How to spot a phishing email: the annotation approach
Abstract rules don't stick; patterns do. Each example below reconstructs a lure that has been documented in a public CSIRT alert, police warning, brand fraud page or vendor research - we show the sender display, the subject line, the gist of the body and, most importantly, the ask. Then we annotate the red flags. Read them the way an attacker writes them and you'll recognize the next variant on sight. For the condensed version, see our red-flags checklist for employees.
| Lure category | Typical ask | Documented by |
|---|---|---|
| Parcel and post scams | Small "customs" or "redelivery" card payment | DHL and DPD fraud pages, SK-CERT, Česká pošta |
| Bank and payment impersonations | "Verify your account" via a cloned login | Bank security pages, national CERT warnings |
| Microsoft 365 / Google lures | Work credentials and MFA codes | Check Point Research, Microsoft reporting |
| Internal BEC emails | Urgent payments, payroll and banking changes | FBI IC3 reports and advisories |
| AI-assisted phishing | Any of the above - without the typos | ENISA Threat Landscape 2025 |
Parcel and post-office scams: the highest-volume lure
Parcel lures lead on volume because everyone is always waiting for something. The pretext is small and boring on purpose: a fee of a euro or two feels too trivial to be a scam - and that is exactly the trick. The fee is the pretext; your full card details are the target.
1. The DHL customs-fee hold
Display name "DHL Express", sender address on a lookalike domain. Subject: "Your shipment is on hold". The body claims a parcel is stuck at customs and asks for a €1.99–€2.99 "duty" through a fake tracking page that harvests full card details. DHL's fraud-awareness page warns about exactly this lure and lists the genuine dhl.com sending domains.
- Sender domain is not dhl.com or a listed DHL subdomain
- No tracking number matching an order you actually placed
- A full card form for a sub-€3 fee - the data, not the money, is the goal
2. The DPD missed-delivery fee
Display name "DPD", subject "We missed you - schedule redelivery". The email claims a failed delivery attempt and links to a page that charges a small "redelivery fee" and collects card details. DPD's country sites have published repeated warnings that the company never asks recipients to pay additional fees for standard services by email or SMS.
- Couriers don't charge redelivery fees through emailed links
- Countdown pressure: "parcel returns to sender within 48 hours"
- Link destination is not an official dpd domain
3. The national-post card harvest
Display name "Slovenská pošta", message: a parcel is waiting, click to arrange delivery. Slovakia's national cyber security centre issued an urgent warning about this campaign: the fraudulent pages collect card data plus the SMS confirmation code, which attackers use to enroll the victim's card in Apple Pay or Google Pay. The identical fraudulent-email playbook runs in Czechia - Česká pošta and Zásilkovna both maintain public galleries of fraudulent messages sent in their name.
- Postal fees are paid at delivery or pickup, never via an emailed card form
- Asking for the SMS code - that code registers your card in a mobile wallet
- Lookalike domain instead of posta.sk, ceskaposta.cz or zasilkovna.cz
Bank and payment impersonations
Attackers impersonate banks because the payoff is direct: internet-banking credentials plus an SMS code equals money. Banks across the EU publish near-identical warnings about these lures, and all repeat the same rule - a bank never asks you to log in through a link in an email.
4. The blocked-account verification
Display name shows your bank's real name; the actual address sits on an unrelated domain. Subject: "Unusual activity - your account has been limited". The body cites a routine security check and pushes you to "verify your identity" on a cloned internet-banking login that captures credentials, card data and the confirmation codes that follow.
- A login link in an email - banks consistently warn they never send these
- Generic "Dear client" instead of your name and partial account number
- Suspension threatened within hours to short-circuit thinking
5. The tax-refund bait
Display name "Financial Administration", subject "You are eligible for a tax refund of €248.50". SK-CERT has warned about fraud abusing the identity of Slovakia's Finančná správa: the promised refund leads to a form harvesting personal data and the card details the money will supposedly be "sent to". The same pattern recurs around tax season with tax authorities across the EU.
- Tax authorities don't pay refunds to card numbers submitted by email
- An oddly specific amount manufactured to look official
- Claim deadline measured in days to force a quick click
Microsoft 365 and Google Workspace login lures
Microsoft topped Check Point Research's brand-phishing ranking in every quarter of 2025, with Google close behind. The reason is simple: one set of stolen workspace credentials opens mail, files and everything connected by single sign-on. These three lures dominate what lands in corporate inboxes.
6. The password-expiry notice
Sender "IT Support" or "Microsoft 365 Team" - from outside your tenant. Subject: "Your password expires today". A convenient "Keep current password" button leads to a pixel-perfect Microsoft login page, increasingly an adversary-in-the-middle proxy that also steals the MFA session token. We cover that mechanic in our guide to modern phishing techniques.
- Real IT never offers to let you "keep" an expiring password
- Internal-sounding notice arriving from an external domain
- Login page URL is not login.microsoftonline.com or accounts.google.com
7. The held-messages voicemail
Subject: "You have (3) held messages" or a voicemail notification carrying an HTML attachment. Opening the attachment renders a local copy of a Microsoft login form - there is no suspicious URL to hover over, and the credentials post straight to the attacker. Security researchers have documented recurring waves of this campaign since 2022.
- .htm or .html attachments on a "notification" email
- A login demanded to "release" quarantined messages
- Voicemail-to-email alerts your company doesn't actually use
8. The shared-document notification
A genuine-looking SharePoint or Google Drive notification: "Lucia shared 'Payments Q3.xlsx' with you". The share can even be real - the hosted file then links onward to a credential-harvesting page. The tell is being asked to "sign in again" to view a document while you are already signed in.
- Unexpected share from someone you've never worked with
- A second login prompt in the middle of an authenticated session
- The onward link leaves microsoft.com or google.com territory
Internal-looking emails: fake HR, IT support and CEO requests
No brand is impersonated here - your own colleagues are. The FBI's IC3 logged close to $2.8 billion in business email compromise losses in 2024 alone. These messages are short, text-only and often carry no link or attachment at all, which is why email filters routinely let them through. Our spear phishing and BEC guide covers the full attack chain.
9. The CEO "quick favor"
Display name: your CEO's real name. Actual address: a freemail account or a domain one letter off. Subject: "Quick favor". Two sentences: "Are you at your desk? I need an urgent payment processed, I'm heading into a meeting - keep this between us." Gift-card and wire-transfer variants of this exact message drive a large share of BEC losses.
- Display name doesn't match the underlying address
- Urgency plus secrecy - the signature BEC combination
- The request bypasses your normal payment approval process
10. The HR payroll update
Display name "HR Department", subject "Updated payslip - action required". The link leads to a fake HR-portal or Microsoft login; with captured credentials, attackers change the employee's direct-deposit details so the next salary lands in a mule account - a payroll-diversion pattern the FBI has explicitly warned employers about.
- HR notice arriving from an external or lookalike domain
- A login wall in front of a "payslip" you didn't request
- A process change nobody announced internally
11. The IT-helpdesk migration
Sender "IT Helpdesk", subject "Mailbox migration tonight - validate your account or lose access". A common follow-up is a phone call in which the "technician" asks the employee to read out an MFA code or approve a push notification, pairing email phishing with vishing and MFA fatigue.
- Same-day deadline tied to losing access
- Anyone asking you to share or approve an MFA code - legitimate IT never needs it
- Reply-to address differs from the visible sender
Why is AI-generated phishing harder to spot?
For years, awareness training told employees to look for typos and clumsy phrasing. That heuristic is dead. ENISA's Threat Landscape 2025 reports that AI-supported phishing accounted for over 80% of observed social engineering activity worldwide by early 2025. Language models produce flawless English, Slovak or Czech - correct diacritics included - and personalize each message from LinkedIn and company websites at no extra cost to the attacker.
12. The deepfake-backed CFO request
In a case confirmed by Hong Kong police in 2024, a finance employee of the engineering firm Arup received an email from the "CFO" about a confidential transaction. He suspected phishing - until a video call with AI-generated deepfakes of the CFO and several colleagues convinced him to send HK$200 million (about $25.6 million) across 15 transfers. Note what failed: he verified, but on a channel the attackers controlled.
- A "confidential" transaction urged into motion by email
- Verification offered on a channel the requester set up
- Multiple transfers to brand-new beneficiary accounts
What AI cannot fake is your process. Sender infrastructure, the nature of the ask and manufactured pressure stay constant across every example above - so train people to verify requests through an independent, pre-agreed channel instead of judging prose quality.
Which phishing email red flags repeat in every example?
Strip away the branding and the same phishing email red flags appear in all twelve reconstructions. This is the checklist worth printing:
- The sender's real domain doesn't match the brand - display names are free to fake.
- Urgency or a threat: account closed, parcel returned, access lost "today".
- The ask is credentials, card data or an MFA code, delivered through a link.
- The link's true destination (hover or long-press) differs from the visible text.
- A small payment is required to "release" something you never ordered.
- Generic greeting and missing specifics: no name, order number or account reference.
- Pressure to bypass normal process or keep the request confidential.
- Unexpected attachment types (.htm, .html, .zip, .iso) or QR codes replacing links.
- The reply-to address differs from the visible sender.
- Flawless language proves nothing - verify the request, not the grammar.
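The checklist above doubles as a specification for a triage script. The following is an added example, not code from the original page or from any product it mentions: it parses one message with Python's standard email library and reports four of the structural tells (brand in the display name vs. sender domain, Reply-To mismatch, shown link host vs. real href host, risky attachment types) over a constructed sample modeled on the DHL lure; BRAND_DOMAINS and every address in it are illustrative assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Spoofed display-name brands -> their genuine sending domains (illustrative assumption only).
BRAND_DOMAINS = {"dhl": {"dhl.com"}, "dpd": {"dpd.com"}, "microsoft": {"microsoft.com"}}
RISKY_EXTENSIONS = (".htm", ".html", ".zip", ".iso")
# Link text that itself looks like a URL; group 1 is the hostname the reader is shown.
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)
# Simplified <a href="...">text</a> extraction; use a real HTML parser in production.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def red_flags(raw_message):
    """Return the checklist red flags found in one RFC 5322 message given as a string."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # 1. Display name borrows a brand that the sender domain does not belong to.
    for brand, real in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", name, re.I) and not any(
                from_domain == d or from_domain.endswith("." + d) for d in real):
            flags.append(f"display name claims {brand} but sender domain is {from_domain}")
    # 2. Reply-To quietly routes answers to a different domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        flags.append("reply-to domain differs from sender domain")
    # 3. Visible link text names one host while the href goes to another.
    html = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR.findall(html.get_content() if html else ""):
        shown = URL_LIKE_TEXT.match(text.strip())
        if shown and shown.group(1).lower() != (urlparse(href).hostname or ""):
            flags.append(f"link text shows {shown.group(1)} but points to {urlparse(href).hostname}")
    # 4. Attachment types that carry a local login form or an archive/disk image.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {part.get_filename()}")
    return flags

def sample_dhl_lure():  # constructed sample modeled on lure #1 above, not a captured message
    m = EmailMessage()
    m["From"] = '"DHL Express" <notice@dhl-express-tracking.example>'
    m["Reply-To"] = "replies@unrelated.example"
    m["Subject"] = "Your shipment is on hold"
    m.set_content('<p>Pay the duty at <a href="http://dhl-express-tracking.example/pay">'
                  "https://www.dhl.com/track</a></p>", subtype="html")
    m.add_attachment("<html>card form</html>", subtype="html", filename="customs-invoice.htm")
    return m.as_string()
```

Running `red_flags(sample_dhl_lure())` returns all four structural flags; a plain internal message with no brand, Reply-To, links or attachments returns an empty list, which is the point: the checks score the sender infrastructure and the ask, not the prose.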
How to use these phishing email examples for training
Reading examples builds recognition; being tested builds reflexes. Pick the three or four categories most relevant to your organization - parcel lures for everyone, BEC for finance, helpdesk lures for the whole office - and turn them into simulated campaigns delivered to real inboxes. Our phishing simulation playbook walks through scoping, consent, scheduling and metrics; track the report rate, not just the click rate.
If you'd rather not build templates yourself, PhishGun - built by the offensive-security team at Haxoris - ships localized templates in English, Slovak and Czech modeled on these same documented lure categories, delivers micro-training the moment someone clicks, and produces audit-ready reports usable as awareness-training evidence for NIS2, ISO 27001 and DORA. Your first phishing campaign is free, no credit card required, and pricing is transparent per employee.
Frequently asked questions
What are the most common phishing email examples?
The highest-volume lures are parcel-delivery fee scams impersonating couriers such as DHL and DPD, bank "account verification" messages, Microsoft 365 and Google password or shared-document lures, and internal-looking requests from a fake CEO, HR or IT helpdesk. All follow the same logic: a trusted sender, a plausible pretext, and an ask for credentials, card data or a payment.
How can employees quickly spot a phishing email?
Check three things first: does the sender's actual domain match the brand, where does the link really lead (hover, don't click), and what is the email asking for? Requests for passwords, card numbers, MFA codes or urgent payments are red flags regardless of how polished the message looks. When unsure, verify through the official app or a phone number you already have.
Are AI-generated phishing emails harder to detect?
Yes. ENISA's Threat Landscape 2025 reported that AI-supported phishing made up over 80% of observed social engineering activity by early 2025. AI removes the classic giveaways - typos, clumsy phrasing, wrong diacritics - and adds voice and video deepfakes. Training should therefore focus on verifying requests through a second, independent channel rather than hunting for grammar mistakes.
Can we use real phishing emails for security training?
Yes, and you should - but use reconstructions or sanitized screenshots, never forward live malicious mail. Better still, turn documented lure patterns into simulated phishing campaigns so employees meet them in their real inbox. Pair every simulation with short, immediate feedback for anyone who clicks; that moment is where the actual learning happens.
What should an employee do after clicking a phishing link?
Report it immediately to IT or via the phishing-report button - speed matters more than blame. IT should reset the password, revoke active sessions, check for new MFA enrollments or mail-forwarding rules, and review sign-in logs. An employee who reports a click within minutes usually turns a potential incident into a non-event.