An email lands in your inbox with the subject “EMAIL ON HOLD” or something similar. Its design looks clean, it claims there are 13 pending messages, and a large button urges you to “View Pending Emails.” The language is urgent: read and respond promptly. Your heart skips because one of those messages might be an invoice, a bank notice, or a work update. You click — and suddenly you’ve handed your login credentials to attackers.
This scenario is not hypothetical. The “Email On Hold” phishing campaign is one of many increasingly convincing scams that prey on urgency and trust. This article gives a complete breakdown of the scam: an in-depth overview, a step-by-step explanation of how it works, exact actions to take if you were targeted or compromised, and practical prevention strategies to keep your accounts safe. Read on quickly but carefully, because speed matters if your credentials have already been exposed.
Scam Overview
The “Email On Hold” scam is a phishing campaign that impersonates email service notifications to trick recipients into disclosing login credentials. It uses the appearance and tone of administrative mail — a subject line formatted like an automated system alert, a clean layout with a prominent call-to-action button, and a small table listing alleged pending messages — to appear legitimate. The message claims that several messages were not delivered to the inbox and are currently pending or held for review. The recipient is urged to click a button such as “View Pending Emails” or “Deliver Messages to Inbox” to release those messages.
Phishers choose this framing for several reasons:
High perceived urgency. Users worry about missing invoices, payment confirmations, job offers, or other time-sensitive correspondence.
Low suspicion. The email mimics the look and language of common system alerts and often includes typical elements such as timestamps, a recipient field, and a professional footer that mentions a webmail product (e.g., Roundcube) or a corporate-sounding legal line.
Broad applicability. The concept of “pending” or “on hold” messages applies to nearly all email users, so the campaign scales easily.
Attackers use one or more of the following delivery methods for this scam:
Mass phishing campaigns sent from disposable or compromised mail servers.
Spoofing the display name so it resembles a legitimate service while the underlying sending domain is fake.
Targeted phishing against specific organizations (spear-phishing), where subject lines and content are tailored to increase credibility.
The core objective is credential harvesting. The “View Pending Emails” button takes the target to a fake login page. That page is designed to look like the victim’s email provider or a generic webmail login. When the user types a username and password, the data is captured and transmitted to the attacker. In more sophisticated variants, the fake page may also request multi-factor authentication (MFA) codes or redirect to a second page instructing the user to verify identity using an SMS code — a trick to capture one-time passcodes or to prompt users into disabling MFA.
Once attackers have the credentials, they may:
Log into the victim’s email account to harvest sensitive messages or attachments.
Reset passwords on services that use email-based password recovery.
Send further phishing emails from a trusted address to that user’s contacts (amplifying the attack).
Use the account for financial fraud, business email compromise (BEC), or identity theft.
Sell credentials on dark web markets.
Although the initial email often includes fabricated details to enhance credibility (number of unread messages, timestamps, subject labels), all claims are false. No legitimate email provider will ask users to click a link in an unsolicited email to recover or release messages under threat of service interruption. This scam leverages the human factors of hurry, worry, and reliance on email for critical communication.
How the Scam Works — Step-by-Step (Detailed)
Below is a granular, step-by-step walkthrough of how an attacker creates and operationalizes an “Email On Hold” phishing campaign. Understanding each stage helps you spot signs of a scam and respond quickly if targeted.
Step 1 — Preparation and Infrastructure
Attackers prepare by setting up the infrastructure needed to send convincing phishing emails and to receive stolen credentials. This includes:
Phishing domains: Attackers register domain names that look similar to common email providers (for example, using subtle typos or extra words) or they host landing pages on compromised websites that evade easy detection.
Email servers: They use misconfigured SMTP relays, disposable VPS hosts, or compromised mail servers to send large volumes of mail.
Phishing kits and templates: Ready-made phishing kits, commonly available in cybercriminal markets, provide the HTML templates and backend scripts for capturing credentials. The kits often include responsive, mobile-friendly designs to mimic popular webmail UIs.
Tracking mechanisms: Attackers often include unique tracking tokens in each email so they can monitor which messages were opened and which victims clicked the links.
Step 2 — Crafting the Email
The phisher crafts the email with the following elements:
Subject: Variations include “EMAIL ONHOLD,” “Email On Hold,” “Incoming Mail On Hold,” or “ALERT: EMAILS PENDING.” This text is intended to trigger immediate concern.
Header/Timestamp: A line like “Notifications 7:13 PM / Pending / September 28, 2025” is inserted to look like a system log.
Prominent title: An on-email banner reading “EMAIL ONHOLD” or “Email On Hold” gives a corporate notification look.
Table of pending messages: A small table lists unread messages (e.g., “Unread Messages: 13 pending messages,” “Latest: Saturday, 28/09/2025 | 7:13:59 PM”) and a blurred or redacted “Recipient” field. The table mimics legitimate quarantine or spam folder summaries.
Call to action: A large button — “View Pending Emails” — in green or blue is placed centrally to attract clicks.
Footer copy: A formal footer mentioning a webmail vendor, copyright, or privacy notice adds perceived legitimacy.
Step 3 — Delivery
The email is delivered to recipients in bulk or targeted subsets. Delivery tactics may include:
Spray-and-pray: Thousands to millions of emails sent broadly to hit as many inboxes as possible.
Targeted lists: Attackers purchase or compile lists of email addresses, sometimes from data breaches, to increase hit rates.
Compromising accounts: If attackers have access to compromised corporate mailboxes, they can send the phishing messages from trusted internal addresses — a highly effective but dangerous method.
Step 4 — The Click: Redirect to Phishing Landing Page
When a recipient clicks the button, they are redirected to a landing page under the attacker’s control. Techniques used at this stage:
URL cloaking: The clickable button text may look like a genuine link; hovering over it (on desktop) reveals a suspicious URL. Attackers increasingly use shortened URLs or domain names with visually similar characters to hide the true destination.
SSL certificate usage: Many phishing pages now serve over HTTPS (with a padlock icon) because SSL/TLS certificates are cheap and widely available. The padlock indicates only that the connection is encrypted, not that the site is legitimate, yet users often mistake it for a sign of trust.
Step 5 — The Fake Login Page
The phishing landing page imitates the look-and-feel of a real webmail login. Common elements:
Service logo: The attacker copies a provider’s logo or uses a neutral, clean header.
Input fields: Prompts for email/username and password. Some pages ask for secondary verification details.
Hidden scripts: The backend uses scripts to capture entered credentials and store them in remote databases or forward them via email to the attacker.
Deceptive behaviors: After credential submission, phishing pages often display error messages (“Session timed out — please log in again”) or redirect to the real email provider to reduce suspicion and buy time for attackers to act.
Step 6 — Credential Capture and Validation
Once credentials are submitted:
Immediate capture: The phish server records credentials (username/password) and typically logs metadata such as IP address, timestamp, and user agent.
Credential validation: Many phishing systems attempt to validate credentials in near real-time by automatically trying to log into the provider (or by trying the credentials on common services). If validation succeeds, attackers mark the victim as “valid” and prioritize follow-up.
Secondary harvesting: If the phishing kit requests MFA codes or secondary authentication, attackers capture these too — sometimes by instructing the victim to copy and paste an SMS or authenticator code under the guise of re-verification.
Step 7 — Exploitation of Access
Armed with valid credentials, attackers can immediately:
Access the inbox: Reading messages, downloading attachments, harvesting bank statements, invoices, contracts, tax documents, or sensitive personal data.
Perform BEC attacks: Send fake invoices or payment instructions to clients, vendors, or internal finance teams.
Pivot to other accounts: Use the email inbox for password resets on other accounts (shopping, banking, cloud services).
Spread the phishing: Use the compromised account to send additional phishing emails to contacts, leveraging trust to amplify reach.
Cover tracks: Modify email rules (e.g., forwarding, auto-delete) to intercept or hide communications related to discovery and remediation.
Step 8 — Monetization and Persistence
Monetization strategies include:
Direct fraud: Use accounts to request fraudulent wire transfers, access stored payment methods, or siphon funds.
Credential resale: Sell validated email/password combos (sometimes with attached metadata) on illicit marketplaces.
Long-term espionage: For targeted campaigns against organizations, attackers may remain dormant to monitor communications and harvest strategic information for corporate espionage.
Step 9 — Cleanup & Reuse
Attackers often reuse successful infrastructure. Domains or kits that work are rotated through to avoid detection and ensure a steady stream of harvested credentials.
Understanding each step shows where detection, prevention, and rapid response can break the chain — from email filtering to careful inspection of links, to immediate credential resets if a compromise occurs.
Signs You’ve Been Targeted or Compromised
Detecting whether you were targeted or compromised requires checking for a number of indicators:
You clicked a suspicious link in an unsolicited email and entered credentials.
Unrecognized logins show up in your email’s recent activity (unknown IP addresses, unusual locations).
Out-of-office rules or forwarding addresses have been created without your consent.
Sent folder activity shows messages you didn’t send (phishers often use your account to propagate scams).
Password reset requests or notifications from other services that you didn’t request.
Contacts report phishing or receiving strange emails appearing to be from you.
Files or emails are missing or attachments were downloaded without authorization.
If you observe any of these, follow the recovery steps listed below immediately.
What To Do If You Have Fallen Victim (Actionable, Numbered Steps)
Time is the most critical factor after a potential compromise. The sooner you act, the less damage attackers can do. Follow these steps carefully and in order.
1. Disconnect from the Internet (if possible)
If you believe malware may have been installed (for example, you clicked attachments or downloaded software from the phishing page), temporarily disconnect the affected device from the internet to reduce the risk of ongoing data exfiltration or remote control.
2. Change Your Email Password Immediately
Open a browser and navigate directly to your email provider’s official site by typing the URL yourself (do not use stored links or email links).
Change your password to a new, strong, unique password — at least 12 characters including upper/lowercase letters, numbers, and symbols, or use a passphrase.
Do this on a trusted device that you believe is not compromised.
3. Enable or Reconfigure Two-Factor Authentication (2FA)
If you haven’t enabled 2FA, do so now. Prefer authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) or hardware keys (YubiKey) over SMS-based codes.
If 2FA was enabled but you provided a code to the attacker, reset 2FA methods and inspect backup codes — revoke and regenerate backup codes and update your authentication devices.
4. Review and Revoke Active Sessions and App Access
In your email account settings, review recent login sessions. Sign out of all other devices/sessions.
Go to “Connected apps” or “Third-party access” and remove any unknown or suspicious applications and tokens.
5. Check and Remove Unauthorized Mail Rules or Forwarding
Inspect your filters and forwarding rules. Attackers commonly set rules to auto-forward incoming mail to external addresses so they can monitor communications without maintaining direct access.
Delete any unfamiliar rules and temporary auto-responses.
6. Inform Your Contacts
Send a notification to colleagues, friends, and family warning them not to open any suspicious messages coming from your address.
If your email is used for business, notify IT or your security team immediately so they can take organization-level protections.
7. Check for Financial and Account Compromise
Review bank and credit card statements for unauthorized charges.
For accounts linked to your email for password recovery (shopping, social media, financial accounts), change passwords and enable 2FA.
Contact your bank immediately if there are any signs of fraudulent activity.
8. Scan and Clean Your Devices
Run a full virus and anti-malware scan with a reputable product.
If the device shows evidence of persistent infection (rootkits, remote access tools), consider wiping and reinstalling the OS from a clean image. Back up important files first, but ensure those backups are clean.
9. Report the Phishing Incident
Use your email provider’s “Report phishing” or “Report spam” function to help block the sending domain.
In the U.S., file a report with the FTC and consider reporting to local law enforcement if financial loss occurred.
In the U.K., forward phishing emails to report@phishing.gov.uk. In the EU, report to your national cybercrime center.
10. Consider Credit Monitoring or Freezing
If personal identity or financial data may have been accessed (attachments with SSNs, tax documents), consider placing a fraud alert or credit freeze and enrolling in credit monitoring.
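For step 5, an administrator who can export a mailbox's rules can audit them in bulk instead of reading them one by one. The following is an added example, not part of the original article: the rule schema, the word and folder lists, the function names and the sample rules are hypothetical and constructed for illustration, and `example.com` stands in for the organisation's own domain.

```python
# Assumed vocabulary for mail about discovery and remediation; adjust to your environment.
SENSITIVE_WORDS = ("password", "security", "phish", "suspicious", "compromise")
# Folders where moved mail is unlikely to be noticed (assumed list).
QUIET_FOLDERS = {"trash", "deleted items", "junk", "archive"}

# Constructed rule export. The schema is hypothetical, not any provider's format.
SAMPLE_RULES = [
    {"name": "rule-1", "conditions": {},
     "actions": {"forward_to": ["collector@mailbox-release.test"]}},
    {"name": "rule-2", "conditions": {"contains": ["password reset", "phishing"]},
     "actions": {"move_to": "Archive", "mark_read": True}},
    {"name": "newsletters", "conditions": {"contains": ["unsubscribe"]},
     "actions": {"move_to": "Newsletters"}},
    {"name": "to-assistant", "conditions": {},
     "actions": {"forward_to": ["assistant@example.com"]}},
]


def is_external(address, own_domains):
    """True if the address is outside every domain the organisation owns."""
    domain = address.rpartition("@")[2].lower()
    return not any(domain == d or domain.endswith("." + d) for d in own_domains)


def audit_rules(rules, own_domains):
    """Return {rule name: [reasons]} for rules that forward externally or hide mail."""
    flagged = {}
    for rule in rules:
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})
        reasons = []

        # Auto-forwarding to an outside address lets someone read mail without logging in.
        for target in actions.get("forward_to", []):
            if is_external(target, own_domains):
                reasons.append(f"forwards to external address {target}")

        # Deleting or filing away mail keeps warnings and reset notices out of sight.
        hides = bool(actions.get("delete")) or actions.get("move_to", "").lower() in QUIET_FOLDERS
        terms = [t for t in conditions.get("contains", [])
                 if any(w in t.lower() for w in SENSITIVE_WORDS)]
        if hides and terms:
            reasons.append("hides mail matching " + ", ".join(terms))
        elif hides and not conditions:
            reasons.append("hides all incoming mail")

        if reasons:
            flagged[rule["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, {"example.com"}).items():
        print(name, "->", "; ".join(reasons))
```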
Is Your Device Infected? Scan for Malware
If your computer or phone is slow, showing unwanted pop-ups, or acting strangely, malware could be the cause. Running a scan with Malwarebytes Anti-Malware Free is one of the most reliable ways to detect and remove harmful software. The free version can identify and clean common infections such as adware, browser hijackers, trojans, and other unwanted programs.
Malwarebytes works on Windows, Mac, and Android devices. Choose your operating system below and follow the steps to scan your device and remove any malware that might be slowing it down.
Run a Malware Scan with Malwarebytes for Windows
Malwarebytes stands out as one of the leading and widely-used anti-malware solutions for Windows, and for good reason. It effectively eradicates various types of malware that other programs often overlook, all at no cost to you. When it comes to disinfecting an infected device, Malwarebytes has consistently been a free and indispensable tool in the battle against malware. We highly recommend it for maintaining a clean and secure system.
Download Malwarebytes
Download the latest version of Malwarebytes for Windows using the official link below. Malwarebytes will scan your computer and remove adware, browser hijackers, and other malicious software for free.
Install Malwarebytes
After the download is complete, locate the MBSetup file, typically found in your Downloads folder. Double-click on the MBSetup file to begin the installation of Malwarebytes on your computer. If a User Account Control pop-up appears, click “Yes” to continue the Malwarebytes installation.
Follow the On-Screen Prompts to Install Malwarebytes
When the Malwarebytes installation begins, the setup wizard will guide you through the process.
You’ll first be prompted to choose the type of computer you’re installing the program on—select either “Personal Computer” or “Work Computer” as appropriate, then click on Next.
Malwarebytes will now begin the installation process on your device.
When the Malwarebytes installation is complete, the program will automatically open to the “Welcome to Malwarebytes” screen.
On the final screen, simply click on the Open Malwarebytes option to start the program.
Enable “Rootkit scanning”.
Malwarebytes Anti-Malware will now start, and you will see the main screen as shown below. To maximize Malwarebytes’ ability to detect malware and unwanted programs, we need to enable rootkit scanning. Click on the “Settings” gear icon located on the left of the screen to access the general settings section.
In the settings menu, enable the “Scan for rootkits” option by clicking the toggle switch until it turns blue.
Now that you have enabled rootkit scanning, click on the “Dashboard” button in the left pane to get back to the main screen.
Perform a Scan with Malwarebytes.
To start a scan, click the Scan button. Malwarebytes will automatically update its antivirus database and begin scanning your computer for malicious programs.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now scan your computer for browser hijackers and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check the status of the scan to see when it is finished.
Quarantine detected malware
Once the Malwarebytes scan is complete, it will display a list of detected malware, adware, and potentially unwanted programs. To effectively remove these threats, click the “Quarantine” button.
Malwarebytes will now delete all of the files and registry keys and add them to the program’s quarantine.
Restart your computer.
When removing files, Malwarebytes may require a reboot to fully eliminate some threats. If you see a message indicating that a reboot is needed, please allow it. Once your computer has restarted and you are logged back in, you can continue with the remaining steps.
Once the scan completes, remove all detected threats. Your Windows computer should now be clean and running smoothly again, free of trojans, adware, and other malware.
If your current antivirus allowed this malicious program on your computer, you may want to consider purchasing Malwarebytes Premium to protect against these types of threats in the future. If you are still having problems with your computer after completing these instructions, then please follow one of the steps:
Run a Malware Scan with Malwarebytes for Mac
Malwarebytes for Mac is an on-demand scanner that can destroy many types of malware that other software tends to miss, at no cost to you. When it comes to cleaning up an infected device, Malwarebytes has always been free, and we recommend it as an essential tool in the fight against malware.
Download Malwarebytes for Mac.
You can download Malwarebytes for Mac by clicking the link below.
When Malwarebytes has finished downloading, double-click on the setup file to install Malwarebytes on your computer. In most cases, downloaded files are saved to the Downloads folder.
Follow the on-screen prompts to install Malwarebytes.
When the Malwarebytes installation begins, you will see the Malwarebytes for Mac Installer which will guide you through the installation process. Click “Continue”, then keep following the prompts to continue with the installation process.
When your Malwarebytes installation completes, the program opens to the Welcome to Malwarebytes screen. Click the “Get started” button.
Select “Personal Computer” or “Work Computer”.
The Malwarebytes Welcome screen will first ask what type of computer you are installing the program on. Click either Personal Computer or Work Computer.
Click on “Scan”.
To scan your computer with Malwarebytes, click on the “Scan” button. Malwarebytes for Mac will automatically update the antivirus database and start scanning your computer for malware.
Wait for the Malwarebytes scan to complete.
Malwarebytes will scan your computer for adware, browser hijackers, and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Quarantine”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes has detected. To remove the malware that Malwarebytes has found, click on the “Quarantine” button.
Restart computer.
Malwarebytes will now remove all the malicious files that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your computer.
After scanning, delete any detected threats. Your Mac should now be free from adware, unwanted extensions, and other potentially harmful software.
If your current antivirus allowed a malicious program on your computer, you might want to consider purchasing the full-featured version of Malwarebytes Anti-Malware to protect against these types of threats in the future. If you are still experiencing problems while trying to remove a malicious program from your computer, please ask for help in our Mac Malware Removal Help & Support forum.
Run a Malware Scan with Malwarebytes for Android
Malwarebytes for Android automatically detects and removes dangerous threats like malware and ransomware so you don’t have to worry about your most-used device being compromised. Aggressive detection of adware and potentially unwanted programs keeps your Android phone or tablet running smoothly.
Download Malwarebytes for Android.
You can download Malwarebytes for Android by clicking the link below.
In the Google Play Store, tap “Install” to install Malwarebytes for Android on your device.
When the installation process has finished, tap “Open” to begin using Malwarebytes for Android. You can also open Malwarebytes by tapping on its icon in your phone menu or home screen.
Follow the on-screen prompts to complete the setup process
When Malwarebytes opens, you will see the Malwarebytes Setup Wizard, which will guide you through a series of permissions and other setup options. This is the first of two screens that explain the difference between the Premium and Free versions. Swipe this screen to continue. Tap on “Got it” to proceed to the next step. Malwarebytes for Android will now ask for a set of permissions that are required to scan your device and protect it from malware. Tap on “Give permission” to continue. Tap on “Allow” to permit Malwarebytes to access the files on your phone.
Update database and run a scan with Malwarebytes for Android
You will now be prompted to update the Malwarebytes database and run a full system scan.
Click on “Update database” to update the Malwarebytes for Android definitions to the latest version, then click on “Run full scan” to perform a system scan.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now start scanning your phone for adware and other malicious apps. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Remove Selected”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes for Android has detected. To remove the malicious apps that Malwarebytes has found, tap on the “Remove Selected” button.
Restart your phone.
Malwarebytes for Android will now remove all the malicious apps that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your device.
When the scan is finished, remove all detected threats. Your Android phone should now be free of malicious apps, adware, and unwanted browser redirects.
If your current antivirus allowed a malicious app on your phone, you may want to consider purchasing the full-featured version of Malwarebytes to protect against these types of threats in the future. If you are still having problems with your phone after completing these instructions, then please follow one of the steps:
Restore your phone to factory settings by going to Settings > General management > Reset > Factory data reset.
After cleaning your device, it’s important to protect it from future infections and annoying pop-ups. We recommend installing an ad blocker such as AdGuard. AdGuard blocks malicious ads, prevents phishing attempts, and stops dangerous redirects, helping you stay safe while browsing online.
Frequently Asked Questions (FAQ) About the “Email On Hold” Email Scam
What is the “Email On Hold” email scam?
The “Email On Hold” scam is a phishing campaign that sends fake notifications claiming that unread or pending emails are being held in your account. Victims are told to click a button such as “View Pending Emails” to review or release them. The link instead leads to a fake login page that captures email credentials for cybercriminals.
Is the “EMAIL ONHOLD” message legitimate?
No. The “EMAIL ONHOLD” notification is not associated with any legitimate email provider. Real email services will not send messages claiming you have pending or held emails that must be manually released through a link. Any such email is a phishing attempt and should be deleted immediately.
Why does the scam mention 13 pending messages?
Phishers add details such as “13 pending messages” or timestamps to make the email appear more convincing. These details are fabricated. The goal is to create urgency so recipients believe they might miss important emails, invoices, or financial documents if they do not act quickly.
What happens if I click “View Pending Emails”?
Clicking the button redirects you to a phishing site disguised as an email login page. If you enter your username and password, attackers immediately collect the information. Some sites may also request additional security codes or personal information to expand the compromise.
What can scammers do with stolen email credentials?
With stolen credentials, scammers can access your inbox, read and download sensitive messages, and use your account for further phishing attacks. They may reset passwords for other services linked to your email, commit financial fraud, impersonate you to scam your contacts, or sell your login details on dark web marketplaces.
How can I identify if the “Email On Hold” email is fake?
Red flags include generic greetings, urgent language, suspicious sender addresses, inconsistent formatting, and links that do not match the domain of your real email provider. Hovering over the button or link usually reveals a suspicious or unfamiliar URL.
What should I do if I entered my password on the phishing site?
Immediately change your email password by visiting your provider’s official website. Enable two-factor authentication for extra protection. Check your account’s login history for unfamiliar activity and log out of other active sessions. Remove any unauthorized forwarding rules or connected apps. Notify your contacts in case phishing messages are sent from your account and report the scam to your email provider and relevant authorities.
Can this scam also infect my device with malware?
Most “Email On Hold” campaigns focus on credential theft rather than malware. However, some phishing campaigns include attachments or links to malicious downloads. It is wise to run a full antivirus scan on your device after interacting with a suspicious email.
How can I protect myself from phishing scams like this?
Always verify suspicious emails by logging directly into your email provider through its official website instead of clicking on embedded links. Use strong and unique passwords, enable two-factor authentication, and keep software updated. Learn to recognize phishing indicators such as urgency, unusual requests, and mismatched domains.
Should I report the “Email On Hold” scam?
Yes. Reporting helps providers and security organizations improve phishing detection. Use the “Report phishing” function in your email client or forward the email to reportphishing@apwg.org. In the U.S., you can report to the FTC. In the U.K., forward phishing emails to report@phishing.gov.uk. In the EU, report to your national cybercrime authority.
The Bottom Line
The “Email On Hold” phishing campaign is a dangerous, deceptively simple scam that succeeds because it exploits routine email behaviors and human reactions to urgency. The email’s core lie — that messages are pending and require immediate action — is a compelling lure precisely because people rely on email for critical communications.
Protecting yourself requires vigilance: never click unsolicited links for account recovery, enable robust multi-factor authentication, use unique passwords stored in a password manager, and treat login pages accessed from email with skepticism. If you clicked a phishing link or submitted credentials, act immediately: change passwords from a trusted device, enable or reset 2FA, inspect login activity and mail rules, notify contacts, and scan devices for malware.
Phishing remains one of the most effective attack vectors because it targets people rather than systems. A combination of technical defenses and user education reduces risk significantly. If you or your organization is hit, a fast and thorough response dramatically reduces financial and reputational damage.
Stay cautious, verify before you click, and treat urgency in emails as the number one red flag.
Thomas is an expert at uncovering scams and providing in-depth reporting on cyber threats and online fraud. As an editor, he is dedicated to keeping readers informed on the latest developments in cybersecurity and tech.