How to Tell a Legitimate Email from a Scam

Scam messages arrive dressed like routine correspondence: a shipping update, a password alert, a tax reminder, a quick request from a colleague. You don’t need forensic tools to sort most of them. A calm, repeatable routine will do the work, with a few technical checks when the stakes are high.
Start by looking past the display name and into the actual sender address. Mail apps love to show a friendly label such as “Apple Support,” but the only part that proves anything is the text after the @. A message from no-reply@apple.com belongs to Apple; a message from apple.support@billing-portal.help does not, no matter how polished the logo or footer appears. On phones, tap the sender’s name to reveal the full address. On a computer, click or hover the address field. If the domain doesn’t match the brand exactly, treat the message as untrusted until you can confirm it elsewhere.
Links deserve the same scrutiny before you ever open them. Every browser and mail client lets you preview a link location—hover on desktop, long-press on mobile—and the part to read is the registered domain, the piece just before the last dot. A password reset that points to accounts.google.com belongs to Google; a reset that points to google.com.security-check.info belongs to someone who registered security-check.info. Homograph tricks rely on look-alike characters, so a capital “I” masquerading as a lowercase “l” can turn paypal.com into paypaI.com. If the domain looks unfamiliar, don’t negotiate with it: navigate to the site yourself by typing the address or using the official app.
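The sender and link checks from the last two paragraphs, written out as a small script. This is an added example, not code from the article: the public-suffix shortlist and the trusted-domain list are made up for the demo, and it goes slightly beyond the text by folding a handful of look-alike characters (digits and a few Cyrillic letters as well as the capital I) so that a near-miss domain is reported as a look-alike rather than merely unknown.

```python
"""Check whether a sender address or a link really belongs to a trusted brand.

Added example, not part of the original article. PUBLIC_SUFFIXES is a
constructed stand-in for the Public Suffix List and TRUSTED is a made-up
allow-list; real tooling would load both from configuration.
"""
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Suffixes under which anyone can register a name (constructed shortlist).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "help", "co.uk"}

# Characters that render like other characters: Latin digits and capitals,
# plus a few Cyrillic letters that are visually identical to Latin ones.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

TRUSTED = {"apple.com", "google.com", "paypal.com"}   # constructed allow-list


def registered_domain(host: str) -> str:
    """The part of a hostname that someone actually registered.

    google.com.security-check.info -> security-check.info
    accounts.google.com            -> google.com
    www.example.co.uk              -> example.co.uk
    Case is preserved so that a capital I is still visible afterwards.
    """
    labels = host.strip().strip(".").split(".")
    for n in (2, 1):                      # longest public suffix first
        if len(labels) > n and ".".join(labels[-n:]).lower() in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])          # unknown suffix: best effort


def skeleton(domain: str) -> str:
    """Fold look-alike characters so paypaI.com and paypal.com compare equal."""
    return unicodedata.normalize("NFKC", domain).translate(CONFUSABLES).casefold()


def sender_domain(from_header: str) -> str:
    """Registered domain of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in {from_header!r}")
    return registered_domain(addr.rsplit("@", 1)[1])


def link_domain(url: str) -> str:
    """Registered domain of the place a link really goes.

    urlsplit().hostname lower-cases the host, which would hide the capital-I
    trick, so the host is cut out of netloc by hand: drop any user@ prefix
    and any :port suffix.
    """
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":")[0]
    if not host:
        raise ValueError(f"no host in {url!r}")
    return registered_domain(host)


def classify(domain: str, trusted: set[str]) -> str:
    """'trusted' for one of the brand's own domains, 'look-alike' when it only
    matches after confusable folding, otherwise 'unknown'."""
    if domain.casefold() in trusted:
        return "trusted"
    if skeleton(domain) in {skeleton(t) for t in trusted}:
        return "look-alike"
    return "unknown"


if __name__ == "__main__":
    samples = [
        ("From", '"Apple Support" <no-reply@apple.com>'),
        ("From", '"Apple Support" <apple.support@billing-portal.help>'),
        ("Link", "https://accounts.google.com/signin"),
        ("Link", "https://google.com.security-check.info/reset"),
        ("Link", "https://paypaI.com/login"),
    ]
    for kind, value in samples:
        dom = sender_domain(value) if kind == "From" else link_domain(value)
        print(f"{kind:4} {value:55} -> {dom:25} {classify(dom, TRUSTED)}")
```

The look-alike check is deliberately eager: anything that collapses onto a trusted name after folding is flagged, which is the right bias for a reader deciding whether to click, since the article's fallback (type the address yourself) costs nothing.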
Most scams press for action. The theme is urgency joined to money or credentials: a suspension in twelve hours, an overdue invoice you don’t remember, a supplier who claims new bank details and needs payment today. Routine messages don’t force split-second decisions, and real organizations offer more than one way to complete a task. When timing or money is involved, switch to a channel you already trust. Call the number printed on your card or invoice, open the company’s app, or sign in by typing the web address into your browser. Do not reply to the suspicious message and do not use the phone number it provides.
Attachments are a separate hazard. If you weren’t expecting a file, there is no penalty for pausing. Compressed archives, disk images, installers, and Office documents that ask to enable macros are all common delivery vehicles for malware. If a partner truly needs you to open a document, they can send it through the portal you normally use or provide a password-protected PDF with the password sent through another channel.
Appearances are the least reliable signal. Logos, fonts, and legal footers are easy to copy, and clean grammar is no guarantee. Conversely, typos appear in genuine messages, especially when the sender is writing in a second language. Trust the domain and the link preview first and the visual dressing last.
When the message matters—a wire transfer, a legal notice, a change to payroll—it is worth checking a built-in technical signal. Every received email carries an audit line called “Authentication-Results.” You don’t have to read every header; you only need to see whether SPF, DKIM, and DMARC passed for the domain that appears in the visible From address. In Gmail on the web, open the message, choose the three dots, and select “Show original.” In Outlook on the web, open the message, choose the three dots, then “View” and “View message details.” You’re looking for a short verdict for each mechanism. SPF verifies that the server was allowed to send on behalf of the domain. DKIM verifies that the domain digitally signed the message and it wasn’t altered in transit. DMARC ties those results to the visible From address and declares a policy. A set of passes is not an absolute guarantee—compromised accounts exist—but a failure, particularly on DMARC for a large brand that is known to enforce it, is a strong warning.
There are a few honest reasons these checks sometimes fail. Simple forwarding can break SPF because the forwarder becomes the new sending server, even though the original sender’s domain is still in the From field. Mailing lists sometimes modify a subject line or footer in a way that invalidates a DKIM signature, and messages relayed through older systems that don’t support ARC (a mechanism that preserves authentication results across intermediaries) can look suspicious even when the content is harmless. When you see a failure and the message seems otherwise plausible, verify through an independent channel before making any decision.
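The Authentication-Results check from the previous paragraph and the honest failure modes from this one, as an added example that is not part of the article. It parses the header, prefers the DMARC verdict, treats a DMARC failure that ARC vouches for as a reason for caution rather than alarm, and otherwise falls back to whichever of DKIM or SPF passed and aligns with the visible From domain. The sample messages and every hostname in them (mx.example.net, payroll.example.com, fwd.example.org, bounces.list.example.org, billing-portal.help) are constructed placeholders.

```python
"""Turn the Authentication-Results header of a received message into one
plain-language verdict, allowing for forwarding and mailing-list breakage.

Added example, not part of the original article. The messages below are
constructed; mx.example.net, payroll.example.com and the other hosts are
placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

_COMMENT = re.compile(r"\([^()]*\)")   # parenthesised comments such as (p=REJECT)


def parse_auth_results(header: str) -> dict[str, dict[str, str]]:
    """Parse an RFC 8601 Authentication-Results value into
    {method: {"result": ..., "ptype.property": value, ...}}."""
    text, n = _COMMENT.subn("", header)
    while n:                                 # repeat so nested comments go too
        text, n = _COMMENT.subn("", text)
    results: dict[str, dict[str, str]] = {}
    parts = [p.strip() for p in text.split(";")]
    for part in parts[1:]:                   # parts[0] is the authserv-id
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        info = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            if value:
                info[key.lower()] = value.lower()
        results[method.lower()] = info
    return results


def org_domain(name: str) -> str:
    """Organisational domain for relaxed alignment (RFC 7489), approximated
    here as the last two labels; a real check consults the public suffix list."""
    host = name.rsplit("@", 1)[-1].strip(".").lower()
    return ".".join(host.split(".")[-2:])


def verdict(raw_message: str) -> tuple[str, str]:
    """Return (level, reason); level is 'ok', 'caution' or 'warning'."""
    msg = message_from_string(raw_message)
    from_host = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    header = msg.get("Authentication-Results")
    if not header:
        return "caution", "no Authentication-Results header to read"
    res = parse_auth_results(header)
    dmarc = res.get("dmarc", {}).get("result")
    if dmarc == "pass":
        return "ok", f"DMARC passed for {from_host}"
    if dmarc == "fail":
        if res.get("arc", {}).get("result") == "pass":
            return "caution", ("DMARC failed but an intermediary vouched for the message "
                               "through ARC (typical of a mailing list); verify independently")
        return "warning", f"DMARC failed for {from_host}"
    # No DMARC verdict: accept a mechanism only if it passed AND aligns with the
    # visible From domain. SPF alone breaks under forwarding, so DKIM goes first.
    dkim = res.get("dkim", {})
    dkim_dom = dkim.get("header.d") or dkim.get("header.i", "")
    if dkim.get("result") == "pass" and dkim_dom and org_domain(dkim_dom) == org_domain(from_host):
        return "ok", f"no DMARC verdict, but DKIM passed and aligns with {from_host}"
    spf = res.get("spf", {})
    spf_dom = spf.get("smtp.mailfrom", "")
    if spf.get("result") == "pass" and spf_dom and org_domain(spf_dom) == org_domain(from_host):
        return "ok", f"no DMARC verdict, but SPF passed and aligns with {from_host}"
    return "warning", f"nothing authenticated {from_host}"


# Constructed sample messages: a direct delivery, a forwarded copy (SPF broken,
# DKIM intact), a mailing-list copy (both broken, ARC vouches) and a message
# whose authenticated domain does not match the visible From domain.
DIRECT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.payroll.example.com; dkim=pass header.i=@payroll.example.com header.s=s1; dmarc=pass (p=REJECT) header.from=payroll.example.com
From: Payroll <notices@payroll.example.com>
"""
FORWARDED = """\
Authentication-Results: mx.example.net; spf=fail (forwarding host not authorised) smtp.mailfrom=fwd.example.org; dkim=pass header.i=@payroll.example.com header.s=s1; dmarc=pass (p=REJECT) header.from=payroll.example.com
From: Payroll <notices@payroll.example.com>
"""
LIST = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bounces.list.example.org; dkim=fail (body hash did not verify) header.i=@payroll.example.com; dmarc=fail (p=REJECT) header.from=payroll.example.com; arc=pass (i=1 spf=pass dkim=pass dmarc=pass fromdomain=payroll.example.com)
From: Payroll <notices@payroll.example.com>
"""
MISMATCH = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.billing-portal.help; dkim=pass header.i=@billing-portal.help header.s=k1; dmarc=fail (p=REJECT) header.from=payroll.example.com
From: Payroll <notices@payroll.example.com>
"""

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("forwarded", FORWARDED), ("list", LIST), ("mismatch", MISMATCH)):
        level, reason = verdict(raw)
        print(f"{name:10} {level:8} {reason}")
```

Only the final "caution" outcome depends on ARC; the forwarded case comes out "ok" because DMARC needs just one of SPF or DKIM to pass and align, which is exactly why a lone SPF failure is not by itself a reason to distrust a message.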
Fraud that involves invoices and supplier details deserves special caution because it often hijacks real conversations. An attacker who has access to a mailbox can reply inside an existing thread with a small change to bank details. In a situation like that, authentication will look perfect because the message truly came from the correct account. Process, not headers, is your protection. Treat any change to payment instructions as a reason to pause, and confirm by voice using a number you already have on file. Many companies prevent losses simply by writing down this rule and following it without exceptions.
If you clicked a link and now have doubts, close the page rather than interacting with it. Change the password to the account you may have exposed, and enable two-factor authentication if you haven’t already. Run a reputable malware scan, especially if you downloaded a file or enabled macros. If you sent payment details or approved a transfer, call your bank immediately; speed matters more than embarrassment.
Organizations can make life easier for their readers by stating clear boundaries. Publish a short notice on your site that you will never ask for passwords or full card numbers by email, that payment details only change after voice confirmation using a number already on file, and that links in your emails are conveniences rather than requirements because customers can always reach you by typing your address into the browser. Back those promises with technical steps on your side: align SPF and DKIM, set DMARC to a reject policy once you’ve tested, and enable MTA-STS and TLS reporting for better transport security and visibility.
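The sender-side steps in the paragraph above, as an added grading script that is not part of the article: it reads a published SPF record, DMARC record, MTA-STS policy and TLS-RPT record and reports the weak settings (a soft or neutral "all", p=none, testing mode, no reporting address), returning nothing for the strict form. The sample records for the placeholder domain example.com are constructed.

```python
"""Grade the records an organisation publishes on its own side: SPF, DMARC,
MTA-STS and TLS-RPT. Each grader returns a list of findings; an empty list
means the record is already at the strict setting.

Added example, not part of the original article. The sample records are
constructed for the placeholder domain example.com.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most ten per evaluation.
_LOOKUP_TERM = re.compile(r"^(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)")


def grade_spf(record: str) -> list[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every server on the internet")
    elif last == "?all":
        findings.append("'?all' is neutral, so unauthorised servers neither pass nor fail")
    elif last == "~all":
        findings.append("'~all' softfails; switch to '-all' once DMARC reports show no legitimate sender is missing")
    elif last != "-all":
        findings.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t.lstrip("+-~?").lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 and cause permerror")
    return findings


def grade_dmarc(record: str) -> list[str]:
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("p=none only monitors; mail that fails DMARC is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine sends failures to spam; p=reject refuses them")
    elif p != "reject":
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive to reveal forgotten senders")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of the failing mail")
    if tags.get("sp", p).lower() != "reject":      # sp= defaults to p=
        findings.append("subdomain policy (sp=, defaulting to p=) is weaker than reject")
    return findings


def grade_mta_sts(policy: str) -> list[str]:
    fields: dict[str, list[str]] = {}
    for line in policy.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields.setdefault(k.strip().lower(), []).append(v.strip())
    if fields.get("version") != ["STSv1"]:
        return ["not an MTA-STS policy"]
    findings = []
    mode = fields.get("mode", [""])[0]
    if mode != "enforce":
        findings.append(f"mode: {mode or '(missing)'} lets senders fall back to plaintext; use enforce once testing is clean")
    if "mx" not in fields:
        findings.append("no mx: entries, so no mail host is covered")
    return findings


def grade_tlsrpt(record: str) -> list[str]:
    if not record.lower().startswith("v=tlsrptv1"):
        return ["not a TLS-RPT record"]
    return [] if "rua=" in record.lower() else ["no rua= address, so failed TLS deliveries are never reported"]


GRADERS = {"spf": grade_spf, "dmarc": grade_dmarc, "mta_sts": grade_mta_sts, "tlsrpt": grade_tlsrpt}

# Constructed records for example.com: the weak form beside the strict form.
WEAK = {
    "spf":     "v=spf1 include:_spf.example.net ~all",
    "dmarc":   "v=DMARC1; p=none",
    "mta_sts": "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400",
    "tlsrpt":  "v=TLSRPTv1",
}
STRICT = {
    "spf":     "v=spf1 include:_spf.example.net -all",
    "dmarc":   "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "mta_sts": "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800",
    "tlsrpt":  "v=TLSRPTv1; rua=mailto:tlsrpt@example.com",
}


def grade_all(records: dict[str, str]) -> dict[str, list[str]]:
    return {name: GRADERS[name](value) for name, value in records.items()}


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strict", STRICT)):
        for name, findings in grade_all(records).items():
            print(f"{label:6} {name:7} {findings or ['ok']}")
```

The order the article gives matters for the graders too: run with p=none and a rua= address first, use the aggregate reports to find every legitimate sender, fix SPF and DKIM alignment, and only then move to p=reject and enforce mode, at which point every grader returns an empty list.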
What separates a legitimate email from a scam is rarely a single tell. It’s the way the address, the links, the tone, and the ask line up—or fail to. A genuine message comes from the brand’s true domain, points back to that same domain, and survives a short delay while you confirm. A scam usually stumbles on at least one of those checks. Build the habit of pausing, reading the domain, previewing the link, and verifying through a channel you trust. With that routine in place, most phishing attempts stop being traps and become noise.