A phishing email is a fraudulent message that impersonates a trusted organisation, such as a bank, a courier, a colleague, or a government agency, to trick you into revealing passwords, card numbers, or other sensitive data, or into clicking a malicious link. It usually creates urgency ("your account will be suspended") and copies real logos and layouts, so a genuine-looking email is exactly what makes phishing dangerous. At SiberMate, we see the same handful of patterns hit Malaysian inboxes over and over: fake bank verifications, "Apple ID locked" alerts, parcel-delivery fees, and CEO wire-transfer requests.
Recognising those patterns early is the single most useful defence. The human element featured in 68% of all breaches analysed in the Verizon 2024 Data Breach Investigations Report, and the median time for someone to fall for a phishing email was under 60 seconds. In Malaysia the pressure is just as real: phishing made up 73% of all fraud incidents reported to CyberSecurity Malaysia's Cyber999 centre in Q4 2024. This guide breaks down the common types of phishing emails, real example patterns with their red flags, and the exact steps to identify and report them.
Read: What is Phishing and How to Avoid It
A phishing email is a form of online fraud that uses email to obtain sensitive information such as passwords, credit card details, or login credentials. These messages masquerade as official emails from trusted organisations (banks, service providers, courier companies, or coworkers) and push the reader to act quickly before they think.
Phishing emails are built to look authentic. They copy real logos, formal language, and a layout that mimics the genuine sender, then exploit urgency or trust to deceive the target. A message might warn of "suspicious activity on your account" or dangle an attractive prize. If it works, the result can be identity theft, financial loss, or a breach of a company's systems. According to the Anti-Phishing Working Group (APWG), more than one million phishing attacks were recorded in the first quarter of 2025 alone, the highest quarterly total since 2023, which shows how routine this threat has become.
Phishing emails come in several forms, each using different techniques and targeting different audiences. Knowing the type helps you gauge how personalised (and therefore how convincing) an attack is likely to be. Below are the phishing email types you are most likely to meet.
This technique sends mass emails through automated systems to as many people as possible. The messages are generic but plausible: a prize offer, or a warning that "your account needs attention." It is not aimed at any one person, so it relies on volume rather than accuracy.
Spear phishing targets a specific individual using real details such as their name, job title, or employer. Because the message is tailored, it is far harder to spot. Attackers usually research the target first so the email feels personal and trustworthy.
Whaling targets senior executives such as a CEO or CFO. The messages are formal and urgent, and they exploit the victim's authority, for example a fake instruction to approve a payment. Because the target holds real power, a successful whaling attack can cause large losses.
Here an attacker redirects the victim to a fake website that looks identical to the real one, even when the correct address was typed. It is often done by manipulating DNS or planting malware on the device. Victims rarely notice the switch because the counterfeit page mirrors the original.
These emails carry links that look safe but lead to malicious pages designed to harvest passwords or card details. The visible text may show a familiar domain while the underlying URL points somewhere else entirely.
The threats from all of these are serious, hitting individuals and organisations alike with financial loss, data leaks, and reputational damage. Attack methods keep evolving, so understanding how each type works is the practical starting point for defending against them.
Read: Key Factors Why Employees Are Unaware of Phishing Attacks
Phishing emails are designed to look convincing, but each common pattern carries tell-tale signs. Here are the example patterns SiberMate sees most often in Malaysian inboxes, with the red flags that give each one away.
You receive an email claiming your Apple ID, Google account, or Microsoft account has been "locked" or "suspended" and must be verified within 24 hours. A button links to a fake login page that captures your credentials. Red flags: a sender address that is not the official domain, a countdown or deadline, and a login link that does not start with the real service's URL when you hover over it.
An email that appears to come from Maybank, CIMB, or another bank asks you to "verify" or "reactivate" your account and threatens to freeze it if you do not act. In Malaysia this is the single most common theme: Cyber999 recorded 810 phishing reports in Q4 2024, most impersonating banks and e-wallets. Red flags: a request for your full password or TAC/OTP (real banks never ask for these by email), and a link to a look-alike domain such as maybank-verify.com instead of the official site.
A message impersonating your CEO, manager, or a supplier asks the finance team to make an urgent payment or change bank account details, often marked "confidential." This is business email compromise, a form of whaling. Red flags: urgency plus secrecy, a reply-to address that differs from the display name, and a payment instruction that bypasses normal approval steps.
You get an email or SMS from "Pos Malaysia," "J&T," or a customs office saying a parcel is held and a small fee must be paid to release it. The link leads to a fake payment page that steals card details. Red flags: a delivery you were not expecting, a tiny "fee" designed to seem harmless, and a payment link on an unfamiliar domain.
Each example shows how scammers dress fraud in familiar branding. The habit that protects you is the same every time: pause, check the sender's real address, and verify through an official channel before you click.
Recognising a phishing email is a skill you can learn, and it is the cheapest security control you have. Watch for these signs.
Look closely at the sender's address, not just the display name. Phishing often uses a domain that resembles a legitimate one with a small change, such as a swapped letter, an extra word, or a different suffix. Unusual grammar or spelling errors are another common giveaway, because attackers frequently rely on machine translation.
Hover your cursor over any link (without clicking) to reveal the real URL. A link that reads like an official address can hide a completely different destination, sometimes with a single character replaced by a number or symbol. If in doubt, type the official web address directly into your browser instead of clicking.
Unexpected attachments can carry malware, so avoid opening files from unknown or suspicious senders. Treat any email that pressures you to act immediately, or that asks for a password, OTP, or card number, as suspect. Legitimate organisations do not request those details by email.
Reducing phishing risk takes a mix of awareness, habits, and technology. These steps make the biggest difference.
Since the human element sits behind most breaches, regular security awareness training is the highest-leverage fix. Teach staff to spot the red flags above (suspicious senders, urgent language, mismatched links) and reinforce it with realistic phishing simulations. This is exactly what SiberMate's platform is built to do: run safe simulated phishing campaigns and turn each result into targeted coaching.
Keep spam filters, email authentication, and antivirus software up to date so most malicious messages are blocked before they reach an inbox. Enable multi-factor authentication (MFA) everywhere it is supported, so a stolen password alone is not enough to break in.
Never respond to an email requesting sensitive data without confirming it through a separate, trusted channel. Call the sender on an official number or visit the organisation's real website. This one habit defeats most bank, CEO, and courier scams.
Check the sender's full email address for look-alike domains, hover over links to see where they actually lead, and treat any urgent request for passwords, OTPs, or payment as a red flag. Legitimate banks and services never ask for those details by email.
A typical phishing email impersonates a trusted brand, often a bank, Apple, or a courier, and warns of a problem ("account locked," "parcel held") that must be fixed immediately by clicking a link and entering your details on a fake page.
The 2016 email that compromised a US presidential campaign chairman's account is a well-known case: a fake "Google security alert" tricked him into entering his password on a counterfeit login page, the same account-verification pattern still used today.
Report it to CyberSecurity Malaysia's Cyber999 centre (cyber999@cybersecurity.my or the Cyber999 hotline), and forward emails impersonating your bank to that bank's official fraud line. Reporting helps authorities track and take down phishing campaigns.
Phishing works because it looks ordinary and moves fast, but the same few patterns show up again and again. Learn the types, memorise the red flags for bank, Apple, CEO, and parcel scams, verify through official channels, and report anything suspicious to Cyber999. For organisations, turning that awareness into a lasting habit through training and realistic simulations is what keeps one careless click from becoming a breach.