Email Scams (Real Examples)

How to Use This Examples Guide

Over 3.4 billion phishing emails are sent daily worldwide. The best way to recognize a scam email is to have seen one before. This guide collects the most common email scam formats reported in 2025 and 2026, showing what each type looks like, marking the red flags, and explaining what the scammer wants. Use these examples to compare against any suspicious email in your own inbox.

Example 1: The Account Locked Alert

What it looks like: An email purportedly from Apple Support with sender address noreply@apple-id-security.com, subject "Your Apple ID Has Been Locked," greeting "Dear Customer," warning of unusual sign-in activity and threatening permanent account disabling within 24 hours unless you click "Verify Your Apple ID."

Red flags: The sender domain is apple-id-security.com, not apple.com. Real Apple emails come from @apple.com or @id.apple.com. The greeting is "Dear Customer" rather than your actual name. Apple does not threaten permanent disabling through a single email.

What the scammer wants: Your Apple ID credentials, giving access to iCloud data, purchases, and potentially your devices.

How to verify: Go directly to appleid.apple.com and sign in. If your account is actually locked, you will see the issue there.

Example 2: The Fake Invoice

What it looks like: An email from "Norton Billing" at billing@norton-renewal-center.com claiming your Norton 360 Premium subscription auto-renewed for $399.99, with a phone number to call within 48 hours to cancel for a full refund.

Red flags: The sender domain is norton-renewal-center.com, not norton.com. The inflated amount ($399.99) creates alarm. The email pushes you to call a number rather than log in to your Norton account. The "call to cancel" format is designed to connect you with a scammer who will request remote access to your computer.

What the scammer wants: To get you on the phone to extract payment information or convince you to install remote access software.

How to verify: Log in to your Norton account at my.norton.com and check your subscription and billing history.

Example 3: The Delivery Notification

What it looks like: An email from "USPS Delivery" at tracking@usps-delivery-update.com claiming your package could not be delivered and providing an "Update Delivery Address" link to avoid return to sender.

Red flags: The sender domain is usps-delivery-update.com, not usps.com. USPS does not send unsolicited emails asking you to click links to update your address. USPS leaves physical notices for failed deliveries, not email links.

What the scammer wants: Personal information and potentially payment details if the phishing page includes a redelivery fee.

How to verify: Go to tools.usps.com/go/TrackConfirmAction and enter any tracking number you are expecting.

Example 4: The Unauthorized Purchase

What it looks like: An order confirmation from amazon-orders-notification.com for an Apple MacBook Pro for $2,499, shipping to your city, with a "Cancel This Order" link to stop the unauthorized charge.

Red flags: The sender domain is not amazon.com. The email references your city and state (inferrable from your IP or public data) to appear targeted. The expensive item creates urgency. Real Amazon confirmations include your full name and link to your actual order history.

What the scammer wants: Your Amazon credentials and credit card information through a fake cancellation page.

How to verify: Go to amazon.com/orders and check your recent order history.

Example 5: The Shared Document

What it looks like: A Google Drive notification from notification@drive-share-notify.com saying "Jessica" has shared "Q1 2026 Budget Review.xlsx" with you, with an "Open in Google Sheets" link.

Red flags: The sender domain is drive-share-notify.com, not google.com. Real Google Drive sharing notifications come from drive-shares-dm-noreply@google.com. The first-name-only sender makes verification impossible. The link leads to a fake Google login page.

What the scammer wants: Your Google account credentials, giving access to Gmail, Drive, Photos, YouTube, and Android devices.

How to verify: Go to drive.google.com directly and check your Shared with Me folder.

Example 6: The Prize or Refund

What it looks like: An IRS email from refund@irs-refund-processing.com claiming you are eligible for a $1,847.00 tax refund, with a "Claim Your Refund" link requiring you to verify your identity and provide banking information.

Red flags: The sender domain is not irs.gov. The IRS never initiates contact via email to request personal or financial information. Real refunds are processed through your tax return to the account you specified when filing.

What the scammer wants: Banking information and personal identity details for identity theft and financial fraud.

How to verify: Check your refund status at irs.gov/refunds using your Social Security number, filing status, and exact refund amount.

Example 7: The Urgent Request From Someone You Know

What it looks like: An email from an address similar to someone you know, explaining they are stuck in a meeting and need you to purchase 4 x $100 Amazon gift cards for a client event, then send photos of the codes for reimbursement.

Red flags: The email address does not match the sender's real email. Requests for gift cards are a hallmark of scams, as gift cards are essentially untraceable cash. The sender claims to be unavailable by phone, preventing verification through another channel.

What the scammer wants: Gift card codes, which can be redeemed instantly and are virtually impossible to recover.

How to verify: Contact the person through a different channel (phone call, text, or in-person). Never purchase gift cards based solely on an email request.

Example 8: AI-Generated Personalized Phishing

What it looks like: A Bank of America fraud alert from alerts@bankofamerica-secure.com addressed to you by name, referencing a specific $347.82 charge at a local Whole Foods on a recent date, from an account ending in plausible digits, with a link expiring in 2 hours.

Red flags: The sender domain is bankofamerica-secure.com, not bankofamerica.com. AI-generated phishing emails have increased 1,265% since late 2022 (SlashNext, 2025) and use data from breaches to personalize attacks. Despite the convincing details, the off-domain sender remains the definitive red flag.

What the scammer wants: Your online banking credentials. Personalization makes this dramatically more convincing than generic phishing.

How to verify: Log in to bankofamerica.com directly or call the number on the back of your card. Never use a phone number or link from the email.

How to Check Any Suspicious Email

Every example above can be caught by the same core checks: verify the actual sender email domain (not just the display name), never click links in suspicious emails, and go directly to the company's real website to confirm any claims. For an instant assessment of a suspicious email, paste the content into Scamwise.