Email scams: phishing, invoice fraud, and account takeover

Email phishing has evolved well past obvious typo-laden "Nigerian prince" messages. The campaigns landing in inboxes today use real-looking display names, perfectly cloned brand templates, and reply-to addresses that survive a casual glance. This hub covers the dominant 2026 patterns — retail-account compromise, invoice and procurement fraud, and credential-harvest lures — and shows the header-level checks that catch them.

The most-impersonated email senders in 2026

• Amazon email scam — order-confirmation, refund, and "unusual sign-in" lures
• PayPal email scam — fake invoice, payment-received, and account-limited variants

Three header checks that catch most phishing

1. Open the full reply-to address, not the display name. Mobile mail clients hide the address by default — tap it to expand. Real Amazon emails come from @amazon.com or @amazon.<tld>; phishing comes from look-alikes like @amaz0n-support.com or free-mail (@gmail.com) addresses with Amazon in the display name.
2. Check the link's true destination by hovering on desktop or long-pressing on mobile. Free-host TLDs (.weebly.com, .vercel.app, .pages.dev, .webflow.io) inside a "Sign in to your account" link are an immediate red flag — see our investigation on phishing on free site builders.
3. Check whether your address has been recently breached via our free breach checker — targeted phishing follows breach lists by 2-6 weeks.

Invoice and procurement fraud (BEC)

Business email compromise — fake invoices and "the wire instructions changed, send to this account instead" emails — is the highest-dollar email-fraud category, with $2.9 billion in reported losses to the FBI's IC3 last year. The defense is process, not technology: any change to wire instructions must be confirmed by phone using a number from the vendor's existing record, never one supplied in the email itself.

If you already clicked or replied

Change the affected password from a different device, enable hardware-key MFA where available, run a dark-web exposure scan, and submit the phishing email's full headers and the lure URL to ScamRadar's report form so the next recipient gets a warning.

ScamRadar · Blog · Scam Database · Is It Legit? · About