The inbox is fine, it is you and me who are not
Scam emails people are most likely to fall for, and why the same tricks keep working
We keep losing to very ordinary emails. Not the Hollywood hacker kind, the everyday ones with invoices, follow ups, calendar holds, and a polite please review. That is the point. Phishing succeeds because it hides in plain sight, it mimics routine. Awareness has never been higher, yet the click still comes. On average it arrives in 21 seconds. In targeted campaigns more than half of recipients comply. That is not a security gap, that is a human pattern.
The new normal looks boring on purpose
Invoices still dominate, around 30 percent of attempts, with payment prompts and simple follow ups close behind. Subject lines are short, urgent, and familiar. Action required. Are you available. Your account is locked. Many now arrive as calendar invites that add themselves to your diary, complete with a join link that looks like Zoom or a prompt to install a software update. The routine is the camouflage.
Credential harvesting is the volume play. Think Microsoft 365, Google, DocuSign, payroll portals, and a fake login one click away. Business email compromise is the high yield tactic. The fake executive, the quiet favour, the overdue invoice, the bank detail change. Email filters often miss these because the messages are plain text with no link or attachment to detonate, and they read as if your internal style guide wrote them.
AI did not invent deception, it just industrialised it
Generative tools reproduce your voice, your brand, your punctuation. Domains are spoofed, logos are crisp, the tone reads like last quarter’s memo. Voices are cloned for follow up calls. Attackers chain the touch points: an email, then an SMS, then a voicemail, often with a QR code in the mix. Quishing is phishing through QR codes, smishing is the same con by text message, vishing is the same con over voice. Each channel vouches for the last, so the multichannel flow builds trust and short circuits doubt.
Why we still click
Urgency, authority, fear, and trust remain undefeated. The email asks you to act before you think. It impersonates a person you serve or a service you need. It arrives at the worst time, during a commute, at school pick up, five minutes before a meeting, just as your attention runs thin. We do not fall for technology, we fall for timing.
The playbook to stop losing
You do not need perfect security, you need consistent friction. Add small speed bumps that force a second look.
For everyone
- Read the sender, not just the name. The display name is free text; expand the actual address every time. Look for subtle swaps, rn for m, a lowercase l for a capital I, a zero for an o, and extra characters that vanish at a glance.
- Treat links as hostile by default. Hover, long press, or copy the link, then inspect the domain before you click. The part that matters is the registrable domain just before the first single slash, not the familiar words placed in front of it.
- Never approve an MFA prompt you did not trigger. Repeated prompts mean someone already has your password and is hoping you will tap to make them stop. Deny, report it, and change the password.
- Decline unsolicited calendar invites, and turn off the setting that adds invitations to your calendar automatically.
- Use passkeys or a password manager, then turn on multifactor everywhere. Prefer an authenticator app or a hardware key over SMS. Passkeys and hardware keys are bound to the real site's domain, so a lookalike login page cannot collect them.
- Assume a QR code is a link you cannot hover. If you would not click the same link in an email, do not scan it on paper.
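Here is what "read the sender" looks like when a mail gateway does it for you. The check below is an added example written for this article, not code from the page or from any mail product: it folds the confusable characters just described (rn for m, 1 or i for l, 0 for o, Cyrillic letters that print identically to Latin ones), then compares the sender's domain against a trusted list by exact match, by edit distance, and by a trusted brand appearing as a subdomain of somebody else's domain. The trusted list, the sample addresses, and the two-label approximation of a registrable domain are assumptions for the example.

```python
import unicodedata

# Constructed for this example: the domains an organisation trusts. A real
# deployment would load this from the mail gateway's allow list.
TRUSTED_DOMAINS = {"example.com", "microsoft.com", "paypal.com"}

# Sequences that read like something else at a glance. Multi-character swaps go
# first so "rn" is folded to "m" before the single characters are touched.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("1", "l"), ("i", "l"), ("|", "l"),                 # 1, i, I and | all pass for l
    ("0", "o"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),  # Cyrillic a, e, o
    ("\u0440", "p"), ("\u0441", "c"),                   # Cyrillic p, c
]


def fold(label: str) -> str:
    """Collapse a domain to the form the eye actually sees."""
    label = unicodedata.normalize("NFKC", label).lower()
    for seen_as, canonical in CONFUSABLES:
        label = label.replace(seen_as, canonical)
    return label


def registrable(host: str) -> str:
    """Last two labels of a host name. Simplification for the example: ignores
    multi-part public suffixes such as .co.uk; a gateway would use the Public Suffix List."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as microsofft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Return ("trusted" | "lookalike" | "external", reason) for an email address.

    Accepts both "Finance <ap@rnicrosoft.com>" and a bare "ap@rnicrosoft.com".
    """
    host = address.rsplit("@", 1)[-1].strip("<> ").lower()
    domain = registrable(host)
    if domain in trusted:
        return "trusted", f"{domain} is on the trusted list"
    folded = fold(domain)
    for known in trusted:
        if folded == fold(known):
            return "lookalike", f"{domain} reads as {known} once confusable characters are folded"
        if levenshtein(folded, fold(known)) <= 1:
            return "lookalike", f"{domain} is one edit away from {known}"
        # A trusted brand used as a subdomain of somebody else's registrable domain,
        # e.g. login.microsoft.com.verify-account.net
        if known.split(".")[0] in host.split(".")[:-2]:
            return "lookalike", f"{known} is being used as a subdomain of {domain}"
    return "external", f"{domain} is not on the trusted list"


if __name__ == "__main__":
    # Constructed sample senders, one per trick described above.
    for sample in [
        "alice@mail.microsoft.com",
        "Accounts Payable <ap@rnicrosoft.com>",
        "support@paypa1.com",
        "it@microsofft.com",
        "noreply@login.microsoft.com.verify-account.net",
        "ceo@p\u0430ypal.com",
        "friend@gmail.com",
    ]:
        verdict, reason = classify_sender(sample)
        print(f"{verdict:9} {sample:48} {reason}")
```

The folding step is the important part: a plain allow list sees rnicrosoft.com as just another external domain, whereas folding it first turns the comparison into the one the reader's eye was already losing. The edit-distance threshold of one is deliberately tight; raise it and short trusted domains start colliding with legitimate ones.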
For teams and leaders
- Publish a money playbook: no executive will ever request gift cards, urgent wires, or bank detail changes by email or chat. Require a two person check and a call back to a number already on file, never one taken from the message.
- Lock sender identity. Publish SPF and DKIM, then enforce DMARC with p=reject rather than leaving it in p=none monitoring once the reports show your legitimate mail aligning. Register the obvious lookalikes of your own domain yourself and request takedown of the ones you find in the wild.
- Shrink the attack surface. Disable automatic forwarding to external addresses, block legacy authentication protocols that cannot do MFA, and expire stale accounts.
- Instrument the workflow. Tag external mail, quarantine lookalike domains, and flag it when a new sender appears in a long thread or a reply comes from an address that was not in the original conversation.
- Practice real drills. Run phishing simulations that mimic your own tone, your projects, and your quarter end pressures. Reward reporting, not just perfect scores.
- Close the loop. When someone reports a phish, tell them what it was, what you did, and how to spot the next one.
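What "lock sender identity" means in DNS terms, as an added example for this article rather than anything the page or a vendor ships. The records below are constructed, and the checker flags the settings that leave spoofing unpunished: a DMARC policy of none or quarantine, a pct below 100, a subdomain policy weaker than the main one, no reporting address, and an SPF record that ends in +all or has no all term. It reads the TXT record text you would retrieve for `_dmarc.yourdomain` and for the domain's SPF record; DKIM is not checked here because verifying it needs a signed message and the selector's public key. Domain names and mailbox addresses are assumptions.

```python
def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return the weaknesses in a DMARC record; an empty list means it is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: the first tag must be v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: mail that fails DMARC is not rejected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    # sp governs subdomains and inherits p when absent. A reject on the apex with
    # sp=none leaves hr.yourdomain wide open.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy or 'missing'}: subdomains are not rejected")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so you cannot see who is spoofing you")
    return findings


def spf_findings(record: str) -> list[str]:
    """Check the part of SPF that matters for spoofing: what happens to unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if not all_terms and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # a bare 'all' means +all
        if qualifier == "+":
            findings.append("+all: any host on the internet may send as this domain")
        elif qualifier == "?":
            findings.append("?all: unlisted senders are neutral, which receivers treat as no opinion")
        # ~all (softfail) and -all (fail) both count as 'not pass' for DMARC alignment;
        # -all is stricter only for receivers that evaluate SPF on its own.
    return findings


if __name__ == "__main__":
    # Constructed records: monitoring only, partial rollout, and enforcing.
    samples = {
        "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "partial":      "v=DMARC1; p=quarantine; pct=25",
        "enforcing":    "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    }
    for name, record in samples.items():
        print(f"{name:13}", dmarc_findings(record) or "ok")
    print("spf strict   ", spf_findings("v=spf1 include:spf.protection.outlook.com -all") or "ok")
    print("spf open     ", spf_findings("v=spf1 ip4:203.0.113.0/24 +all"))
```

The order of rollout matters as much as the final record: publish SPF and DKIM, collect rua reports under p=none until every legitimate sender aligns, then move to p=reject at pct=100. Stopping at p=none is the most common state the checker finds, and it is the one attackers count on.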
The 30 second gut check
Before you click, ask three questions.
- Was I expecting this, at this time, from this person, in this channel?
- Can I verify it without using the link or number provided?
- What is the worst case if I wait five minutes and phone a known contact?
If you cannot answer yes, yes, and nothing catastrophic, you can wait. The honest truth is that most fraud relies on you moving fast. Slow is a security control.
The metric that matters
We like to quote complaint counts, for example 323,972 phishing victims in the United States in 2021, falling to 193,407 in the most recent report, with phishing still dwarfing every other category, or headline figures such as a 17.8 percent average click rate per campaign. None of that will change your risk tomorrow. What will change it is your team’s time to doubt. Measure how quickly people report suspicious messages, how quickly security responds, and how quickly you can block the sender and rotate the affected credentials. Shorten those times, and the 21 second click loses its sting.
Final thought
You cannot filter your way out of a human problem. You can design for it. Make the safe action the easy action. Make the wrong action slightly harder. Teach the pause. The inbox will keep looking ordinary, attackers will keep getting better, and that is fine. You can win with low drama, clear rules, and a culture that rewards the moment someone says, this looks a bit off.
