Chapter 3 · Email Safety

Email Scams: How to Spot Phishing and Protect Yourself

By Joseph Richard Updated June 20268 min read

Your inbox is the single most common place a scam will reach you — not because email is clever, but because it's cheap, instant, and easy to fake. This chapter breaks down how email fraud works, the signs that give it away, and what to do the moment you suspect something's wrong.

Key takeaways

Why email is a scammer's favorite tool

Email is the number one delivery route for fraud because scale costs almost nothing. One operator can send the same message to ten million people in an afternoon. At that volume, even a response rate of one in a million still turns a profit — which is why your inbox sees the same recycled tricks year after year.

It also explains why these emails feel slightly "off." They're built for volume, not craftsmanship. The odd grammar and the almost-right logo are the seams of an operation designed to be sent a million times, not written for you.

What phishing actually is

"Phishing" is pronounced like "fishing," and that's the whole idea: bait cast wide, waiting for a bite. A phishing email is disguised to look like it comes from someone you trust — your bank, PayPal, Amazon, the IRS, a delivery service, or a coworker. The goal is to get you to click a link to a fake login page, or to reveal sensitive information in a reply.

The fake login page is the dangerous part. It's built to look identical to the real site. You type your username and password, the page quietly records them, then often forwards you to the genuine site so nothing seems wrong — while the scammer walks away with your credentials.

⚠ Real-world example
Subject: URGENT — Your Amazon account has been suspended
"Dear Customer, unusual activity has been detected on your account. Click here immediately to verify your identity, or your account will be permanently closed."

Three tells in one message: a generic "Dear Customer," a threat with a deadline, and a "verify" link to a counterfeit page. A real company uses your name and never makes you rescue your account through an emailed link.

The four red flags that catch most phishing

1. A sender address that's almost right

Anyone can set the display name, so look at the actual address. Watch for misspellings and lookalike characters: support@amaz0n-help.com (a zero for the "o") is not Amazon. The real domain is the part right before the final ".com"; everything bolted around it is where fakes hide.

2. A greeting that doesn't know you

"Dear Customer" or "Dear Account Holder" are hallmarks of a message blasted to millions. A company you have an account with knows your name. A generic greeting on an "urgent" email is a strong sign it's fake.

3. Manufactured urgency

"Act within 24 hours or your account will be closed." The urgency exists to stop you thinking. Legitimate organizations give you reasonable time and several ways to respond.

4. Links that point somewhere else

On a computer, hover over a link (don't click) to see its real destination at the bottom of the screen; on a phone, press and hold to preview. If a "bank" email links to a random domain, that mismatch is the scam in plain sight.

Other common email schemes

The lottery or prize scam

You "won" a lottery you never entered, but must pay a fee or tax to release the funds. There is no prize. Real lotteries never ask winners to pay up front.

The advance-fee ("Nigerian prince") scam

Someone overseas needs help moving a large sum and offers you a share. They'll invent fee after fee until you stop paying. The promised fortune never existed.

The overpayment scam

A "buyer" sends a check for too much and asks you to wire back the difference. Days later the check bounces and you're out the money you sent.

The job-offer scam

A surprisingly generous remote job appears, but first you must pay for training, software, or a background check. Real employers pay you — you never pay them to start.

What to do if you've already clicked or replied

  1. If you entered a password, change it now — everywhere you reused it. Start with email and banking.
  2. Turn on two-factor authentication (2FA) so a stolen password alone isn't enough.
  3. If you shared card or bank details, call your bank or card issuer right away.
  4. If you opened an attachment, disconnect from the internet and run a full security scan before logging into anything.
  5. Save the evidence — keep the original email before deleting it; you'll need it to report.

Five rules that stop most email scams

Want every chapter in one place?

This guide is free to read here. If you'd like the complete book — checklists, scripts for handling a scam in progress, and every chapter offline — it's available as an eBook.