Skip to content
"VC3 has made it easier than ever before for our local government to serve our citizens by providing us with modern web tools and a team
of talented and courteous professionals.
City of Valdosta, GA

Find All the Resources You Need

Our resources & insights includes case studies, client testimonials, guides, checklists, blog articles and more!


5 min read

Top 5 Types of Email Scams Employees Keep Falling For

Whether you know it or not, you and your employees are targets. Your personal and company information has value, and malicious actors are dying to get their hands on it. They’ll do anything they can – even target you personally.

Scammers approach this from multiple angles, and some are easier to spot than others.

We all know an unsolicited phone call regarding “your vehicle’s expired warranty” is a scam. Our phones even tell us the call is a possible scam before we even answer it. It’s the same with texting scams – most of us know not to click on that mystery link from a random number.

Email scams, on the other hand, tend to catch people off guard. There are so many tricks that scammers use – and they’re getting trickier each day.

Companies can be down for hours or sometimes DAYS following one wrong click, the stakes are too high to ignore the different types of email scams. Educating your employees on the kinds of scams and their purpose(s) can go a long way in a strong, united defense for your company.

5 Most Common Types of Email Scams

The umbrella term for all of these scams is social engineering. Its only purpose is to use deception to manipulate you into giving out confidential information. They then use this information to steal your intellectual property, customer data, credentials, money – anything of value.


Phishing is one of those times that imitation is NOT the sincerest form of flattery. In fact, that sentence should be re-written as “Imitation is the sincerest form of trickery.”

As the most popular type of email scam, most phishing emails will do the following things:

  • Ask for personal information: Phishing emails may outright ask for your personal/company information. They’ll ask for information such as your address, social security number, account number, etc. – anything else they can use to their advantage.
  • Embed malicious links: They trick unsuspecting recipients into clicking an embedded URL that appears real. For example, you’ll see a URL like, but when you hover your mouse over it, you see where the URL is really going. That address leads to a suspicious, dangerous, or fake website.
  • Convey a sense of urgency: Email scammers make their phishing attempts sound urgent so you’ll act immediately. Their goal is to make you rush, making you potentially do something that you wouldn’t otherwise. You might see words like “if you don’t act now” or threats of closing your accounts if you don’t address them immediately.
credit card phishing example

Example of a phishing scam attempting to steal credit card info

You used to be able to easily identify email scams because they were poorly written – that’s not the case anymore. They increasingly look, read, and sound legitimate. Their primary focus is to trick you so they can steal user credentials and/or other valuable information.



Baiting is very similar to phishing. The main difference between the two is the sense of urgency vs. the promise of goods. While phishing needs something accomplished immediately, baiting promises you something for free—things like free movie tickets, free music, and free subscriptions.

baiting email example

Example of a baiting email attempting to trick a target into clicking a malicious link

Another distinguishing factor is that baiting can be done via free goodies, like a thumb drive. Once the encrypted thumb drive is plugged into your computer, it can steal your passwords and data.

Spear phishing

Spear phishing attackers gather information about users and companies from the internet to make their emails as relevant as possible to the recipients. They typically impersonate someone the target knows and include personal details. This level of personalization can trick even the savviest of users.

Spear phishing can be aimed at specific people or a group of people within a company. And since the attackers have gone to great lengths to personalize their message, they’ve also taken steps to evade spam filter technologies, so it’s more likely that they’ll actually land in a user’s inbox.

A spear phishing email sent to a group might look like this:

password phishing email example

Example of a spear phishing email attempting to steal login credentials

A spear phishing email sent to an individual might look like this:

spear phishing accounting email example

Example of a spear phishing email attempting to trick the target into sending them money

You may be thinking, “I’d recognize that as a scam for sure.” And that may be true, especially seeing them in this context. But if you’re a busy accounting professional in the middle of closing the month and you get either one of the email examples above, you might take the actions they’re requesting since you’re in a hurry.


Whaling and spear phishing are the same type of email scam; the difference is the recipient.

While the scammer imitates trusted senders like a company’s CEO with spear phishing, whaling is when the C-levels are the email recipients.

These emails usually have personal information about the C-level and will look like a legitimate company sent it to them. While subject lines vary, they tend to say things like “critical” or “urgent.”

Attackers then embed links to malicious URLs or attachments, and the C-level’s computer becomes infected with malware when clicked. They are then able to collect whatever information they please.

whaling email example

Example of a whaling targeting a c-level with information sourced online

Seasonal: The Angle Changes With the Season or Current Events

Phishing attempts happen all year round, though the angle in the message may change to adapt to current events or holidays. Think: tax season, Black Friday, the Olympics, President’s Day sales, Amazon Prime Day, etc. COVID-related scams were also prevalent in 2020 and 2021.

For example, during the holiday shopping season, scammers trick unsuspecting recipients with tracking and delivery emails that appear to come from UPS, FedEx, etc., but lead to dangerous websites. It can be difficult to keep track of all the gifts you ordered online, and scammers take advantage of that fact by sending these fake shipping updates.

fake tracking email example

Example of a phishing email with fake tracking information

Keep Your Employees Aware and Secure

All email scams pose a danger to every business, no matter the size.  It’s vital that your employees are educated on how to identify the different types of scams in order to keep your business and personal information safe.

Whether you use a managed IT services provider or an internal IT department, look to them for guidance on best practices. Hold companywide training, and keep everyone in the loop on current threats.  

Editor’s Note: This article was originally published in June 2017. It has been revamped and updated with the latest information.


Let's talk about how VC3 can help you AIM higher.