Still, call it gallows humor, but sometimes phishing emails can be objectively funny. And sometimes they can be deathly serious<\/a> \u2014 when they’re constructed well enough to be convincing. . For example, when cybercriminals use email spoofing<\/a> to make their emails appear legitimate. And, nowadays, cybercriminals are even using the COVID-19 pandemic as a way to phish companies and individuals<\/a>.<\/p>\n\n\n\n So, today, we’re going to look at some phishing email examples \u2014 the best and the worst. And then we want to hear from you. At the end, we’ll ask you to send some of your best and\/or worst phishing examples and we’ll all learn from and\/or have a laugh at them, too.<\/p>\n\n\n\n Let\u2019s hash it out.<\/span><\/p>\n\n\n<\/span><\/span>\n\n\n Now, before we go any further \u2014 and for the sake of our comments section \u2014 we are by no means saying any of these are the greatest or worst of all-time. I would be skeptical of anyone who claimed they could make that evaluation. And I’m not sure what criteria it would even be based on. <\/p>\n\n\n\n If you removed anything with a trace of subjectivity you would have to quantify it in terms of actual damage caused. For Facebook and Google, the total costs associated with one multi-email phishing email scam<\/a> surpassed $100 million. And in some cases, like John Podesta and the Democratic National Committee, you really can’t put a number on that kind of damage.<\/p>\n\n\n\n My point is this: don’t overthink it. These phishing email examples are archetypal in nature and are meant to illustrate the kinds of tactics that phishers use. They’re also taken from our own email servers (and were shared by our employees from their personal email accounts, in some cases). This is what phishing looks like in the wild. <\/p>\n\n\n\n With that out of the way, let’s looking at some phishing email examples.<\/p>\n\n\n\n As far as phishing email examples go, this one isn\u2019t too bad (although the American Express logo appears distorted). Sometimes, simple is better when it comes to trying to make a fake email appear legitimate. The attacker changed the sender\u2019s display name to appear as American Express, which means that if the recipient didn\u2019t bother to check the email address itself, they may not realize that it is coming from an email address from pentagon-securidad.cl instead of an americanexpress.com domain registered email address.<\/p>\n\n\n\n The message creates a sense of urgency by warning you that your account is suspended until you take the time to verify your account information. However, in the next sentence, it\u2019s saying to \u201cupdate the information about your account ownership,\u201d which is different than just verifying something.<\/p>\n\n\n\n Next up to bat is this message that appears to come from Geico. It looks like they\u2019ve decided to follow the previous phishing example\u2019s lead and take the simpler-is-better approach to design. Considering that Geico is a popular insurance company, it\u2019s likely that it would catch the attention of many potential targets. This phishing email is set up nicely and isn\u2019t as error-ridden as many phishing emails that grace your junk mail folder. However, there are a few things that give away the fact that this is still phish.<\/p>\n\n\n\n First, look at the email \u201cfrom:\u201d field. The email comes from a pigtask.com domain address instead of geico.com. Second, the sender set both the \u201cto:\u201d and \u201cCC:\u201d fields to send to the same person (those fields have been edited to remove the recipient\u2019s email address).<\/p>\n\n\n\n Second, there are some weird capitalizations going on. And if you were to hover your mouse over the Expiring Soon link near the top or the Take Survey Now button near the bottom, you\u2019d see that they\u2019d take you to a non-Geico website. <\/p>\n\n\n\n Oh, and by the way, never assume an Unsubscribe link is safe in an email. Always hover over it with your mouse to see what the real website URL is. If the unsubscribe link is in a suspected phishing email, don\u2019t click it \u2014 ever. Unless, of course, your idea of fun is spending the rest of your day cleaning malware off your machine and changing all of your account passwords\u2026 in which case, have at it.<\/p>\n\n\n\n Here’s another example of brand phishing. In this case, the phish is imitating a Rackspace email. We happen to use Rackspace, so this had the potential to pique the right person’s interest. It also requires immediate attention, which tries to force a sense of urgency<\/a>.<\/p>\n\n\n\n Where it falls apart is in the “from:” field and the link URL. Let’s start with the sender. Rackspace is very clear about the servers it delivers mail from. This isn’t one of them. That was enough to get it flagged by our filters. But beyond that, the from name isn’t quite right (it uses alpha characters instead of “a”) and the URL it links to isn’t rackspace.com.<\/p>\n\n\n\n The URL is pretty sneaky, though. At cursory glance, it almost looks like a valid Rackspace URL:<\/p>\n\n\n\n https:\/\/[redacted].com\/\u03b1pps.r\u03b1cksp\u03b1ce.c\u03bfm\/index.php?email=product-manager@thesslstore.com<\/p>\n\n\n\n All of these well-known brands are being impersonated by cybercriminals through phishing email examples like these. Something that\u2019s poised to be incredibly useful in the future for verifying whether an email is sent from a legitimate organization (i.e., not an imposter) is BIMI<\/a>, or what stands for brand indicators for message identification. <\/p>\n\n\n\n This BIMI pilot program<\/a>, which Google\u2019s launched at Google and Verizon Media on July 21, 2020 with DigiCert and Entrust Datacard, involves the use of verified mark certificates (VMCs). The goal is to offer greater security for users and businesses by authenticating businesses and displaying their verified company logos.<\/p>\n\n\n\n Here\u2019s another example of a phishing email pretending to be an unnamed tech company:<\/p>\n\n\n\n Again, this looks to create urgency about an expiring account. But if you stop for a second, you’ll notice that no where included in this colorful correspondence is any mention of what the expiring account IS. It just says “Computer security account” in the signature. That’s actually helpful in its unhelpfulness. This is clearly a phish.<\/p>\n\n\n<\/span><\/span>\n\n\n If you ever were \u2014 or have just spent time around \u2014 a middle school-aged boy, the name of the sender would give this away immediately. But, assuming your purity of mind and heart allowed you to miss that, the premise of this phishing email is actually pretty ingenious. If a company has posted job listings on websites like Indeed or LinkedIn, shoot them an email with a malicious payload masquerading as a resume. <\/p>\n\n\n\n Or in the case of Shona’s resume, maybe just a headshot. <\/p>\n\n\n\n Here’s another phishing email example with a less egregious name, though it’s sent to an email address that a legitimate applicant wouldn’t use, much less even have. <\/p>\n\n\n\n This is just the first of several phishing examples that show that phishing doesn\u2019t always include links. Sometimes, the threat comes in the form of an Office file or .txt doc. Heck, some phishing emails even use doctored images<\/a> to transmit malicious payloads.<\/p>\n\n\n\n Notice the filters caught the malware and renamed the attachment rather un-suspiciously. I think this is one case where if an employee still opens it, you’re legally sanctioned to load them into a cannon and fire them into the sun.<\/p>\n\n\n\n Nobody wants to be accused of billing a customer twice. That’s something that needs to be addressed immediately so this is definitely effective in terms of creating urgency. And when it’s a “customer,” unless the “sender:” and “from:” fields don’t match, it can be tough to rule a whole lot out by domain and TLD. <\/p>\n\n\n\n But there are a couple of things that give this away as a phishing email. For one, every sentence or so you get two words concatenated<\/a>. That’s a formatting error caused by copy\/pasting between differently encoded applications. That’s never a good sign. Also, who sends a link to their bank statement? That’s phishy, too. But the real tell is there’s no contact information given beyond “Al Scogin” and the email address this came from. That speaks to the sender’s intent, which isn’t to recoup a financial loss so much as to get you to click a link. Phish.<\/p>\n\n\n\n Ok, now let’s look at some bad phishing email examples because those are way more fun. We’ll update our best phish section as we see some better phishing examples in the future. As you’re about to see, a lot of these examples of phishing scams are just garbage.<\/p>\n\n\n\n You know how sometimes you CAN judge a book by its cover? The inverse makes for a good movie, but in real life a lot of the time stuff really is as bad as it looks. Sorry, kiddos. Let’s dive into the worst phishing email examples that we have readily available…<\/p>\n\n\n\n PayPal is one of the most oft-imitated brands in the world of Phishing<\/a>, so if you want to PayPal phish, you better have your ducks in a row and make it look good<\/a>. <\/p>\n\n\n\n This… is not that.<\/p>\n\n\n\n Ignoring for a second that PayPal would never bungle the aesthetics of an email this badly, let’s just admire the details here. The correspondence is addressed TO “paypal” for some reason. Then the second sentence is “you’ve chosen to explore a mighty network!” What the hell does that mean?! If someone says that to you on the street \u2014 you clock them and run in the other direction. Then there’s a praise emoji and a stalker-ish “I’ve-been-watching-you”-style sign off. Then a brand statement. What kind of psychopath wrote this email? <\/p>\n\n\n\n Then, of course, there’s also this one…<\/p>\n\n\n\n Okay, so this phishing attempt isn\u2019t so bad visually speaking. But seems like a very confused email when you actually bother reading it.<\/p>\n\n\n\n The email subject line talks about a Chase account and the sender\u2019s name is listed as \u201cPaypal Letter.\u201d First, PayPal would never list your account-related information in an email (let alone in the subject line). Second, if the email was legit, it would say that it came from a PayPal domain-related email address. It certainly wouldn\u2019t come from a chiropractic company\u2019s email address.<\/p>\n\n\n\n These two signs alone are great indicators that this email isn\u2019t really from PayPal. But, wait, there\u2019s more!<\/p>\n\n\n\n When you read the content, you’ll quickly realize that it doesn\u2019t make sense even from just a grammatical perspective: \u201cWe\u2019ve taken extra precaution to confirm that your PayPal account is secure and have assigned your account with a temporary limited.\u201d A temporary limited what? This message trails off and never completes the train of thought. This never would have made it past PayPal\u2019s real marketing team. <\/p>\n\n\n\n Speaking of confused emails\u2026 check out this beauty from Chase. I mean Rackspace. Wait, no, I mean “Online Email Team”\u2026<\/p>\n\n\n\n This message is very poorly put together. The subject line says it\u2019s an alert from Chase Online, but the sender\u2019s display name says it\u2019s from Rackspace Support and it\u2019s signed by just \u201cOnline Email Team.\u201d Not to mention the email is addressed to \u201cDear Customer.\u201d I\u2019m pretty sure that Rackspace would know your name if they\u2019re them and you\u2019re one of their customers\u2026 <\/p>\n\n\n\n Needless to say, there\u2019s a lot to unpack in this phishing email. The content itself is also poorly written. There are grammatical errors everywhere along with poor capitalizations and spacing issues. Furthermore, the phisher who wrote the email hedged their bet by saying \u201cyour accounts\u201d because they don\u2019t know whether you have just one or multiple accounts.<\/p>\n\n\n\n The pi\u00e8ce de r\u00e9sistance<\/em> comes in the form of the link itself. Sure, the display name appears to be rackspace.com. However, if you hover your cursor over the link, you\u2019ll see that it\u2019s a sham and that the real URL will take you to another unknown website.<\/p>\n\n\n\n Man, Rackspace just can’t seem to catch a break from being impersonated in phishing scams. This one has a decent subject line and it purports to be from Rackspace. But two words in and we already know it’s BS. Also, it originated from ambergris.it? That’s not a Rackspace server. <\/p>\n\n\n\n My favorite part is the passive-aggressive way Rackspace is allegedly telling the recipient to take care of their bill… “devote 2 minutes of your time and go on our page to settle your bill.” Very on-brand. (So there’s no ambiguity, this is sarcasm. Though we pay our bills on time I’m sure there is no such passive aggression on Rackspace’s part in the event things are past due.)<\/p>\n\n\n\n So, how about one more Rackspace phishing example? Then we’ll leave them alone.<\/p>\n\n\n\n Ah, yes. Another email with all of the hallmark indicators of a phishing scam. It\u2019s addressed with the generic salutations directed to the \u201cvalued member.\u201d (Aww, don\u2019t you feel special?) While the email display says Rackspace, the actual email address behind it belies that claim. <\/p>\n\n\n\n When you read the message, there\u2019s no identifying information about the recipient that would indicate that the sender actually knows who they\u2019re talking to. They\u2019re just taking shots in the dark and hoping that one will land a target. And all it takes is for one person to fall for this scam to make their minimal amount of effort worthwhile.<\/p>\n\n\n\n Even this tech giant isn\u2019t safe from the reaches of phishers. That\u2019s why it\u2019s made its way onto our list of bad phishing email examples. This email \u2014 again, directed to the generic \u201cuser\u201d \u2014 seems to confuse the words \u201cupdate\u201d and \u201cupgrade.\u201d The title of the phish implies that there\u2019s an update coming, whereas the message itself says that you have to upgrade your account to keep it from being terminated.<\/p>\n\n\n\n The message, which says it was sent by Office 365 (and not Microsoft), comes from a sender\u2019s email address that indicates otherwise. After all, I\u2019m pretty sure noblesys.com isn\u2019t the same as Microsoft.com.<\/p>\n\n\n\n Also, as a last quick note, it looks like someone was either in a big rush or they just didn\u2019t give a crap about how the email looks. The message uses text that\u2019s written in both serif and sans serif typefaces, different colors, and different sizes. This is a poor copy-paste job if I\u2019ve ever seen one.<\/p>\n\n\n\n Here\u2019s a colorful example of a bad brand phishing email that one of my colleagues received on her personal account. While the email address does include \u201cWalmart\u201d in the first half of the address, it\u2019s followed by a bunch of gibberish that\u2019s clearly not a Walmart.com-associated account or domain.<\/p>\n\n\n\n In the main body of the email, note how the phisher tries to impersonate Walmart with the sun logo next to the name. However, Walmart\u2019s logo doesn\u2019t look like that. In fact, the icon they\u2019re using is actually the sun icon from Microsoft Office\u2019s icon list. Also, the email\u2019s written to sound suspiciously urgent. And if we\u2019ve learned anything from this article so far, if an unsolicited message pushes immediacy, it\u2019s likely to be a phishing email.<\/p>\n\n\n\n Lastly, notice all of the weird text at the end of the email? Here\u2019s, let\u2019s blow that up a bit so you can see it better:<\/p>\n\n\n\n All of that mumbo-jumbo is there to try to help emails get around spam filters. However, it\u2019s important to note that the name of the company is, in fact, a real organization and the person this cybercriminal is impersonating was one of their real employees. Bob Graham, the co-founder of the real Event Temple, posted on Google\u2019s community support forums<\/a> about the issue:<\/p>\n\n\n\n Unfortunately for Dylan \u2014 and for his previous employer \u2014 phishers are having a field day sending out spam emails using their legitimate info.<\/p>\n\n\n\n This email is purportedly from blockchain.com, a digital wallet for cryptocurrencies. While it\u2019s got a decent subject line that piques your interest and creates a sense of urgency, the rest of the poorly written email. It\u2019s very vague in nature and is sent to \u201cRecipients\u201d and addresses the recipient as \u201cDear User.\u201d<\/p>\n\n\n\n Suuuuure, that\u2019s not too suspicious. Not to mention, no legitimate company would send out bulk emails about issues relating to individual accounts.<\/p>\n\n\n Another dead giveaway? Look at the website \u2014 www.blockchain.com.com. When you hover your mouse over the link, it displays the real URL of the site that you\u2019d be directed to if you were to click on it. Needless to say, that\u2019s definitely not a link for blockchain.com. <\/p>\n\n\n\n If someone\u2019s smart enough to have a digital wallet and successfully hold and manage cryptocurrencies, I\u2019m pretty sure they\u2019re also too smart to fall for such a lazy phishing scam attempt. But maybe I should curb my expectations since even experts can fall for phishing scams<\/a>\u2026<\/p>\n\n\n\n The original fake news: sending someone an advertisement that’s really just trying to steal their info or give them malware. Here’s an example:<\/p>\n\n\n\n The subject line “Amy from ABC LunaTrim Edition 23092” could pass as a subcription-related message as ABC always sounds like a legitimate enterprise. And it says “ABC Today News Special,” which most people in the U.S. (and Australia) associate with a TV network. But the sender’s name and email address don’t match up. Then things go downhill quickly with one word: “Incredilbe.” <\/p>\n\n\n\n This is such a weird mistake that I actually Googled it just to make sure it wasn’t a cognate, and that’s just how another language spells it and… no. After clicking through Google’s “suggested spelling” all I found was a bunch of travel reviews left by orthographically-challenged (idiot) tourists. Actually, they say spelling isn’t a function of intelligence, but there’s a threshold at which point it’s hard to argue it isn’t at least a little bit indicative of it. Or a lack of it. Also, who uses Bing Maps? <\/p>\n\n\n\n Anyway, the rest of the email does itself no favors, either. Clearly a phish.<\/p>\n\n\n\n A lot of people don’t know a whole lot about computers and networks and cybersecurity, which paints hackers in a rather fictional light. And to make things worse the media does a really poor job of covering cybersecurity topics<\/a>, which scares up a whole host of other problems.<\/p>\n\n\n\n Criminals know this, and they are more than happy to prey on those fears with phishing emails and scams. <\/p>\n\n\n\n This next email has some NSFW language. Ohh, I probably should have mentioned that earlier, too (looking at you, Shona), but we’re all adults here, so let’s continue.<\/p>\n\n\n\n This is actually one in a string of clearly-automated emails that escalated over the course of a few weeks. Regrettably, I emptied my junk folder and deleted the first few before starting this article, but you can probably gather the substance and gravity of the first few from this one. <\/p>\n\n\n\n Right away, you can tell this is a phish. First of all, Mr. Retention doesn’t have a social life. Mr. Retention is not even a person. Mr. Retention is a deprecated mail alias (apparently one with too much time on his hands). You can tell this is automated from the get-go. <\/p>\n\n\n\n And I think there’s a foundational flaw in the logic behind this whole endeavor, which is that the type of person that might be scared into believing this definitely has no idea how to buy Bitcoin. <\/p>\n\n\n\n In fact, asking such a naive, impressionable individual to even try to obtain Bitcoin is like sending a sheep into a lion’s den. They’ll have their money, their home and all their credit sucked out of them way before you ever see your $2,000’s worth.<\/p>\n\n\n\n Here’s the same thing in Here’s another phishing example with some slightly different language, but all the same anger and scaremongering we’ve come to love:<\/p>\n\n\n\n C’mon, Mr. Retention. We’re going to have to take away your internet access, aren’t we? <\/p>\n\n\n\nPhishing Email Examples: The Best<\/h2>\n\n\n\n
Brand Phishing Email Examples<\/h3>\n\n\n\n
American Express<\/h4>\n\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/AMEX-phishing-email-example.png\")
GEICO<\/h4>\n\n\n\n
![\"Geico](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/geico-phishing-email-example-1024x593.png\")
Rackspace<\/h4>\n\n\n\n
![\"rackspace](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/rackspace-phishing.png\")
![\"Generic](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Phishing-Email-Examples-5.png\")
Posing as a Job Applicant<\/h3>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Phishing-Email-Examples-8-v3.png\")
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Phishing-Email-Examples-3.png\")
Posing as an Angry Customer<\/h3>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Phishing-Email-Examples-6.png\")
<\/figure><\/div>\n\n\n\nPhishing Email Examples: The Worst<\/h2>\n\n\n\n
Bad Brand Phishing Email Examples<\/h3>\n\n\n\n
![\"PayPal](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Phishing-Email-Examples-12.png\")
![\"PayPal](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/paypal-phishing-email-example.png\")
![\"Screenshot](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/Chase-https-phishing-email-example.png\")
<\/figure><\/div>\n\n\n\n![\"Racespace](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Phishing-Email-Examples-4.png\")
<\/figure><\/div>\n\n\n\n![\"another](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/rackspace-phishing-email-example.png\")
<\/figure><\/div>\n\n\n\nMicrosoft<\/h4>\n\n\n\n
![\"Microsoft](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/microsoft-365-update-phishing-email-examples.png\")
<\/figure><\/div>\n\n\n\nWalmart<\/h4>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/walmart-phishing-email-737x1024.png\")
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/phishing-email-text-to-avoid-filters-1024x168.png\")
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/warning-imposter-1024x792.png\")
Posing As Your Crypto Wallet Company<\/h3>\n\n\n\n
![\"Phishing](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/blockchain-phishing-example-1024x505.png\")
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/blockchain-phishing-example-url.png\")
<\/figure>\n<\/div>\n\n\nFake News<\/h3>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Phishing-Email-Examples-15.png\")
<\/figure><\/div>\n\n\n\nPose as a Hacker<\/h3>\n\n\n\n
![\"The](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Phishing-Email-Examples-9-841x1024.png\")
German<\/s> Danish. Same disclaimer applies. NSFW language (if you speak Danish). <\/p>\n\n\n\n![\"The](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Phishing-Email-Examples-13.png\")
![\"The](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Phishing-Email-Examples-1.png\")
![\"Annual](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/annual-bonus-phishing-scam-1024x326.png\")
![\"Another](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/Maersk.png\")
<\/figure><\/div>\n\n\n\n![\"Phishing](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/10\/fake-purchase-order-phishing-email-examples-1024x764.png\")
<\/figure><\/div>\n\n\n\n![\"Hashed](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"