
Common Email Attacks

Real-world attack types, how they work, and how to defend against them

Email Attacks by the Numbers

  • 96% of cyberattacks start with email
  • $2.9B lost to BEC attacks in 2023
  • 3.4B phishing emails sent daily

Business Email Compromise (BEC) / CEO Fraud

Attackers impersonate executives or vendors to request fraudulent wire transfers or sensitive data.

CRITICAL SEVERITY | Very Common | Avg Loss: $120,000 per incident

How This Attack Works:

  1. Attacker researches company hierarchy on LinkedIn
  2. Creates email address similar to CEO/CFO (ceo@comp-any.com vs ceo@company.com)
  3. Emails finance team requesting 'urgent' wire transfer
  4. Often targets employees who can authorize payments
  5. May compromise real executive email account first

Real-World Example:

From: CEO John Smith <ceo@c0mpany.com>
Subject: URGENT: Confidential Wire Transfer Needed
I'm in a meeting and can't talk. We need to wire $85,000 to complete an acquisition today. I'll send you the wire details in a separate email. Keep this confidential - the board doesn't know yet. Thanks, John
🚩 Red Flags in This Email:
  • Domain uses zero '0' instead of letter 'O'
  • Unusual urgency and secrecy
  • Request to bypass normal procedures
  • CEO wouldn't personally handle wire transfers
  • Pressure to act fast without verification

How to Defend Against This Attack:

  • ALWAYS verify payment requests via phone using known number
  • Implement dual-approval for wire transfers
  • Use code words for verbal verification
  • Train finance team to recognize social engineering
  • Flag external emails claiming to be from executives
Industry Data: BEC attacks cost businesses $2.9 billion in 2023 (FBI IC3)
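
One way to implement the "flag external emails claiming to be from executives" control at a mail gateway, as an added example that is not part of the original page. The executive roster, the internal domain and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"company.com"}           # assumption: the organisation's own domain
EXECUTIVES = {"john smith", "dana lee"}      # constructed executive roster
TITLES = {"ceo", "cfo", "coo", "cto", "president", "chair", "board"}

def normalise_name(display):
    """Lower-case, drop titles and punctuation, and undo 'Last, First' ordering."""
    if "," in display:
        last, _, first = display.partition(",")
        display = f"{first} {last}"
    words = re.findall(r"[a-z]+", display.lower())
    return " ".join(w for w in words if w not in TITLES)

def check_executive_claim(raw_message):
    """Return a warning if an external sender uses an executive's name, else None."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS:
        return None      # internal mail: a compromised real account needs other controls
    name = normalise_name(display)
    if name in EXECUTIVES:
        return f"EXTERNAL sender {addr} uses executive name '{name}'"
    return None

# Constructed sample, based on the example email above.
SAMPLE = (
    "From: CEO John Smith <ceo@c0mpany.com>\n"
    "Subject: URGENT: Confidential Wire Transfer Needed\n"
    "\n"
    "I'm in a meeting and can't talk.\n"
)

if __name__ == "__main__":
    print(check_executive_claim(SAMPLE))
```

The check keys on the display name rather than the address, so it still fires when the sending domain bears no resemblance to the real one.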

Credential Harvesting / Phishing

Fake login pages designed to steal usernames and passwords.

HIGH SEVERITY | Extremely Common | Avg Loss: $1,000-$50,000

How This Attack Works:

  1. Email claims your account needs verification
  2. Provides link to fake login page
  3. Fake page looks identical to real service
  4. User enters credentials, which are sent to attacker
  5. Attacker immediately logs into real account

Real-World Example:

From: Microsoft Account Team <security@microsoft-services.com>
Subject: Unusual sign-in activity detected
We detected unusual activity on your Microsoft account from IP 103.45.67.89 (Russia). If this wasn't you, secure your account immediately: [Click Here to Verify Account]
🚩 Red Flags in This Email:
  • Domain is microsoft-services.com (not microsoft.com)
  • Generic greeting (no name)
  • Creates urgency with security threat
  • Link goes to microsof1-login.tk (not microsoft.com)
  • Real Microsoft would say 'Sign in to review' not 'click here'

How to Defend Against This Attack:

  • NEVER click links in unexpected security emails
  • Type known URLs directly into browser
  • Check URL carefully before entering password
  • Enable 2FA - makes stolen passwords useless
  • Use password manager - won't autofill on fake sites
Industry Data: 83% of organizations experienced phishing attacks in 2023

Spear Phishing

Highly targeted phishing using personal information about the victim.

HIGH SEVERITY | Common | Avg Loss: $25,000-$100,000

How This Attack Works:

  1. Attacker researches victim on social media
  2. Learns about projects, colleagues, vendors
  3. Crafts personalized email referencing real information
  4. Much more convincing than generic phishing
  5. Often targets specific employees with access to valuable data

Real-World Example:

From: Sarah Chen <sarah.chen@acme-vendor.com>
Subject: Re: Q4 Marketing Budget - Updated Proposal
Hi Tom, Following up on our call yesterday about the Q4 campaign. I've updated the proposal based on your feedback about the YouTube budget. Can you review the attached PDF? We need approval by Friday to lock in the rates. Thanks, Sarah
🚩 Red Flags in This Email:
  • You don't remember a call with Sarah yesterday
  • Domain is acme-vendor.com (real vendor is acmevendor.com)
  • References real project to seem legitimate
  • Attachment could contain malware
  • Artificial deadline creates pressure

How to Defend Against This Attack:

  • Verify requests via separate communication channel
  • Be suspicious of unexpected attachments referencing real projects
  • Check sender's email address carefully, not just display name
  • Question requests that bypass normal procedures
  • Educate employees about social engineering tactics
Industry Data: Spear phishing is 3x more likely to succeed than generic phishing

Whaling (Executive Targeting)

Spear phishing specifically targeting C-level executives and high-value individuals.

CRITICAL SEVERITY | Uncommon | Avg Loss: $500,000+ per incident

How This Attack Works:

  1. Attackers target CEOs, CFOs, board members
  2. Research executives' business deals, travel, contacts
  3. Craft highly sophisticated, personalized attacks
  4. May impersonate board members, lawyers, business partners
  5. Focus on high-value targets with access to finances or sensitive data

Real-World Example:

From: Robert Patterson, Board Chair <r.patterson@boardmail.net>
Subject: CONFIDENTIAL: Board Resolution - Action Required
The board has approved the acquisition we discussed. Legal needs you to review and sign the attached NDA before Monday's call. This is time-sensitive and confidential. Call me if any issues. -Robert
🚩 Red Flags in This Email:
  • Domain doesn't match company's usual board communications
  • Creates urgency with tight deadline
  • Requests signing documents without normal legal review
  • References confidential deal to discourage verification
  • Attachment could be malicious PDF

How to Defend Against This Attack:

  • Executives should receive specialized security awareness training
  • Implement strict verification for high-value transactions
  • Use secure channels for sensitive communications
  • Monitor executive email accounts for compromise indicators
  • Limit publicly available information about executives
Industry Data: Whaling attacks targeting executives increased 400% in 2023

Ransomware Email Delivery

Malicious attachments or links that install ransomware, encrypting all company data.

CRITICAL SEVERITY | Common | Avg Loss: $1.85 million (downtime + ransom)

How This Attack Works:

  1. Email contains infected attachment (Office doc, ZIP, PDF)
  2. Or link to website that downloads ransomware
  3. Document requests 'Enable Macros' to run malicious code
  4. Ransomware encrypts all accessible files
  5. Demands bitcoin payment for decryption key

Real-World Example:

From: FedEx Delivery <delivery@fedex-tracking.com>
Subject: Package Delivery Failed - Action Required
Your package could not be delivered to 123 Main St. Please review the attached delivery notice for pickup instructions. You have 3 days to collect your package. Tracking: FX8834729103
🚩 Red Flags in This Email:
  • Unexpected package - you didn't order anything
  • Domain is fedex-tracking.com (real is fedex.com)
  • Attachment 'delivery_notice.docx' contains malicious macros
  • Generic address (may not even be yours)
  • Creates urgency with 3-day deadline

How to Defend Against This Attack:

  • NEVER open unexpected attachments
  • NEVER enable macros in documents from email
  • Keep offline backups of critical data
  • Use anti-malware that scans attachments
  • Train employees to recognize fake delivery notices
  • Maintain updated backups (3-2-1 rule)
Industry Data: 68% of ransomware infections start with a phishing email
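
Several red flags in the BEC, phishing, spear phishing and delivery-notice examples above come down to a sender or link domain that imitates a real one (c0mpany.com, comp-any.com, microsoft-services.com, microsof1-login.tk, acme-vendor.com, fedex-tracking.com). The following added example, which is not part of the original page, automates that check. The allow-list, the small confusables table and the function names are assumptions.

```python
from email.utils import parseaddr

# Assumption: the organisation keeps its own allow-list of genuine domains.
TRUSTED = {"company.com", "microsoft.com", "acmevendor.com", "fedex.com"}
# Small constructed confusables table; hyphens are dropped before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def label(domain):
    """Naive registrable label: second-to-last DNS label (ignores co.uk-style TLDs)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def within_one_edit(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if len(a) > len(b):
        a, b = b, a
    if len(b) - len(a) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if len(a) < len(b):
                j += 1                      # skip the extra character in the longer string
                continue
        i += 1
        j += 1
    return edits + (len(b) - j) <= 1

def classify_domain(domain):
    """Return (verdict, trusted domain being imitated or None)."""
    domain = domain.lower()
    if domain in TRUSTED:
        return ("trusted", domain)
    lab = label(domain)
    tokens = lab.split("-")
    for good in sorted(TRUSTED):
        brand = label(good)
        if lab.translate(CONFUSABLES) == brand:
            return ("lookalike", good)          # c0mpany, comp-any, acme-vendor
        if brand in tokens:
            return ("brand-in-domain", good)    # microsoft-services, fedex-tracking
        if any(len(t) > 3 and within_one_edit(t, brand) for t in tokens):
            return ("lookalike", good)          # microsof1-login
    return ("unknown", None)

def classify_sender(from_header):
    """Classify the domain of the address in a From: header value."""
    return classify_domain(parseaddr(from_header)[1].rpartition("@")[2])
```

An "unknown" verdict only means the domain does not imitate anything on the allow-list; it is not a statement that the sender is safe.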

Invoice/Payment Fraud

Fake invoices or requests to change payment account details for real vendors.

HIGH SEVERITY | Very Common | Avg Loss: $50,000

How This Attack Works:

  1. Attacker impersonates real vendor
  2. Sends invoice for plausible services
  3. Or requests 'updated' payment routing information
  4. Company pays fake invoice to attacker's account
  5. Real vendor never receives payment

Real-World Example:

From: Accounts Receivable <ar@office-supplies-pro.com>
Subject: URGENT: Updated Payment Information
Dear Valued Customer, Due to a recent banking merger, we've changed our payment routing details. Please update your records: Bank: First National Bank Account: 9847362910 Routing: 021000021 All future payments should use these details. Contact us with questions. Office Supplies Pro
🚩 Red Flags in This Email:
  • Real vendor would call about banking changes, not just email
  • Creates urgency to bypass verification
  • Generic 'Dear Customer' (real vendor knows your name)
  • Domain might be slightly different from real vendor
  • No reference to specific invoices or account numbers

How to Defend Against This Attack:

  • ALWAYS verify banking changes via phone using known number
  • Call vendor directly before changing payment details
  • Verify invoices match expected services/amounts
  • Implement approval workflow for vendor changes
  • Reconcile payments with vendors regularly
Industry Data: Invoice fraud is the 2nd most common BEC attack type

Account Takeover (ATO)

Attacker gains access to legitimate email account to send convincing phishing from trusted address.

CRITICAL SEVERITY | Common | Avg Loss: Varies widely

How This Attack Works:

  1. Attacker steals credentials via phishing or data breach
  2. Logs into victim's real email account
  3. Uses compromised account to send phishing to contacts
  4. Emails come from trusted sender, bypassing suspicion
  5. May set up forwarding rules to hide activity

Real-World Example:

From: Your Coworker Mike <mike.johnson@yourcompany.com>
Subject: Check out this document
Hey, Can you review this document when you get a chance? [Google Docs Link] Let me know your thoughts. Thanks!
🚩 Red Flags in This Email:
  • Mike's account was actually compromised
  • This IS from real mike.johnson@yourcompany.com
  • Short, generic message unlike Mike's usual style
  • Unexpected link with no context
  • Link goes to credential harvesting page
  • Mike didn't actually send this

How to Defend Against This Attack:

  • Enable 2FA on all email accounts - prevents most ATO
  • Monitor for unusual account activity (login locations, times)
  • Check for unauthorized forwarding rules periodically
  • If account seems compromised, change password immediately
  • Alert IT security team if you suspect compromise
Industry Data: Account takeover enables 35% of successful BEC attacks
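
The periodic forwarding-rule check recommended above can be scripted against an export of mailbox rules. This is an added example, not part of the original page: the rule field names are hypothetical rather than any vendor's schema, and the check for rules that delete or bury mail goes one step beyond the forwarding case the page describes.

```python
INTERNAL_DOMAINS = {"yourcompany.com"}   # assumption: the organisation's own mail domain
# Folders users rarely open; moving mail there keeps replies out of sight.
QUIET_FOLDERS = {"rss feeds", "deleted items", "junk email", "conversation history"}

def audit_rule(rule):
    """Return a list of findings for one inbox rule (empty list: nothing flagged)."""
    findings = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = sorted(a for a in targets
                      if a.rpartition("@")[2].lower() not in INTERNAL_DOMAINS)
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    hidden = (rule.get("delete", False)
              or (rule.get("move_to") or "").lower() in QUIET_FOLDERS)
    if hidden and (external or rule.get("mark_read", False)):
        findings.append("hides matching mail from the mailbox owner")
    return findings

def audit_mailboxes(rules):
    """Map 'mailbox / rule name' to its findings, skipping rules with none."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[f"{rule['mailbox']} / {rule['name']}"] = findings
    return report

# Constructed rule export. Field names are hypothetical, not a vendor schema.
RULES = [
    {"mailbox": "mike.johnson@yourcompany.com", "name": ".",
     "forward_to": ["mj.archive@mailbox.example"], "delete": True},
    {"mailbox": "mike.johnson@yourcompany.com", "name": "Team newsletters",
     "move_to": "Newsletters"},
    {"mailbox": "tom@yourcompany.com", "name": "Send to assistant",
     "forward_to": ["assistant@yourcompany.com"]},
    {"mailbox": "tom@yourcompany.com", "name": "cleanup",
     "move_to": "RSS Feeds", "mark_read": True},
]

if __name__ == "__main__":
    for key, findings in audit_mailboxes(RULES).items():
        print(key, "->", "; ".join(findings))
```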

Universal Defense Principles

These practices protect against ALL email attack types:

Critical Controls:

  • Enable 2FA on all accounts
  • Verify ALL unexpected requests via separate channel
  • Never click links/attachments without verification
  • Implement approval workflows for payments

Key Mindsets:

  • Question urgency - it's the #1 manipulation tactic
  • Trust your instincts - if it feels wrong, verify
  • No legitimate company demands immediate action
  • When in doubt, use PhishCheck for analysis
