Re-Hashed: Phishing Email Examples — The Best & Worst

Here are the best and worst phishing examples and scams we’ve seen lately — send us some of the best and worst you’ve seen!

Unfortunately phishing has become so prevalent that most of us have grown sort of jaded. Case in point, we pass around phishing email examples at our office. It’s not uncommon to get an email from a coworker with a subject line like “check out teh pheesh” and a screenshot of a questionably worded request to change a password or some such nonsense.

Even referring to a phishing email as phish kind of undermines what a pernicious threat phishing actually is. After all, if you’ve ever read our phishing statistics article, you know that it’s a big issue. Phishing was a factor in 22% of the confirmed data breaches investigated and reported in Verizon’s 2020 Data Breach Investigations Report (DBIR). That means that phishing was involved in nearly one in four data breaches.

Still, call it gallows humor, but sometimes phishing emails can be objectively funny. And sometimes they can be deathly serious — when they’re constructed well enough to be convincing, for example when cybercriminals use email spoofing to make their messages appear legitimate. And, nowadays, cybercriminals are even using the COVID-19 pandemic as a way to phish companies and individuals.

So, today, we’re going to look at some phishing email examples — the best and the worst. And then we want to hear from you. At the end, we’ll ask you to send some of your best and/or worst phishing examples and we’ll all learn from and/or have a laugh at them, too.

Let’s hash it out.

Phishing Email Examples: The Best

Now, before we go any further — and for the sake of our comments section — we are by no means saying any of these are the greatest or worst of all-time. I would be skeptical of anyone who claimed they could make that evaluation. And I’m not sure what criteria it would even be based on.

If you removed anything with a trace of subjectivity, you would have to quantify it in terms of actual damage caused. For Facebook and Google, the total costs associated with one multi-email phishing scam surpassed $100 million. And in some cases, like John Podesta and the Democratic National Committee, you really can’t put a number on that kind of damage.

My point is this: don’t overthink it. These phishing email examples are archetypal in nature and are meant to illustrate the kinds of tactics that phishers use. They’re also taken from our own email servers (and were shared by our employees from their personal email accounts, in some cases). This is what phishing looks like in the wild.

With that out of the way, let’s look at some phishing email examples.

Brand Phishing Email Examples

American Express

An American Express phishing email example
This screenshot is of a phishing email that’s designed to look like it came from American Express.

As far as phishing email examples go, this one isn’t too bad (although the American Express logo appears distorted). Sometimes, simple is better when it comes to trying to make a fake email appear legitimate. The attacker changed the sender’s display name to appear as American Express, which means that if the recipient didn’t bother to check the email address itself, they may not realize that it actually comes from an address at pentagon-securidad.cl rather than from an address on the americanexpress.com domain.

The message creates a sense of urgency by warning you that your account is suspended until you take the time to verify your account information. However, in the next sentence, it’s saying to “update the information about your account ownership,” which is different than just verifying something.

GEICO

Geico phishing email example
Here’s a brand phishing example in which the cybercriminal impersonates GEICO.

Next up to bat is this message that appears to come from Geico. It looks like they’ve decided to follow the previous phishing example’s lead and take the simpler-is-better approach to design. Considering that Geico is a popular insurance company, it’s likely that it would catch the attention of many potential targets. This phishing email is set up nicely and isn’t as error-ridden as many phishing emails that grace your junk mail folder. However, there are a few things that give away the fact that this is still phish.

First, look at the email “from:” field. The email comes from a pigtask.com domain address instead of geico.com. Second, the sender set both the “to:” and “CC:” fields to send to the same person (those fields have been edited to remove the recipient’s email address).

Third, there are some weird capitalizations going on. And if you were to hover your mouse over the Expiring Soon link near the top or the Take Survey Now button near the bottom, you’d see that they’d take you to a non-Geico website.

Oh, and by the way, never assume an Unsubscribe link is safe in an email. Always hover over it with your mouse to see what the real website URL is. If the unsubscribe link is in a suspected phishing email, don’t click it — ever. Unless, of course, your idea of fun is spending the rest of your day cleaning malware off your machine and changing all of your account passwords… in which case, have at it.

Rackspace

rackspace phishing example email screenshot
This brand phishing example involves a cybercriminal creating an email that looks like it came from Rackspace.

Here’s another example of brand phishing. In this case, the phish is imitating a Rackspace email. We happen to use Rackspace, so this had the potential to pique the right person’s interest. It also requires immediate attention, which tries to force a sense of urgency.

Where it falls apart is in the “from:” field and the link URL. Let’s start with the sender. Rackspace is very clear about the servers it delivers mail from. This isn’t one of them. That was enough to get it flagged by our filters. But beyond that, the from name isn’t quite right (it uses the Greek letter alpha, “α,” in place of the Latin “a”) and the URL it links to isn’t rackspace.com.

The URL is pretty sneaky, though. At a cursory glance, it almost looks like a valid Rackspace URL:

https://[redacted].com/αpps.rαckspαce.cοm/index.php?email=product-manager@thesslstore.com

All of these well-known brands are being impersonated by cybercriminals through phishing emails like these. Something that’s poised to be incredibly useful in the future for verifying whether an email is sent from a legitimate organization (i.e., not an imposter) is BIMI, which stands for brand indicators for message identification.

The BIMI pilot program, which launched at Google and Verizon Media on July 21, 2020 with DigiCert and Entrust Datacard, involves the use of verified mark certificates (VMCs). The goal is to offer greater security for users and businesses by authenticating businesses and displaying their verified company logos.

Here’s another example of a phishing email pretending to be an unnamed tech company:

Generic computer security company's phishing email example
Notice anything missing in this phish? Yeah, substance!

Again, this looks to create urgency about an expiring account. But if you stop for a second, you’ll notice that nowhere in this colorful correspondence is there any mention of what the expiring account IS. It just says “Computer security account” in the signature. That’s actually helpful in its unhelpfulness. This is clearly a phish.

Posing as a Job Applicant

A job applicant phishing email example with a malicious attachment
This cybercriminal is clearly channeling his inner pre-pubescent boy with this phishing email.

If you ever were — or have just spent time around — a middle school-aged boy, the name of the sender would give this away immediately. But, assuming your purity of mind and heart allowed you to miss that, the premise of this phishing email is actually pretty ingenious. If a company has posted job listings on websites like Indeed or LinkedIn, shoot them an email with a malicious payload masquerading as a resume.

Or in the case of Shona’s resume, maybe just a headshot.

Here’s another phishing email example with a less egregious name, though it’s sent to an email address that a legitimate applicant wouldn’t use, much less even have.

This is just the first of several phishing examples that show that phishing doesn’t always include links. Sometimes, the threat comes in the form of an Office file or .txt doc. Heck, some phishing emails even use doctored images to transmit malicious payloads.

Notice the filters caught the malware and renamed the attachment rather un-suspiciously. I think this is one case where if an employee still opens it, you’re legally sanctioned to load them into a cannon and fire them into the sun.

A job applicant phishing email example that's had a malicious attachment removed
The SSL Store’s email filters identified the threat of this phishing email and removed a malicious file attachment that was disguised as a resume text doc.

Posing as an Angry Customer

A screenshot of a phishing email that's written to look like it came from a customer

Nobody wants to be accused of billing a customer twice. That’s something that needs to be addressed immediately so this is definitely effective in terms of creating urgency. And when it’s a “customer,” unless the “sender:” and “from:” fields don’t match, it can be tough to rule a whole lot out by domain and TLD.

But there are a couple of things that give this away as a phishing email. For one, every sentence or so you get two words concatenated. That’s a formatting error caused by copy/pasting between differently encoded applications. That’s never a good sign. Also, who sends a link to their bank statement? That’s phishy, too. But the real tell is there’s no contact information given beyond “Al Scogin” and the email address this came from. That speaks to the sender’s intent, which isn’t to recoup a financial loss so much as to get you to click a link. Phish.

Ok, now let’s look at some bad phishing email examples because those are way more fun. We’ll update our best phish section as we see some better phishing examples in the future. As you’re about to see, a lot of these examples of phishing scams are just garbage.

Phishing Email Examples: The Worst

You know how sometimes you CAN judge a book by its cover? The inverse makes for a good movie, but in real life a lot of the time stuff really is as bad as it looks. Sorry, kiddos. Let’s dive into the worst phishing email examples that we have readily available…

Bad Brand Phishing Email Examples

PayPal is one of the most oft-imitated brands in the world of Phishing, so if you want to PayPal phish, you better have your ducks in a row and make it look good.

This… is not that.

PayPal phishing email example
Note to scammers: Keep using emojis and writing creepy messages like this. It’s a dead giveaway and makes our job of providing phishing email examples a lot easier.

Ignoring for a second that PayPal would never bungle the aesthetics of an email this badly, let’s just admire the details here. The correspondence is addressed TO “paypal” for some reason. Then the second sentence is “you’ve chosen to explore a mighty network!” What the hell does that mean?! If someone says that to you on the street — you clock them and run in the other direction. Then there’s a praise emoji and a stalker-ish “I’ve-been-watching-you”-style sign off. Then a brand statement. What kind of psychopath wrote this email?

Then, of course, there’s also this one…

PayPal phishing email example screenshot
This PayPal phishing email example at least looks more legitimate…

Okay, so this phishing attempt isn’t so bad, visually speaking. But it seems like a very confused email when you actually bother reading it.

The email subject line talks about a Chase account and the sender’s name is listed as “Paypal Letter.” First, PayPal would never list your account-related information in an email (let alone in the subject line). Second, if the email was legit, it would say that it came from a PayPal domain-related email address. It certainly wouldn’t come from a chiropractic company’s email address.

These two signs alone are great indicators that this email isn’t really from PayPal. But, wait, there’s more!

When you read the content, you’ll quickly realize that it doesn’t make sense even from just a grammatical perspective: “We’ve taken extra precaution to confirm that your PayPal account is secure and have assigned your account with a temporary limited.” A temporary limited what? This message trails off and never completes the train of thought. This never would have made it past PayPal’s real marketing team.

Speaking of confused emails… check out this beauty from Chase. I mean Rackspace. Wait, no, I mean “Online Email Team”…

Screenshot of a Chase online phishing email that uses HTTPS phishing

This message is very poorly put together. The subject line says it’s an alert from Chase Online, but the sender’s display name says it’s from Rackspace Support and it’s signed by just “Online Email Team.” Not to mention the email is addressed to “Dear Customer.” I’m pretty sure that Rackspace would know your name if the email really came from them and you were one of their customers…

Needless to say, there’s a lot to unpack in this phishing email. The content itself is also poorly written. There are grammatical errors everywhere along with poor capitalizations and spacing issues. Furthermore, the phisher who wrote the email hedged their bet by saying “your accounts” because they don’t know whether you have just one or multiple accounts.

The pièce de résistance comes in the form of the link itself. Sure, the display name appears to be rackspace.com. However, if you hover your cursor over the link, you’ll see that it’s a sham and that the real URL will take you to another unknown website.

Rackspace imposter email (a screenshot of another Rackspace phishing email)

Man, Rackspace just can’t seem to catch a break from being impersonated in phishing scams. This one has a decent subject line and it purports to be from Rackspace. But two words in and we already know it’s BS. Also, it originated from ambergris.it? That’s not a Rackspace server.

My favorite part is the passive-aggressive way Rackspace is allegedly telling the recipient to take care of their bill… “devote 2 minutes of your time and go on our page to settle your bill.” Very on-brand. (So there’s no ambiguity, this is sarcasm. Though we pay our bills on time I’m sure there is no such passive aggression on Rackspace’s part in the event things are past due.)

So, how about one more Rackspace phishing example? Then we’ll leave them alone.

another in our list of rackspace phishing email examples

Ah, yes. Another email with all of the hallmark indicators of a phishing scam. It’s addressed with the generic salutations directed to the “valued member.” (Aww, don’t you feel special?) While the email display says Rackspace, the actual email address behind it belies that claim.

When you read the message, there’s no identifying information about the recipient that would indicate that the sender actually knows who they’re talking to. They’re just taking shots in the dark and hoping that one will land a target. And all it takes is for one person to fall for this scam to make their minimal amount of effort worthwhile.

Microsoft

Microsoft Office 365 phishing email example screenshot

Even this tech giant isn’t safe from the reaches of phishers. That’s why it’s made its way onto our list of bad phishing email examples. This email — again, directed to the generic “user” — seems to confuse the words “update” and “upgrade.” The title of the phish implies that there’s an update coming, whereas the message itself says that you have to upgrade your account to keep it from being terminated.

The message, which says it was sent by Office 365 (and not Microsoft), comes from a sender’s email address that indicates otherwise. After all, I’m pretty sure noblesys.com isn’t the same as Microsoft.com.

Also, as a last quick note, it looks like someone was either in a big rush or they just didn’t give a crap about how the email looks. The message uses text that’s written in both serif and sans serif typefaces, different colors, and different sizes. This is a poor copy-paste job if I’ve ever seen one.

Walmart

A screenshot of one of those annoying Walmart scam phishing email examples
The recipient’s email address has been edited out of this phishing email screenshot for the sake of privacy.

Here’s a colorful example of a bad brand phishing email that one of my colleagues received on her personal account. While the email address does include “Walmart” in the first half of the address, it’s followed by a bunch of gibberish that’s clearly not a Walmart.com-associated account or domain.

In the main body of the email, note how the phisher tries to impersonate Walmart with the sun logo next to the name. However, Walmart’s logo doesn’t look like that. In fact, the icon they’re using is actually the sun icon from Microsoft Office’s icon list. Also, the email’s written to sound suspiciously urgent. And if we’ve learned anything from this article so far, if an unsolicited message pushes immediacy, it’s likely to be a phishing email.

Lastly, notice all of the weird text at the end of the email? Here, let’s blow that up a bit so you can see it better:

A screenshot of fake content featuring a real person and company that phishers sometimes use in phishing emails
An example of some of the random text you might find at the end of some phishing email examples. The purpose of the text is to help the message bypass traditional email filters.

All of that mumbo-jumbo is there to try to help emails get around spam filters. However, it’s important to note that the name of the company is, in fact, a real organization and the person this cybercriminal is impersonating was one of their real employees. Bob Graham, the co-founder of the real Event Temple, posted on Google’s community support forums about the issue:

A Google Forums message about the phishing email example's text footer
A screenshot of the post on Google’s community forum.

Unfortunately for Dylan — and for his previous employer — phishers are having a field day sending out spam emails using their legitimate info.

Posing As Your Crypto Wallet Company

Phishing email examples screenshot of a message targeting Blockchain.com digital wallets
This is one of the cryptocurrency related phishing email examples that you might find in your junk mail folder.

This email is purportedly from blockchain.com, a digital wallet for cryptocurrencies. While it’s got a decent subject line that piques your interest and creates a sense of urgency, the rest of the email is poorly written. It’s very vague in nature, is sent to “Recipients,” and addresses the recipient as “Dear User.”

Suuuuure, that’s not too suspicious. Not to mention, no legitimate company would send out bulk emails about issues relating to individual accounts.

A screenshot of the URL phishing in this phishing email example

Another dead giveaway? Look at the website — www.blockchain.com.com. When you hover your mouse over the link, it displays the real URL of the site that you’d be directed to if you were to click on it. Needless to say, that’s definitely not a link for blockchain.com.
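The two link tricks above (the Rackspace URL built from Greek look-alike letters, and the blockchain.com.com domain) and the display-name-versus-From-domain mismatch seen throughout this article can all be caught mechanically. Here is an added Python checker that does so; it is example code written for this article, not a tool from Hashed Out or any of the brands mentioned, and its brand allowlist, look-alike table and sample host example-phish.test are assumptions.

```python
"""Email brand-impersonation checks (added example; not from the article).

Flags three tells the article walks through:
  1. the display name claims a brand but the From domain is someone else's
  2. a link contains non-ASCII look-alike letters (Greek alpha/omicron, etc.)
  3. a link mentions the brand's domain but its registrable domain is different
     (blockchain.com.com, or rackspace.com buried in another host's path)
The brand allowlist and look-alike table are assumptions for this example.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist: brand name fragment -> the brand's legitimate domain.
BRAND_DOMAINS = {
    "american express": "americanexpress.com",
    "geico": "geico.com",
    "rackspace": "rackspace.com",
    "blockchain": "blockchain.com",
}

# Greek and Cyrillic letters commonly swapped for Latin ones, mapped to the
# Latin letter they mimic (alpha and omicron are the ones in the article's URL).
LOOKALIKES = {
    "α": "a", "ο": "o", "ε": "e", "ι": "i", "ρ": "p", "ν": "v", "υ": "u",
    "а": "a", "о": "o", "е": "e", "с": "c", "р": "p", "х": "x", "і": "i",
}


def non_ascii_chars(text):
    """Return (char, Unicode name) for each non-ASCII character in text."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in text if ord(c) > 127]


def skeleton(text):
    """Lower-case text with look-alike letters replaced by their Latin twins,
    so 'rαckspαce.cοm' compares equal to 'rackspace.com'."""
    return "".join(LOOKALIKES.get(c, c) for c in text.lower())


def registrable_domain(host):
    """Last two labels of a hostname. Adequate for .com/.cl/.it as used here;
    a production tool should consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_findings(display_name, from_addr):
    """Tell 1: brand in the display name, From address on another domain."""
    from_domain = registrable_domain(from_addr.rsplit("@", 1)[-1])
    return [
        f"display name {display_name!r} but From domain is {from_domain}, not {legit}"
        for brand, legit in BRAND_DOMAINS.items()
        if brand in display_name.lower() and from_domain != legit
    ]


def link_findings(url):
    """Tells 2 and 3 for a single link URL."""
    findings = [f"non-ASCII character {c!r} ({name}) in URL"
                for c, name in non_ascii_chars(url)]
    host = urlsplit(url).hostname or ""
    actual = registrable_domain(skeleton(host))   # where the link really goes
    plain = skeleton(url)                          # what it is made to look like
    for brand, legit in BRAND_DOMAINS.items():
        if (legit in plain or brand in plain) and actual != legit:
            findings.append(f"URL mentions {legit} but actually points at {actual}")
    return findings


def scan_message(display_name, from_addr, urls):
    """All findings for one message; an empty list means no tell was found."""
    findings = sender_findings(display_name, from_addr)
    for url in urls:
        findings.extend(link_findings(url))
    return findings


if __name__ == "__main__":
    # Constructed samples modelled on the article's screenshots.
    samples = [
        ("American Express", "alerts@pentagon-securidad.cl", []),
        ("Rackspace Support", "billing@ambergris.it",
         ["https://example-phish.test/αpps.rαckspαce.cοm/index.php?email=someone@example.com"]),
        ("Blockchain", "support@blockchain.com", ["https://www.blockchain.com.com/login"]),
        ("Rackspace", "billing@rackspace.com", ["https://www.rackspace.com/login"]),
    ]
    for name, addr, links in samples:
        print(f"{name} <{addr}>: {scan_message(name, addr, links) or 'no tells found'}")
```

The registrable-domain helper is deliberately naive; swap in a Public Suffix List lookup before relying on it for anything beyond .com-style domains.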

If someone’s smart enough to have a digital wallet and successfully hold and manage cryptocurrencies, I’m pretty sure they’re also too smart to fall for such a lazy phishing scam attempt. But maybe I should curb my expectations, since even experts can fall for phishing scams.

Fake News

The original fake news: sending someone an advertisement that’s really just trying to steal their info or give them malware. Here’s an example:

A fake news phishing email

The subject line “Amy from ABC LunaTrim Edition 23092” could pass as a subscription-related message, as ABC always sounds like a legitimate enterprise. And it says “ABC Today News Special,” which most people in the U.S. (and Australia) associate with a TV network. But the sender’s name and email address don’t match up. Then things go downhill quickly with one word: “Incredilbe.”

This is such a weird mistake that I actually Googled it just to make sure it wasn’t a cognate, and that’s just how another language spells it and… no. After clicking through Google’s “suggested spelling” all I found was a bunch of travel reviews left by orthographically-challenged (idiot) tourists. Actually, they say spelling isn’t a function of intelligence, but there’s a threshold at which point it’s hard to argue it isn’t at least a little bit indicative of it. Or a lack of it. Also, who uses Bing Maps?

Anyway, the rest of the email does itself no favors, either. Clearly a phish.

Pose as a Hacker

A lot of people don’t know a whole lot about computers and networks and cybersecurity, which paints hackers in a rather fictional light. And to make things worse the media does a really poor job of covering cybersecurity topics, which scares up a whole host of other problems.

Criminals know this, and they are more than happy to prey on those fears with phishing emails and scams.

This next email has some NSFW language. Ohh, I probably should have mentioned that earlier, too (looking at you, Shona), but we’re all adults here, so let’s continue.

The first of three Bitcoin-related phishing scam email examples
This email is the first in a series of phishing email examples that aim to extort Bitcoin from blindsided targets.

This is actually one in a string of clearly-automated emails that escalated over the course of a few weeks. Regrettably, I emptied my junk folder and deleted the first few before starting this article, but you can probably gather the substance and gravity of the first few from this one.

Right away, you can tell this is a phish. First of all, Mr. Retention doesn’t have a social life. Mr. Retention is not even a person. Mr. Retention is a deprecated mail alias (apparently one with too much time on his hands). You can tell this is automated from the get-go.

And I think there’s a foundational flaw in the logic behind this whole endeavor, which is that the type of person that might be scared into believing this definitely has no idea how to buy Bitcoin.

In fact, asking such a naive, impressionable individual to even try to obtain Bitcoin is like sending a sheep into a lion’s den. They’ll have their money, their home and all their credit sucked out of them way before you ever see your $2,000’s worth.

Here’s the same thing in Danish. Same disclaimer applies. NSFW language (if you speak Danish).

The second of three Bitcoin-related phishing scam email examples, only this one is written in Danish
Looking for a Danish version of the same kind of Bitcoin phishing email examples? Look no further…

Here’s another phishing example with some slightly different language, but all the same anger and scaremongering we’ve come to love:

The third of three Bitcoin-related phishing scam email examples
The last in the series of Bitcoin phishing email examples sent to our beloved Mr. Retention.

C’mon, Mr. Retention. We’re going to have to take away your internet access, aren’t we?

For an in-depth look at more of these Bitcoin phishing emails, be sure to check out our article on n1ghtm4r3 phishing emails.

Phony Invoices, Payments & Bonus Phishing Email Examples

Annual bonus phishing email examples are common ways to target employees
Here’s just one of many annual bonus-themed phishing email messages that I’ve received during my time at The SSL Store.

Everyone loves money, and there are few things more attractive to an employee than an email insinuating that they’re getting a bonus. Unfortunately, however, this one was sent to us from the typo-king version of Captain America, “Stive Rojers.” A quick look at the sender’s email address or name is enough to make you hit the spam button right away. But when you actually read this sad excuse of a phishing example, you’ll see that it’s written in a way that tries to be believable without actually doing a good job.

If you’re a legal assistant (not a “lawyer assistant,” by the way), you certainly wouldn’t send a message from your boss while addressing them as “The Ssl Store Accountant.” That’s a bit on the nose, wouldn’t you say? Also, I’m pretty sure that if you worked for a company, you’d know how to properly write their name (The SSL Store), which is named after their core products. Just sayin’.

Furthermore, the contact information contains no phone number (although it does contain an extension), which would imply that the idea here is that you’re not supposed to contact them. Instead, they’ve included a link to a PDF that’s supposedly available on a website. Someone’s annual bonus information isn’t something that you’d want to simply host and send a link out to on a public website.

Needless to say, all of this screams “scam.”

Another phishing email examples screenshot of someone pretending to be Maersk Line

Maersk Line, the largest subsidiary of the well-known international container logistics parent company Maersk Group, is another favorite target of cybercriminals. In 2019, the company released a statement warning that their real employees were being impersonated in phishing scams. Lucky for us, we’ve received one of those phishing email examples here at Hashed Out to share with you.

The email sender info displays Maersk Line and the email spoofing attempt of the email address itself could be considered passable to someone who doesn’t look closely. But the email content itself is a mess — it’s a collage of different colors, typefaces and character sizes.

Phishing email examples graphic of a fake purchase order

We’ve reached the final item on our list of phishing email examples. This message is written to look like it’s part of an ongoing correspondence. It did contain malicious content, which was removed by Outlook’s email spam filters.

Of course, the writing clearly isn’t from a native English speaker — it’s riddled with poor grammar and a dearth of sentence capitalizations that sets an editor’s teeth on edge. And the email is addressed to “Hello dear.” Definitely not a professional way to address a work-related contact. That would set off red flags immediately.

Let’s consider the sender’s email address itself. If you look up “shivantrade.com,” the search results show a bunch of links relating to Chinese baby wipes exports. Not really sure what that would have to do with The SSL Store or why they’d think we’d order them in bulk. But, hey, who am I to question the decisions of management, right?

A particularly nice touch of this email is making it look like I was the one who reached out to the sender first. Of course, they flubbed it by signing it “casey.crane” — it shows that they either copy-pasted the first half of the email address or used code to auto-populate the field. Either way, if you’re going to go to all of that trouble to try to make an email appear legitimate, it would be important to fix those little details.

Send Us Your Best & Worst Phishing Email Examples!

We want to see YOUR best phish. Hang on, let’s reword that. If anyone sends you or your company a particularly good phish — really convincing ones or comically bad ones — take a screenshot and send it to HashedOut@TheSSLStore.com. Just make sure to cover up anything you don’t want the world to see. Probably best to rephrase that, too. If there are any recipients, email addresses or proprietary information included on the screenshot make sure to obscure it before sending it.

And check back on this phishing email examples article periodically. We’ll update this article as more and more phish swim our way.

Note: This article on phishing email examples was originally written by Patrick Nohe on June 11, 2019. The piece, which was updated with lots of new content and screenshots, was re-published by Casey Crane as a “re-hashed” version of the article on Oct. 21, 2020.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.