IsThisAScam

Independent scam & phishing analysis. Free for individuals. APIs for developers.

Operated by Zeplik, Inc.
Account Verification Emails: Real vs Fake

IsThisAScam Research Team · April 16, 2026 · 4 min read
Contents
  1. Account Verification Emails: Real vs Fake
  2. When Verification Emails Are Legitimate
  3. How Fake Verification Emails Work
  4. Side-by-Side Comparison: Real vs Fake
  5. Specific Services and Their Real Verification Practices
  6. The OAuth Verification Trap
  7. What to Do When You Receive a Verification Email

Account Verification Emails: Real vs Fake

You just signed up for a new service and receive an email: "Please verify your email address." You click the link without a second thought. Now imagine receiving the exact same type of email when you haven't signed up for anything. Your reaction might still be to click — because verification emails are so common that clicking them has become automatic. Scammers exploit this muscle memory to steal credentials from millions of people.

When Verification Emails Are Legitimate

Real account verification emails arrive in three situations:

1. You just created an account. Immediately after signing up for a service, you receive an email asking you to confirm your email address. This is standard, expected, and safe — as long as the email actually came from the service you just signed up for.

2. You requested a password reset. You clicked "Forgot Password" on a login page, and the service sent a reset link. Again, this is expected and legitimate because you initiated it.

3. You added a new email to an existing account. If you changed or added an email address in your account settings, the service sends a verification email to the new address.

The common thread: you did something first. Legitimate verification emails are responses to your actions. If you receive a verification email when you haven't done anything, that's a red flag.

How Fake Verification Emails Work

Fake verification emails exploit the legitimate verification process by mimicking its visual design and language:

"We noticed unusual activity on your account. To continue using [Service], please verify your identity by confirming your email address and password.

[Verify My Account]

If you don't verify within 24 hours, your account will be temporarily suspended."

Notice the differences from a real verification email: it mentions "unusual activity" (creating fear), asks for a password (real verification emails don't), and imposes a deadline (creating urgency). These three elements — fear, password request, urgency — are the hallmarks of a phishing email disguised as a verification request.

The phishing page behind the "Verify" button mimics the service's login page. You enter your email and password, thinking you're verifying your account. Instead, you've handed your credentials to the attacker.

Side-by-Side Comparison: Real vs Fake

Real verification email: Arrives immediately after you take an action. Contains a simple "Verify Email" or "Confirm Email" button. Does not ask for your password. Does not mention unusual activity or security threats. Does not impose urgent deadlines. Comes from the service's official domain.

Fake verification email: Arrives without you taking any action. Mentions security threats, unusual activity, or policy violations. Asks you to "verify" by entering your password. Imposes a deadline (24 hours, 48 hours). Comes from a lookalike domain. Contains language designed to create fear or urgency.

Specific Services and Their Real Verification Practices

Google: Sends verification emails from noreply@google.com. Never asks for your password in an email. You can verify any email Google sent by checking Settings → Security → "Recent emails from Google."

Apple: Sends from @apple.com or @id.apple.com. Never asks for your Apple ID password, credit card number, or Social Security number via email.

Microsoft: Sends from @account.microsoft.com or @microsoft.com. Verification links always point to login.microsoftonline.com or account.live.com.

Amazon: Sends from @amazon.com. Never asks you to verify payment information through email links. All account verification happens within your Amazon account at amazon.com/your-account.

PayPal: Sends from @paypal.com. Always addresses you by your full name (first and last). Never uses generic greetings like "Dear User" or "Dear PayPal Customer."

The OAuth Verification Trap

A more sophisticated variant doesn't steal your password at all. Instead, the "verification" link takes you to a real login page for the service (Google, Microsoft, etc.) that asks you to grant permissions to a third-party app. The page is genuinely hosted by Google or Microsoft — it's a real OAuth consent screen. But the app requesting access is controlled by the attacker. If you click "Allow," the attacker gains access to your email, contacts, or files without ever seeing your password.

Always read OAuth permission requests carefully. If an unfamiliar app is requesting access to your email or files, deny it — regardless of how you arrived at the permission screen.
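The point above can be made concrete by reading the consent link itself. The following is an added example, not code from the original article: it parses an OAuth authorization URL and reports which app is asking and for what. The scope list is a partial one chosen for illustration, and the sample link, its client_id and its redirect host are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Authorization hosts of the two providers the article names.
CONSENT_HOSTS = {"accounts.google.com", "login.microsoftonline.com"}
# Scopes granting the access the article warns about (mail, contacts, files).
# Partial list, chosen for this example.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/drive": "all Drive files",
    "https://www.googleapis.com/auth/contacts": "contacts",
    "Mail.Read": "read mail",
    "Mail.ReadWrite": "read and write mail",
    "Files.Read.All": "all files",
    "Contacts.Read": "contacts",
    "offline_access": "access persists via refresh token",
}

def inspect_consent_link(url):
    """Summarise what an OAuth authorization link would grant, and to whom."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)  # also decodes %20 and + in the scope list
    scopes = params.get("scope", [""])[0].split()
    return {
        # True here is exactly the trap: the page really is the provider's.
        "genuine_provider_host": parts.hostname in CONSENT_HOSTS,
        # The app identity and the place the grant is delivered to are what
        # the decision has to rest on.
        "client_id": params.get("client_id", [None])[0],
        "redirect_host": urlsplit(params.get("redirect_uri", [""])[0]).hostname,
        "broad_grants": [BROAD_SCOPES[s] for s in scopes if s in BROAD_SCOPES],
    }

# Constructed link: real Microsoft endpoint, placeholder app and redirect host.
SAMPLE = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fverify-portal.example%2Fcallback"
    "&scope=openid%20Mail.Read%20Files.Read.All%20offline_access"
)
```

For the sample, the host check passes while the grants cover mail, files and persistent access, which is why a sender-and-link check alone does not catch this variant.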

What to Do When You Receive a Verification Email

Ask: did I just do something? If you didn't sign up for an account, request a password reset, or change your email address in the last few minutes, the verification email is suspicious.

Go to the service directly. Instead of clicking the link, open the service's website or app directly and check your account status. If verification is genuinely needed, you'll see a prompt there.

Check the sender and link. Verify the sender address matches the service's known domain. Hover over the link to see where it actually points.

Never enter your password through an email link. If a "verification" page asks for your password, close the tab and go to the service directly.
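The sender, link and content checks above can be expressed as a small triage function. This is an added example, not code from the original article or from IsThisAScam: the allowlists come from the Microsoft entry earlier on this page, the hallmark patterns are illustrative, and the sample message and its `.example` domains are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: allowlists taken from this article's Microsoft entry.
SENDER_DOMAINS = {"microsoft.com", "account.microsoft.com"}
LINK_HOSTS = {"login.microsoftonline.com", "account.live.com"}
HALLMARKS = {  # the three hallmarks named in the article; patterns illustrative
    "fear": r"unusual activity|suspended|policy violation",
    "password request": r"password",
    "urgency": r"within \d+ hours",
}

class LinkHosts(HTMLParser):  # collects the host of every <a href>
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append((urlsplit(href).hostname or "").lower())

def triage(raw):
    """Return the red flags found in a single-part email (headers + body)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender not in SENDER_DOMAINS:  # exact match, so lookalikes fail
        findings.append(f"sender domain not official: {sender}")
    parser = LinkHosts()
    parser.feed(body)
    for host in parser.hosts:  # where the link points, not what it displays
        if host not in LINK_HOSTS:
            findings.append(f"link points elsewhere: {host}")
    for name, pattern in HALLMARKS.items():
        if re.search(pattern, body, re.I):
            findings.append(f"hallmark: {name}")
    return findings

# Constructed sample modelled on the fake message quoted in the article.
FAKE = """From: Microsoft Account <security@account-microsoft.example>

<p>We noticed unusual activity. Confirm your email address and password.</p>
<a href="https://login.microsoftonline.com.verify.example/start">Verify My Account</a>
<p>Verify within 24 hours or your account will be suspended.</p>
"""
```

A From header can be forged, so a matching sender domain means only that this one check passed. The bare `password` pattern also fires on a genuine notice that says it will never ask for your password, so treat hallmark hits as prompts to go to the service directly rather than as a verdict.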
