The "CEO needs gift cards" play
The original, and still the most common. The attacker scrapes your team page for the CEO's name, then sends a panicked note from a near-identical Gmail address asking the office manager to buy Amazon gift cards "for a client gift." The tells: it usually lands late in the day (4–6 PM is typical), when the CEO is least likely to be reachable and the recipient most likely to rush; the sender domain is wrong even when the display name is right; and there is always a reason the CEO can't take a phone call. Replying to the email proves nothing, because the reply goes straight back to the attacker. The fix: every wire and gift-card request gets a call-back to a number you already have for that person. No exceptions.
The fake invoice from a real vendor
A vendor you actually use sends an invoice, except they don't: the attacker has compromised the vendor's mailbox and sent a real-looking PDF with new bank routing details. Because the message genuinely comes from the vendor's domain and often lands inside an existing thread, SPF/DKIM checks pass and your spam filter will not save you. The tells: the routing number differs from last month's, the signature block is slightly off, and there is urgency about a "new ACH system." The fix: any change to a vendor's payment details is confirmed by calling a number you already have on file, never one taken from the email or the invoice, and the new details are not used until that call has happened.
The DocuSign / Microsoft login lure
A "shared document" notification that looks exactly like a real DocuSign or M365 message. Click the link and you land on a pixel-perfect login page that quietly captures your credentials; the newer kits proxy the real login page, so they also relay your one-time MFA code and keep the resulting session. The tells: the address bar shows a domain that is not a DocuSign or Microsoft domain, the sender is a vaguely familiar name with an unfamiliar address, and the document title is generic ("Q4 Plan.pdf"). The fix: never log in via an email link. Open Outlook, M365, or DocuSign from a bookmark or by typing the address yourself, and where you can, move to phishing-resistant MFA (FIDO2 security keys or passkeys), which will not hand a credential to a lookalike domain.
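The two tells that can be checked mechanically are the ones in the gift-card play (an executive's display name on an address that is not the company's) and the login lure (a message that names DocuSign or Microsoft but links somewhere else). The script below is an added example, not code from the original page: it parses a handful of constructed sample messages with Python's standard `email` module and flags both patterns. The corporate domain `acmecorp.com`, the executive names, and the sample messages are all assumed for illustration.

```python
"""Added triage checks for the gift-card play and the login lure.
acmecorp.com, the executive list and the sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "acmecorp.com"                 # assumed corporate domain
EXECUTIVES = {"jane doe", "sam patel"}      # assumed names from the team page
# Hosts that legitimately serve login pages for the brands the lure imitates.
BRAND_HOSTS = {
    "docusign": {"docusign.com", "docusign.net"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def edit_distance(a, b):
    """Levenshtein distance, used to spot 'acrnecorp.com'-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a hostname: fine for .com, wrong for ccTLDs like .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_sender(msg):
    """Display name is a known executive but the address is not ours."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain or domain == CORP_DOMAIN:
        return []
    lookalike = edit_distance(domain, CORP_DOMAIN) <= 2
    if name.strip().lower() in EXECUTIVES:
        kind = "lookalike" if lookalike else "external"
        return [f"exec-impersonation: '{name}' from {kind} domain {domain}"]
    if lookalike:
        return [f"lookalike-domain: {domain} resembles {CORP_DOMAIN}"]
    return []


def check_links(msg):
    """Message names a brand but its links go to a domain that brand does not use."""
    text = body_text(msg)
    brands = [b for b in BRAND_HOSTS if b in text.lower()]
    if not brands:
        return []
    allowed = set().union(*(BRAND_HOSTS[b] for b in brands))
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable(host) not in allowed:
            findings.append(f"brand-mismatch: mentions {'/'.join(brands)} but links to {host}")
    return findings


def triage(raw_message):
    """Run both checks on one RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    return check_sender(msg) + check_links(msg)


# Constructed messages modelled on the lures described above.
SAMPLES = {
    "gift_cards": """From: Jane Doe <jane.doe.acmecorp@gmail.com>
To: office@acmecorp.com
Subject: Quick favor

Are you at your desk? I need five Amazon cards for a client gift, can't talk now.
""",
    "lookalike": """From: Sam Patel <sam.patel@acrnecorp.com>
To: office@acmecorp.com
Subject: Wire today

Please send the wire before 5, I'm in meetings all afternoon.
""",
    "docusign_lure": """From: Shared Documents <notify@acme-docs-share.net>
To: staff@acmecorp.com
Subject: Q4 Plan.pdf
Content-Type: text/html

<p>You have a DocuSign document. <a href="https://login.acmec0rp-secure.com/sign">Review</a></p>
""",
    "legit_docusign": """From: DocuSign <dse@docusign.net>
To: staff@acmecorp.com
Subject: Completed: Vendor agreement

Your document is ready via DocuSign: https://app.docusign.com/documents/details/abc
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", triage(raw) or ["clean"])
```

Two caveats on the design: an edit distance of two against a single corporate domain is a crude lookalike test (it misses homoglyph tricks and will not scale to a long domain list), and `registrable()` only understands two-label names, so a public-suffix list is needed before running this on real mail. Neither check replaces the phone call; they only decide which messages are worth one.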
