20 Real Phishing Email Examples in 2026

IsThisAScam Research Team · April 1, 2026 · 6 min read

Our abuse inbox receives over 10,000 phishing samples per week. Most follow the same dozen templates — once you recognize them, you become nearly immune. Below are 20 real examples submitted by users in 2026, lightly redacted, with annotations explaining exactly what makes each one dangerous.

1. The Microsoft 365 "Password Expiry"

Subject: Action Required — Your password expires in 24 hours
From: security-noreply@micros0ft-365.com
"Dear user, your Microsoft 365 password will expire on April 2, 2026. Click below to keep your current password. [Update Password]"

The domain swaps an "o" for a zero. Microsoft never emails you about password expiry from that domain. The 24-hour deadline manufactures urgency to override critical thinking.

2. The Fake Shipping Notification

Subject: Your package could not be delivered — action needed
From: delivery-notice@ups-tracking-alert.com
"We attempted delivery of your parcel (tracking #1Z8R4V200349721865) but no one was available. Schedule redelivery here."

UPS sends tracking emails from @ups.com only. The domain ups-tracking-alert.com is attacker-controlled. The tracking number is formatted correctly — scammers copy real formats to look authentic.

3. The PayPal "Unusual Activity" Alert

Subject: We noticed unusual activity on your account
From: service@paypal.com.secure-review.net
"Someone tried to log in from an unrecognized device in Lagos, Nigeria. If this wasn't you, verify your identity immediately."

The "from" address looks like PayPal at first glance, but the "paypal.com" at the start is only a subdomain label; the registered domain is secure-review.net. Always read email domains right to left.

4. The CEO Wire Transfer

Subject: Urgent — Confidential
From: ceo.name@company-mail.co
"I need you to process a wire transfer for $47,500 to the vendor below. This is time-sensitive. Please handle before end of day and confirm when done. Don't mention this to anyone else — the deal is under NDA."

Classic business email compromise. The "confidential" framing isolates the victim from colleagues who would raise questions. Legitimate CEOs don't ask you to bypass standard payment processes over email.

5. The Apple ID Suspension

Subject: Your Apple ID has been suspended
"Due to a recent billing issue, your Apple ID has been temporarily suspended. Update your payment method within 48 hours to avoid permanent data loss."

Apple does not threaten permanent data loss over billing issues. The link redirects through three domains before landing on a credential-harvesting page that mirrors apple.com pixel-for-pixel.

6. The DocuSign Trap

Subject: Document Ready for Signature
From: dse@docusign.net
"John Smith sent you a document to review and sign. Review Document."

DocuSign is so widely used that its branding is weaponized daily. This version uses docusign.net instead of docusign.com. The "Review Document" button leads to a phishing page that requests your email password.

7. The Netflix Payment Failed

Subject: We're having trouble with your current billing information
"Your membership will be cancelled on April 5, 2026 unless you update your payment details. [Update Account Now]"

Netflix phishing is perennial because nearly everyone has an account. The fear of losing watchlists and profiles drives clicks. Netflix will never ask for payment details via email link.

8. The HR Benefits Update

Subject: Open Enrollment 2026 — Immediate Action Required
From: hr-benefits@company-portal.org
"Your benefits elections for 2026 have not been finalized. Log in to the employee portal to confirm your selections before midnight Friday."

Internal-looking phishing that targets employees. The domain company-portal.org is not your actual HR system. Attackers scrape company details from LinkedIn to craft believable messages.

9. The Tax Refund

Subject: Your IRS tax refund of $3,847.00 is pending
From: refunds@irs-gov-returns.com
"You are eligible for a tax refund. Submit your information to receive your payment within 5-7 business days."

The IRS does not initiate contact by email about refunds. They use postal mail exclusively for refund notifications. The domain irs-gov-returns.com is unrelated to irs.gov.

10. The Google Drive Shared Document

Subject: Important — Shared document
"user4829@gmail.com has shared a file with you: Q1_Financial_Report.pdf. Open in Google Drive."

The shared document link redirects to a convincing Google login clone. Since Google Drive sharing is a normal workflow, people click without hesitation. Check the sender — random Gmail addresses sharing "financial reports" are red flags.

11. The LinkedIn Job Offer

Subject: Exciting opportunity at your experience level
"Hi, I came across your profile and think you'd be perfect for a Senior Product Manager role at a Fortune 500 company. Salary: $195K-$240K. Apply here."

Job phishing preys on ambition. The "apply" link collects personal information — name, address, SSN — under the guise of a background check. Legitimate recruiters don't ask for SSNs before an interview.

12. The Zoom Meeting Invite

Subject: You have been invited to a Zoom meeting
"Topic: Quarterly Performance Review. Date: April 3, 2026. Join Meeting: [link]"

The link doesn't go to zoom.us. It leads to a lookalike page that asks you to "download the latest Zoom client" — which is actually malware. Always verify meeting links come from zoom.us directly.

13. The Bank Account Verification

Subject: Verify your account to avoid suspension
From: alerts@chase-secure-banking.com
"We detected suspicious activity on your Chase account ending in 4821. Verify your identity now to prevent account suspension."

Chase sends alerts from @chase.com only. The fake domain and the partial account number (easily guessed or harvested from breaches) create false credibility.

14. The Amazon Order Confirmation

Subject: Order Confirmed — $849.99 MacBook Pro
"Your order for Apple MacBook Pro has shipped. If you did not make this purchase, click here to dispute and request a refund."

You panic because you didn't order an $849 laptop. The "dispute" link captures your Amazon credentials. This works because fear of unauthorized charges overrides caution.

15. The Cryptocurrency Airdrop

Subject: You've received 0.75 ETH — claim before it expires
"As part of our 2026 community airdrop, your wallet has been allocated 0.75 ETH. Connect your wallet to claim."

The "connect wallet" prompt is a drainer contract that empties your wallet the moment you approve. Legitimate airdrops never require wallet connection through random emails.

16. The Voicemail Notification

Subject: New voicemail from +1 (202) 555-0147
"You have 1 new voicemail message (00:47). Listen to voicemail."

The "listen" link downloads an HTML file that opens a fake Microsoft login page. Voicemail phishing is effective because it triggers curiosity about who called.

17. The Cloud Storage Full Alert

Subject: Your Google storage is 97% full
"You're running out of space. Files will stop syncing on April 8, 2026. Upgrade your plan or free up space now."

This mirrors Google's actual storage warnings. The "upgrade" link captures payment card details. Google sends these from no-reply@google.com — check the actual sender address.

18. The Instagram Copyright Warning

Subject: Your account will be permanently disabled
"We've received a copyright infringement report regarding content on your account. If you believe this is a mistake, submit an appeal within 24 hours."

Instagram copyright phishing targets creators and businesses who depend on their accounts for income. The appeal form harvests Instagram credentials and personal information.

19. The Fake Invoice

Subject: Invoice #INV-2026-04887 — Due April 5
"Please find attached your invoice for $2,340.00 for consulting services rendered. Payment is due within 5 business days."

The attachment is a PDF containing a malicious link, or worse, an executable disguised as a PDF. Businesses receive so many invoices that one more rarely triggers suspicion.

20. The Multi-Factor Authentication Bypass

Subject: Confirm your identity
"We noticed a sign-in attempt from a new device. Enter the 6-digit code sent to your phone to confirm this was you: [Enter Code]"

This real-time phishing intercepts MFA codes. As you type the code into the fake page, the attacker enters it into the real site simultaneously. Adversary-in-the-middle phishing kits like EvilProxy have made this attack scalable.

How to Spot Any Phishing Email

Check the sender domain. Read it right to left. paypal.com.evil.com belongs to evil.com, not PayPal.

Hover before clicking. On desktop, hover over any link to see where it actually goes. On mobile, long-press the link.

Question urgency. "Act now or lose your account" is manipulation. Real companies give you days or weeks, not hours.

Go direct. Instead of clicking any link, open a new browser tab and navigate to the official website manually.

Use verification tools. Paste suspicious emails into IsThisAScam for instant analysis of sender reputation, link destinations, and known phishing patterns.
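
The right-to-left sender-domain check from the first tip, as an added example (not IsThisAScam's own code), run over sender addresses quoted in this article. The `BRANDS` allow-list and the helper names are hypothetical, and the last two labels are assumed to be the registered domain; production code should consult the Public Suffix List instead.

```python
import re
from email.utils import parseaddr

# Hypothetical allow-list: brand keyword -> domains that brand really sends from.
BRANDS = {
    "microsoft": {"microsoft.com"},
    "ups": {"ups.com"},
    "paypal": {"paypal.com"},
    "chase": {"chase.com"},
    "irs": {"irs.gov"},
}
# Digits commonly swapped in for letters, as in "micros0ft".
LOOKALIKES = str.maketrans("0135", "oles")

def registrable_domain(host):
    """Read right to left and keep the last two labels (assumption: no
    multi-label public suffix such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def tokens(name):
    """Split a host name on dots and hyphens so 'ups' does not match 'groups'."""
    return set(re.split(r"[.-]", name))

def check_sender(from_header):
    """Return (registered domain, findings) for a From header value."""
    host = parseaddr(from_header)[1].rpartition("@")[2].lower()
    reg = registrable_domain(host)
    if any(reg in legit for legit in BRANDS.values()):
        return reg, []  # the registered domain itself belongs to a known brand
    findings = []
    for brand in BRANDS:
        if brand in tokens(host):
            where = "registrable domain" if brand in tokens(reg) else "subdomain only"
            findings.append(f"{brand} named in {where}")
        elif brand in tokens(host.translate(LOOKALIKES)):
            findings.append(f"{brand} spelled with lookalike characters")
    return reg, findings

# Sender addresses quoted in the examples above, plus one legitimate control.
SAMPLES = [
    "security-noreply@micros0ft-365.com",
    "delivery-notice@ups-tracking-alert.com",
    "PayPal <service@paypal.com.secure-review.net>",
    "alerts@chase.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_sender(sample))
```

A sender that produces no findings is not thereby trustworthy: the check only catches domains that borrow a listed brand name, and it says nothing about spoofed or compromised legitimate senders.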
