Common email threat scenarios and how to tackle them
- Last Updated : October 22, 2025
Email is one of the most widely used tools for professional and personal communication. It’s also the most widely used attack vector for launching cyber attacks. Attackers can reach a massive pool of victims with low effort and exploit the human weakness of trusting requests that appear urgent, familiar, or official.
Emails are also more prone to attack because they carry sensitive information like login credentials, financial details, or confidential workplace communications. Despite all of the technical safeguards, a single careless click can let an attacker steal the victim's personal data, money, or even identity.
Emails can also carry malware, such as ransomware or spyware, which may be installed on the system or network after the recipient clicks a malicious link embedded in the email.
The best defense is knowing the red flags and how to respond safely. In this article, we’ll look at the universal red flags, response protocols, and some of the most common email threat scenarios.

Universal red flags and responses
While email threats come in many forms, they share some similar red flags. Recognizing these universal red flags can help you identify those scams. By understanding these common traits and knowing how to respond safely, you can protect yourself from a wide range of email-based attacks.
Suspicious sender addresses and usernames: Attackers often use fake or look-alike email addresses to appear legitimate. They may add extra words or symbols (paypal-security.com), use free email services for official messages, or spoof real domains. Watch for typosquatting, where attackers register domains with subtle misspellings like character substitutions (paypai.com), letter swaps (amazno.com), look-alike characters (micros0ft.com), extra letters (appple.com), or foreign alphabet characters that appear identical. In workplaces, scammers may impersonate executives by using their names in the display field to create urgency or authority. Always hover over the sender’s address to confirm who the email is really from.
Urgent or manipulative language: Emails with subject lines such as “Need urgent attention,” “Your account will be suspended,” or “You’ve won!” should be treated as suspicious. Emails that begin with generic greetings like “Dear Customer” instead of your name indicate that they may be mass phishing messages sent to multiple recipients.
Embedded links and requests: If the email contains links that call for action, hover over them before clicking. The real URL will be displayed in the lower-left corner of your browser. If it doesn't match the legitimate company's domain, this is a red flag that the link may be malicious. Don't download attachments, especially .exe or .zip files. Legitimate institutions will never ask customers to share usernames, passwords, PINs, or other sensitive information via email.
Context clues: If something seems suspicious, such as a notification about a package you didn't order, a prize for a contest you didn't participate in, or a problem with an account you don't have, trust your instincts and consider it a red flag.
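The look-alike sender patterns listed above can also be checked automatically at the mail gateway. The following is an added example, not code from this article or from any product it mentions; the protected-domain list, the look-alike character map, and the function names are assumptions chosen for illustration.

```python
# Added example. PROTECTED and LOOKALIKES are constructed assumptions; a real
# deployment would list the organisation's own domains and a fuller character map.
PROTECTED = ("paypal.com", "amazon.com", "microsoft.com", "apple.com")
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "\u0430": "a", "\u0435": "e",
                            "\u043e": "o", "\u0440": "p"})  # digits and Cyrillic

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1,
                         prev[j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent letters swapped
        prev2, prev = prev, cur
    return prev[len(b)]

def classify_sender(address):
    """Return (verdict, protected_domain_or_None) for a From: address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(">. ")
    for p in PROTECTED:
        # A matching domain can still be spoofed; SPF/DKIM/DMARC results decide that.
        if domain == p or domain.endswith("." + p):
            return "exact-match", p
    skeleton = domain.translate(LOOKALIKES)  # fold look-alike characters to ASCII
    for p in PROTECTED:
        if skeleton == p:
            return "lookalike-characters", p
    for p in PROTECTED:
        if osa_distance(skeleton, p) == 1:   # one substitution, swap or extra letter
            return "typosquat", p
    tokens = set(domain.replace("-", ".").split("."))
    for p in PROTECTED:
        if p.split(".")[0] in tokens:        # brand name padded with extra words
            return "brand-in-name", p
    return "unknown", None

# Constructed sample senders, using the domains named in the paragraph above.
SAMPLE_SENDERS = ("Security <alerts@paypai.com>", "billing@micros0ft.com",
                  "support@paypal-security.com", "orders@amazno.com")
```

An "unknown" verdict only means the domain does not resemble a protected one; it says nothing about whether the message is safe.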
How to respond: A 4-step plan
Identifying a malicious email is only the first step; knowing how to respond is what keeps you safe. A calm, cautious and strategic approach can prevent potential damage. Follow this simple 4-step response plan:
1. Stop
When you suspect that an incoming email is malicious, not acting on it is key. Don't click any links or download any attachments embedded in the email. Don't follow any instructions in the message. Don't respond by replying or calling phone numbers mentioned in the email.
2. Verify
When you encounter a link, hover over it to reveal the actual URL in the lower-left corner of your browser. Check whether this URL matches the company's official domain (e.g., paypal.com, not paypal-secure.com). To verify whether the URL is legitimate, open a new browser window and type the official website address yourself. Log in to check for real alerts. For banks, call the number on your physical card. For packages, check your order history and paste tracking numbers directly into the official carrier websites.
3. Report
If you identify a phishing email at work, report it immediately to your company's IT or security team and mark it as spam or phishing. For personal accounts, use your email provider's report phishing or report spam feature to flag suspicious messages. Additionally, consider notifying the legitimate company being impersonated so they can take action against the fraudulent activity. Reporting is important because it helps email systems improve their detection algorithms and prevents similar threats from reaching others in the future.
4. Delete
After reporting a phishing email, delete it permanently. Do not open any attachments, click any links, or reply to the sender. If you have accidentally interacted with the email by clicking a link, downloading software, or entering your personal information, take immediate action: disconnect your device from the internet, run a complete malware scan, change your password on a secure device, enable multi-factor authentication (MFA) for your accounts, and check for fraudulent activity in your financial accounts.
Common threat scenarios
While the warning signs are often the same, scammers use different ways to trick people. Here are six common email scams you should know about, along with real examples of how they appear.
1. Fake bank or financial alerts
What it looks like: A phishing email that impersonates your bank may warn you about suspicious activity or ask for your login credentials to verify your identity. The email may contain official logos and formatting similar to your bank's legitimate emails. These emails typically use subject lines that create a sense of urgency or a prompt to act immediately to avoid any potential consequences.
Typical examples include:
- "Urgent: Your account will be suspended in 24 hours. Click here to verify."
- "We've detected unusual login attempts from an unrecognized device."
- "Your account has been temporarily locked due to suspicious activity."
- "Confirm these transactions or your card will be blocked immediately."
2. Delivery or shipping notification scams
What it looks like: An email impersonating a major shipping carrier, like FedEx, UPS, DHL, or USPS, claiming that the package couldn't be delivered due to a wrong address and prompting the receiver to verify the address or pay a shipping fee to attempt delivery.
Typical examples include:
- "Your parcel delivery failed. Click here to pay a $100 reshipment fee to receive your package."
- "Package #78945612 is awaiting customs clearance. Pay $3.99 to release your shipment."
- "We attempted delivery today but no one was home. Reschedule within 48 hours or your package will be returned."
- "Your delivery address is incomplete. Update your information to receive your parcel."
- "You have a package waiting at our facility. Confirm your identity to arrange pickup."
3. Social media account alerts
What it looks like: A phishing email or message claiming that your social media account will be locked, suspended, or disabled unless you take immediate action. These emails often include official-looking logos, urgent subject lines, and links that appear to lead to the platform’s login page. They aim to trick you into revealing your credentials.
Typical examples include:
- “Your Instagram account will be disabled unless you verify your login here.”
- “Unusual activity has been detected on your Facebook account. Confirm your identity to continue using your account.”
- “X has temporarily locked your account due to suspicious login attempts. Click here to restore access.”
4. Prize or lottery scams
What it looks like: An email claiming you have won a prize, lottery, or gift card. The email asks you to pay a processing fee or provide personal or financial information to claim your winnings. These scams exploit curiosity, greed, or excitement, and may use logos and designs to appear legitimate.
Typical examples include:
- “Congratulations! You’ve won $1,000! Send your bank info to claim it.”
- “You are the lucky winner of a $500 gift card. Verify your details now to receive it.”
- “Claim your prize! A luxury vacation awaits, but first complete this verification form.”
5. Tech support scams
What it looks like: An email claiming your computer or device has been infected with a virus, malware, or other issues. The sender urges you to call a support number or click a link to fix the problem. These scams often mimic official tech support messages and aim to steal personal data or install malware on your system.
Typical examples include:
- “Your computer has been infected! Call 1-800-XXX-XXXX immediately.”
- “Virus detected on your system. Click here to remove it now.”
- “Security alert: Your device has been compromised. Contact our support team immediately.”
6. Account verification or login phishing
What it looks like: An email pretending to come from a service or platform you use, asking you to verify your account, reset your password, or confirm your login details. These emails often include a sense of urgency and mimic the style of official communications, with the goal of stealing your credentials.
Typical examples include:
- “Your Amazon account will be suspended. Click here to verify your login.”
- “Alert: Unusual activity has been detected on your PayPal account. Verify your account now.”
- “Google account login attempt has been blocked. Confirm your identity immediately to restore access.”
Wrapping up
More than 90% of successful cyber attacks start with a phishing email. Yet most of them can be prevented with awareness and the right response. By recognizing red flags, responding carefully, and reporting suspicious emails, individuals can protect themselves and their personal information from cyber threats.
Organizations can strengthen their defenses through a combined approach: educating employees about email-based attacks and implementing advanced email security solutions like Zoho eProtect. This enterprise-grade, cloud-based email security and archiving solution adds a critical layer of defense by filtering malicious emails before they reach inboxes, scanning attachments for threats in real time, and automatically blocking phishing attempts, protecting your entire organization.
eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.