What are Email Scams?

Email scams are cyberattacks sent over email that use social engineering tactics to trick people into sharing private data or installing malicious software.

Email scams are designed to trick a person into sharing sensitive information, paying a fake invoice, or installing malware. There are multiple strategies that criminals use to trick recipients into thinking an email is legitimate. Criminals rely heavily on social engineering to fool recipients into ignoring red flags of fraudulent activity.

Read on to learn how email scams work, recent email scam examples, how to spot suspicious emails, and how to stop scam emails using Abnormal Security.

How Do Email Scams Work?

In general, an email scam involves a criminal sending an email that appears authentic but actually contains malicious links or attachments. The goal is for the recipient to trust the email and interact with it.

Criminals use email scams to obtain sensitive information like credit card numbers, login credentials, or other personal data. Depending on their intentions, criminals may also target organizations and attempt to install ransomware via email scams.

Criminals use social engineering and exploit trusted relationships to conduct their email scams. They also know how to create legitimate-looking emails and websites to get the information they want from their victims.

Types of Email Scams

There’s a wide range of email scams. Some of them are generic emails sent to massive groups of people, and others are specifically tailored to a narrow target using social engineering tactics. Let's explore some of the common email scams.


Email Phishing

Email phishing is a broad term for emails designed to trick the recipient into handing over sensitive information or installing malicious software. It usually takes the form of a legitimate-looking email that mimics a trusted source.

Spear Phishing

Unlike mass phishing emails, spear phishing targets specific recipients instead of a group. The criminal will research and create a highly personalized phishing campaign to trick a person into a scam. These are highly effective when executed properly.


Pharming

Pharming involves redirecting users from a legitimate website to a fake version. This is executed with malware or display name spoofing. It's designed to steal login credentials from victims.

Whaling and CEO Fraud

In this cyberattack, criminals target or impersonate a high-ranking official. Then they send scam emails to other employees within the same company. CEO fraud is effective in tricking employees since the email looks like it came from their boss.

URL Phishing

URL phishing attempts will use similar-looking domain links to fool a victim into thinking they are using the real website. The fake websites are designed to look legitimate and then attempt to steal login credentials or install malware.

Credential Phishing

Many phishing scams leverage credential phishing as part of their campaign. It uses social engineering tactics to trick users into handing over sensitive information, paying fake invoices, or installing malware.


Spam

At best, spam is annoying and clogs your inbox. At worst, it could contain malicious links or attachments. Spam filters can intercept a lot of spam emails, but they may miss social engineering phishing attacks.

Vendor Email Compromise (VEC)

When a criminal compromises a vendor's email account, they can launch email scam attacks against trusted business partners. This is also referred to as a supply chain attack.

Email Spoofing

Criminals can use spoofed email addresses to trick recipients by impersonating another person or business. The email address may be one letter off, or it may use a display name that looks like a trusted sender. This is easy for the human eye to miss.

You may notice a common theme through all of these email scam methods. Criminals depend on social engineering and easily missed details to successfully launch a cyberattack. Unfortunately, traditional email security methods often miss telltale signs of a fraudulent email, and many people have fallen victim to email scams.

Email Scam Examples

Several of the world's top brands and organizations are leveraged by criminals as part of their social engineering tactics. Here are a few recent real-life examples:

  • PayPal: In this credential phishing attack, criminals used PayPal branding to gain a recipient's trust. A closer look reveals the criminals used email spoofing and URL phishing to trick users into entering their PayPal login credentials.
  • Microsoft: Criminals used email spoofing, employee impersonation of a company's HR department, and Microsoft branding to launch a credential phishing campaign. The strategy also included URL phishing to a fraudulent website that looked like the real one.
  • eBay: The spear phishing attack chose recipients that may have been expecting instructions on how to pay for a car purchased on eBay. The criminals impersonate eBay with email spoofing and provide information on how to pay with gift cards. If successful, the victim will have overpaid for their purchase.


These examples show the importance of staying vigilant with every email you receive in your inbox. People should take precautions to ensure that an email is legitimate and from a trusted source.

How to Tell If An Email Is a Scam

Email scams are easier to spot when you are aware of common characteristics such as:

  • Sense of urgency: A scam will ask the recipient to complete a time-sensitive action and give them little time to think about it.

  • Grammatical errors: Typos, spelling mistakes, and other grammatical errors are signs that an email is suspicious.

  • Different tone of voice: If you receive an email from a trusted source, compare it to previous emails to judge the tone and style. You may notice a professional tone has replaced a previously friendly voice, which could be a sign of fraudulent activity.

  • Suspicious links: Before opening a link, check that it's legitimate and not a spoofed URL.

  • Unfamiliar attachments: Treat attachments with suspicion before opening. It's best to have updated antivirus software to scan attachments to authenticate their legitimacy.

  • Display Name spoofing: People should look beyond the display name and ensure that the email address is legitimate and not spoofed. Even then, it could be a vendor email compromise, so take a look at the other characteristics prior to trusting the email.
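The display-name and one-letter-off address checks described above can be automated over the From header. The following is an added example, not code from the original page and not Abnormal Security's detection logic; the `TRUSTED` allow-list, the function names, and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list (assumption): brand keyword -> domains it really sends from.
TRUSTED = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com"}, "ebay": {"ebay.com"}}

def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def owned_by(domain, domains):
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in domains)

def sender_flags(raw_message):
    """Return red flags found in the From header of a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    flags = []
    for brand, domains in TRUSTED.items():
        if owned_by(domain, domains):
            continue  # the address really is at this brand's domain
        # Display name spoofing: the name claims a brand, the address does not.
        if brand in display.lower():
            flags.append(f"display name claims {brand} but address is at {domain}")
        # Lookalike domain: exactly one character away from a trusted domain.
        if any(edit_distance(domain, d) == 1 for d in domains):
            flags.append(f"{domain} is one character off a {brand} domain")
    return flags

# Constructed sample messages (not real traffic).
SPOOFED = 'From: "PayPal Support" <service@paypa1.com>\nSubject: Verify now\n\nbody'
GENUINE = 'From: "PayPal" <service@mail.paypal.com>\nSubject: Receipt\n\nbody'
NAME_ONLY = 'From: "Microsoft HR" <hr-team@example.net>\nSubject: Policy\n\nbody'

if __name__ == "__main__":
    for sample in (SPOOFED, GENUINE, NAME_ONLY):
        print(sender_flags(sample))
```

A clean result only means the From header passed these two checks; as noted above, a compromised vendor account sends from a legitimate address, so the other characteristics still apply.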

What to Do When You Get Scam Emails

If you think you received a suspicious email, here are some steps you can take to protect yourself:

  • Don't open links or download attachments: Don't interact with the email any further. You should delete the email as soon as possible to prevent malware from installing on your device.

  • Don't respond to sender: You may receive multiple demanding emails from criminals, but don't respond to them. A response could give them access.

  • File a report: If you did fall victim to a phishing scam, it's important to take steps to prevent identity theft. Some steps include changing all of your passwords, monitoring credit reports and bank statements, and reporting the phishing scam to an organization like the Internet Crime Complaint Center. In a professional setting, your employees should receive training on how to report scam emails to the IT department. This step is crucial to implementing a business continuity plan and stopping malicious software from spreading further.

How to Avoid Email Scams

The first step to protecting yourself is to know how to identify email scams. While native email security protocols can catch the most common email scams, they can't always detect social engineering tactics that raise suspicion of a possible fraudulent email. Some ways to lessen the impact of email scams include:

  • Implement a strong password policy

  • Install advanced email security software

  • Update antivirus software

  • Enforce multi-factor authentication

  • Train employees on cybersecurity awareness and reporting procedures

Abnormal Security vs. Email Scams

Criminals frequently target email inboxes as an entry point for a cyberattack. Proactively preparing a strong cybersecurity defense and training employees to notice suspicious emails are crucial to ensuring that your network stays secure. One way to prepare your defense is using advanced email security software.

Abnormal Security detects social engineering tactics in emails which traditional email security usually misses. Some of the red flags Abnormal can detect include:

  • Display names that don't match sender names

  • Unusual IP addresses

  • Urgent language

  • Requests for credentials or financial information

  • Suspicious links and attachments

  • Changes to mail filter rules

An integrated solution like Abnormal can discover email scams from mass phishing attacks to personalized spear phishing attempts. Investing in an advanced email security solution will lower the risk of falling victim to criminals.

Ready to evolve your email scam protection? Get a demo to see how Abnormal Security can help protect your inboxes.
