Phishing remains the number one method cybercriminals use to attack businesses. Over 90% of successful cyber attacks start with a phishing email. And despite all the technological defences available, phishing works because it targets the weakest link in any security chain: people.
The good news? Phishing emails follow predictable patterns. Once you and your team know what to look for, you can spot most attempts before any damage is done.
In this article we walk through 7 real-world phishing examples, explain how to recognise them and share practical measures to protect your organisation.
What is phishing?
Phishing is a form of social engineering where attackers pose as a trusted party – a bank, a colleague, a supplier – to trick you into:
- Clicking a malicious link
- Entering login credentials on a fake website
- Opening an infected attachment
- Transferring money to a fraudulent account
- Sharing sensitive information
Phishing can arrive via email, SMS (smishing), phone calls (vishing), or even QR codes (quishing). The common thread is always deception and urgency.
Example 1: The fake Microsoft 365 login
How it works
You receive an email that appears to come from Microsoft or your IT department. The message warns about a security issue, an expiring password or a document someone shared with you. There's a prominent button: "Sign in to view" or "Update your password now."
The link leads to a page that looks exactly like the Microsoft 365 login page – same logo, same layout, same colours. But the URL is slightly different: instead of "login.microsoftonline.com", it might be "login-microsoftonline.com" or "microsoft365-login.net".
How to recognise it
- Check the sender address – Hover over the sender name. Is it actually from @microsoft.com or from a random domain?
- Check the URL before clicking – Hover over the button. Does the URL point to a genuine Microsoft domain?
- Look for urgency – "Your account will be suspended in 24 hours" is a classic pressure tactic
- Grammar and formatting – Attackers' writing is improving, but many phishing emails still contain subtle errors
- You didn't expect it – Were you actually expecting a shared document or security alert?
Why it's dangerous
This is the most common phishing type because Microsoft 365 is used by millions of businesses. A stolen Microsoft 365 account gives attackers access to email, files, Teams conversations and often the entire company network.
Protection tip: Enable multi-factor authentication (MFA) on all Microsoft 365 accounts. Even if credentials are stolen, the attacker can't access the account without the second factor.
Example 2: CEO fraud (Business Email Compromise)
How it works
You receive an email that appears to come from your director, CEO or another senior manager. The message is personal and urgent:
*"Hi Sarah, I need you to process a payment urgently. I'm in a meeting and can't call. Please transfer €14,750 to account NL91ABNA0417164300 (supplier invoice, urgent). I'll send the details later. Thanks, David."*
The email address may be spoofed (made to look exactly like the real address) or use a near-identical domain (david@virtualcomputing.nl vs david@virtual-computing.nl).
How to recognise it
- Unusual request – Does your CEO normally ask for urgent payments via email?
- Can't be reached – The attacker always has a reason why you can't call to verify: "in a meeting," "on a flight," "phone is broken"
- Pressure to act quickly – "Must be done today" or "confidential, don't discuss with others"
- Different from normal process – Most organisations have approval procedures for payments
- Slightly off email address – Look very carefully at the sender domain
Why it's dangerous
CEO fraud is highly effective because employees naturally want to comply with requests from leadership. The amounts involved are often significant – €10,000 to €100,000+ per incident. Once the money is transferred, it's nearly impossible to recover.
Protection tip: Establish a verification policy: any payment request above a certain threshold requires phone verification with the requester – no exceptions.
Example 3: Package delivery notification
How it works
You receive an email or SMS claiming to be from PostNL, DHL, UPS or another courier. The message states that a package couldn't be delivered and you need to click a link to reschedule delivery or pay a small shipping fee.
*"Your parcel could not be delivered. Click here to reschedule delivery: [link]. If no action is taken within 48 hours, the parcel will be returned."*
How to recognise it
- Were you expecting a package? – If not, be suspicious immediately
- Generic greeting – Real courier notifications include your name and tracking number
- Payment request – Legitimate couriers don't ask for payment via email links
- Urgency – "48 hours" or "today only" are pressure tactics
- Link destination – The URL won't be postnl.nl or dhl.com but something unrelated
Why it's dangerous
In an office environment, someone is always expecting a delivery. These emails are designed to catch the one person who thinks "oh, that must be my order." The link typically leads to a credential-harvesting page or triggers a malware download.
Protection tip: Always go directly to the courier's website and enter your tracking number there. Never click links in delivery notifications.
Example 4: Invoice phishing
How it works
You receive an email with an attached "invoice" – usually a PDF, Word document or Excel file. The email appears to come from a known supplier or uses a generic message like:
*"Please find attached invoice #INV-2024-3847 for services rendered. Payment is due within 14 days. If you have any questions, please don't hesitate to contact us."*
The attachment contains a macro or script that, when opened, downloads malware onto your computer.
How to recognise it
- Unexpected invoice – Do you actually have a relationship with this supplier?
- Generic content – No specific reference to your company, project or purchase order
- Attachment type – Invoices should be PDF. Be very suspicious of .docm, .xlsm or .zip files
- "Enable macros" prompt – If a document asks you to enable macros or content, close it immediately
- Sender address – Does it match the supplier's actual domain?
Why it's dangerous
Invoice emails bypass suspicion because finance departments receive dozens of them daily. One click on a malicious attachment can compromise the entire network. Ransomware attacks frequently start with an invoice phishing email.
Protection tip: Implement a policy where invoices from new suppliers must be verified by phone before opening attachments. Use email security tools that scan attachments automatically.
Example 5: Password reset notification
How it works
You receive an email stating that a password reset was requested for your account – at your bank, email provider, social media platform or business application. The email includes a link to "reset your password" or "cancel this request if it wasn't you."
*"We received a request to reset the password for your account. If this was you, click here to set a new password. If this wasn't you, click here to secure your account immediately."*
Both links lead to a fake login page designed to harvest your credentials.
How to recognise it
- You didn't request a reset – If you didn't initiate it, don't click either link
- Sender address – Check the actual email domain, not just the display name
- URL check – Hover over any links before clicking
- Clever psychology – Both options ("reset" and "cancel") lead to the same malicious page
Why it's dangerous
The "if this wasn't you" option is particularly clever because it creates alarm – making you feel your account is already compromised, which pushes you to act quickly without thinking.
Protection tip: Never click password reset links you didn't request. If you're concerned about your account, go directly to the website by typing the URL in your browser.
Example 6: QR code phishing (quishing)
How it works
This is a newer but rapidly growing technique. You receive a physical letter, an email or even see a poster with a QR code. The QR code leads to a malicious website – but because a QR code hides its URL, you can't check the destination before scanning the way you can by hovering over a link. Typical variants:
- An email claiming your MFA setup needs to be updated, with a QR code to scan
- A physical letter claiming to be from your bank, with a QR code for "identity verification"
- A sticker placed over a legitimate QR code in a public place (restaurant menu, parking meter)
How to recognise it
- QR codes in email are unusual – Legitimate services rarely ask you to scan a QR code from an email
- Check the URL after scanning – Most phone cameras show the URL before opening it – check it carefully
- Physical mail with QR codes – Banks and government agencies typically don't send QR codes by post for login purposes
- Unexpected MFA setup requests – Your IT department would announce MFA changes through official channels
Why it's dangerous
QR code phishing is particularly effective because it bypasses traditional email security filters – the malicious URL is encoded in an image, not in clickable text. It also moves the victim from their computer (where they might be more cautious) to their phone (where URLs are harder to verify).
Protection tip: Treat QR codes with the same suspicion as email links. If you receive a QR code claiming to be from your bank or IT department, contact them directly through known channels to verify.
Example 7: Spear phishing (targeted attacks)
How it works
Unlike mass phishing campaigns, spear phishing targets a specific individual or organisation. The attacker researches their target using LinkedIn, company websites, social media and publicly available information to craft a highly personalised message.
*"Hi Mark, great presentation at the Breda Business Network event last Thursday. I'd like to discuss potential collaboration – I've put together a brief proposal. Could you take a look? [link to malicious file]"*
How to recognise it
- Too specific to be random – The personal details make it feel legitimate
- Unexpected attachment or link – Even if someone references a real event, verify before opening attachments
- Verify through another channel – Can you confirm the person actually sent this by calling or messaging them directly?
- Slightly off details – The attacker may get some details wrong (wrong date, wrong event name)
Why it's dangerous
Spear phishing is extremely effective because the personalisation lowers your guard. It's typically used against executives, finance staff and IT administrators – people with access to money, data or systems.
Protection tip: Create a culture where verifying unexpected requests is normal and encouraged – even when they appear to come from known contacts.
How to spot phishing: the universal checklist
Regardless of the type, these checks apply to every suspicious email:
Check the sender
- Hover over the sender name to see the actual email address
- Look for misspellings in the domain (microsft.com, g00gle.com)
- Be suspicious of public email domains (@gmail.com) for business communication
Check links before clicking
- Hover over any link to see the actual URL
- Look for HTTPS – but note that attackers also use HTTPS, so this alone isn't sufficient
- When in doubt, navigate directly to the website by typing the URL yourself
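The sender and link checks above can be automated for an inbox rule or a helpdesk script. This is an added example, not code from the article or from Virtual Computing: it classifies a hostname as trusted, a look-alike of a trusted brand, or unknown, using the domains from Examples 1 and 2 and the misspellings listed above; the trusted list is a constructed assumption, and the two-label "registrable domain" rule is a simplification of what a public-suffix list would give.

```python
"""Flag sender and link domains that imitate a trusted domain.

Added example for this article, not Virtual Computing's code. TRUSTED_DOMAINS
is constructed; registrable() keeps the last two labels, a simplification
(production code would consult a public-suffix list for names like co.uk)."""
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoftonline.com", "microsoft.com", "google.com",
                   "virtualcomputing.nl", "postnl.nl", "dhl.com"}

# Digit-for-letter swaps used to imitate a brand name (g00gle, micr0soft).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(host: str) -> str:
    """'login.microsoftonline.com' -> 'microsoftonline.com' (last two labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one- or two-character typos such as 'microsft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # Collapse hyphens, dots and digit swaps so 'login-microsoftonline.com'
    # and 'g00gle.com' reveal the brand name they imitate.
    flat = host.lower().translate(_HOMOGLYPHS).replace("-", "").replace(".", "")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in flat:
            return "lookalike"
        # Edit-distance check only for longer brands; 'dhl' would match too much.
        if len(brand) > 4 and levenshtein(reg.split(".")[0], brand) <= 2:
            return "lookalike"
    return "unknown"


def check_sender(address: str) -> str:
    """Classify the domain of an address such as 'david@virtual-computing.nl'."""
    return classify(address.rsplit("@", 1)[-1])


def check_link(url: str) -> str:
    """Classify the host behind a link, e.g. the URL a 'Sign in' button points to."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return classify(host)
```

Against the hosts from the text, check_link and check_sender return trusted for login.microsoftonline.com and lookalike for login-microsoftonline.com, microsoft365-login.net, microsft.com, g00gle.com and virtual-computing.nl.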
Look for pressure tactics
- "Your account will be suspended"
- "Action required within 24 hours"
- "Urgent payment needed"
- "Confidential – don't share with others"
Trust your instincts
- Does something feel off?
- Is this request unusual for this person or organisation?
- Would this normally be communicated differently?
If in doubt, don't click. Instead, contact the supposed sender through a known channel to verify.
What to do when you receive a phishing email
- Don't click any links or open any attachments
- Don't reply to the email
- Report it to your IT department or MSP immediately
- Mark it as phishing in your email client (most clients have this option)
- Delete it after reporting
What if you already clicked?
If you've clicked a phishing link or entered credentials on a suspicious page:
- Change your password immediately – for the affected account and any other account using the same password
- Notify your IT department – they need to check for compromise
- Enable MFA if not already active
- Monitor your account for unusual activity
- Don't feel ashamed – phishing is designed to fool people. The sooner you report, the faster the damage can be contained
Technical measures to block phishing
While user awareness is crucial, technical controls add an essential layer of defence:
Email security
- Microsoft Defender for Office 365 – Scans links (Safe Links) and attachments (Safe Attachments) in real time
- DMARC, DKIM and SPF – Email authentication standards that let receiving mail servers detect, and reject, messages that spoof your sender domain
- Spam filtering – Blocks known phishing campaigns before they reach inboxes
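To show how these signals come together when someone reports an email, here is an added example (not code from the article or from Virtual Computing) that triages a constructed message in Python: it reads the real sender domain behind the display name, the SPF/DKIM/DMARC verdicts the receiving server recorded in the Authentication-Results header, link text that differs from the link target (the trick in Examples 1 and 5), and the macro-enabled attachment types from Example 4. The sample message, its header values and the extension list are constructed for this example.

```python
"""Triage a reported e-mail: real sender domain, SPF/DKIM/DMARC results, link
targets and attachment types. Added example for this article, not Virtual
Computing's code; SAMPLE_EML is constructed, and Authentication-Results is the
header a receiving mail server adds with its SPF/DKIM/DMARC verdicts."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Extensions the article warns about (.docm/.xlsm/.zip) plus plain executables.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".zip", ".exe"}

SAMPLE_EML = """\
From: "Microsoft 365 Team" <alerts@login-microsoftonline.com>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=login-microsoftonline.com;
 dkim=none; dmarc=fail header.from=login-microsoftonline.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="https://microsoft365-login.net/auth">https://login.microsoftonline.com</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--b1--
"""


def triage(raw: str) -> dict:
    """Return the sender's real domain and a list of findings (empty = nothing suspicious)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # The display name is what the user sees; the address domain is what counts.
    sender = msg["From"].addresses[0] if msg["From"] else None
    # SPF/DKIM/DMARC verdicts set by the receiving server; anything but 'pass' is a flag.
    auth = msg.get("Authentication-Results", "")
    for proto in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{proto}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{proto}={m.group(1)}")
    # Links: the URL shown as link text versus the host the href really points to.
    html = msg.get_body(preferencelist=("html",))
    links = re.findall(r'<a[^>]+href="([^"]+)"[^>]*>([^<]+)</a>', html.get_content() if html else "")
    for href, text in links:
        shown = urlparse(text.strip()).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and shown != real:
            findings.append(f"link shows {shown} but goes to {real}")
    # Attachments with macro-enabled or archive extensions.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name and "." + name.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name}")
    return {"sender_domain": sender.domain if sender else None,
            "findings": findings, "verdict": "report" if findings else "ok"}
```

On the sample message triage() returns verdict "report" with five findings: the three failed authentication checks, the mismatched link and the .docm attachment.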
Multi-factor authentication
MFA is the single most effective technical measure. Even if credentials are stolen, attackers can't access accounts without the second factor. At Virtual Computing, MFA is standard on all managed workstations.
Password management
- Enforce minimum 14-character passwords
- Block commonly breached passwords
- Use a password manager for unique passwords per service
- Never reuse passwords across accounts
Web filtering
Block access to known phishing domains and malicious websites at the network or DNS level. This provides protection even if someone clicks a malicious link.
Endpoint protection
Modern endpoint protection detects and blocks malware downloaded through phishing, even if it's a new variant not yet in signature databases. Read more about comprehensive cybersecurity measures.
Security awareness training
Technical measures alone aren't enough – your employees need to be trained to recognise and respond to phishing. An effective awareness programme includes:
Regular training sessions
- At least quarterly, covering new and evolving threats
- Interactive – not just slides, but real examples and exercises
- Role-specific – finance teams need extra focus on invoice fraud, executives on CEO fraud
Simulated phishing campaigns
- Send fake phishing emails to test your team's awareness
- Track who clicks, who reports, and who enters credentials
- Use results for targeted training, not punishment
- Gradually increase difficulty over time
Clear reporting procedures
- Make it easy to report suspicious emails (one-click reporting button)
- Respond to reports quickly and positively – every report is a win
- Share anonymised results with the team to maintain awareness
Onboarding
Include security awareness in every new employee's onboarding. At Virtual Computing, we help clients set up and run awareness programmes as part of our managed IT services.
Frequently asked questions
How many phishing emails are sent daily?
An estimated 3.4 billion phishing emails are sent worldwide every day. While most are caught by spam filters, enough get through to make it the most common attack vector for businesses.
Can phishing emails contain viruses?
Yes. Phishing emails can contain malicious attachments (Word documents with macros, PDF exploits, executable files) or links to websites that automatically download malware onto your device.
Is phishing illegal?
Yes. Phishing is a criminal offence in the Netherlands and throughout the EU, falling under computer crime and fraud legislation. However, most attackers operate from jurisdictions where enforcement is difficult.
Why do phishing emails still get through spam filters?
Attackers constantly evolve their techniques to bypass filters. They use legitimate-looking domains, hide malicious content in images, use URL redirects and exploit new attack vectors like QR codes. No filter is 100% effective, which is why user awareness remains essential.
What's the difference between phishing and spear phishing?
Regular phishing casts a wide net – the same email is sent to thousands of people. Spear phishing targets specific individuals with personalised messages based on research. Spear phishing is harder to detect and typically more damaging.
How can I tell if my email address has been compromised?
Check haveibeenpwned.com to see if your email address appears in known data breaches. If it does, change your passwords immediately and enable MFA everywhere.
Should I pay if we're hit by ransomware from a phishing attack?
The overwhelming advice from law enforcement and security experts is: do not pay. Payment encourages more attacks and doesn't guarantee data recovery. Instead, rely on your backup and disaster recovery plan. Read more about preparing for ransomware in our cybersecurity guide.
How quickly can an attacker exploit stolen credentials?
Automated systems can use stolen credentials within minutes. In some cases, attackers access accounts and begin lateral movement within seconds of credentials being entered on a phishing page. This is why MFA and immediate reporting are so critical.
Protect your organisation against phishing
Phishing is a threat you can't eliminate entirely, but you can dramatically reduce its impact. The combination of technical controls, user awareness and clear procedures creates a resilient defence.
At Virtual Computing, we help SMBs build this layered defence. From advanced email security and MFA to security awareness training and 24/7 monitoring – we protect your organisation against phishing and other cyber threats.
Get in touch for a free phishing risk assessment, or become a client and let us protect your business from the most common cyber threat.