5 Common Phishing Emails
Published on: 14 Feb 2023
Last modified on: 11 Nov 2025

Phishing—whether via email, text messages (SMShing), social media, or phone calls (Vishing)—is now a daily threat for organisations. Among all forms, phishing emails remain the most common and damaging type of cyberattack.
Understanding the tactics used in phishing emails and training employees to recognise threats is crucial for reducing cyber risk.
What Are Phishing Emails?
Phishing emails are fraudulent messages sent by cybercriminals pretending to be legitimate organisations. Their goal is to trick recipients into revealing sensitive information, clicking malicious links, or downloading malware.
In the first quarter of 2025, the APWG Phishing Activity Trends Report recorded over 1 million phishing attacks, the highest quarterly total since late 2023. Attackers are increasingly using QR codes in emails to redirect victims to phishing sites.
Most targeted sectors:
- Financial sector (payment, banking, and cryptocurrency): 30.9% of attacks
- SaaS/Webmail: 18%
- Wire transfer BEC attacks: up 33% from the previous quarter
Below are the five most common phishing email scams and practical strategies to prevent them.
1. Fake Invoice Scam
Fraudsters often send emails containing fake invoices, hoping employees will pay them or provide sensitive information.
Examples of fake invoices include:
- Billing for antivirus or security products
- Overdue invoices from fake suppliers
- Domain expiry notifications warning of service suspension
- Charity or fundraiser invoices offering ad placements
- Sophisticated Business Email Compromise (BEC) attacks
How to Avoid Fake Invoice Scams:
- Use role-based phishing simulations for staff in finance or accounts payable.
- Train employees to recognise urgent, threatening language in invoices.
- Tailor campaigns to reflect real-life departmental challenges.
2. Fake Technical Support Emails
Scammers often impersonate internal technical support to create urgency and manipulate behaviour. These emails typically demand an immediate login or other action, with the aim of gaining access to personal information or company systems.
How to Avoid Fake Technical Support Emails:
- Implement general security awareness training for all employees.
- Educate staff on manipulation tactics, including urgency and threats of discipline.
- Use simulated phishing exercises that mimic internal department communications.
3. Tax Scams
Tax-related phishing emails often promise refunds but are fraudulent. HMRC states that it will never email notifications about rebates or refunds. Scammers often replicate HMRC branding and send links to fake login pages, sometimes embedding malware.
How to Avoid Tax Scams:
- Include tax scams in simulated phishing exercises for all staff.
- Focus additional training on finance department personnel, especially during tax season.
- Ensure employees know never to click links in unsolicited tax emails.
4. Email Account Problem Phishing
Cybercriminals frequently spoof Microsoft, Google, LinkedIn, DHL, and FedEx to send urgent messages claiming account issues. These emails often contain malicious links that harvest login credentials.
How to Avoid Account Problem Phishing Emails:
- Train employees to be wary of branded emails using urgency tactics.
- Incorporate simulated phishing exercises highlighting well-known brand impersonation.
- Reinforce verification procedures for unexpected account-related messages.
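The cues described in the last three sections (a trusted brand in the display name, urgency language, and links that lead somewhere other than where they appear to) can be checked mechanically before a message ever reaches an employee. The script below is an added example written for this page, not MetaCompliance's code or part of its platform. It assumes a small allow-list of brand domains and a short list of urgency phrases (both constructed for the example) and runs over two constructed messages: one mimicking a spoofed Microsoft account warning and one benign message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands named above as commonly spoofed, each mapped to the domain legitimate mail
# is expected from. This allow-list is an assumption for the example; extend it with
# the senders your organisation actually receives.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
    "linkedin": {"linkedin.com"},
    "dhl": {"dhl.com"},
    "fedex": {"fedex.com"},
}

# Urgency phrases of the kind the sections above warn about (constructed list).
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "verify your account", "urgent")

# Something that looks like a domain inside the visible text of a link.
DOMAIN_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain reduction (last two labels); adequate for the sample data."""
    labels = (host or "").lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _html_body(msg):
    """Return the first text/html part decoded to str, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyse(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name claims a well-known brand, but the sender domain is not that brand's.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(f"display name '{display}' claims {brand} but sender domain is {sender_domain}")

    # 2. Link text shows one domain while the href points at another.
    html = _html_body(msg)
    extractor = _LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        href_domain = registered_domain(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(text)
        if shown and href_domain and registered_domain(shown.group(1)) != href_domain:
            findings.append(f"link text shows {shown.group(1)} but points to {href_domain}")

    # 3. Urgency language in the subject or the tag-stripped body.
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail). The first mimics a spoofed account warning.
SAMPLE_PHISH = """From: Microsoft Account Team <security@mail-verify.example>
To: alice@example.org
Subject: Action required: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Unusual sign-in activity was detected. Verify your account
immediately or it will be suspended.</p>
<p><a href="https://login-check.example/verify">https://account.microsoft.com/verify</a></p>
</body></html>
"""

SAMPLE_BENIGN = """From: Microsoft account team <noreply@microsoft.com>
To: alice@example.org
Subject: Your monthly summary
Content-Type: text/html; charset=utf-8

<html><body><p>Here is your monthly sign-in summary.</p>
<p><a href="https://account.microsoft.com/activity">account.microsoft.com/activity</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, analyse(sample) or ["no findings"])
```

The three checks are deliberately independent so that a message can be scored on how many fire: a brand name in the display name is common in legitimate mail, but combined with a foreign sender domain and a mismatched link it is a strong signal. The registrable-domain reduction here is naive (it does not know about multi-label suffixes such as `co.uk`); a production filter would use a public-suffix list.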
5. Google Docs and GSuite Scams
Scammers exploit collaboration platforms like Google Docs. A fraudulent comment that @-mentions a user triggers a genuine notification email from Google, so the malicious link placed in the comment arrives from a legitimate sender.
How to Avoid GSuite Comment Scams:
- Use security awareness training that covers cloud-based collaboration tools.
- Ensure policies specify who can share and comment on company documents.
- Keep staff updated with the latest phishing intelligence and simulated exercises.
Key Takeaways for Phishing Prevention
- Phishing attacks are increasingly sophisticated and target all employees.
- Role-based training and simulated phishing exercises are essential.
- Continuous security awareness programmes reduce risk.
- Employees must understand human behaviour manipulation tactics.
- Cybersecurity education should be updated regularly to reflect evolving scams.
Phishing attacks are constantly evolving, making employee awareness and proactive training more important than ever. To strengthen your organisation’s defences, explore MetaCompliance’s Human Risk Management platform. Our platform provides role-based security awareness training, simulated phishing exercises, and real-time reporting to help reduce human risk across your organisation. Empower your teams to recognise threats, protect sensitive data, and create a culture of cybersecurity vigilance.
FAQs on Phishing Emails
Which industry is most targeted by phishing emails?
The financial sector (banking, payments, and crypto) is among the most targeted, followed by SaaS and webmail services.
How can employees spot a phishing email?
Look for urgent requests, suspicious links, unknown or mismatched senders, and branding inconsistencies.
Are all phishing attacks sent by email?
No. Phishing also occurs via SMS (SMShing), social media, and phone calls (Vishing).
Can phishing emails be prevented entirely?
No, but training, awareness, and strong security policies significantly reduce the likelihood of successful attacks.