Chapter 3 · Email Safety
Email Scams: How to Spot Phishing and Protect Yourself
Your inbox is the single most common place a scam will reach you — not because email is clever, but because it's cheap, instant, and easy to fake. This chapter breaks down how email fraud works, the signs that give it away, and what to do the moment you suspect something's wrong.
Key takeaways
- Phishing emails impersonate people and brands you trust to steal logins, money, or personal data.
- Four signals catch most of them: a faked sender address, a generic greeting, manufactured urgency, and mismatched links.
- If a message pressures you to act right now, that pressure is the scam — verify through a channel you already trust.
- If you've already clicked or replied, fast action limits the damage.
Why email is a scammer's favorite tool
Email is the number one delivery route for fraud because scale costs almost nothing. One operator can send the same message to ten million people in an afternoon. At that volume, even a response rate of one in a million still turns a profit — which is why your inbox sees the same recycled tricks year after year.
It also explains why these emails feel slightly "off." They're built for volume, not craftsmanship. The odd grammar and the almost-right logo are the seams of an operation designed to be sent a million times, not written for you.
What phishing actually is
"Phishing" is pronounced like "fishing," and that's the whole idea: bait cast wide, waiting for a bite. A phishing email is disguised to look like it comes from someone you trust — your bank, PayPal, Amazon, the IRS, a delivery service, or a coworker. The goal is to get you to click a link to a fake login page, or to reveal sensitive information in a reply.
The fake login page is the dangerous part. It's built to look identical to the real site. You type your username and password, the page quietly records them, then often forwards you to the genuine site so nothing seems wrong — while the scammer walks away with your credentials.
Three tells in one message: a generic "Dear Customer," a threat with a deadline, and a "verify" link to a counterfeit page. A real company uses your name and never makes you rescue your account through an emailed link.
The four red flags that catch most phishing
1. A sender address that's almost right
Anyone can set the display name, so look at the actual address. Watch for misspellings and lookalike characters: support@amaz0n-help.com (a zero for the "o") is not Amazon. The real domain is the part right before the final ".com"; everything bolted around it is where fakes hide.
2. A greeting that doesn't know you
"Dear Customer" or "Dear Account Holder" are hallmarks of a message blasted to millions. A company you have an account with knows your name. A generic greeting on an "urgent" email is a strong sign it's fake.
3. Manufactured urgency
"Act within 24 hours or your account will be closed." The urgency exists to stop you thinking. Legitimate organizations give you reasonable time and several ways to respond.
4. Links that point somewhere else
On a computer, hover over a link (don't click) to see its real destination at the bottom of the screen; on a phone, press and hold to preview. If a "bank" email links to a random domain, that mismatch is the scam in plain sight.
Other common email schemes
The lottery or prize scam
You "won" a lottery you never entered, but must pay a fee or tax to release the funds. There is no prize. Real lotteries never ask winners to pay up front.
The advance-fee ("Nigerian prince") scam
Someone overseas needs help moving a large sum and offers you a share. They'll invent fee after fee until you stop paying. The promised fortune never existed.
The overpayment scam
A "buyer" sends a check for too much and asks you to wire back the difference. Days later the check bounces and you're out the money you sent.
The job-offer scam
A surprisingly generous remote job appears, but first you must pay for training, software, or a background check. Real employers pay you — you never pay them to start.
What to do if you've already clicked or replied
- If you entered a password, change it now — everywhere you reused it. Start with email and banking.
- Turn on two-factor authentication (2FA) so a stolen password alone isn't enough.
- If you shared card or bank details, call your bank or card issuer right away.
- If you opened an attachment, disconnect from the internet and run a full security scan before logging into anything.
- Save the evidence — keep the original email before deleting it; you'll need it to report.
Five rules that stop most email scams
- Never click unexpected links. Type the official address into your browser yourself.
- Don't open unexpected attachments, even from people you know — their accounts may be compromised.
- Verify through a separate channel. If "your bank" emails, call the number on your card, not the one in the email.
- Turn on 2FA everywhere it's offered.
- Slow down. A real problem survives you taking five minutes to check.
Want every chapter in one place?
This guide is free to read here. If you'd like the complete book — checklists, scripts for handling a scam in progress, and every chapter offline — it's available as an eBook.