Threat Examples and Phishing Scams

Explore realistic examples of phishing attacks across 7 categories. Every example is educational and uses a safe placeholder domain — no actual malicious links are shown. Use these to recognize the tactics attackers use in the wild.

Educational use only. All domain names shown are fictional placeholders. Never copy or visit domains from phishing examples.

Showing 21 examples

Very High Risk | SMS | Delivery Scam

Fake Royal Mail Redelivery Fee

What you see

Royal Mail: Your parcel (RM789012UK) could not be delivered. Pay the £1.99 redelivery fee to reschedule delivery: royal-mail-redeliver.example-phishing-domain.com

Why this is suspicious
  • Royal Mail never charges redelivery fees through SMS links.
  • The domain royal-mail-redeliver.example-phishing-domain.com is not royalmail.com.
  • A small fee is used deliberately to lower your guard — entering card details exposes your full payment information.
  • The tracking number looks realistic but has no real meaning here.
Very High Risk | SMS | Delivery Scam

DHL Customs Fee Demand

What you see

DHL Express: Your parcel is being held due to an outstanding customs clearance fee of £2.40. Pay now to avoid return to sender: dhl-customs-uk.example-phishing-domain.com

Why this is suspicious
  • DHL communicates customs fees through official channels, not random SMS links.
  • The domain is not dhl.com — it uses 'dhl' in the subdomain to appear legitimate.
  • Entering card details to pay a small customs fee gives attackers your complete payment information.
High Risk | Email | Delivery Scam

Amazon Order Verification Scam

What you see

There is a problem with your recent Amazon order (#113-2847291-3827465). Please verify your delivery address within 24 hours to avoid cancellation: amazon-order-verify.example-phishing-domain.com

Why this is suspicious
  • Legitimate Amazon order communications link only to amazon.com or amazon.co.uk.
  • The 24-hour deadline is a pressure tactic designed to make you act before thinking.
  • Amazon never asks you to verify an address through a non-Amazon domain.
Very High Risk | Email | Brand Impersonation

PayPal Account Limited — Typosquat Sender

What you see

From: PayPal Security <noreply@paypa1.example-phishing-domain.com>
Your PayPal account has been limited due to unusual activity. Verify your identity within 24 hours to restore full access.

Why this is suspicious
  • The sender domain paypa1.example-phishing-domain.com uses the number "1" instead of the letter "l" — this is typosquatting.
  • All genuine PayPal emails originate from @paypal.com.
  • "Account limited" is one of the most common pressure phrases in PayPal impersonation attacks.
High Risk | Email | Brand Impersonation

Microsoft 365 Subscription Expiry

What you see

Your Microsoft 365 subscription expires in 3 days. Your files, email, and applications will become inaccessible. Renew now: microsoft-365-renew.example-phishing-domain.com

Why this is suspicious
  • Microsoft subscription renewals always link to microsoft.com or microsoft365.com — never to external domains.
  • The link places "microsoft-365" in the subdomain to appear official, but the actual domain is not Microsoft's.
  • Microsoft sends renewal notices through the admin portal at admin.microsoft.com, not through unsolicited emails with external links.
Very High Risk | Email | Brand Impersonation

Apple ID Locked — Subdomain Impersonation

What you see

Your Apple ID has been locked after multiple failed sign-in attempts from an unrecognised device. Unlock your account immediately: appleid-verify.example-phishing-domain.com

Why this is suspicious
  • Apple ID management is handled exclusively at appleid.apple.com — no other domain is legitimate.
  • The subdomain appleid-verify is designed to look official at a glance but belongs to an unrelated domain.
  • "Failed sign-in attempts you did not make" is a fear tactic designed to make you act immediately without reading carefully.
Very High Risk | QR Code | QR Scam

Fake Parking Enforcement QR Code

What you see

QR code on a windscreen penalty notice → parking-fine-payment.example-phishing-domain.com
"Scan to pay your Penalty Charge Notice. Unpaid fines attract an additional 50% surcharge."

Why this is suspicious
  • Legitimate parking enforcement authorities use council-registered portals or gov.uk payment pages — not generic external domains.
  • QR code stickers are commonly placed over real codes on parking notices in public car parks.
  • The surcharge threat creates urgency that discourages checking whether the domain is legitimate.
High Risk | QR Code | QR Scam

Tampered Restaurant Menu QR Code

What you see

QR code sticker on a restaurant table → restaurant-order.example-phishing-domain.com/login
"Sign in to view the menu and place your order."

Why this is suspicious
  • Restaurant menus never require a login — any QR code that leads to a sign-in page is almost certainly malicious.
  • Attackers place sticker QR codes over legitimate restaurant codes; the replacement is often undetectable.
  • The /login path is a clear red flag — there is no legitimate reason for a menu to require credentials.
Very High Risk | QR Code | QR Scam

Email QR Code Bypassing Security Scanners

What you see

Email body (claiming to be from Microsoft): "For additional security, we have disabled the login link. Please scan the QR code below to verify your Microsoft account identity."
[QR image] → microsoft-account-verify.example-phishing-domain.com

Why this is suspicious
  • QR codes in emails are specifically designed to bypass email security scanners that inspect links but cannot read embedded images.
  • Microsoft account verification never requires scanning a QR code sent in an unsolicited email.
  • The destination domain is not microsoft.com or any recognized Microsoft property.
High Risk | Email | Email Phishing

Fake Invoice from Unknown Sender

What you see

Subject: Invoice INV-2024-8821 — Payment Required
Please find your invoice attached for services rendered. Confirm payment or dispute this invoice at: invoice-portal.example-phishing-domain.com
Amount due: £1,240.00. Due date: 3 days.

Why this is suspicious
  • Legitimate invoices come from known business contacts with verifiable company domains — not external payment portals.
  • An unexpected invoice demanding payment within 3 days is a common Business Email Compromise (BEC) tactic.
  • Entering payment details or login credentials on the portal would hand full financial access to the attacker.
Very High Risk | Email | Email Phishing

HR Payroll Update — Internal Impersonation

What you see

From: HR Department <hr-payroll@example-phishing-domain.com>
Dear Team Member,
We are migrating to a new payroll system. Please update your bank details by end of day: payroll-update.example-phishing-domain.com

Why this is suspicious
  • HR departments update payroll details through internal, verified systems — never through external links sent via email.
  • The "end of day" deadline creates artificial urgency typical of social engineering attacks.
  • Entering your bank details on the page would redirect your salary payments to an attacker-controlled account.
High Risk | Email | Email Phishing

Unsolicited Password Reset Link

What you see

Subject: Password Reset Request
Someone requested a password reset for your account. If this was you, click here to set a new password: account-reset.example-phishing-domain.com
If you did not request this, you can safely ignore this email.

Why this is suspicious
  • A genuine password reset link comes from the service's own domain — not from an unrelated external site.
  • "If you did not request this, ignore this email" is designed to stop you inspecting the link carefully.
  • Clicking the link leads to a fake login page that captures your current credentials under the pretence of resetting them.
Very High Risk | SMS | SMS Phishing

Bank Suspicious Activity Alert

What you see

HSBC: Suspicious activity has been detected on your account ending in 4821. Your card has been temporarily suspended. Verify your identity immediately: hsbc-secure-verify.example-phishing-domain.com

Why this is suspicious
  • Banks contact customers about account issues through their official app, the phone number on the back of your card, or a letter — never through SMS links.
  • The domain hsbc-secure-verify.example-phishing-domain.com is not hsbc.co.uk or any HSBC-owned domain.
  • "Suspended card" is a high-pressure tactic designed to trigger immediate action without critical thought.
High Risk | SMS | SMS Phishing

Prize Winner Notification

What you see

Congratulations! You have been selected to receive a £500 Amazon gift card as part of our customer loyalty programme. Claim your reward within 24 hours: amazon-loyalty-reward.example-phishing-domain.com/claim

Why this is suspicious
  • Amazon does not send unexpected prize notifications via SMS with external links.
  • The 24-hour expiry is a classic urgency tactic to prevent you from verifying the offer.
  • The claim page will request personal information or a small "processing fee" to harvest your details.
High Risk | SMS | SMS Phishing

Account Verification or Suspension Threat

What you see

Your account has been suspended due to a failed security check. Your access will be permanently revoked in 12 hours unless you verify your identity: account-verify-now.example-phishing-domain.com

Why this is suspicious
  • No specific brand is named — the message relies on generic account fear to prompt action from as many recipients as possible.
  • "Permanently revoked in 12 hours" is a fabricated deadline intended to create panic.
  • Legitimate services never suspend accounts based on security checks communicated via anonymous SMS links.
Very High Risk | SMS | Government Scam

HMRC Tax Refund Notification

What you see

HMRC: Following a review of your tax payments, you are owed a refund of £312.40 for the tax year 2023-24. To claim your refund, complete the short form: hmrc-refund-claim.example-phishing-domain.com

Why this is suspicious
  • HMRC processes tax refunds automatically and pays them directly into your bank account — you never need to "claim" one through a link.
  • HMRC does not send refund notifications via SMS with external links.
  • The specific refund amount is included to make the message appear credible and personalised.
High Risk | Email | Government Scam

DVLA Driving Licence Renewal

What you see

Subject: DVLA — Your Driving Licence Renewal is Due
Your driving licence expires on 14 March 2025. Complete your renewal and pay the £14 fee online: dvla-licence-renew.example-phishing-domain.com

Why this is suspicious
  • DVLA sends driving licence renewal reminders by post — not by email with external payment links.
  • Driving licence renewal is processed exclusively through gov.uk/renew-driving-licence.
  • The fake portal collects your personal details, driving licence number, and payment information.
Very High Risk | SMS | Government Scam

Universal Credit Payment Suspended

What you see

DWP: Your Universal Credit payment has been suspended due to incomplete verification information. Update your details within 48 hours to avoid losing your payment: dwp-uc-update.example-phishing-domain.com

Why this is suspicious
  • DWP communicates with Universal Credit claimants through the official UC journal — not via SMS with external links.
  • "Suspended payment" creates extreme financial anxiety to force immediate action.
  • The fake portal is designed to harvest National Insurance numbers, bank account details, and personal information.
Very High Risk | Download | Malware Delivery

Invoice PDF with Hidden .exe Extension

What you see

Email attachment: Invoice_2024-3371.pdf.exe
"Please find your invoice attached for immediate payment. Total due: £4,850.00. Contact us if you have any queries."

Why this is suspicious
  • The file is named to look like a PDF invoice but the actual extension is .exe — an executable program, not a document.
  • Double extensions are used to disguise malware as legitimate files; Windows hides known extensions by default, making .pdf.exe appear as .pdf.
  • Running this file gives the attacker full remote control of your device.
Very High Risk | Link | Malware Delivery

Fake Browser Security Update

What you see

"Your browser is critically out of date and your connection is not secure. An immediate update is required to continue browsing safely."
[Download Update Now] → browser-security-update.example-phishing-domain.com/ChromeSetup.exe

Why this is suspicious
  • Browser updates are delivered automatically through the browser itself — never through a website popup or an unsolicited link.
  • The link downloads a .exe file, not a real browser installer.
  • "Critically out of date" and "not secure" are scare phrases designed to override your caution.
High Risk | Download | Malware Delivery

Malicious ZIP in Job Application

What you see

Email subject: Application for Senior Developer Role
"Dear Hiring Manager, please find my CV and portfolio attached."
Attachment: CV_Portfolio_JohnSmith_2024.zip

Why this is suspicious
  • Professional CVs are submitted as PDF or Word documents — a ZIP archive from an unknown sender is a red flag.
  • ZIP and RAR archives can contain executable files disguised with document icons.
  • Opening the archive and running any file inside — even something named "CV.pdf" — may silently install malware.

Frequently Asked Questions

Are these real phishing examples?

These examples are based on real attack patterns but all domain names have been replaced with a safe placeholder (example-phishing-domain.com). No actual malicious URLs are shown. The tactics, message text, and psychological techniques reflect patterns seen in real-world attacks.

How do QR code scams work?

Attackers replace legitimate QR codes (on parking meters, restaurant tables, or printed materials) with sticker QR codes that redirect to malicious sites. They also embed QR codes in phishing emails specifically to bypass email security scanners that check links but cannot read images.

Why do delivery scams always ask for a small fee?

A small fee (£1.99, £2.40) is used deliberately to make the scam feel low-risk and plausible. But the goal is not the £2 — it is your payment card details. Once you enter them, attackers can use them for much larger fraudulent transactions.

How can I tell a phishing SMS from a real one?

Genuine SMS messages from banks, couriers, and government agencies never ask you to click a link to enter payment details or login credentials. If you receive an unexpected message requiring immediate action, go directly to the organization's official website by typing the address yourself — never through the link provided.

What makes a domain look legitimate at first glance?

Attackers use several tricks: placing a brand name in the subdomain (paypal.example-phishing-domain.com), swapping letters for similar-looking characters (paypa1.com using '1' instead of 'l'), adding security-sounding words (secure, verify, account), or using the brand name as part of a longer domain (paypal-secure-verify.com).
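
The four tricks listed above, turned into a defensive check (an added example, not code from this site or its analyzer): it extracts the registrable domain and reports brand names, digit-for-letter lookalikes and lure words that appear outside a brand's own domain. The suffix set, the brand allowlist and every digit swap other than 1 for l are assumptions made for this sketch.

```python
from urllib.parse import urlsplit

# Assumptions of this sketch: a three-entry suffix set stands in for the full
# Public Suffix List, and the allowlist holds only domains named on this page.
MULTI_SUFFIXES = {"co.uk", "gov.uk", "org.uk"}
BRANDS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
    "hsbc": {"hsbc.co.uk"},
    "dhl": {"dhl.com"},
    "royalmail": {"royalmail.com"},
}
LURE_WORDS = {"secure", "verify", "account"}  # the words the FAQ lists
# Digit-for-letter swaps; only 1 -> l is on the page, the rest are assumed.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def split_host(host):
    """Return (registrable domain, subdomain labels) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_SUFFIXES else 2
    return ".".join(labels[-n:]), labels[:-n]


def analyze(target):
    """Return sorted findings for a URL, bare hostname or e-mail address."""
    host = urlsplit(target if "//" in target else "//" + target).hostname or ""
    domain, subs = split_host(host)
    if any(domain in legit for legit in BRANDS.values()):
        return []  # the brand's own registrable domain
    own = domain.split(".")[0]
    findings = set()
    for where, label in [("subdomain", s) for s in subs] + [("domain", own)]:
        squashed = label.replace("-", "")  # so royal-mail matches royalmail
        for brand in BRANDS:
            if brand in squashed:
                findings.add(f"brand-in-{where}:{brand}")
            elif brand in squashed.translate(LOOKALIKES):
                findings.add(f"lookalike-in-{where}:{brand}")
        findings.update(f"lure-word:{t}" for t in label.split("-") if t in LURE_WORDS)
    return sorted(findings)
```

Substring matching also flags unrelated names that happen to contain a brand string, so treat a finding as a reason to look closer at the registrable domain, not as a verdict.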

What should I do if I have already clicked a suspicious link?

Do not enter any information on the page. Close the tab immediately. If you entered credentials, change those passwords right away and enable two-factor authentication. If you entered payment details, contact your bank immediately to report potential fraud. Run a malware scan if you downloaded any files.

How do I use the 2check.click analyzer on a suspicious message?

Copy the URL or message and paste it into the analyzer on the home page. For messages, you can paste the full text — the analyzer will extract and check any links automatically while also analyzing the message language for scam patterns.
