15 Real Phishing Email Examples & How to Spot Them in 2026

Phishing is no longer the broken-English Nigerian prince genre. In its 2025 Data Breach Investigations Report (DBIR), Verizon attributed roughly 36% of breaches to a social-engineering vector, and the Anti-Phishing Working Group (APWG) logged more than 1 million unique phishing sites in a single quarter of 2024 — a record. The FBI's Internet Crime Complaint Center (IC3) put phishing as the most-reported cybercrime category in its 2024 annual report, with adjusted losses from related business email compromise (BEC) exceeding US$2.9 billion. The 15 phishing email examples below cover what real users actually receive in 2026, organized by category, with the structural red flags that survive even the AI-polish era.

Last updated: April 25, 2026 — Reviewed by Maria Volkov (OSCP, CIPP/E)

Quick Answer / TL;DR

• Phishing emails fall into roughly five operational categories: financial, workplace, parcel, government and tax, and personal-relationship lures.
• The four reliable detection signals are sender domain, link destination, urgency mismatch, and request plausibility — in that order.
• Subject lines and visual templates change every quarter; the structural patterns do not.
• Antivirus suites add a meaningful filter (92-99% block rates in 2025 AV-Comparatives anti-phishing tests, with weak vendors below 75%), but the human check still does the heavy lifting.
• If you clicked a link, treat it as a credential-exposure incident, not a curiosity.

Why These Examples Matter More Than Brand-Name Samples

We deliberately describe each phishing email's structure rather than pasting verbatim copy. The reasons are practical and ethical: verbatim reproductions help attackers iterate on what works, and brand-specific lures rotate weekly. What stays stable across years is the choreography — the order in which a phisher establishes context, raises stakes, presents a fake remedy, and inserts the click. Read each example as a recipe, not a screenshot.

How to Read the Red-Flag Tags

Every example below ends with three tags. Take them seriously when you receive a real email:

• Subject pattern: the headline shape, not the exact words
• Spot signal: the single highest-confidence tell for that lure type
• Exposure if clicked: what an attacker most often gains in that scenario

---

Category 1: Financial Lures (Banking, Payments, Crypto)

These are the highest-volume category and the most immediately profitable. APWG's 2024 quarterly trend reports show financial brands accounting for the largest single share of phishing target sectors.

Example 1: The Generic Bank "Suspicious Login" Alert

The email arrives styled as a security notice from a bank you may or may not actually use. The subject is some variation of "Unusual sign-in attempt detected — verify within 24 hours." The body shows a fake login map (city, IP, device) and a "Was this you? Yes / No" pair of buttons. Both buttons go to the same credential-harvesting page. The 24-hour clock is the giveaway: real banks freeze suspect access on their side first and ask you to call.

• Subject pattern: Account security alert + tight deadline
• Spot signal: Both decision buttons resolve to identical URLs
• Exposure if clicked: Online banking credentials and 2FA codes captured in real time

Example 2: The Payment-Processor "Refund Pending" Hook

Spoofs a major payment processor. The message claims a pending refund of an oddly specific amount (say $147.62) requires login confirmation. Hover any link and the destination is a recently-registered domain with the brand name as a subdirectory rather than the actual root domain. APWG noted in 2024 a sustained surge in financial-sector lookalike domains using the brand-as-subdomain pattern.

• Subject pattern: Pending refund / completed transaction
• Spot signal: Brand appears in subdomain or path, never in the actual registered domain
• Exposure if clicked: Wallet credentials, linked card data

Example 3: The Crypto-Wallet "Verify Seed Phrase" Trap

Targets known crypto users (lists are scraped from breaches). Email is short, uses wallet branding, and warns of "a forced migration" or "wallet integrity check" requiring you to enter your 12 or 24-word recovery phrase. No legitimate wallet provider ever asks for a seed phrase by email. None. Ever.

• Subject pattern: Wallet migration / security maintenance
• Spot signal: Any request to type your seed phrase anywhere
• Exposure if clicked: Total wallet drain within minutes

---

Category 2: Workplace Lures (BEC, Payroll, HR)

Business email compromise is the biggest single source of dollar losses in the IC3 2024 report. These lures typically reach personal inboxes too because attackers harvest LinkedIn employer data.

Example 4: The CEO "Quick Favor" Wire-Transfer Scam

Comes from a lookalike of the CEO's name with a free webmail address (gmail.com, outlook.com). Subject is something like "Are you at your desk?" The conversation escalates over two or three short messages: rapport, urgency, then a request to wire funds or buy gift cards for a "client gift." The display name matches; the underlying email address does not.

• Subject pattern: Casual one-line opener
• Spot signal: Reply-to address is a webmail account, not the corporate domain
• Exposure if clicked: Direct financial loss via wire or gift-card codes

Example 5: The Payroll-Redirection Email

Impersonates an employee asking HR to update direct-deposit details to a new bank account "starting next pay period." The IRS and FBI issued joint warnings in 2023 and 2024 specifically about this variant. The email mimics internal payroll-system templates and often arrives just before payroll cutoff dates.

• Subject pattern: Direct deposit update / banking change
• Spot signal: Request bypasses normal HR portal workflow
• Exposure if clicked: One full pay cycle redirected before discovery

Example 6: The "Shared Document Awaiting Signature" Lure

Spoofs an enterprise document-signature platform. Subject claims a contract or HR form awaits review. The link goes to a credential-harvesting page styled like the platform's login screen. Microsoft 365 and Google Workspace credentials are the most prized harvest because they unlock every other system the user is signed into.

• Subject pattern: Document for your signature / pending review
• Spot signal: Sender domain is one-character-different from the genuine platform
• Exposure if clicked: Single sign-on credentials, full mailbox access

Example 7: The IT-Department MFA-Reset Notice

Pretends to be your own IT helpdesk warning that "multi-factor authentication will be reset" unless you re-enroll via the included link. Targets newly-onboarded employees most aggressively. The link captures both password and the MFA token in real time and forwards them to the actual login.

• Subject pattern: Mandatory MFA / security re-enrollment
• Spot signal: Internal IT never emails an external link for authentication actions
• Exposure if clicked: Account takeover including 2FA bypass

---

Category 3: Parcel & Logistics Lures

Parcel-delivery scams spike during holiday seasons but run year-round. APWG's 2024 reports flagged shipping-sector phishing as one of the fastest-growing verticals.

Example 8: The "Failed Delivery — Reschedule" SMS-Email Combo

Hybrid lure: an SMS arrives saying a package could not be delivered, with a follow-up email reinforcing the same message. Both link to a page asking for a small "redelivery fee" along with full card data. The carrier brand is generic enough to apply to most users (a major postal service or international courier).

• Subject pattern: Delivery failed / address verification needed
• Spot signal: Any fee for redelivery — real carriers do not collect by email
• Exposure if clicked: Card data, billing address for follow-on identity fraud

Example 9: The Customs-Hold "Pay Duty Now" Scam

Targets users expecting international shipments. Email claims a parcel is held at customs pending a duty payment. Includes a fake tracking number that goes nowhere. Carriers do collect duties at delivery in some cases, but never via an emailed link to a third-party processor.

• Subject pattern: Customs hold / duty payment required
• Spot signal: The tracking number is unsearchable on the carrier's real site
• Exposure if clicked: Card data, sometimes a small fee charged immediately to validate the card

---

Category 4: Government and Tax Lures

These spike in the first quarter of every year. The IRS itself maintains a phishing inbox at phishing@irs.gov because the volume of impersonation attempts is so high.

Example 10: The IRS or HMRC "Refund Available" Notice

Email claims an unclaimed refund of a specific dollar or pound amount. Links to a form requesting full Social Security or National Insurance number, date of birth, and bank routing details. Tax authorities never initiate refund offers by email. The IRS has stated this in writing every year for over a decade.

• Subject pattern: Tax refund pending / unclaimed credit
• Spot signal: Request for full SSN or NIN — real tax accounts use the last four digits at most
• Exposure if clicked: Identity theft sufficient to file fraudulent tax returns in the victim's name

Example 11: The Fake Court Summons or Legal Notice

Subject reads as a court summons or jury notice with an attached PDF or DOCX. The attachment carries a malware payload (often a remote-access trojan) or a link to a credential page styled as a state-court portal. Courts in the US and UK serve summonses by mail or process server, never by email attachment.

• Subject pattern: Court summons / legal notice / case number reference
• Spot signal: Any attachment from an unfamiliar legal sender
• Exposure if clicked: Malware infection — often the entry point for ransomware

Example 12: The Government Benefit "Apply Now" Scam

Spoofs benefits or grant agencies (varies by country and current news). Email claims the recipient qualifies for a relief payment and directs to a portal harvesting bank details and government IDs. Surges every time a new public-aid program is announced.

• Subject pattern: You are eligible / pre-approved benefit
• Spot signal: Real aid programs publish application paths through official .gov portals only
• Exposure if clicked: Identity data sufficient for benefits fraud and account takeover

---

Category 5: Personal-Relationship Lures

These are slower-moving and harder to spot because they exploit emotion. The IC3 2024 report tracked over US$650 million in romance and confidence-fraud losses.

Example 13: The Family-Emergency "Help Me" Request

Display name matches a relative; email address is a slightly altered webmail account. Message claims the relative is stranded, in hospital, or in legal trouble in another country and needs an urgent wire transfer. AI voice cloning has made the follow-up phone call far more convincing than it was three years ago. Establish a family code word out-of-band.

• Subject pattern: Urgent / emergency / I need help
• Spot signal: Pressure to keep the matter secret from other family members
• Exposure if clicked: Direct financial loss, potential ongoing extortion

Example 14: The Slow-Build Romance Recovery Scam

Operates over weeks, often beginning on a dating or social platform and migrating to email. After rapport is built, the request is for a one-time loan, an investment opportunity, or help moving funds. A second wave — the "recovery scam" — targets the same victims later, pretending to be a fraud-recovery service.

• Subject pattern: Personal, relationship-building, no urgency at first
• Spot signal: Any request for money, however framed, before meeting in person
• Exposure if clicked: Sustained financial drain, secondary recovery scam, identity exposure

Example 15: The Sextortion or "I Recorded You" Threat

Subject often includes a real (breached) password belonging to the recipient — pulled from public dumps. Body claims the sender installed malware on the victim's device, recorded compromising material, and demands payment in cryptocurrency. The claim is almost always false; the password is the only real data point. Treat as bluff, change the password, enable 2FA, and file with IC3 if the wallet address has been seen in similar campaigns.

• Subject pattern: Includes a real (old) password as proof
• Spot signal: Demand for cryptocurrency payment within 24-72 hours
• Exposure if clicked: None directly — the threat is a bluff — but ignore at your own discomfort

---

The 4-Step Spot Check (Memorize This)

Step	What to check	Why it works in 2026
1	Real sender domain (hover, do not click)	AI cannot fake registered domain ownership; lookalikes have to register typo-domains
2	Link destination (hover and read full URL)	Brand-as-subdomain pattern is the dominant 2024-25 phisher tactic
3	Urgency vs realistic process	Real institutions follow regulated workflows; phishers compress decisions
4	Request plausibility (would they really ask this here?)	Banks, tax authorities, and HR systems have established channels — email is rarely the channel for a high-stakes ask

If two of the four are wrong, treat the email as hostile. If three are wrong, report and delete.

Anti-Phishing Performance: What Independent Labs Found in 2025

Test (Lab)	Date	Top performers (block rate)	Bottom performers (block rate)
AV-Comparatives Anti-Phishing Test	July 2025	92-99%	<75%
AV-TEST Home User Windows	December 2025	6/6 protection score (top tier)	4/6 or lower
SE Labs Home Anti-Malware	Q4 2025	AAA rating	A or below

The takeaway is consistent across labs: top consumer antivirus suites block roughly 9 in 10 phishing URLs, while the weakest paid products fall well below that. Independent test data — never vendor marketing — is the only honest way to evaluate protection. We track three lab cycles per year in our reviews and publish the underlying methodology for every score we assign.

Reporting and Recovery

If you receive a phishing email, the report paths are:

• Generic phishing: forward to reportphishing@apwg.org
• Spoofed brand: many large brands publish abuse@ or phishing@ inboxes
• IRS impersonation (US): phishing@irs.gov
• UK phishing: report@phishing.gov.uk
• Financial loss: file with the FBI's IC3 at ic3.gov within 72 hours for the best chance of recovery action

If you clicked a link, the priority order is: disconnect, change the impersonated service's password from a clean device, enable 2FA, run a full antivirus scan, monitor accounts for 90 days, and freeze your credit through the major bureaus if Social Security or full identity data was exposed.

FAQs

What are the most common phishing email examples in 2026?

The five highest-volume categories are fake bank security alerts, payroll-redirection scams targeting employees (a form of business email compromise), parcel-delivery notices spoofing carriers, IRS or HMRC tax-refund traps, and romance or recovery scams that mature over weeks. Verizon's 2025 DBIR attributes roughly 36% of breaches to social-engineering vectors with phishing dominating that category.

How can I tell if an email is a phishing scam?

Check four things in this order: the actual sender domain (hover, do not click), any link target (hover and read the full URL), the urgency cue (real institutions almost never threaten account closure within 24 hours), and grammatical or formatting anomalies. If three of the four are off, treat the message as hostile and report it to your IT team or to reportphishing@apwg.org.

Are AI-generated phishing emails harder to detect?

Yes. The Anti-Phishing Working Group's 2025 quarterly reports note that AI-polished phishing now lacks the broken English that historically tipped users off. Modern detection has shifted from spotting bad grammar to verifying sender domains, link destinations, and request plausibility. The structural red flags in this guide still hold even when the prose is perfect.

What should I do if I clicked a phishing link?

Disconnect from the network, change the password for the impersonated service from a different device, enable two-factor authentication if it was not already on, run a full antivirus scan, monitor financial accounts for 90 days, and report to the FBI's IC3 portal at ic3.gov if money or credentials were exposed. Do not reply to the original email.

Do antivirus programs actually block phishing emails?

Independent anti-phishing tests from AV-Comparatives in 2025 showed top consumer suites blocking between 92% and 99% of test URLs, while the worst performers blocked under 75%. Antivirus is a meaningful second layer but not a substitute for human judgment on the four checks above. We use lab data from AV-Comparatives, AV-TEST, and SE Labs in our reviews — never vendor marketing.

Where can I report a phishing email?

In the United States, forward suspicious emails to reportphishing@apwg.org and to the FTC at reportfraud.ftc.gov. Spoofs of specific brands often have dedicated mailboxes (for example, phishing reports for tax-themed scams go to phishing@irs.gov). For criminal losses, file with the FBI at ic3.gov. UK residents can forward to report@phishing.gov.uk.

The Bottom Line

Phishing in 2026 is fluent, branded, and AI-polished. The grammar checks of a decade ago no longer work. What still works is the four-step spot check — sender domain, link destination, urgency mismatch, request plausibility — combined with a top-tier antivirus suite as a backstop and 2FA on every account that supports it. We rate consumer security tools using independent lab data from AV-TEST, AV-Comparatives, and SE Labs, with no paid placements. If you want our current ranked picks, see our best antivirus page; for the broader defensive playbook, read how to protect yourself online; and for the specific threat that often follows a successful phishing click, our ransomware attacks 2026 report tracks active campaigns by industry.

External authoritative references used in this guide:

• Verizon Data Breach Investigations Report 2025 — verizon.com/business/resources/reports/dbir/
• FBI Internet Crime Complaint Center 2024 Annual Report — ic3.gov
• Anti-Phishing Working Group quarterly trend reports — apwg.org/trendsreports
• AV-Comparatives Anti-Phishing Test 2025 — av-comparatives.org