IsThisAScam

Independent scam & phishing analysis. Free for individuals. APIs for developers.

Operated by Zeplik, Inc. © 2026 Zeplik, Inc. All rights reserved.
Guides

How to Check if an Email is Legitimate: 7 Steps

IsThisAScam Research Team · March 2, 2026 · 5 min read
Contents
  1. Step 1: Inspect the Sender Address Carefully
  2. Step 2: Analyze the Email Headers
  3. Step 3: Hover Over Every Link Before Clicking
  4. Step 4: Look for Urgency and Emotional Manipulation
  5. Step 5: Check for Personalization (or Lack of It)
  6. Step 6: Verify Through a Separate Channel
  7. Step 7: Use an Automated Scam Detection Tool
  8. Quick Reference Checklist
  9. What to Do If You Spot a Phishing Email

Every day, 3.4 billion phishing emails land in inboxes worldwide. Some are laughably obvious — the Nigerian prince template still circulates — but the majority are polished, branded, and nearly indistinguishable from real corporate communications. In 2025, the Anti-Phishing Working Group recorded over 4.7 million phishing attacks, a record high. Knowing how to check if an email is legitimate is no longer optional; it is a core life skill.

This guide gives you seven concrete, repeatable steps that work on any email client — Gmail, Outlook, Apple Mail, or anything else. No technical background required.

Got a suspicious email right now? Paste it into IsThisAScam.to for an instant AI-powered analysis while you read this guide.

Step 1: Inspect the Sender Address Carefully

The display name in an email can say anything. A message that appears to come from "Apple Support" might actually originate from apple-support@randomdomain247.com. Always click or tap the sender name to reveal the full email address behind it.

Look for these red flags in the address:

  • Misspelled company names: support@amaz0n.com, noreply@paypa1.com
  • Extra words or subdomains: security@amazon.billing-update.com — the real domain here is billing-update.com, not amazon.com
  • Free email providers for corporate messages: a legitimate bank will never email you from a Gmail or Yahoo address
  • Random strings: support@xk29dj.com

Legitimate companies send from their own domains, or from domains they publish for that purpose. If the domain after the @ sign does not match the company's official website, treat the email as suspicious. The reverse is not a guarantee: the From address is text the sender types, so a matching domain can still be forged when the impersonated company has not enforced a DMARC policy. Step 2 is how you catch that case.


Step 2: Analyze the Email Headers

Email headers are the metadata that travel with every message. They reveal the true origin server, authentication results, and routing path. In Gmail, click the three dots next to the reply button and select "Show original." In Outlook, open the message properties. The three verdicts you need are normally summarized on one line named Authentication-Results, which your own mail provider adds when it receives the message; ignore any copy of that header that the sender could have inserted themselves.

Check three header fields:

  1. SPF (Sender Policy Framework): Should say "pass." SPF checks whether the server that delivered the message is listed in the DNS policy of the envelope sender domain (the Return-Path, which can differ from the visible From address). A "fail" means the sending server is not authorized to send for that domain.
  2. DKIM (DomainKeys Identified Mail): Should say "pass." A valid signature proves that the domain named in the signature's d= tag signed the message and that the signed headers and body have not been altered since.
  3. DMARC: Should say "pass." DMARC ties the other two to the visible From address: it passes only if SPF or DKIM passed for a domain that aligns with the From domain. If all three pass and the From domain is the company's real domain, the email has strong authentication. Know the limit of this check, though: a scammer who sends from a domain they own (billing-update.com, say) passes SPF, DKIM and DMARC for that domain. Authentication proves the mail really came from the domain it names, not that the domain belongs to the company it imitates, which is why Step 1 comes first.

For a deeper dive, see our guide on how to check email headers step by step.

Step 3: Hover Over Every Link Before Clicking

Phishing emails succeed when you click a malicious link. Before clicking anything, hover your mouse over the link (or long-press on mobile) to see the actual URL destination.

"Your account has been suspended. Click here to verify your identity" — hovering reveals the link actually goes to http://verify-account-amzn.phishing-site.ru/login

Check that the link's domain matches the company, reading it the same way as in Step 1: the registrable domain is the part just before the top-level domain, so verify-account-amzn.phishing-site.ru belongs to phishing-site.ru whatever words appear in front of it. Do not trust link text that looks like a URL; the visible text https://www.amazon.com/account can point anywhere, because the destination is set separately from the text. HTTPS only means the connection to the site is encrypted; scammers obtain certificates for their own domains just as easily, so it is necessary but not sufficient. Watch for URL shorteners like bit.ly or tinyurl.com, which hide the real destination. You can expand shortened URLs using tools like CheckShortURL.com before clicking.
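Steps 1 to 3 as a script, for readers who want to run the same checks over a saved message instead of by hand. This is an added example and not code from IsThisAScam or its detection engine. It uses only the Python standard library; the two messages are constructed for illustration, the expected brand domain (amazon.com), the shortener list and the Authentication-Results layout are assumptions, and the domain test is a plain suffix match, so you must supply the brand's real registrable domain yourself.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED = "amazon.com"  # assumed: the brand the message claims to be from
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # assumed list

# Constructed sample, not a real message. The attacker owns billing-update.com,
# so SPF, DKIM and DMARC all pass for *that* domain; only the brand check fails.
PHISH = """\
From: "Amazon Customer Service" <security@amazon.billing-update.com>
To: victim@example.com
Subject: Your account has been suspended
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=billing-update.com; dkim=pass header.d=billing-update.com; dmarc=pass header.from=amazon.billing-update.com
Content-Type: text/html; charset=utf-8

<html><body><p>Verify your identity within 24 hours:</p>
<a href="http://verify-account-amzn.phishing-site.ru/login">https://www.amazon.com/account</a>
<a href="https://bit.ly/3abcdef">Update payment method</a></body></html>
"""
# Constructed legitimate counterpart for comparison.
LEGIT = """\
From: "Amazon.com" <ship-confirm@amazon.com>
To: victim@example.com
Subject: Your order has shipped
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounces.amazon.com; dkim=pass header.d=amazon.com; dmarc=pass header.from=amazon.com
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.amazon.com/gp/css/order-history">Track your package</a></body></html>
"""

def same_org(domain, expected):
    # True for expected itself or any subdomain; the dot in the suffix is what
    # rejects amazon.billing-update.com and amaz0n.com alike.
    domain = (domain or "").lower().rstrip(".")
    return domain == expected or domain.endswith("." + expected)

def auth_results(msg):
    # Verdicts and the domains they were evaluated for, from Authentication-Results.
    hdr = str(msg.get("Authentication-Results", ""))
    verdicts = {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}
    props = {k.lower(): v.lower() for k, v in
             re.findall(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", hdr, re.I)}
    return verdicts, props

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from every <a> tag.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, expected):
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        u = urlparse(href)
        host = (u.hostname or "").lower()
        if u.scheme == "http":
            findings.append(f"plain http link: {href}")
        if host in SHORTENERS:
            findings.append(f"shortener hides destination: {href}")
        elif not same_org(host, expected):
            findings.append(f"link leaves {expected}: {href}")
        # Visible text that looks like a URL must point where it says it does.
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown} but goes to {host}")
    return findings

def triage(raw, expected=EXPECTED):
    # Returns a list of findings; an empty list means Steps 1-3 raised nothing.
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if not same_org(sender, expected):  # Step 1: sender domain
        findings.append(f"sender domain {sender} is not {expected}")
    verdicts, props = auth_results(msg)  # Step 2: SPF / DKIM / DMARC
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method} did not pass ({verdicts.get(method, 'missing')})")
    # A DMARC pass only proves the mail came from the From domain it names.
    if verdicts.get("dmarc") == "pass" and not same_org(props.get("header.from", sender), expected):
        findings.append("authentication passed, but for a domain that is not the brand's")
    body = msg.get_body(preferencelist=("html", "plain"))  # Step 3: links
    findings.extend(check_links(body.get_content() if body else "", expected))
    return findings

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

Run it against a message saved as .eml by passing the file's text to triage(). The phishing sample produces six findings even though every authentication verdict is "pass", which is the point of the Step 2 caveat: the attacker's own domain authenticates perfectly, and only the brand comparison and the link inspection expose it.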

For automated link checking, IsThisAScam runs every URL through six layers of detection including domain age analysis, SSL verification, and known-malicious URL databases — catching threats that manual inspection might miss.

Step 4: Look for Urgency and Emotional Manipulation

Legitimate companies rarely email you with 24-hour deadlines or threats of account closure. Scammers manufacture urgency because panic overrides critical thinking. Common urgency triggers include:

  • "Your account will be permanently deleted in 24 hours"
  • "Unauthorized login detected — act now"
  • "Payment failed — update immediately to avoid service interruption"
  • "You've won! Claim within 1 hour or forfeit"

Real companies give you reasonable timeframes. Your bank will not delete your account overnight. Apple will not deactivate your Apple ID because you did not click a link within a day. When you feel panicked, that is exactly when you should slow down.

Step 5: Check for Personalization (or Lack of It)

Mass phishing emails often use generic greetings: "Dear Customer," "Dear User," "Dear Account Holder." Your bank knows your name. Amazon knows your name. Any legitimate service you have an account with will address you by name in most communications.

However, spear-phishing attacks do use your real name — sometimes pulled from data breaches or LinkedIn. So personalization alone does not guarantee legitimacy. It is one signal among many.

Step 6: Verify Through a Separate Channel

This is the most reliable step and the one most people skip. If an email claims to be from your bank, do not click any link in the email and do not call any phone number it provides. Instead, open a new browser tab and type your bank's address yourself, or call the phone number on the back of your card.

If the email is about a suspended account, log into your account directly. If it is about a package delivery, check the carrier's official tracking page. If it is from a coworker asking for something unusual, call them or message them on Slack. Verification through a separate channel defeats even the most sophisticated phishing emails.

Step 7: Use an Automated Scam Detection Tool

Manual checks catch most phishing emails, but AI-generated scams are becoming increasingly difficult to spot visually. Automated tools check signals that humans cannot easily verify — domain registration dates, IP reputation, pattern matching against millions of known scam templates, and real-time threat intelligence feeds.

IsThisAScam's 6-layer detection engine analyzes the sender, links, content patterns, domain data, threat databases, and AI-generated text markers simultaneously. It takes seconds and catches threats that even security-aware users might miss.

Quick Reference Checklist

Print this or save it to your phone:

  1. Does the sender address domain match the company? If no — suspicious.
  2. Do SPF/DKIM/DMARC pass, and for the company's real domain? If any fail, or they pass for a look-alike domain — suspicious.
  3. Do all links point to the correct domain? If not — do not click.
  4. Is the email creating panic or urgency? If yes — slow down.
  5. Does it use your real name? If "Dear Customer" — be cautious.
  6. Can you verify the claim through the company's official website? Always do this.
  7. Does an automated scan flag it? Trust the tool.

What to Do If You Spot a Phishing Email

Do not just delete it. Report it so the scam infrastructure gets flagged:

  • Gmail: Click the three dots, then "Report phishing"
  • Outlook: Right-click, then "Report" > "Phishing"
  • Apple Mail: Forward to reportphishing@apple.com if it impersonates Apple
  • FTC: File a report at ReportFraud.ftc.gov, and forward the email to the Anti-Phishing Working Group at reportphishing@apwg.org, the address the FTC recommends
  • At work: Use your organization's report-phishing button, or forward the message to its security team as an attachment so the headers are preserved

For more phishing red flags, read our complete guide: 15 Red Flags in Phishing Emails.
