Email Phishing Scams: How to Recognize and Avoid Email Scams

Graphic: Nathaniel Blum


Emily Long
August 30, 2019

Email is a near-universal way of communicating. We use it at work and in our personal lives. We get dozens or even hundreds of messages a day. Many are legit, but some are not.

Email scams aren’t uncommon, and when they’re successful, they can leave your personal information exposed and your bank account vulnerable to attack. In fact, consumers reported more than $48 million lost to phishing and similar scams in 2018, according to the FBI’s Internet Crime Complaint Center (IC3).

Here’s what you need to know to protect yourself.

What are scam emails?

Scam emails are messages that try to get you to give up information, from your credit card number to your login credentials for a secure website. Some email scams are obvious (you don’t actually know any Nigerian princes, do you?) while others are spoofed, or made to look like they come from a legitimate business, a government agency or a friend.

Another term for this tactic is phishing—where scammers try to convince you that a message is from someone you trust so you’ll click a link or open an attachment and provide or confirm personal information. According to the Federal Trade Commission (FTC), thousands of phishing attacks occur every single day.

Serious email scammers are creative, said Brian Young, public policy manager at the National Consumers League. They’re able to replicate company logos and login pages well enough to make you think you’ve received a legitimate message or are entering credentials into a secure webpage. And they may take particular advantage of media hype about data breaches to trick you into giving up your personal information.


This means scams can be hard to spot. Here are a few to look out for.

Amazon scam email

In July 2019, security company McAfee reported a phishing scam targeting Amazon users. Scammers sent fake emails that appeared to be from Amazon to account holders. The spoofed emails led recipients to believe that their accounts had been compromised and included a PDF attachment with a link to a fake Amazon login page, where they were prompted to enter their usernames and passwords.

If you receive a suspicious email from Amazon, follow Amazon’s directions to determine whether the email is legitimate. Don’t click any links or enter sensitive account information. (If you’re concerned that your login has been compromised, go directly to by typing the URL address into your web browser.) Finally, report the scam to by opening a new draft and attaching the spoofed email to it.

Netflix scam email

A similar email scam targeted 110 million Netflix users starting in late 2018. Users received messages with the subject line “Your suspension notification”. The email went on to say that the recipient’s billing information needed to be validated within 48 hours or their subscription would be canceled. The message included a link to a spoofed website where recipients could “update” their payment information.

According to reports, while the email contained a few obvious errors, the fake landing page was visually accurate enough to be convincing for some recipients.

Netflix advises subscribers never to enter login or financial information via a link in an email or text. If you do receive a sketchy email you suspect is not actually from Netflix, forward the message to If you clicked a link or entered sensitive info, change your Netflix password and the passwords for any bank or credit card accounts that may have been compromised.

PayPal email scams

There are a variety of PayPal email scams floating around that could trick users into giving up sensitive personal or financial information. Here are a few subject lines from common scams:

  • “Your account is about to be suspended”
  • “You’ve been paid”
  • “You’ve been paid too much”

Like many other email scams, fake PayPal account suspension messages may prompt you to enter your credentials on a spoofed webpage. Other scammers may try to trick you into sending a product you haven’t actually been paid for or return money you don’t actually owe.

A real PayPal email comes from and addresses you by your first and last name or business name. If you get a phishing email related to your PayPal account, don’t click any links—forward it to and delete it from your inbox.

Apple ID email scams

One of the main Apple ID email scams uses the same tactic as the Amazon email scam—in fact, the Apple ID spoof came first. Scammers targeted Apple account holders with a message that their information needed to be updated, which then led to a landing page where targeted email recipients could enter their login credentials.

Security experts have identified a few other Apple ID email scams, including messages with subject lines like “Receipt ID,” “Receipt Order” and “Payment Statement.” The end goal is to get recipients to confirm their personal information, including passwords and credit card numbers, on a spoofed page.

Emails from Apple will never ask for your Social Security number, credit card details or mother’s maiden name. If you receive a questionable message, forward it to and update your Apple ID password.


What to do if you are a victim of an email scam

While it’s natural to panic—after all, getting scammed can be scary—there are concrete steps you can take to manage and minimize the potential damage.

  • Act immediately. As soon as you realize you’ve clicked a fraudulent link or submitted information on a spoofed website, work your way through these steps.
  • Change your passwords. Update login credentials for the site the scam email is trying to spoof. If you gave out any financial information, it’s a good idea to change the passwords for your banking and credit card accounts, too. Use a password generator to create long and complex passwords, and consider a password manager to keep track of your various logins.
  • Notify the relevant company. This helps the company figure out how big the scam is and warn other customers.
  • Let your bank or credit card company know. If you think your financial information has been compromised, call your bank. It can keep an eye out for possible signs of fraud, and cancel cards or close accounts if needed.
  • Monitor your accounts. Scrutinize your bank and credit card statements. Check your other accounts (like Amazon) for odd or suspicious activity. Pull your credit report to make sure no new accounts have been opened in your name, and consider freezing your credit altogether to prevent this from happening. You may need to keep an eye on this for months or even years. And while your info may not have been compromised, it’s a good habit to check your accounts regularly for fraud.
  • File a formal complaint. You can file a complaint detailing the scam with a number of government agencies and consumer advocacy organizations. This won’t undo what happened to you, but it can help security pros identify trends and build cases against criminals to prevent them from scamming others. Report scams to the FTC and the National Consumers League.
  • Follow steps to prevent identity theft. If you believe your personally identifiable information was compromised, don’t wait for a thief to use your credit card number or open a loan in your name. Use the resources at to identify warning signs and develop a plan to protect your identity.

How can I protect myself from email scams?

The good news? While email scams are pretty common, you don’t have to be a victim. The most important thing is to listen to your gut—if you feel an emotional response or pressure to act, take a step back and think it through. Here are some ways you might be able to detect scam emails.

“Any time you see something that’s a little out of the ordinary, that should be a red flag for you,” Young said.

Follow these tips to minimize your risk.

  • Use a spam filter. Most major email providers have built-in filters that send obvious junk to a spam folder. This keeps at least some of the bad stuff out of your inbox. If your service doesn’t already have this function, you can purchase spam-filtering software.
  • Scrutinize email addresses. Sender names are easy to spoof, so you may get an email from “PayPal” that isn’t actually from an address. Always look at the email address itself. As an extra layer of protection, you can use a reverse email lookup tool to try and check the sender’s identity.
  • Don’t click links. If an email is even somewhat suspicious, or if it pushes you to take action related to login credentials or billing info, don’t open any links. Instead, hover over the hyperlinked text to reveal the URL address of the site before you click.
  • Use multifactor authentication. You can set up some accounts to require multiple credentials, such as a passcode you receive via text or a fingerprint scan, in addition to your username and password. This can prevent scammers from accessing your accounts even if they steal your login info.
  • Keep your software up to date. Set your operating systems, web browsers, and apps on your phone, tablet and computer to update automatically. These software updates fix possible security flaws that could leave your information vulnerable.
  • Don’t give out personal info in any communication you didn’t initiate. You should always be the one to call, email or begin a conversation that involves sensitive data. For example, if you get a message from your bank asking you to verify information, call the bank using the number found on its website, not the one provided in the email.
  • Be wary of generic emails. Do not respond to or take action from messages that aren’t addressed to you by name or that ask you to fill out a form with sensitive personal information.

These days, it’s hard not to be on the receiving end of scam emails, but with some vigilance and common sense, you can avoid being a victim.

Disclaimer: The above is solely intended for informational purposes and in no way constitutes legal advice or specific recommendations.