Every phishing email that succeeds in your inbox has already beaten your spam filter, your email security stack, and your attention — all at once. That's what makes it dangerous.
The emails below aren't theoretical. They're real attack templates that compromised small businesses across the country in 2025. We've redacted identifying details but kept the mechanics intact. By the end of this article, you'll know exactly what to look for.
The Anatomy of a Phishing Email That Works
Before we get to the examples, here are the four elements every effective phishing email has in common:
- Authority: It impersonates someone you trust — your CEO, Microsoft, the IRS, a vendor you work with.
- Urgency: There's a deadline. Act now or lose access, pay a penalty, or miss a shipment.
- Simplicity: The ask is simple — click this link, approve this request, reply with your password.
- Legitimacy cues: Real logos, real formatting, real-looking sender addresses.
None of these elements alone should trigger alarm. All four together should be treated as a phishing email until proven otherwise.
Example 1: Fake Microsoft 365 "Your Password Expires Today"
What it looks like:
- Sender: "Microsoft 365 <no-reply@microsoft-365-security.com>" — Note the domain.
- Subject: "Password Expires in 24 Hours — Urgent Action Required"
- Body: "Your Microsoft 365 password expires today. If you do not update your credentials, your account will be suspended. Click below to verify your identity."
- Link text: "Update Your Password Now" → actual URL is "http://microsoft-365-helpdesk[.]com/verify"
How to spot it:
- Microsoft emails come from @microsoft.com, never from hyphenated security domains.
- Microsoft never sends password expiration warnings with clickable links in the body of the email.
- Hover over the link before clicking. In a phish, the actual URL will not match microsoft.com.
Example 2: Wire Fraud — Fake Title Company Closing Request
What it looks like:
- Sender: "Jessica <j.harrington@titleco-wilmington[.]com>" — Looks like a real agent.
- Subject: "Re: Closing on 441 Oak Street — Final Wire Instructions"
- Body: "Hi, so sorry for the short notice — we need the wire to go out today or the closing gets pushed. Attached are the final wiring instructions. Please confirm receipt and send the transfer confirmation number once done."
- Attachment: "WiringInstructions_441Oak.pdf" — a legitimate-looking PDF with a new bank account number.
How to spot it:
- Call the title company directly using a number you know is real, not one in the email.
- Banks rarely change wiring instructions mid-transaction. A last-minute change is a red flag.
- The email domain titleco-wilmington[.]com is not the same as the real title company's actual domain.
- This attack has cost SMBs $98,000+ per incident.
Example 3: QuickBooks "Your Invoice is Ready" (Fake)
What it looks like:
- Sender: "QuickBooks <billing@quickbooks-notifications[.]net>"
- Subject: "Invoice #INV-88291 Due: Today"
- Body: "You received a payment request from [Vendor Name]. View and pay your invoice online."
- CTA button: "View Invoice" → leads to a convincing QuickBooks-branded login page that captures your credentials.
How to spot it:
- QuickBooks sends from @quickbooks.intuit.com or @intuit.com.
- If you don't recognize the vendor, don't click. Open QuickBooks directly and look for the invoice there.
Example 4: The "IT Department" Password Reset
What it looks like:
- Sender: "IT Help Desk <support@yourcompany-helpdesk[.]com>"
- Subject: "URGENT: Your password will be reset in 30 minutes"
- Body: "We have detected unusual login activity. For your security, please verify your credentials immediately using the link below. Failure to do so will result in account lockout."
How to spot it:
- Your IT department will never ask you to verify your password via email.
- The sender domain is not your company's real domain.
- Report suspicious emails to your IT team for verification; do not click anything.
Example 5: FedEx "Failed Delivery" Smishing (Text, Not Email)
What it looks like:
- Sender: SMS from a 5-digit short code (not a real FedEx number)
- Message: "FedEx: Your package could not be delivered. Reschedule delivery here: http://fedex-redelivery[.]info/reschedule"
How to spot it:
- FedEx links are always at fedex.com, not hyphenated redirect domains.
- Never click delivery links in unsolicited text messages.
Example 6: LinkedIn "You Appear in 5 Searches This Week" (Credential Harvester)
What it looks like:
- Sender: "LinkedIn <messages-noreply@linkedin-mail[.]net>"
- Subject: "5 people viewed your profile this week"
- Body: "See who viewed your profile. Click to log in to LinkedIn."
- Link: mimics the LinkedIn login page — but it's a credential harvester on a look-alike domain.
How to spot it:
- LinkedIn never sends login links via email from third-party domains.
- Real LinkedIn notification URLs go to linkedin.com.
Example 7: IRS "Notice of Underreported Income" (Tax Scam)
What it looks like:
- Sender: "IRS Refund Team <refund-irs@tax-refund-portal[.]us>"
- Subject: "Notice of Underreported Income — Refund Offset Notice"
- Body: "You have an unclaimed refund of $1,847.00. To process this refund, we need you to verify your identity within 48 hours or your refund will be returned to the Treasury."
How to spot it:
- The IRS never initiates contact via email about refunds or penalties.
- Real IRS notices come via physical mail, not email.
- The domain tax-refund-portal[.]us is not a government domain.
Example 8: DocuSign "Please Review and Sign" (Invoice Attachment Scam)
What it looks like:
- Sender: "DocuSign <ds-notify@docusign-update[.]com>"
- Subject: "[Company Name] — Please review and sign document"
- Body: "You have received a document via DocuSign. Click below to review."
- Button: "Open Document" → leads to a fake Microsoft login to capture your corporate credentials.
How to spot it:
- Hover over the button — the URL is docusign-update[.]com, not docusign.com.
- DocuSign always comes from docusign.net or docusign.com.
- If you weren't expecting a document, call the sender directly to confirm.
Example 9: Amazon "Your Order Cannot Be Shipped" (Fake Order Notification)
What it looks like:
- Sender: "Amazon <orders@amazon-orders-confirm[.]com>"
- Subject: "Your Amazon order #112-7748292-001 cannot be shipped"
- Body: "We need to verify your payment information. Click below to update your billing address."
- Link: Looks like amazon.com but captures your payment info on a fake page.
How to spot it:
- Amazon never asks you to update billing info via a link in an order confirmation email.
- Log into your Amazon account directly. Don't use links in emails.
Example 10: "Your CEO Needs a Gift Card" (BEC / Executive Impersonation)
What it looks like:
- Sender: "CEO Name <ceo.name@company-update[.]org>" — close to your CEO's real email but different domain.
- Subject: "Urgent — Need It Today"
- Body: "Hey, I need you to grab me some gift cards for a client — can you get $500 in iTunes cards and send me the codes? I'm in a meeting and can't talk right now. Need them quickly."
How to spot it:
- Your CEO writes from the corporate domain, not a different one.
- No legitimate executive asks for gift card codes via email.
- Call your CEO on their direct line, not a number in the email.
Example 11: "Your Zoom Meeting Was Canceled" (Zoom Credential Theft)
What it looks like:
- Sender: "Zoom <notifications@zoom-meetings[.]io>"
- Subject: "Your Zoom Meeting Has Been Canceled"
- Body: "Your scheduled Zoom meeting was canceled by the host. Click here to reschedule or view details."
- Link: leads to a fake Zoom login page capturing your corporate credentials.
How to spot it:
- Zoom notifications come from zoom.us, not zoom-meetings[.]io.
- Open Zoom directly in your browser or app rather than using email links.
Example 12: "PayPal — You've Sent a Payment" (Fake Receipt)
What it looks like:
- Sender: "PayPal <service@paypal-billing[.]net>"
- Subject: "You Sent a Payment of $849.00 to [Vendor]"
- Body: "If you did not authorize this transaction, click here immediately to cancel."
- CTA: "Cancel This Transaction" → leads to a fake PayPal page capturing your login.
How to spot it:
- Real PayPal emails come from paypal.com.
- PayPal never asks you to cancel transactions via a link in the body of an email.
- Log into PayPal directly to check your transaction history.
The Anti-Phishing Playbook: 5 Steps Every Team Member Can Take
- Hover before you click. Every link has a real URL. If it doesn't match the brand's actual domain, don't click.
- Check the sender's full email address. Look beyond the display name — the domain after the @ is what matters.
- Verify unexpected requests via a separate channel. Call the person directly on a number you already know; never use a number from the suspicious email.
- Report suspicious emails to your IT team. Most email platforms have a "report phishing" button. Use it.
- Don't forward suspicious emails — report them. Forwarding can spread the malicious content.
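As an added example (not part of the original article), here is a small Python checker that applies playbook steps 1 and 2, plus the urgency element from the anatomy section, to a constructed message modelled on Example 1. The brand allowlist, the urgency word list and the sample message are assumptions built from the domains this page names; it also accepts [.]-defanged links as written on the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Real sender domains this page names for each brand (a constructed allowlist; add your own vendors).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "quickbooks": {"quickbooks.intuit.com", "intuit.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "paypal": {"paypal.com"},
}
# Urgency language taken from the page's examples (anatomy element 2).
URGENCY = ("urgent", "immediately", "today", "24 hours", "suspended", "lockout")
URL_RE = re.compile(r"https?://([^/\s\"'>]+)")
# Constructed message modelled on Example 1; the link is defanged with [.] as on the page.
SAMPLE = """From: Microsoft 365 <no-reply@microsoft-365-security.com>
Subject: Password Expires in 24 Hours - Urgent Action Required

Your Microsoft 365 password expires today or your account will be suspended.
Click below to verify your identity: http://microsoft-365-helpdesk[.]com/verify
"""

def is_brand_domain(host, brand):
    # True only for the brand's real domain or a subdomain of it; a look-alike never matches.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS.get(brand, ()))

def brands_named(text):
    # Which brands does this display name, sender domain or link host claim to be?
    return [b for b in BRAND_DOMAINS if b in text.lower()]

def analyze(raw):
    """Return the red flags found in a raw (optionally defanged) email message."""
    msg = message_from_string(raw.replace("[.]", "."))
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    flags = []
    # Playbook step 2: the domain after the @ must belong to the brand the display name claims.
    for brand in brands_named(display + " " + sender_host):
        if not is_brand_domain(sender_host, brand):
            flags.append(f"sender domain {sender_host} is not a real {brand} domain")
    # Playbook step 1: every link host must belong to the brand it name-drops.
    for host in URL_RE.findall(body):
        for brand in brands_named(host):
            if not is_brand_domain(host, brand):
                flags.append(f"link host {host} impersonates {brand}")
    hits = [w for w in URGENCY if w in (msg.get("Subject", "") + " " + body).lower()]
    if hits:
        flags.append("urgency cues: " + ", ".join(hits))
    return flags
```

Running `analyze(SAMPLE)` reports the look-alike sender domain, the look-alike link host and four urgency cues; a message from a real subdomain such as account.microsoft.com linking to microsoft.com produces no flags.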
One trained employee who stops a single phishing email prevents an average of $200,000 in losses. That's the ROI on security awareness training.
Want your team to spot these before they click? Book a live Phishing Defense training session for your team: we simulate real attacks using examples like the ones above.
Or start with a free 10-question phishing quiz to benchmark your team's detection rate.