsoftservice.com

Subject: Suspicious Sign-In Activity - Verify Now

Body:

"We detected a sign-in to your Microsoft account from an unfamiliar location.

Location: Lagos, Nigeria
Device: Unknown Device
Time: 3:45 PM UTC

If this wasn't you, secure your account immediately:
[SECURE MY ACCOUNT]

Best regards,
Microsoft Security Team"

Red Flags

  • Sender is microsoftservice.com, not microsoft.com
  • Generic location info to create urgency
  • Button links to a phishing page, not actual account security
  • Real Microsoft emails typically show less detail initially
  • Signs itself as "Microsoft Security Team" (informal for Microsoft)

Example 3: Apple ID Security Alert

Target: Apple ID users. Goal: Steal Apple ID and trigger password resets on iCloud, iMessage, iTunes.

From: security@apple-id.com

Subject: URGENT: Your Apple ID Has Been Compromised

Body:

"Your Apple ID may have been used without your permission. Someone may have your password or recovery information.

Take action now to secure your Apple ID and prevent unauthorized access:
[RESET MY PASSWORD]

Do not ignore this message. Your account security is at risk."

Red Flags

  • Sender is apple-id.com, not apple.com
  • All-caps "URGENT" indicates phishing (Apple doesn't use this style)
  • Vague threats without specifics
  • Pressures immediate action with emotional language
  • Real Apple emails rarely ask you to reset your password via link

Example 4: Bank Account Unusual Activity Alert

Target: Bank customers. Goal: Steal online banking credentials and access financial accounts.

From: security@yourbank-alerts.com

Subject: ALERT: Unauthorized Transaction Detected

Body:

"We detected a $2,500 wire transfer to an unknown account from your checking account.

If you did not authorize this transaction, click below to dispute it immediately:
[DISPUTE CHARGE]

Account Access may be blocked if fraud is not addressed within 1 hour."

Red Flags

  • Sender is yourbank-alerts.com (generic, not real bank domain)
  • Specific dollar amount ($2,500) creates panic
  • Hard deadline (1 hour) to force reckless clicks
  • Real banks never ask you to click links to dispute transactions
  • Real banks show your actual account number, not just "your account"

Example 5: Google Account Suspicious Activity

Target: Gmail and Google account users. Goal: Compromise the Google account and gain access to Google Drive, Photos, Gmail, YouTube.

From: noreply@security-google.com

Subject: Review Suspicious Activity on Your Google Account

Body:

"We noticed someone accessed your Google Account from an unusual location.

Recent Activity:
Location: Moscow, Russia
Device: Android Device

Review this activity now:
[CHECK ACTIVITY]

Do not delay. Click the link above to secure your account."

Red Flags

  • Sender is security-google.com, not google.com
  • Foreign location (Russia, Nigeria, China) is a common phishing tactic
  • Button says "CHECK ACTIVITY" but links to phishing page
  • Real Google alerts show your actual email address, not generic greeting
  • Real Google doesn't use "Do not delay" language in emails

Example 6: LinkedIn Account Restricted

Target: LinkedIn users. Goal: Steal LinkedIn accounts to impersonate professionals and target connections.

From: security@linkedinservice.com

Subject: Your LinkedIn Account Has Been Restricted

Body:

"LinkedIn has restricted your account due to suspicious activity. We need to verify your identity to restore access.

Verify your identity here:
[VERIFY IDENTITY]

Your account will be permanently deleted if not verified within 48 hours."

Red Flags

  • Sender is linkedinservice.com, not linkedin.com
  • Threats of account deletion to force action
  • No details about what "suspicious activity" was detected
  • LinkedIn doesn't restrict accounts via email verification links
  • Generic greeting without personal information

Example 7: DocuSign/Signature Service Spoofing

Target: Business professionals. Goal: Capture credentials and business documents.

From: notification@docusign-verify.com

Subject: [ACTION REQUIRED] Document Signature Needed

Body:

"A document is waiting for your signature:

Document: Contract_Final.pdf
From: contracts@company.com

Click below to review and sign:
[SIGN DOCUMENT]

This document expires in 24 hours."

Red Flags

  • Sender is docusign-verify.com, not docusign.com
  • Generic company name "company.com" instead of real sender
  • Artificial urgency ("expires in 24 hours")
  • Real DocuSign notifications come from @docusign.com domain
  • Button links to fake DocuSign login page

Example 8: Amazon Buyer Protection Claim

Target: Amazon shoppers. Goal: Steal Amazon login and credit card information.

From: buyerprotection@amazonservice.net

Subject: Your A-to-Z Guarantee Claim Is Under Review

Body:

"A buyer has filed a claim against you. To respond to this claim and protect your seller account, you must verify your identity.

Verify here:
[VERIFY SELLER ACCOUNT]

Your account may be suspended if you do not respond within 48 hours."

Red Flags

  • Sender is amazonservice.net, not amazon.com
  • This email targets Amazon sellers, not buyers (unusual)
  • Threat of account suspension
  • Real Amazon uses different domains for seller services
  • No specific details about the claim or buyer

Example 9: Password Expiration Notice

Target: Various services. Goal: Capture new passwords when users try to reset.

From: noreply@banking-service.com

Subject: Your Password Expires Soon - Update Now

Body:

"Your password will expire in 3 days. Update your password to maintain access to your account.

[UPDATE PASSWORD]

Failure to update your password will result in account lockout."

Red Flags

  • Sender is banking-service.com (generic, not real bank)
  • Most services don't force password expiration via email
  • Threat of lockout to create urgency
  • Button links to phishing password reset page
  • Real services ask you to log in directly, not click email buttons

Example 10: Package Delivery Failed Notice

Target: Online shoppers. Goal: Trick users into downloading malware or providing payment information.

From: delivery@fedex-update.com

Subject: Package Delivery Failed - Verify Address

Body:

"We attempted to deliver your package but could not locate your address. Update your delivery details below:

[VERIFY DELIVERY ADDRESS]

Your package will be returned if we don't receive updated information within 24 hours."

Red Flags

  • Sender is fedex-update.com, not fedex.com
  • Generic message without tracking number or order details
  • You may not even be expecting a package
  • Asks to update address via email button (unusual for real carriers)
  • Real FedEx/UPS include tracking numbers in subject lines

Common Red Flags Across All Phishing Emails

  • Wrong domain: Sender email doesn't match the company's real domain (apple-id.com vs apple.com)
  • Generic greeting: "Dear Customer" or "Hello" instead of your actual name
  • Artificial urgency: Deadlines, threats, "act now," "24 hours," "account will be deleted"
  • Suspicious links: Buttons that don't link to official websites
  • Vague details: No specific information about suspicious activity or claims
  • Requests to click: Legitimate companies ask you to log in on their actual website, not click email buttons
  • Grammar errors: Professional companies have polished writing; phishing emails often have mistakes
  • Uncommon sender format: All-caps subject lines, unusual formatting, or unfamiliar email patterns
  • Too good to be true: Prize notifications, refunds you didn't request, or unusual offers
  • Unverified details: If you're not expecting a package, password reset, or claim, it's likely phishing
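
The "wrong domain" flag can be checked mechanically. The following is an added example, not part of the original article: it runs that check over sender addresses like the ten samples above. The BRANDS allowlist is an assumption built from the official domains the article names, and the brand-name substring match is a triage heuristic that can also hit unrelated domains.

```python
# Added example: classify a From header as official, lookalike or unknown.
# BRANDS is an assumed allowlist; extend it with the domains a brand really uses.
from email.utils import parseaddr

BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
    "google": {"google.com"},
    "linkedin": {"linkedin.com"},
    "docusign": {"docusign.com"},
    "amazon": {"amazon.com"},
    "fedex": {"fedex.com"},
}

def sender_domain(from_header):
    """Domain of the address part; the display name is ignored on purpose."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def belongs_to(domain, official):
    """True only for the official domain or a real subdomain of it.
    A bare endswith(official) would wrongly accept 'notpaypal.com'."""
    return domain == official or domain.endswith("." + official)

def check_sender(from_header):
    """Return (verdict, brand); verdict is 'official', 'lookalike' or 'unknown'."""
    domain = sender_domain(from_header)
    for brand, official in BRANDS.items():
        if any(belongs_to(domain, d) for d in official):
            return "official", brand
    # Not an official domain: does it still carry a brand name?
    squashed = domain.replace("-", "").replace(".", "")
    for brand in BRANDS:
        if brand in squashed:
            return "lookalike", brand
    # Generic senders such as yourbank-alerts.com name no brand and land here.
    return "unknown", None
```

An "unknown" verdict is not a clean bill of health: the generic bank senders in Examples 4 and 9 impersonate no listed brand, so the other red flags still have to be checked.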

How to Verify Sender Identity

  1. Check the full email address: Look at the complete sender address, not just the display name
  2. Hover over links (desktop): Hover without clicking to see the actual URL destination
  3. Check official website: Go directly to the company's official website (type in address bar) and compare
  4. Contact the company directly: Call the number on their official website or use their official contact form
  5. Look up the domain: Use WHOIS lookup to verify domain registration details
  6. Check email headers: Advanced users can review email headers to trace the true origin
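
Steps 1, 2 and 6 can be applied to a saved message without opening it in a mail client. The following is an added example, not part of the original article: it reads the From address, the link targets and the Authentication-Results header from a raw message. The sample message, the placeholder hosts and the function names are constructed for illustration.

```python
# Added example, not from the original page. SAMPLE is a constructed message
# modelled on Example 1; phish.example and mx.example.net are placeholder hosts.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE = '''From: "PayPal" <security@account-paypal.com>
Subject: PayPal Account Verification Required - Action Needed
Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<a href="http://phish.example/verify">VERIFY ACCOUNT</a>
<a href="https://www.paypal.com/help">Help</a>
'''

class Hrefs(HTMLParser):
    """Collect every <a href>: the 'hover over the link' check without a browser."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append(dict(attrs).get("href") or "")

def within(host, official):
    """True for the official domain or a real subdomain, never 'notpaypal.com'."""
    return host == official or host.endswith("." + official)

def inspect_message(raw, official):
    """Return findings for a message that claims to come from `official`."""
    msg, findings = message_from_string(raw), []
    # Step 1: judge the address part; the display name is attacker-chosen text.
    sender = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    if not within(sender, official):
        findings.append("from:" + sender)
    # Step 6: trust this header only when your own receiving server added it.
    auth = (msg["Authentication-Results"] or "").lower()
    findings += [m + "-not-pass" for m in ("spf", "dkim", "dmarc") if m + "=pass" not in auth]
    hrefs = Hrefs()
    hrefs.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href in hrefs.found:  # step 2: the real destination behind each button
        dest = (urlsplit(href).hostname or "").lower()
        if dest and not within(dest, official):
            findings.append("link:" + dest)
    return findings
```

An empty result only means these three checks passed; a message sent from a compromised legitimate account would pass them as well.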

What to Do If You Clicked a Phishing Link

  1. Do not enter your password or personal information
  2. Close the browser tab or window immediately
  3. If you already entered credentials, change your password immediately on the official website
  4. Enable two-factor authentication to add an extra security layer
  5. Monitor your account and credit reports for suspicious activity
  6. Report the phishing email to the actual company and to the FTC at reportfraud.ftc.gov
  7. Consider running antivirus software to check for malware

Phishing emails are designed to look legitimate and create panic. The best defense is to slow down and verify. Never click links in unsolicited emails—go directly to official websites instead. When in doubt, call the company using a number you find yourself (not from the email). Trust your instincts: if something feels off, it probably is.