Phishing Examples That Fool Smart People
The phishing email looked like it came from my CEO. It didn't.
Last updated: March 20, 2026
The CEO of a Port Arthur manufacturing company received an email from what appeared to be their CFO (cfo@theircompany.com) asking for an urgent wire transfer. The email thread looked completely legitimate—there was context about a deal in progress, specific numbers, a plausible reason for urgency.
The CEO approved the transfer. $68,000 went to an account in Florida, then disappeared.
The email didn't come from their company. It came from cf0@theircompany.net, a lookalike address the attackers had registered: a zero in place of the letter O, on a .net domain instead of .com. Most email clients show only the display name, and the actual sender address goes unchecked unless someone deliberately looks at it.
This happens constantly. Smart people fall for phishing because modern phishing doesn't look like the Nigerian prince emails of the past. It's contextual, targeted, and designed to pass a quick glance.
Real phishing examples
The Microsoft 365 "Your session will expire" email:
From: Microsoft 365 <noreply@microsft-365-support.com>
Subject: Action Required: Your Microsoft 365 session will expire in 24 hours
Your mailbox storage is almost full. Click here to upgrade your storage or your account will be suspended.
[Link to: microsft-365-support.com/upgrade]
Red flags if you look: unusual sender domain, generic greeting, urgency about suspension, link to a domain that isn't microsoft.com. But it looks like Microsoft at a glance.
The DocuSign "Document waiting for your signature":
From: "Docusign" <no-reply@docusign-documents.com>
Subject: John Smith sent you a document for signature
John Smith from Acme Supplies is requesting your signature on the attached contract.
[Click to Review Document]
This one is particularly effective because it references real people and businesses (often from prior breaches or public data), uses legitimate-looking sender addresses, and people are conditioned to click DocuSign links.
The QuickBooks "Your invoice is ready":
From: Intuit QuickBooks <billing@quickb00ks.online>
Subject: Invoice #7294 from Your Vendor Name
Your invoice #7294 is ready for review.
Amount Due: $3,847.00
Due Date: March 15, 2026
[View Invoice]
Again, the sender domain isn't intuit.com or quickbooks.com. But many people don't notice—their brain sees "QuickBooks" and "invoice" and clicks.
The voicemail "You have a new message":
From: "RingCentral" <messages@ringcentra1.com>
Subject: New Voicemail from (409) 555-0123
You have a new voicemail from (409) 555-0123.
Duration: 1:47
[Play Voicemail]
This one plays on the expectation of work-related voicemails. People see "RingCentral," assume it's their phone system, and click without checking.
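A small check that encodes the sender red flags from these examples, added here as an illustration rather than code from the original article: it folds the digit-for-letter swaps (cf0, quickb00ks, ringcentra1), strips hyphens and dots so microsft-365-support is compared as one token, and flags any message that evokes a known brand or your own company name but arrives from a registrable domain that isn't theirs. The allow-list and OWN_DOMAIN are assumed placeholders; the sample headers are constructed from the examples above.

```python
import re
from email.utils import parseaddr

# Assumed allow-list of legitimate sending domains for the brands impersonated above.
# In practice, maintain this per vendor relationship.
TRUSTED = {
    "microsoft": {"microsoft.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "quickbooks": {"intuit.com", "quickbooks.com"},
    "ringcentral": {"ringcentral.com"},
}
OWN_DOMAIN = "theircompany.com"  # constructed, matching the wire-fraud story above

# Digits and symbols attackers substitute for look-alike letters (cf0, quickb00ks, ringcentra1).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

def registered_domain(addr):
    """Last two labels of the address's domain: microsoft.com.evil.net -> evil.net."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])

def skeleton(text):
    """Fold confusables and drop separators so 'quickb00ks.online' becomes 'quickbooksonline'."""
    return re.sub(r"[^a-z]", "", text.lower().translate(CONFUSABLES))

def check_sender(from_header):
    """Return 'trusted', 'lookalike' (verify out of band) or 'unknown' for a From: header."""
    display, addr = parseaddr(from_header)
    domain = registered_domain(addr)
    if domain == OWN_DOMAIN:
        return "trusted"
    # Our own company name on a different registrable domain or TLD (cf0@theircompany.net).
    if skeleton(domain.split(".")[0]) == skeleton(OWN_DOMAIN.split(".")[0]):
        return "lookalike"
    # A known brand in the domain or display name must come from that brand's real domain.
    evoked = skeleton(domain) + skeleton(display)
    for brand, legit in TRUSTED.items():
        if brand in evoked:
            return "trusted" if domain in legit else "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed samples taken from the examples above plus one legitimate sender.
    for hdr in ["cf0@theircompany.net",
                "Microsoft 365 <noreply@microsft-365-support.com>",
                '"Docusign" <no-reply@docusign-documents.com>',
                "Intuit QuickBooks <billing@quickb00ks.online>",
                '"RingCentral" <messages@ringcentra1.com>',
                "Intuit QuickBooks <billing@intuit.com>"]:
        print(f"{check_sender(hdr):9} {hdr}")
```

A plain misspelling without digit swaps (microsft) is only caught here through the display name; an edit-distance comparison against the brand list would extend the check to bare addresses. Treat "lookalike" as a prompt to verify out of band, not as proof of fraud.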
What can go wrong
Credential theft: You enter your password on a fake login page. Attacker now has your email, cloud storage, or whatever service the fake page imitated.
Malware installation: Clicking links or downloading attachments installs infostealers, remote access tools, or ransomware on your computer.
Wire fraud: BEC-style phishing where you approve payments to attacker-controlled accounts.
Data theft: Links that lead to forms asking for sensitive business or customer information.
Account takeover: If you reused passwords, phishing one account can lead to compromises across your business.
What it costs
- Credential-based breach: $5,000 to $50,000 for incident response and account recovery
- Wire fraud: $500 to $500,000+ depending on the payment amount and recovery success
- Ransomware delivered via phishing: $50,000 to $500,000+ including ransom, downtime, and recovery
- Customer data exposure: Notification costs, potential liability, regulatory fines
Vendor questions (copy/paste)
"How does your email filtering detect phishing emails? What's your false positive rate?"
"Can your solution identify emails sent from lookalike domains that impersonate known vendors?"
"What happens if an employee clicks a phishing link on their work computer? How would we detect and respond?"
"We use [Microsoft 365/Google Workspace]. What built-in protections come with our subscription, and what are we still missing?"
"How do I train employees to recognize phishing without making them afraid to click anything?"
"We're a small team and can't afford a full security operations center. What's realistic for us?"
Minimum viable implementation
- Enable MFA on everything. This is the single most effective control. If an attacker gets your password via phishing, MFA stops them from using it. Use phishing-resistant MFA (hardware keys, passkeys, or authenticator apps) where possible—SMS is better than nothing but can be bypassed.
- Train employees on what phishing actually looks like. Not "be careful of suspicious emails"—show them the real examples above. The more they see, the better they recognize. Run occasional simulations with safe test phishing emails.
- Check before you click—hover over links. Teach employees to hover over links to see the actual URL before clicking. If it doesn't go to a domain you recognize, don't click.
- Verify requests for sensitive actions outside email. If an email asks you to wire money, change passwords, or send sensitive data, verify by phone or in person using a known number. Don't use the number in the email.
- Use email filtering. Microsoft 365, Google Workspace, and third-party services like Proofpoint or Abnormal Security can catch a lot of phishing before it reaches inboxes. The built-in tools are better than nothing but may not be enough for targeted attacks.
- Report suspected phishing. Make it easy for employees to report suspicious emails (often a "report phishing" button in email clients). When someone reports something, investigate it—those reports often catch things filters miss.
- Separate administrative tasks. Your admin accounts—email admin, domain registrar, cloud console—should never be used for regular email and web browsing. Dedicated admin workstations or jump boxes limit what phishing can reach.
- Have a response plan for when someone clicks. If an employee clicks a phishing link or enters credentials on a fake site, time matters. Immediate steps: change the password from a clean device, check for unusual activity, monitor the account, consider disconnecting the affected computer from the network.
When to hire help
Call someone today if:
- An employee clicked a phishing link or entered credentials on a fake site
- You're seeing unusual activity in your email or cloud services
- A vendor or customer called asking why you sent them a phishing email (your domain may be spoofed)
Call someone this week if:
- You want help setting up email filtering and MFA properly
- You need phishing simulation and training for your team
- You want to audit your email security and identify gaps
You can probably handle it yourself if:
- You've enabled MFA on critical systems and tested it works
- Your team has seen real phishing examples and knows to verify sensitive requests
- You have a clear process for reporting and responding to suspected phishing
Phishing works because it exploits trust and urgency. The fix isn't to make people paranoid—it's to build habits that create verification before action. Click first, regret later is the pattern we're breaking.