Most email scams are not "hacking". They are persuasion attacks that try to make you click, pay, or share a code before you verify. The fastest way to win is to make verification a habit and treat every unexpected request as untrusted by default.
If you only do one thing: never sign in through links in messages. Open the official app or type the site address yourself.
Triage checklist (30 seconds)
- Do not click: do not click links, do not open attachments, do not reply with personal info.
- Check what the email wants you to do: signing in, paying, installing software, or sharing a code are the highest-risk actions.
- Verify through a separate channel: use the official app, a bookmarked URL, or a known phone number from the vendor's website.
- Assume any request for a one-time code is an account takeover attempt until proven otherwise.
If the email relates to account access or security alerts, start with the control plane: protect your inbox and turn on two-factor authentication (2FA) on email and critical accounts.
What scammers exploit
Email scams succeed by controlling context. They show you a believable logo, a plausible warning, and a time limit. Your job is to stop operating inside the attacker's frame.
| Pressure tactic | What it looks like | Why it works | Safe response |
|---|---|---|---|
| Urgency | "Your account will be closed today" | Forces fast decisions | Pause and verify independently |
| Authority | Bank, HR, IT, police, court | Triggers compliance | Use official contact routes |
| Secrecy | "Do not tell anyone" | Isolates you from help | Tell a trusted person, then verify |
| Scarcity | "Limited-time refund" | Creates fear of missing out | Assume it can wait until verified |
| Technical fog | Fake "security logs" and jargon | Makes you outsource thinking | Return to basics: who sent it, what action is requested |
Safety note: legitimate support does not need your password or one-time codes. If someone asks for a code, they are trying to log in as you.
How to check the sender safely
Do not trust the display name. Check the actual email address and the path the email wants you to take.
Step 1: Ignore the name, inspect the address
- Look for small misspellings and extra words in the domain (for example, "secure", "billing", "support").
- Be skeptical of free email domains for companies (Gmail, Outlook) unless you are dealing with a small business and can verify through another channel.
- Check the Reply-To address if your email client shows it. Scams often use a legitimate-looking From name but a different Reply-To address.
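The checks in Step 1 can be done mechanically on a saved message. The script below is an added example and not part of the original article: it parses a message's headers with Python's standard `email` package and reports the mismatches described above (display name versus real address, From versus Reply-To, a free email provider, extra words bolted onto a brand name). The sample message, the brand domain `example.com`, and the short word and provider lists are constructed assumptions for this illustration.

```python
"""Inspect the sender fields of a raw email message (added example)."""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: a short list of consumer mail providers is enough here.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Words commonly bolted onto a brand name to build a lookalike domain.
SUSPICIOUS_WORDS = ("secure", "billing", "support", "verify", "account")

# Constructed sample: the display name says Example Bank, the address does not.
SAMPLE_MESSAGE = """\
From: "Example Bank Security" <alerts@example-secure-billing.test>
Reply-To: example.bank.help@gmail.com
To: customer@mailbox.test
Subject: Action required: your account will be closed today

Sign in now to keep your account open.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if malformed)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def inspect_sender(raw_message: str, expected_domain: str) -> dict:
    """Return the real From/Reply-To addresses plus a list of red flags.

    expected_domain is the domain the message claims to represent, for
    example 'example.com' for mail that says it comes from Example Bank.
    An empty flag list means 'nothing obvious', not 'safe'.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(reply_addr)
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    flags = []

    if from_domain != expected:
        flags.append(f"From domain {from_domain!r} is not {expected!r}")
        if brand in from_domain:
            # The brand is present but wrapped in a different domain.
            extra = [w for w in SUSPICIOUS_WORDS if w in from_domain]
            if extra:
                flags.append(f"domain adds words {extra} to the brand name")
    if from_domain in FREEMAIL_DOMAINS:
        flags.append("company mail sent from a free email provider")
    if reply_addr and reply_domain != from_domain:
        flags.append(f"Reply-To goes to {reply_domain!r}, not {from_domain!r}")
    if reply_domain in FREEMAIL_DOMAINS:
        flags.append("replies would go to a free email provider")
    if brand in from_name.lower() and brand not in from_domain:
        flags.append("display name mentions the brand but the address does not")
    return {
        "display_name": from_name,
        "from": from_addr,
        "reply_to": reply_addr,
        "flags": flags,
    }


if __name__ == "__main__":
    for flag in inspect_sender(SAMPLE_MESSAGE, "example.com")["flags"]:
        print("FLAG:", flag)
```

Run against the constructed sample, the script reports four flags: the From domain is not `example.com`, it adds "secure" and "billing" to the brand name, the Reply-To points elsewhere, and that elsewhere is a free email provider. A clean message from `alerts@example.com` with no Reply-To produces no flags, which still only means the next steps (looking at the "ask" and verifying from your side) remain necessary.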
Step 2: Look for the "ask"
The single most predictive question is: what is the email trying to get you to do?
- Sign in: highest risk. Treat login links as hostile.
- Pay: high risk. Scammers often push irreversible payment methods.
- Open an attachment: high risk if unexpected.
- Share personal info or codes: almost always malicious.
Step 3: Verify the claim from your side
- Open the official app (bank app, ecommerce app, password manager, email provider) and check for alerts there.
- Type the site address yourself or use a bookmark.
- Call a known number from the vendor's real website, not a number inside the email.
If you are shopping online and the email is about a payment issue, also verify the site itself before entering any details (see: how to detect fake websites and online stores).
Links: how to evaluate them without clicking
Attackers rely on you treating a button as truth. You can evaluate most links without opening them.
- On desktop, hover the link and read the real destination in the status bar.
- On mobile, long-press to preview the URL.
- Look for lookalike domains and odd subdomains (for example, "vendor.example.com.evil-domain.com").
- If the link is a URL shortener, treat it as a red flag and verify via official channels.
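The link checks above can be applied to a URL copied from a hover preview or long-press, without ever opening it. The checker below is an added example, not code from the original article: it splits the URL with Python's standard `urllib.parse`, works out which domain is actually registered (so that `vendor.example.com.evil-domain.com` resolves to `evil-domain.com`), and flags a brand used as a subdomain, extra words added to the brand, URL shorteners, raw IP hosts, and a `user@host` trick that puts the vendor name before an `@`. The vendor domain `example.com`, the shortener list, and the tiny public-suffix list are assumptions made for this illustration.

```python
"""Evaluate a link's real destination without visiting it (added example)."""
from urllib.parse import urlsplit

# Assumption: a real tool would use the full Public Suffix List; these few
# two-label suffixes are enough to show why the last two labels are not
# always the registered domain.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Assumed list of common URL shorteners (constructed for the example).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that an owner actually registers.

    'vendor.example.com.evil-domain.com' -> 'evil-domain.com'
    'www.shop.example.co.uk'             -> 'example.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def evaluate_link(url: str, expected_domain: str) -> dict:
    """Classify a link relative to the domain the email claims to represent.

    Returns the real host, its registrable domain, and human-readable red
    flags. An empty flag list means 'nothing obvious', not 'safe': verify
    through the official app or a typed address regardless.
    """
    flags = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if not host:
        return {"host": "", "domain": "", "flags": ["no hostname in link"]}

    domain = registrable_domain(host)
    expected = registrable_domain(expected_domain)

    if parts.scheme != "https":
        flags.append(f"not https (scheme is {parts.scheme or 'missing'})")
    if parts.username is not None:
        # 'https://vendor.example.com@evil.test/' shows the vendor name before
        # the '@', but the browser connects to what comes after it.
        flags.append("text before '@' hides the real host")
    if host.count(".") == 3 and all(p.isdigit() for p in host.split(".")):
        flags.append("raw IP address instead of a domain name")
    if domain in SHORTENERS:
        flags.append("URL shortener hides the destination")
    if domain != expected:
        if expected in host:
            # The brand appears as a subdomain of an unrelated domain.
            flags.append(f"brand name used as subdomain of {domain}")
        elif expected.split(".")[0] in domain:
            # Brand plus extra words, e.g. 'example-billing.test'.
            flags.append(f"lookalike domain {domain} (expected {expected})")
        else:
            flags.append(f"destination {domain} is not {expected}")
    return {"host": host, "domain": domain, "flags": flags}


if __name__ == "__main__":
    for link in (
        "https://www.example.com/account",
        "https://vendor.example.com.evil-domain.com/login",
        "https://example.com@198.51.100.7/",
        "https://bit.ly/abc",
    ):
        print(link, "->", evaluate_link(link, "example.com")["flags"])
```

The important design choice is that the comparison is made on the registrable domain, not on whether the brand name appears anywhere in the URL: the brand appearing is exactly what a lookalike link is built to achieve, so its presence on its own proves nothing.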
A common scam is an "invoice" or "subscription renewal" email with a link to cancel. The goal is to push you into a fake support flow and extract payment or remote access. If you did not request the invoice, ignore it and verify from the vendor's app instead.
Attachments: treat them like unknown software
Unexpected attachments are a delivery channel for malware and credential theft. That includes files that look harmless, such as PDFs or Office documents. The safe response is to confirm the document through a separate channel before opening it.
- If a coworker "sent a contract", confirm with them through chat or phone, not by replying to the email thread.
- If a vendor "sent an invoice", log into your known vendor portal directly to check whether it exists.
- If the email asks you to enable macros or "enable content", treat it as malicious.
If you already opened something and your device started behaving oddly, treat it as a possible device compromise (see: how to detect spyware).
The most common scam-email categories (and what to do)
Password resets and login alerts
Real alerts happen. Attackers abuse them by sending fake alerts and then capturing your login in a lookalike page.
- Do not click the link. Open the official app or type the site URL and sign in from there.
- If you see a real unexpected password reset request, change the password from a trusted device and enable 2FA.
Shipping problems and "package waiting" messages
These are designed to make you click on mobile. If you are expecting a shipment, use the carrier's app or the retailer's order page. Do not re-enter payment information from an email link.
Invoices and subscription renewals
The goal is often a fake support call. If the email includes a phone number to cancel, treat it as suspect. Verify by logging into the vendor's real account portal.
Employer impersonation (CEO fraud, payroll changes)
These often request gift cards, urgent wire transfers, or payroll direct-deposit changes. The defense is process: confirm changes in person or via a known internal channel.
Threats, legal language, and "law enforcement" notices
These are intimidation attacks. Do not engage through the email. Verify by contacting the real agency or company through official websites and phone numbers.
What to do if you already interacted
Response depends on what you did. Focus on the control plane first: email access, then major accounts, then devices.
If you clicked a link but did not enter anything
- Close the page. Do not enter information later "to be safe".
- Run a basic device check and update your browser and OS.
- Watch for follow-up messages. Attackers often escalate once they have a responsive target.
If you entered a password
- Change that password immediately on the real site, from a trusted device.
- If you reused that password anywhere else, rotate those accounts too. This is how a single click turns into multi-account takeover.
- Enable 2FA and review recent sessions and connected apps.
If you shared a one-time code
Assume the attacker logged in. Change the password, turn on 2FA if it was off, sign out other sessions, and review account recovery settings. Work through the containment flow in "Been hacked? What to do first".
If you sent money or payment details
Time matters. Contact your bank or card issuer immediately. If you paid a stranger or used an irreversible method (wire transfer, crypto, gift cards), focus on stopping further loss and preserving evidence.
How to report and reduce repeat targeting
- Mark the message as phishing or spam in your email client so filters improve.
- If the email impersonates your employer, tell your IT or security team.
- If it impersonates a bank or marketplace, report it through that vendor's official abuse channels.
Scam resistance is a workflow, not a personality trait. You do not need to be skeptical all day. You need one reliable routine that you follow whenever a message asks for authentication, money, or secrecy.
When you verify through official channels, you take away the attacker's main advantage: they no longer control the context you are responding to.
If you keep one rule, keep the one that prevents the most account takeovers: authenticate only through your own navigation, not through message links.
