Phishing Email Examples for Training: 10 Variants Your Team Should Recognize

Phishing and spoofing generated 193,407 complaints to the FBI's Internet Crime Complaint Center in 2024. Behind each of those complaints is an employee who opened a message, made a judgment call, and either spotted the phishing attempt in time or fell for it.

Email filters and secure gateways block a large share of malicious messages, but those that slip through land in an inbox, and from there, the employee becomes the last line of defense. Whether they recognize a phishing attempt depends almost entirely on how well their training has equipped them to spot the social engineering patterns attackers use.

10 Phishing Email Examples to Improve Your Security Awareness Training

Different phishing email variants target different workflows, such as finance approvals, customer support tickets, vendor invoices, or IT alerts. So, the lures, pretexts, and red flags differ in ways that matter for training. Working through them gives your security awareness program a concrete inventory of the messages employees actually need to recognize at a glance.

1. Executive Impersonation Emails

Often classified as business email compromise (BEC), the email appears to come from the CEO, CFO, or another senior leader, with the attacker spoofing or compromising an address that resembles the real one. It typically requests a wire transfer, credentials, or sensitive data, using urgent language to bypass normal approval workflows.

• Red flags: Unusual request from leadership sent outside normal channels. Pressure to bypass standard processes. Reply-to address that differs from the display name.
• Verification step: Confirm any request involving money, access, or sensitive documents through a pre-stored phone number or internal messaging platform. Use trusted contact details already on file rather than contact information included in the email.

2. Customer Support Spoof Emails

The email mimics a customer or a customer support channel, such as a known account holder, a service desk, or a ticketing system. The body of the message typically asks the recipient to reset a customer's access, share account details, or follow a link to a "support ticket" that opens a credential-harvesting page.

• Red flags: Support request from an external address that doesn't match the customer's known domain. Urgency around restoring access or resolving a complaint. Embedded link to a ticketing system the team doesn't normally use.
• Verification step: Look up the customer in the CRM and reach out using the contact details on file. Treat any support request that arrives only by unsolicited email as suspect until verified.

3. Brand Imitation Using Lookalike Domains

The email comes from a domain that looks nearly identical to a trusted brand, using a swapped letter, an added hyphen, or a different top-level domain. This tactic, known as typosquatting, is paired with a visual design that closely mirrors the real brand's communications. The lookalike domain is what lets the message land in an inbox without tripping obvious suspicion.

• Red flags: Sender domain that is close to, but not exactly, the legitimate brand domain. Logos and templates that match a known brand but arrive from an unfamiliar address. Links that resolve to a domain different from the brand's official website.
• Verification step: Inspect the sender domain character by character before acting. If the message claims to come from a known brand, navigate to the brand's website directly rather than using any link in the email.

4. Vendor Invoice Manipulation

A common form of vendor impersonation fraud involves an email that appears to be a routine invoice from a known vendor, but the attacker has altered the payment details to route funds to an account they control. These messages often arrive during high-volume billing cycles, when accounts payable teams are moving quickly.

• Red flags: Updated banking information in an otherwise routine invoice. Slight differences in the sender's domain (extra character, swapped letters). Urgency language, like "past due" or "final notice," on an invoice the team didn't expect.
• Verification step: Confirm any change in payment details by calling the vendor's finance department at a number from existing records, rather than the contact details printed on the invoice.

5. Supply Chain and Third-Party Vendor Phishing

The email appears to come from a supplier, contractor, or outsourced service provider, sometimes from a spoofed address and sometimes from a real but compromised vendor account. Because the relationship is real, the message often references active projects, shared systems, or routine deliverables, which makes it especially convincing.

• Red flags: A familiar vendor contact suddenly changing how they communicate, what they ask for, or where they send files. Requests to log into a portal that the vendor doesn't normally use. Messages that route conversations away from established communication channels.
• Verification step: Confirm any unusual vendor request through a known phone number or a separate communication channel before responding. Assume any vendor account can be compromised, and verify accordingly.

6. Shared Document Credential Harvest

This email appears to come from Google Drive, Microsoft OneDrive, or SharePoint, asking the recipient to view or sign a document. The link opens a convincing login page that captures credentials, often feeding directly into account takeover attempts.

• Red flags: Document share notification from a colleague who doesn't normally share files this way. Login prompt for a service the employee is already signed into. URL that doesn't match the legitimate service domain.
• Verification step: Go directly to the document-sharing platform by typing the URL into a browser. If the document exists, it will appear without clicking the email link.

7. Clone Phishing

A clone phishing email is a near-exact copy of a legitimate message the recipient already received, where the attacker has swapped the original link or attachment for a malicious version and added a short note like "updated link" or "resending per your request." Because the original message was real, the clone inherits the trust the recipient already granted.

• Red flags: A duplicate of a previously received email with a slightly different link. Sender address that doesn't exactly match the original. Language explaining why the message is being resent when no resend was expected.
• Verification step: Compare the URL in the new message against the original. Contact the sender through a separate channel to confirm they resent it.

8. QR Code Phishing (Quishing)

In QR code phishing, also called quishing, the email contains a QR code in place of a clickable URL.

Scanning the code on a personal phone can redirect the employee to a credential-harvesting page outside the organization's endpoint protection and network monitoring. QR-code phishing now appears regularly in enterprise phishing campaigns.

• Red flags: QR code in an email where a link would normally appear. The message claims the employee must scan the code to complete a compliance action, verify an account, or receive a payment. No alternative URL provided.
• Verification step: Navigate directly to the service through a browser rather than scanning QR codes embedded in an email for login or verification. Report the email to the security team and include the full email headers.

9. Fake System Alerts

The email mimics an internal IT or system notification, such as a security warning, a quota limit, a mailbox over capacity, or an MFA prompt, that pressures the recipient to click through and "resolve" the issue. The visual design closely replicates the real IT communications employees are used to seeing.

• Red flags: System alert pushing immediate action via an email link. Sender domain that differs from the organization's IT or SSO provider. Generic greeting paired with company-specific branding pulled from a public source.
• Verification step: Navigate directly to the relevant internal portal to check for any real alerts. Report the email to the security team rather than acting on it from the inbox.

10. Password Reset Phishing

Password reset phishing is a close version of fake system alerts and a common form of password reset fraud. The email claims that the employee's password has expired, that their account will be suspended, or that a security update requires immediate reauthentication. The link points to a fake SSO or login page that captures credentials.

• Red flags: Password reset request the employee didn't initiate. Link points to a domain that differs from the organization's SSO provider. They also use countdown language ("your account will be locked in 24 hours").
• Verification step: Navigate directly to the IT portal or SSO provider. If a real password reset is needed, the prompt will appear there. Report the email to the security team.

How to Use These Phishing Email Examples to Enrich Your Security Awareness Training Program

Many social engineering attacks still reach employees via email, and a single wrong click can authorize a wire transfer or hand over credentials. A security awareness training program teaches employees to recognize social engineering attacks, and the phishing email component is one of its highest-leverage pieces.

The 10 phishing email examples in this article can help you enrich the content of your security awareness training program by giving your team a working catalog of the variants they'll actually face. To get the most out of these phishing email examples, you need to take three strategic actions.

First, the phishing simulations and training scenarios should mirror the lures, brands, and pretexts attackers are using against your organization right now, rather than generic templates pulled off a shelf. The closer a simulation matches a real campaign, the more transferable the lesson is when a real message lands.

Second, the security awareness training should retire outdated detection heuristics. Grammar errors and misspellings no longer serve as reliable indicators of phishing, because AI-generated copy is too clean for that. Effective training shifts the focus to behavioral signals: unexpected requests, mismatched sender domains, urgency that discourages verification, and login pages reached through email links rather than bookmarks.

Third, the training program should require pre-stored, out-of-band verification for any high-risk action. An employee who calls back using a number from a suspicious email hasn't actually verified anything. Verification protocols for wire transfers, credential resets, and sensitive data requests should rely on pre-stored phone numbers, internal ticketing systems, or in-person confirmation, with contact details supplied by the message itself treated as untrusted.

Sharpen Your Employees' Ability to Spot Phishing Emails

Email filters, secure gateways, and DMARC enforcement strip out much of the malicious mail, but some phishing emails will still get past even the strongest technical controls. The ones that slip through are, by design, the hardest to distinguish from legitimate messages, and from that point on, the outcome rests on the employee reading it.

That's where Human Risk Management capability comes in. Doppel is a Social Engineering Defense platform that combines Digital Risk Protection with Human Risk Management, turning the impersonation campaigns Doppel detects in the wild into the training materials that help your employees spot emerging attacks.

When Doppel detects a phishing campaign targeting your brand, the Doppel Threat Graph connects the lure, landing page, and infrastructure pattern into a single campaign view. From there, Doppel dismantles the attacker infrastructure and turns the defanged campaign into a safe internal exercise with one-click threat-to-simulation conversion.

Doppel's Recon AI Agents extend that realism further by ingesting public signals about your organization, including job postings, partnership announcements, executive interviews, and 10-K filings, then weaving that context into simulation templates from day one. Vibe Phishing closes the production-cost gap with attackers: a security team member types a short prompt like "Okta two-factor login update" or pastes an internal SSO URL, and Doppel's agents generate the message, a hyper-realistic cloned landing page, and a role-specific coaching plan in 15 to 25 seconds.

Doppel Simulation extends the same approach across email, voice, SMS, Microsoft Teams, Zoom, Telegram, and WhatsApp, with content that adapts in real time. Each employee carries a personal risk profile, with click rates, response speed, data submission rates, and per-channel behavior synthesized into a written explanation of what drives their risk and what to test next. People who frequently fail receive automatic reinforcement, and SIEM and IDP integrations trigger just-in-time training when an employee clicks a flagged URL or attempts a risky login in production. The goal is to ensure that the lesson arrives at the moment the behavior happens, not on the next quarterly cycle.

Preview Doppel Simulation to see how Doppel's phishing simulation works, or request a demo to see how Doppel's threat-to-simulation loop works across every channel.