Copyright Newsweek

The most dangerous email scams often look like the most ordinary messages in your inbox, experts have said. From fake invoices to urgent messages impersonating company executives, phishing attacks are growing more personalized, more sophisticated and more effective. Experts told Newsweek that despite awareness campaigns and new security technologies, cybercriminals are consistently staying ahead of detection by using urgency, deception and, increasingly, artificial intelligence to trick victims. They opened up about the scam emails that people are most likely to fall for.

"The most common type of phishing emails are still invoices, which make up around 30 percent of all phishing attempts," Denis Vyazovoy, chief product officer at AdGuard VPN, told Newsweek. "Emails asking for payment are responsible for roughly the same share, while follow-up emails round out the top three categories."

In 2021, 323,972 people reported being victims of phishing in the U.S., according to the FBI Internet Crime Complaint Center (IC3). That number dropped to 193,407 in the FBI's most recent 2024 report, but it still far exceeded the complaint count for any other category of cybercrime.

Common Tactics and Themes

Vyazovoy explained that many scams rely on basic social engineering: creating a sense of urgency to bypass rational thinking. Subject lines often include phrases like "action required," "reply now," or "are you available?" Others masquerade as confidential internal messages, bank account updates, or legitimate work-related calendar invites.

"A newer phishing trend that's been on the rise linked to the popularity of remote work involves fake calendar invites," he said. "These scams automatically appear on your calendar without approval and often include links disguised as Zoom meetings or software updates."

Email personalization has reached new heights with the help of generative AI, which allows scammers to closely mimic corporate communication and writing styles, experts said.
"Spear phishing is also a growing threat as these attacks are becoming more sophisticated and difficult to detect," Alex García-Tobar, CEO of email security firm Valimail, told Newsweek. "Hackers are using social engineering to craft convincing emails tailored to individuals or departments."

Most Successful Scams

Credential harvesting and business email compromise (BEC) remain the two most damaging phishing strategies, according to cybersecurity expert Michael Ko, CEO and co-founder of the email authentication and security platform Suped. In credential-harvesting scams, emails impersonate trusted brands such as Microsoft, Google, or Docusign and prompt recipients to click a link under an urgent pretense, like "your account is locked," that leads to a fake login portal. BEC scams, on the other hand, are more targeted.

"Scammers impersonate a high-level executive…with an urgent, confidential request to 'pay this overdue invoice' or 'wire funds for a secret acquisition,'" Ko told Newsweek.

Ko also highlighted the growing threat of "quishing," phishing via QR codes, and "vishing," or voice phishing, where scammers use AI-generated voices to impersonate real people. He said that click rates on phishing campaigns are alarmingly high.

"Some reports show the average phishing campaign gets a 17.8 percent click rate," Ko said. "Worse, highly targeted 'spear-phishing' attacks can fool over 50 percent of recipients. The median time for a user to click a malicious link is just 21 seconds."

Artificially Intelligent Deception

Artificial intelligence has lowered the barrier to entry for cybercriminals and made their attacks harder to detect, according to multiple experts.

"Attackers use very sophisticated methods today to make people believe the phishing emails they received would be from the company it impersonates," Arne Möhle, co-founder of encrypted email service Tuta Mail, told Newsweek.
"They fake the domain, the sending email address, make the email look nicely designed with logos and colors of the impersonated company and so on."

Rosario Mastrogiacomo, chief security officer at identity management company SPHERE, told Newsweek that fake login pages mimicking platforms like Microsoft 365 or payroll portals are now a staple of phishing campaigns. These pages typically appear after users click links embedded in seemingly harmless shared-document notifications or password-reset prompts.

"We're also seeing emails appearing to come from an executive requesting wire transfers, gift card purchases, or changes to banking details," Mastrogiacomo said. "These often bypass spam filters by using plain-text formatting and language tailored to internal communication styles."

Multi-Channel Scams, Fake Voices and the Rise of 'Quishing'

Phishing has evolved far beyond email. SMS text messages and messaging platforms like WhatsApp are now common delivery methods.

"Mostly, it's the same as always—messages from Microsoft, PayPal, banks, logistics firms… but without spelling mistakes and overall better made," Artem Bovtiukh, senior IT security engineer at MacPaw, told Newsweek. "And it's not only via email—SMS phishing is a very common thing now, as is phishing in messaging apps like WhatsApp."

QR code phishing, or "quishing," is also becoming more widespread, Bovtiukh added, echoing Ko.

Robeson Jennings, senior VP of global services and intelligence at cybersecurity firm ZeroFox, told Newsweek that the most successful attacks combine several of these vectors.

"Phishing emails have increasingly become part of a larger scheme," Jennings said. "We are seeing a surge in this multi-layered social engineering strategy."

After an initial phishing email, scammers may follow up with a text message or phone call, sometimes using AI-cloned voices to impersonate trusted figures in the organization. Experts warned readers to watch out for these follow-ups.
Seasonal and Psychological Exploits

Scammers are acutely aware of the times when people are most likely to fall for deception, such as the holidays or job-hunting seasons.

"As we get closer to the holidays, the most prevalent phishing emails will exploit trusted brands and urgent scenarios," Shaila Rana, a professor at Purdue Global who specializes in cybersecurity and AI, told Newsweek. "Think package delivery notifications claiming that deliveries failed and they need address verification."

Rana also cited a bizarre example of emotional manipulation: a phishing campaign impersonating LastPass support with the subject line, "Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)."

"There are also work-from-home schemes and fake job offers that have proliferated," Rana said. "It's targeting those seeking remote employment."

Why People Still Fall for It

"Phishing is one of the most common and effective types of email scams because it relies on deception and familiarity," Anne Cutler, a cybersecurity expert at Keeper Security, told Newsweek. Attackers often impersonate coworkers, banks, or even family members. Slight variations in text, such as replacing the letter "m" with the pair "rn" so that a lookalike domain reads as the genuine one at a glance, can fool even attentive readers.

"These scams often peak in frequency around events that involve digital transactions," she added.

The common thread across all scams is psychological manipulation: urgency, authority, fear, and trust. "The main goal is to push the recipient to act quickly without taking time to think or double-check anything," Vyazovoy said.
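One concrete check for the two tricks described above, Möhle's faked sender domains and Cutler's "rn" for "m" substitution, is to fold lookalike characters in the domain of the From: header and compare the result against an allowlist of trusted domains. The Python below is an added example written for this page, not code from Newsweek or from any of the companies quoted in it. The allowlist (TRUSTED_DOMAINS), the confusable-character table (CONFUSABLES) and the sample headers (SAMPLE_HEADERS) are constructed for illustration, and the registrable-domain helper assumes a two-label public suffix; a real deployment would use the public suffix list.

```python
"""Flag lookalike senders in From: headers.

Added example for this article, not code from Newsweek or from any vendor
quoted in it. TRUSTED_DOMAINS, CONFUSABLES and SAMPLE_HEADERS are
constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Assumed allowlist: registrable domains the organisation treats as genuine.
TRUSTED_DOMAINS = {
    "microsoft.com", "google.com", "docusign.com", "docusign.net", "paypal.com",
}

# Character sequences that impersonate a letter: the "rn" for "m" trick from
# the article plus a few common ASCII substitutions. Multi-character entries
# come first so they are folded before the single characters.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]

# Constructed sample From: headers; the PayPal one uses Cyrillic U+0430 in
# place of Latin 'a', which no ASCII fold can repair.
SAMPLE_HEADERS = [
    '"Microsoft Account Team" <security@rnicrosoft-login.com>',
    'DocuSign <dse@docusign.net>',
    '"Google Workspace" <admin@workspace-verify.com>',
    'PayPal <service@p\u0430ypal.com>',
    'Jane Doe <jane.doe@example.org>',
]


def fold(text):
    """Lower-case, strip accents and map lookalike sequences to the letters
    they imitate. Characters with no mapping (e.g. Cyrillic) are left in
    place so the caller can flag them."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = "".join(c for c in unicodedata.normalize("NFD", text)
                   if unicodedata.category(c) != "Mn")
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def brand_labels():
    """Folded second-level labels of the allowlist, e.g. 'microsoft'."""
    return {fold(d.split(".")[-2]) for d in TRUSTED_DOMAINS}


def registrable_domain(address):
    """Return (full host, last two labels). Assumes a two-label public
    suffix; production code should consult the public suffix list."""
    host = address.rsplit("@", 1)[-1].lower().rstrip(".")
    return host, ".".join(host.split(".")[-2:])


def classify_sender(from_header):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike',
    'brand-mismatch' or 'unknown'."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown", "no address in From header"
    host, domain = registrable_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"{domain} is on the allowlist"
    brands = brand_labels()
    # Every label except the suffix is checked, so a host such as
    # login.microsoft.com.evil.net is caught although its registrable
    # domain is evil.net.
    for label in host.split(".")[:-1]:
        folded = fold(label)
        if any(ord(c) > 127 for c in folded):
            return "lookalike", f"{host} keeps non-ASCII characters after folding"
        for brand in brands:
            if brand in folded:
                return "lookalike", f"{host} reads as '{brand}' after folding lookalike characters"
    # Domain is unrelated to any brand; check whether the display name
    # still claims one (the executive- or brand-impersonation pattern).
    for brand in brands:
        if brand in fold(display_name):
            return "brand-mismatch", f"display name claims '{brand}' but domain is {domain}"
    return "unknown", f"{domain} is not on the allowlist and impersonates no listed brand"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = classify_sender(header)
        print(f"{verdict:15} {reason}")
```

Running the block prints one verdict per sample header. The fold is deliberately aggressive (it collapses digits and accents into letters), so a "lookalike" or "brand-mismatch" verdict is a triage signal to combine with sender-authentication results and the other cues the experts describe, not a block decision on its own.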