High riskEmail Scams

Email Thread Hijacking Scam

This scam happens when attackers who have compromised a contact's mailbox reply within a real, existing email thread, using the genuine history to make a malicious link or attachment look trustworthy because it continues a conversation you recognise.

Quick verdict

Risk level
High risk
Scam type
Reply-chain phishing scam
Main red flag
A reply in a familiar thread that suddenly adds an unexpected link or attachment.
What to do first
Do not open the link or attachment. Verify with the sender through a separate, known channel before acting.

What this scam usually looks like

This scam happens when attackers who have compromised a contact's mailbox reply within a real, existing email thread, using the genuine history to make a malicious link or attachment look trustworthy because it continues a conversation you recognise.

Example message pattern

Example pattern — not a real report
Example pattern: 'Re: Project update — Thanks for the notes. Please see the revised document attached and let me know your thoughts: [unfamiliar link]'

This is a fictional, anonymised example used to illustrate the pattern. It is not a verified real message, and any names are used only to show how the scam typically reads.

Red flags to watch for

  • An unexpected link or attachment appearing in a thread that was previously normal
  • A reply that feels slightly off in tone, timing or wording compared with the real contact
  • A request to log in to view a file, or to enable content in an attachment
  • A sender address that looks almost right but has small differences on close inspection
  • Pressure to open or act quickly within an otherwise familiar conversation

What to do

  • Do not open the link or attachment without verifying it first
  • Confirm with the contact through a separate, known channel such as a phone call
  • Check the sender's full email address carefully for subtle changes
  • Report the message to your IT or security team and avoid forwarding it

If you already clicked or replied

  • Do not enter any credentials or enable content if prompted
  • Disconnect the device from the network if you ran an attachment, and run a security scan
  • Change passwords for any account you may have exposed, from a trusted device
  • Report it to your IT or security team so they can check for further compromise

What not to do

  • Do not assume a reply is safe just because the thread is real
  • Do not enter your login on a page reached through the email
  • Do not enable macros or 'protected content' in an unexpected attachment

Similar scams

High risk Email

Malware Attachment Scam

In a malware attachment scam, an email arrives with a file posing as an invoice, receipt, CV, statement or delivery note. Opening the attachment, or clicking a prompt to 'enable content' or 'enable macros', can quietly install malware that steals passwords, banking logins or files. The message is often crafted to feel urgent or routine so you act before thinking. Treating every unexpected attachment with caution, and verifying it through a separate channel, is one of the most effective defences.
Medium risk Email

Fake Invoice Email Scam

This scam emails an invoice or receipt for something you did not buy, hoping you call a fake 'support' number or click a link to dispute it.
High risk Email

CEO Fraud Scam

CEO fraud, a form of business email compromise, involves a scammer pretending to be a senior leader and pressuring an employee to move money or buy gift cards quickly and quietly. The email often mimics the executive's name and writing style, claims they are busy or travelling, and stresses secrecy. Because it exploits authority and urgency, even careful staff can be caught out. Slowing down and verifying any unusual payment request through a known channel is the most reliable defence.

Frequently asked questions

How can the scammer reply inside a real conversation?
They usually gain access to a contact's mailbox, then reply within an existing thread. Because the history is genuine, the message looks trustworthy, which is what makes this pattern effective.
If the email comes from someone I know, is it safe?
Not always. A trusted contact's account can be compromised, so an unexpected link or attachment in a familiar thread is still worth verifying through a separate channel first.
How do I verify without tipping off the attacker?
Reach the person through a different, known channel such as a phone call or a fresh message, rather than replying in the same thread, which the attacker may be monitoring.
I opened the attachment. What should I do?
Disconnect from the network, run a security scan, change exposed passwords from a trusted device, and tell your IT or security team so they can check for any further compromise.

Last reviewed: June 2026

Disclaimer: This page provides educational information only to help you recognise common scam patterns. It is not legal, financial, cybersecurity, or law enforcement advice, and it does not confirm whether any specific message, company, or person is genuine or fraudulent. When in doubt, contact the official organisation directly and report concerns to your local authorities.