Phishing Protection

5 Common Types of Email Scams (and Real-Life Examples That Nearly Cost Crores)

Learn about 5 common types of email scams (quishing, business email compromise, brand spoofing, spear phishing and cloud-account phishing) through real-life examples and practical steps you can use to protect your inbox and your money.

Subhajeet Naha

Cybersecurity Expert with 27+ years of experience in enterprise security. Currently leads Protecte Technologies.

18 December 2025
8 min


The ugliest calls I get are never about some fancy zero-day exploit.

They’re about money that almost left the account.

One of those calls still sticks with me. A founder rang late in the evening, voice shaking, because their accounts team had just processed a large vendor payment. The invoice looked completely normal. Same vendor, same template, same polite tone. The only tiny difference? Updated bank details at the bottom and a “please treat this as urgent” line.

By the time I got involved, the payment was sitting in a pending queue at the bank. We managed to stop it. If that delay hadn’t existed, they would have lost more than ₹2.8 crore to a single, well-crafted email.

That’s the reality of modern email scams: they don’t look like obvious junk. They look like your everyday work.

Over the last few years, working with founders, finance teams and IT leaders, I’ve seen the same patterns repeat again and again. Different companies. Different industries. Same playbook.

In this guide, I’ll walk you through 5 common types of email scams, share real stories inspired by what I’ve seen on the ground, and explain how you can reduce the chances of becoming “that” story everyone at your company whispers about for years.

What We Really Mean by “Email Scams”

When I say email scam, I’m talking about any message that uses email as the main weapon to do one of three things:

  • Take your money
  • Take your credentials
  • Take your data

Some attacks are loud and obvious. Most successful ones aren’t. They hide inside daily routines: invoices, password resets, tax notices, policy updates, meeting invites.

The painful part is that email was never designed as a fully authenticated, identity-safe channel. That gap is exactly where attackers live. They register lookalike domains, spoof trusted brands, copy writing styles, and now even use AI to fine-tune tone and grammar until the messages feel almost… familiar.

Once you understand the main patterns, you start seeing them everywhere.


Why These Scams Still Work on Smart People

People often assume only “careless” or “non-technical” users fall for scams. That’s not what I see.

Very smart, very experienced professionals get caught because of three simple realities:

  • Everyone is busy. When you’re closing the month, chasing payments, or preparing reports, the last thing on your mind is forensic analysis of every email.
  • Attackers study your habits. They read old threads, learn your internal language, and time their messages to match your real workflows.
  • Filters catch the noisy stuff, not the clever stuff. Traditional spam engines are good at blocking obvious junk, not subtle invoice edits or carefully crafted internal emails.

So instead of blaming people, I prefer to show them the patterns. Once someone has “seen” a pattern with their own eyes, you can almost watch their instincts sharpen.

Let’s go through five of those patterns.

1. QR Code Phishing (“Quishing”) - Scan Here, Lose There

QR codes used to feel harmless. Scan to see a menu. Scan to pay. Scan to download an app.

Attackers love that comfort.

In a QR code phishing (often called “quishing”) scam, the email doesn’t use a normal link. Instead, it embeds a QR image. When you scan it with your phone, you’re quietly redirected to:

  • A fake login page that harvests your credentials, or
  • A malicious site that steals card data or pushes malware

A Story From the Tax Season

During a busy filing period, a mid-level manager at a services firm received a formal-looking email claiming to be from a tax portal. The subject line was anxious but believable: “Pending discrepancy - action required.”

The email used a decent logo, polite government-style language, and a QR code with a short instruction:

“Scan to quickly verify and resolve this issue."

On a mobile screen, the fake site looked almost identical to the real portal. Same colours. Same layout. The only thing wrong was the domain name, a small, slightly awkward variation most people would miss at a glance.

Had the manager gone ahead, they would have typed their ID, password and OTP straight into a scammer’s system.

How to Stay Safer Around QR Emails

When an email suddenly asks you to scan a QR code for tax issues, payments, refunds, ticket problems or login verification, treat it as suspicious by default. Attackers use the image precisely because a mail filter that only inspects links cannot follow a URL hidden inside a picture, and because the phone you scan with usually sits outside your company’s web protections. Most camera apps show the decoded address before opening it; read the domain there. If the matter feels important, go to the official website by typing the address yourself or using your own saved bookmark. Don’t let a square of black and white pixels decide where your phone goes.

2. Business Email Compromise & Invoice Fraud – The Costliest “Routine” Emails

If I had to pick one category that silently drains the most money, it would be Business Email Compromise (BEC) and classic invoice fraud.

In these scams, the attackers don’t ask you to click anything strange. They simply pretend to be:

  • A known vendor changing bank details
  • A senior executive approving a “confidential” transfer
  • A partner following up on an “overdue” payment

The emails are short, calm and professional. That’s what makes them so effective.

The Vendor Who “Updated” Their Bank

In one incident I worked on, attackers spent time watching a compromised mailbox. They saw that a particular vendor was paid on a predictable schedule every month.

A week before the usual payment date, they sent a very normal-looking email to the accounts team. It referenced the right invoice number and attached a neat PDF on company letterhead:

“Due to our recent audit and banking partner migration, please use the below updated account details for this and all future payments.”

No spelling mistakes. No dramatic language. Just a simple operational update.

The only reason the fraud was caught was that the accountant, almost casually, mentioned the change to the vendor on a phone call about something else. That “wait, we never changed our bank” moment saved them.

Practical Protection Against BEC

If your company moves money, you need a boring, non-negotiable rule: no bank detail changes without an out-of-band verification. That means a phone call to the number you already have on file for that vendor (never one printed in the email or on the new invoice), or confirmation through your official vendor portal; never a reply to the same email thread.

Processes like this feel slow until you compare them with the cost of a single wrong transfer.
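The out-of-band rule is easy to state and easy to get subtly wrong: a verification that calls the phone number printed on the new invoice proves nothing. The gate below is an added example, not the article’s process or any ERP’s feature; the record shapes, the rupee threshold for dual approval, the 30-day freshness window and the whole scenario are constructed assumptions. It releases a payment only when the invoice’s bank details match the vendor master, or when a verification of exactly those details exists that was done through the vendor portal or by calling the number captured at onboarding.

```python
"""Release gate for vendor payments: a bank-detail change is paid only after an
out-of-band verification of exactly those details, using contact data from the
vendor master rather than from the email that asked for the change.

Added example, not the article's own process or any ERP's feature. The record
shapes, threshold, amounts and scenario below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    account: str          # account number on file
    ifsc: str
    callback_phone: str   # captured at onboarding, never updated from an email


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    vendor_id: str
    amount_inr: int
    account: str
    ifsc: str


@dataclass(frozen=True)
class Verification:
    vendor_id: str
    account: str
    ifsc: str
    method: str           # "phone" or "portal"
    phone_called: str | None
    verified_by: str
    on: date


MAX_AGE = timedelta(days=30)        # a verification older than this is stale
DUAL_APPROVAL_ABOVE = 1_000_000     # assumed threshold, in rupees


def release_decision(inv: Invoice, vendor: Vendor, verifications: list[Verification],
                     approvers: list[str], today: date) -> tuple[bool, list[str]]:
    """Return (release, reasons). An empty reasons list means the payment may go out."""
    reasons: list[str] = []
    if inv.vendor_id != vendor.vendor_id:
        return False, ["invoice vendor does not match the vendor master record"]
    changed = (inv.account, inv.ifsc) != (vendor.account, vendor.ifsc)
    if changed:
        # Only verifications of exactly the details on this invoice count.
        matching = [v for v in verifications
                    if v.vendor_id == vendor.vendor_id
                    and (v.account, v.ifsc) == (inv.account, inv.ifsc)
                    and today - v.on <= MAX_AGE]
        valid = [v for v in matching
                 if v.method == "portal"
                 or (v.method == "phone" and v.phone_called == vendor.callback_phone)]
        if not valid:
            reasons.append("bank details differ from the vendor master and no valid "
                           "out-of-band verification exists")
        for v in matching:
            if v.method == "phone" and v.phone_called != vendor.callback_phone:
                reasons.append(f"verification by {v.verified_by} called {v.phone_called}, "
                               "not the number on file")
    if inv.amount_inr >= DUAL_APPROVAL_ABOVE and len(set(approvers)) < 2:
        reasons.append("amount needs two distinct approvers")
    return not reasons, reasons


# Constructed scenario: the vendor "updated" its bank and the invoice is due.
VENDOR = Vendor("V-0042", "00112233445566", "HDFC0001234", "+91-80-1234-5678")
INVOICE = Invoice("INV-2025-0917", "V-0042", 28_000_000, "99887766554433", "ICIC0009876")
TODAY = date(2025, 11, 12)


def scenarios() -> dict[str, tuple[bool, list[str]]]:
    # (a) The accountant called the number in the email footer: looks diligent, proves nothing.
    email_phone = Verification("V-0042", INVOICE.account, INVOICE.ifsc, "phone",
                               "+91-98-7654-3210", "accounts@corp", date(2025, 11, 11))
    # (b) The call went to the number captured at onboarding.
    on_file = Verification("V-0042", INVOICE.account, INVOICE.ifsc, "phone",
                           VENDOR.callback_phone, "accounts@corp", date(2025, 11, 11))
    unchanged = Invoice("INV-2025-0918", "V-0042", 250_000, VENDOR.account, VENDOR.ifsc)
    return {
        "unchanged details": release_decision(unchanged, VENDOR, [], ["a"], TODAY),
        "changed, no verification": release_decision(INVOICE, VENDOR, [], ["a", "b"], TODAY),
        "changed, number from email": release_decision(INVOICE, VENDOR, [email_phone], ["a", "b"], TODAY),
        "changed, number on file": release_decision(INVOICE, VENDOR, [on_file], ["a", "b"], TODAY),
        "changed, verified, one approver": release_decision(INVOICE, VENDOR, [on_file], ["a"], TODAY),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:32} -> {'RELEASE' if ok else 'HOLD'} {why}")
```

Only the “changed, number on file” and “unchanged details” cases release; the call to the number from the email is held with a second, explicit reason so the reviewer learns why the check they did was not a check. Whatever system holds your vendor master, the property to preserve is the same: the callback number and the verification record live there, and the email that requested the change never writes to either.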

3. Brand Spoofing & Email Impersonation - When the Logo Isn’t the Problem

Another very common pattern is brand spoofing and email impersonation.

Here, the attackers pretend to be a bank, a cloud service, a courier, an e-commerce site, or even your own IT team. The goal is usually to make you:

  • Log in to a fake portal
  • Confirm or “verify” sensitive details
  • Download a malicious file

“Your Account Will Be Locked in 24 Hours”

A senior leader at a tech company once forwarded me an email that claimed to be from their cloud storage provider. The subject line: “Security alert: account review required.”

The message said there had been unusual activity, and if they didn’t confirm their identity within 24 hours, the account could be locked. There was a big blue “Verify now” button.

At first glance, everything looked right: the logo, colour scheme, footer. But the sender’s domain, when viewed carefully, was a lookalike, and the login page was hosted under a strange, long URL that no real provider would use.

This is how attackers win: they don’t rely on you reading every character of the address. They rely on you recognising the overall “shape” of the brand and reacting emotionally to the word “locked.”

Building Better Instincts Around Brand Emails

Anytime a service claims there is a critical security issue with your account, pause and ask:

  • Is this how they usually contact me?
  • Is the URL exactly the same as I normally use?
  • Could I just go to the service directly instead of clicking this?

Getting into the habit of typing known URLs or using trusted bookmarks eliminates a huge chunk of these scams immediately.
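The “is the URL exactly the same?” question from this section, and the domain check from the quishing section above, come down to one habit: judge the registrable domain, not the logo or the display name. The script below is an added example, not the article’s or any vendor’s tooling, and every input in it is constructed: the allowlist of trusted domains, the short public-suffix subset, and the sample From: headers and decoded QR URLs are assumptions made for illustration. It folds common homoglyphs, catches one-character typos and brand names embedded in or prefixed to an unrelated domain, flags raw IP addresses and punycode labels, and checks whether a display name claims a brand the real address does not belong to.

```python
"""Lookalike-domain triage for sender addresses and decoded QR / link targets.

Added example, not the article's own tooling. The trusted-domain list, the
suffix subset and every sample header and URL are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allowlist: services this organisation actually uses.
TRUSTED_DOMAINS = {"incometax.gov.in", "microsoft.com", "dropbox.com"}

# Public suffixes under which the registrable domain is three labels long.
# Real code should load the full Public Suffix List; this subset is an assumption.
SECOND_LEVEL_SUFFIXES = {"gov.in", "co.in", "nic.in", "co.uk", "com.au"}

# Substitutions that survive a glance on a phone screen.
_PAIRS = (("rn", "m"), ("vv", "w"))
_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def fold(text: str) -> str:
    """Collapse common homoglyphs so 'rnicr0soft' compares equal to 'microsoft'."""
    s = text.lower()
    for a, b in _PAIRS:
        s = s.replace(a, b)
    return s.translate(_CHARS)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch one-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is trusted, lookalike, suspicious or unknown."""
    host = host.lower().strip("[]")
    try:
        ipaddress.ip_address(host)
        return "suspicious", "raw IP address instead of a hostname"
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "internationalised (punycode) label"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    reg_label = reg.split(".")[0]
    prefix = host[: -len(reg)].rstrip(".")
    sub_labels = prefix.split(".") if prefix else []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if fold(reg_label) == brand:
            return "lookalike", f"homoglyph of {trusted}"
        if len(brand) >= 5 and levenshtein(reg_label, brand) == 1:
            return "lookalike", f"typo of {trusted}"
        if brand in fold(reg_label):
            return "lookalike", f"{brand} embedded in {reg}"
        if any(brand in fold(label) for label in sub_labels):
            return "lookalike", f"{brand} used as a subdomain of untrusted {reg}"
    return "unknown", reg


def classify_sender(from_header: str) -> dict:
    """Judge a From: header by its real address, then check whether the display
    name claims a brand the address does not belong to."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    verdict, reason = classify_host(domain) if domain else ("suspicious", "no address")
    if verdict in ("unknown", "suspicious"):
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in fold(display.replace(" ", "")):
                verdict, reason = "lookalike", f"display name claims {brand}, address is {domain}"
                break
    return {"display": display, "address": addr, "verdict": verdict, "reason": reason}


def classify_qr_target(payload: str) -> tuple[str, str]:
    """Classify the URL decoded from a QR image (decoding itself needs an image library)."""
    parts = urlsplit(payload if "://" in payload else "http://" + payload)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "suspicious", f"unexpected scheme or missing host in {payload!r}"
    return classify_host(parts.hostname)


if __name__ == "__main__":
    # Constructed samples modelled on the stories in this guide.
    for hdr in ('Dropbox <no-reply@dropbox.com>',
                '"Microsoft 365" <account-team@rnicrosoft.com>',
                'Microsoft Account Team <security@mail-verify-center.net>'):
        print(classify_sender(hdr))
    for url in ("https://incometax.gov.in/verify",
                "https://incometax-gov-in.verify-pending.net/e/1",
                "http://203.0.113.5/login"):
        print(url, classify_qr_target(url))
```

Running it prints one verdict per sample. QR decoding is deliberately left out because it needs an image library; feed `classify_qr_target` whatever your decoder returns. Before using anything like this in production, replace the suffix subset with the full Public Suffix List, otherwise registrable-domain extraction is wrong for many country-code domains, and keep the brand list short: a trusted set that contains every vendor you have ever emailed produces far more false lookalikes than real ones.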

4. Spear Phishing - When the Email Feels Almost Too Personal

Most people now understand the idea of generic phishing: a vague email sent to thousands of addresses at once.

Spear phishing is different. It’s personal. It’s aimed at a specific person or small group, and it’s crafted carefully using real information about your role, your team, or your company.

Attackers pull that information from LinkedIn, company websites, public filings, social media, conference talks and sometimes previous data breaches.

AI tools have made this even more dangerous. It’s now trivial for an attacker to plug your public information into a writing assistant and generate messages that sound clean, fluent, and tailored to you.

“Can You Quickly Review This Before the Board Meeting?”

One VP I worked with received an email that looked like it came from their CEO. It referenced a real investor, mentioned an upcoming board meeting, and asked for a quick review of an “updated deck” hosted on a cloud link.

The writing style matched the way their CEO normally wrote. The signature looked identical.

Except the CEO was mid-flight on a long international journey and offline. The link didn’t go to the company’s usual document platform either. It pointed to a file hosting site the company never used.

The document behind the link was booby-trapped. Had they opened it and enabled macros, the attacker would have gained remote access to their machine.

Defending Against Spear Phishing

With messages like these, your best defence is a healthy level of doubt around anything that:

  • Mixes urgency with secrecy (“keep this confidential”, “need this today”)
  • Comes at unusual hours from senior leaders
  • Asks you to open files or log in somewhere you don’t normally use

A quick “Did you actually send this?” over your usual chat tool or a short phone call is often enough to expose the fake.

5. Cloud Account Phishing - Stealing the Keys to the Kingdom

Modern attackers don’t only want your email password. They want access to your entire cloud footprint — Microsoft 365, Google Workspace and any SaaS tools linked to your identity.

Once they get into one account, they can often pivot and:

  • Reset passwords for other services
  • Read internal conversations and forward mail silently
  • Send convincing internal phishing emails from your address

“New Work-From-Home Policy, Please Acknowledge”

In a mid-sized company I worked with, employees started receiving an email that appeared to come from HR. The subject sounded harmless: “Updated work-from-home policy for this quarter.”

The email explained that, due to changes in regulations, everyone needed to acknowledge the updated policy in the “secure HR portal” and included a link.

The portal copied the look of their Microsoft login page. Same background, same fields. The only difference was the domain in the address bar. Once employees entered their Microsoft 365 usernames and passwords, the attackers logged into the real accounts and started exploring.

From there, they launched internal-looking emails from compromised accounts, targeting finance and operations with “shared invoice” and “updated agreement” links. Those messages are far harder for users to doubt, because they appear to come from people they actually know.

Raising the Bar for Cloud Security

If you rely heavily on cloud platforms, treating login pages like sacred ground helps a lot. Encourage people to check the domain every time they see a login prompt, especially if it comes from an email link. Combine that with multi-factor authentication, preferably a phishing-resistant form such as FIDO2 security keys or passkeys, because a fake login page can relay a one-time code or push prompt just as easily as a password, and you’ve already forced attackers to work much harder. After any suspected credential theft, also look for inbox rules or mail-forwarding settings the user did not create; that is often the first thing an attacker adds.
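The pivot steps listed above leave traces in the tenant’s sign-in and audit logs, and those traces are what the “regular checks for unusual logins” habit later in this guide should be looking for. Below is an added example, not the article’s or any vendor’s code: a small detector run over a constructed event stream whose shape loosely imitates a cloud audit log (that shape, the tenant domain `corp.example`, the thresholds and every event are assumptions). It learns each user’s normal countries from a baseline period, then flags a sign-in from a new country, two countries within an hour, an inbox rule that forwards outside the tenant or deletes or hides mail, and a burst of internal mail from an account that was flagged minutes earlier.

```python
"""Spotting the takeover chain from the HR-portal story: a sign-in from somewhere
new, an inbox rule that forwards or hides mail, then a burst of internal mail.

Added example, not the article's or any vendor's tooling. The event shape is a
simplified stand-in for a cloud audit log (assumption) and every event below
is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"         # assumed tenant domain
TRAVEL_WINDOW = timedelta(hours=1)       # two countries inside this window is not travel
BURST_WINDOW = timedelta(minutes=10)
BURST_RECIPIENTS = 10
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History"}

# Constructed events. Sign-ins up to BASELINE_UNTIL define what is normal per user.
BASELINE_UNTIL = "2025-11-09T23:59:59"
EVENTS = [
    {"ts": "2025-11-03T09:02:00", "user": "priya@corp.example", "op": "UserLoggedIn", "country": "IN", "ip": "198.51.100.10"},
    {"ts": "2025-11-05T08:50:00", "user": "arjun@corp.example", "op": "UserLoggedIn", "country": "IN", "ip": "198.51.100.22"},
    {"ts": "2025-11-10T14:20:00", "user": "priya@corp.example", "op": "UserLoggedIn", "country": "IN", "ip": "198.51.100.10"},
    # Harvested password used from abroad 21 minutes after the genuine login.
    {"ts": "2025-11-10T14:41:00", "user": "priya@corp.example", "op": "UserLoggedIn", "country": "NG", "ip": "203.0.113.77"},
    {"ts": "2025-11-10T14:43:00", "user": "priya@corp.example", "op": "New-InboxRule", "ip": "203.0.113.77",
     "rule": {"ForwardTo": ["archive@mail-collector.example"], "DeleteMessage": True}},
    {"ts": "2025-11-10T14:50:00", "user": "priya@corp.example", "op": "Send", "ip": "203.0.113.77",
     "subject": "Shared invoice", "recipients": [f"fin{i}@corp.example" for i in range(6)]},
    {"ts": "2025-11-10T14:53:00", "user": "priya@corp.example", "op": "Send", "ip": "203.0.113.77",
     "subject": "Updated agreement", "recipients": [f"ops{i}@corp.example" for i in range(6)]},
    # A colleague doing something ordinary at the same time.
    {"ts": "2025-11-10T15:00:00", "user": "arjun@corp.example", "op": "UserLoggedIn", "country": "IN", "ip": "198.51.100.22"},
    {"ts": "2025-11-10T15:02:00", "user": "arjun@corp.example", "op": "New-InboxRule", "ip": "198.51.100.22",
     "rule": {"MoveToFolder": "Newsletters"}},
]


def _t(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect(events: list[dict], baseline_until: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, finding) triples for the suspicious chain."""
    cutoff = datetime.fromisoformat(baseline_until)
    known = defaultdict(set)      # user -> countries seen in the baseline period
    last_login = {}               # user -> (time, country)
    flagged_at = {}               # user -> time of the most recent finding
    sent = defaultdict(list)      # user -> [(time, recipient)] inside BURST_WINDOW
    findings: list[tuple[str, str, str]] = []

    def flag(e: dict, text: str) -> None:
        findings.append((e["ts"], e["user"], text))
        flagged_at[e["user"]] = _t(e)

    for e in sorted(events, key=_t):
        t, user = _t(e), e["user"]
        if e["op"] == "UserLoggedIn":
            if t <= cutoff:
                known[user].add(e["country"])
            else:
                if e["country"] not in known[user]:
                    flag(e, f"sign-in from {e['country']} via {e['ip']}, never seen for this user")
                prev = last_login.get(user)
                if prev and prev[1] != e["country"] and t - prev[0] < TRAVEL_WINDOW:
                    flag(e, f"sign-ins from {prev[1]} and {e['country']} within {TRAVEL_WINDOW}")
            last_login[user] = (t, e["country"])
        elif e["op"] == "New-InboxRule":
            rule = e["rule"]
            external = [a for a in rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                        if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
            if external:
                flag(e, f"inbox rule forwards mail outside the tenant to {external}")
            if rule.get("DeleteMessage") or rule.get("MoveToFolder") in HIDING_FOLDERS:
                flag(e, "inbox rule deletes or hides incoming mail")
        elif e["op"] == "Send":
            recent = [(ts, r) for ts, r in sent[user] if t - ts <= BURST_WINDOW]
            recent += [(t, r) for r in e["recipients"]]
            sent[user] = recent
            distinct = {r for _, r in recent}
            recently_flagged = user in flagged_at and t - flagged_at[user] <= timedelta(hours=1)
            if len(distinct) >= BURST_RECIPIENTS and recently_flagged:
                flag(e, f"{len(distinct)} recipients within {BURST_WINDOW} from a freshly flagged account")
                sent[user] = []   # do not re-flag the same burst
    return findings


if __name__ == "__main__":
    for ts, user, text in detect(EVENTS, BASELINE_UNTIL):
        print(ts, user, text)
```

On the constructed stream this produces five findings, all for the compromised account, and none for the colleague who logged in from the usual place and filed newsletters into a folder. The mail burst is only raised when the account was already flagged, which keeps a genuine all-hands email from tripping it; the forwarding and hiding rules are raised unconditionally because legitimate users almost never forward their mailbox outside the company or route mail into RSS folders.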


Making Your Organisation a Harder Target

You don’t need to be perfectly secure to avoid most email scams. You just need to be noticeably harder to fool than the average organisation.


From what I’ve seen, three layers make the biggest difference:

1. Habit Training, Not One-Off Awareness Sessions

Real change happens when people adopt small habits:

  • Pausing for two seconds before clicking a link
  • Checking the actual sender address, not just the display name
  • Being especially careful around anything involving money, accounts, or confidential data

This works best when training is ongoing, realistic, and uses examples that feel familiar to your employees’ daily lives, not generic screenshots from some overseas campaign.

2. Stronger Identity and Access Practices

Good security hygiene around accounts gives you more breathing room when someone does click something they shouldn’t:

  • Multi-factor authentication for email and critical apps
  • Limited admin access
  • Regular checks for unusual logins or device changes

It’s not glamorous, but it consistently limits damage.

3. Simple but Firm Processes Around Money

Every company should decide, in writing, how it handles:

  • Changes to vendor bank details
  • Large, urgent payments
  • Requests from senior leaders that bypass normal approval chains

Once those rules are clear, they should be followed even when it feels inconvenient. A five-minute verification call is nothing compared to explaining to your board why several crores disappeared from the company account.

If You Think You Might Have Fallen for a Scam

If you ever catch yourself thinking, “I clicked something and now I’m not sure…”, act quickly instead of freezing.

Change your password for the affected service, then for any others that share the same or similar credentials. Turn on or reset multi-factor authentication. Let your IT or security team know what happened so they can sign you out of active sessions, remove any inbox rules or forwarding you did not create, and watch for strange activity. If money or bank details were involved, contact your bank immediately; the first few hours matter most.

I’ve seen enough incidents to know that even experienced, well-trained people can be tricked on a bad day. The difference between “we had a scare” and “we lost everything” is how fast that first reaction happens.

One Thing to Remember

If you only remember one line from this guide, let it be this:

Most disasters don’t start with some legendary hack. They start with a very normal-looking email that arrived at exactly the wrong moment.

Teach your people to treat unexpected emails, especially those about money, passwords or urgent approvals, with a little suspicion. Build a few simple process speed-breakers into your finance and HR workflows. Strengthen your identity and access controls.

Do those consistently, and you’ll already be far ahead of many organisations that only wake up to email scams after they become a case study.