Independent scam & phishing analysis. Free for individuals. APIs for developers.

Operated by Zeplik, Inc.

Is This Email a Scam? A Complete Guide to Checking

IsThisAScam Research Team · March 7, 2026 · 7 min read
Contents
  1. Step 1: Check the Sender's Email Address
  2. Step 2: Examine the Subject Line and Opening
  3. Step 3: Hover Over Links (Don't Click)
  4. Step 4: Look for Personalization (or Lack of It)
  5. Step 5: Check for Attachments You Didn't Expect
  6. Step 6: Verify Independently
  7. Step 7: Use an Email Analysis Tool
  8. Common Scam Email Categories
  9. Advanced Techniques: Reading Email Headers
  10. Why Scam Emails Are Getting Harder to Spot
  11. What Happens If the Email Is a Scam
  12. Quick Reference Checklist

You're staring at an email that doesn't feel right. Maybe it's an unexpected invoice, a password reset you didn't request, or a prize notification for a contest you never entered. Here's a systematic method for deciding whether that email is legitimate or a scam — no technical expertise required.

Step 1: Check the Sender's Email Address

The display name is meaningless. Anyone can set their display name to "Amazon" or "Bank of America." What matters is the actual email address.

On desktop email clients, the full address is usually visible. On mobile, you often need to tap the sender name to expand it. Look at the part after the @ sign — that's the domain.

  • Legitimate: no-reply@amazon.com, alerts@chase.com
  • Suspicious: amazon-support@account-verify.net, chase-alerts@secure-banking-login.com

Scammers register domains that look plausible at a glance. They add the real brand name as a subdomain or prefix: amazon.security-check.com is owned by security-check.com, not Amazon. Read domains right to left — the last two segments before the first slash tell you who owns it.


Step 2: Examine the Subject Line and Opening

Scam emails almost always create urgency. They want you to act before you think. Common pressure tactics:

  • "Action required within 24 hours"
  • "Your account has been compromised"
  • "Payment failed — update immediately"
  • "You have a pending refund"
  • "Verify your identity or lose access"

Legitimate companies do send alerts, but they typically provide context, reference your actual account details (last 4 digits of a card, your name), and give you multiple ways to resolve the issue — including calling them directly.

Step 3: Hover Over Links (Don't Click)

On desktop, hover your mouse over any button or link in the email. A small tooltip or status bar at the bottom of your browser will show the actual URL. On mobile, long-press the link to preview the URL without opening it.

Check whether the URL domain matches the company. A legitimate PayPal link goes to paypal.com. A phishing link might go to paypa1-secure.com (note the number "1" replacing the letter "l") or paypal.com.scam-domain.xyz.

If the email contains a shortened URL (like bit.ly or tinyurl.com), that's a red flag. Legitimate transactional emails from major companies virtually never use URL shorteners.
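The domain reading from Step 1 and the link checks in Step 3 can be turned into one routine. This is an added example, not IsThisAScam's own code: it extracts the owning domain of a sender address or URL (reading right to left, with a small stand-in for the Public Suffix List, which is an assumption; real code needs the full list), then classifies the page's own examples as legitimate, brand-as-subdomain, lookalike, shortener, or unrelated.

```python
from urllib.parse import urlparse
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List. "Last two labels" is
# wrong for co.uk, com.au, ...; real code should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Digit-for-letter swaps used in lookalike domains (the page's paypa1 for paypal)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def registrable_domain(host: str) -> str:
    """Who owns the host, read right to left: the last two labels, or three
    under a multi-label suffix such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def host_of(value: str) -> str:
    """Host of a URL, or the domain of an address like 'Amazon <x@example.net>'."""
    if "://" in value:
        return urlparse(value).hostname or ""
    addr = parseaddr(value)[1]
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def check_domain(value: str, brand_domain: str) -> str:
    """Classify a sender address or link against the brand domain it appears to be."""
    host = host_of(value)
    owner = registrable_domain(host)
    brand = brand_domain.lower()
    brand_label = brand.split(".")[0]
    if owner == brand:
        return "legitimate"
    if owner in URL_SHORTENERS:
        return "shortener"  # hides the real destination
    if brand_label in host and brand_label not in owner:
        return "brand-as-subdomain"  # amazon.security-check.com is owned by security-check.com
    if brand_label in owner.translate(HOMOGLYPHS):
        return "lookalike"  # paypa1-secure.com reads as paypal once 1 -> l
    return "unrelated-domain"

if __name__ == "__main__":
    for value, brand in [("no-reply@amazon.com", "amazon.com"),
                         ("https://paypa1-secure.com/login", "paypal.com")]:
        print(value, "->", check_domain(value, brand))
```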

Step 4: Look for Personalization (or Lack of It)

Does the email address you by name? By your actual account username? Or does it say "Dear Customer," "Dear User," or "Dear Account Holder"?

Scammers send millions of emails at once and usually don't have your personal details. They use generic greetings because the same template goes to everyone. A real email from your bank will typically include your first name and may reference the last four digits of your account number.

Exception: some legitimate marketing emails use generic greetings. But combined with other red flags, a generic greeting is significant.

Step 5: Check for Attachments You Didn't Expect

Unexpected attachments are one of the most dangerous elements in a scam email. Common malicious attachment types:

  • .zip or .rar files — often contain malware disguised as documents
  • .exe or .scr files — executable programs that install malware
  • .doc or .xls with macros — "Enable editing" prompts that run malicious code
  • .html files — fake login pages that run locally in your browser
  • .pdf files — can contain embedded links to phishing sites or exploit vulnerabilities

If you didn't expect an attachment, don't open it. If an email claims to be an invoice from a company you do business with, log into that company's website directly to check your account.

Step 6: Verify Independently

The most reliable test: can you verify this message through a channel that the email doesn't provide?

  1. Open a new browser tab (don't use links from the email)
  2. Type the company's URL directly or use a bookmarked link
  3. Log into your account
  4. Check for any alerts, messages, or action items

If the email claims your package is delayed, go to the shipping carrier's website and enter your tracking number from your original order confirmation. If it claims your bank account is locked, call the number on the back of your debit card.

Scammers hate this step because it bypasses their entire setup. They need you to interact with their link, their phone number, their fake website.

Step 7: Use an Email Analysis Tool

When you've gone through the steps above and you're still unsure, use a dedicated scam detection tool. Copy the email text — including the sender address and subject line — and paste it into IsThisAScam. The tool analyzes the content for known scam patterns, checks the language for manipulation tactics, and gives you a clear risk assessment with specific reasons.

This is especially useful for well-crafted phishing emails that don't have obvious spelling errors or generic greetings. Modern phishing often passes a casual inspection — automated analysis catches the subtle patterns that humans miss.

Common Scam Email Categories

Understanding the most common formats helps you recognize them faster:

  • Account verification: Claims you need to verify your identity or account details. Creates urgency with a deadline.
  • Payment/invoice scams: Sends a fake invoice or claims a payment failed. Targets your fear of financial loss.
  • Prize/lottery notifications: Tells you that you've won something. Requires you to pay a "processing fee" or provide personal details to claim it.
  • Tech support: Claims your computer or account has a virus/breach. Asks you to call a number or install remote access software.
  • Delivery notifications: Fake tracking updates for packages you didn't order. Links lead to credential-harvesting pages.
  • Job offers: Unsolicited high-paying job offers that require you to provide personal information or pay for training materials.
  • Romance/relationship: Establishes an emotional connection over time, then requests money for emergencies, travel, or medical expenses.

Advanced Techniques: Reading Email Headers

For a more technical analysis, email headers reveal the actual path an email took to reach you. This information can't be spoofed as easily as the "From" address.

In Gmail: Open the email → click the three dots (⋮) → "Show original." Look for the Received: headers, which show each server the email passed through, and the Authentication-Results: header, which shows SPF, DKIM, and DMARC results.

In Outlook: Open the email → File → Properties → Internet Headers.

What to look for:

  • SPF: pass means the sending server is authorized to send for that domain. A "fail" or "softfail" means it's not — strong evidence of spoofing. (Legitimate mail that was forwarded by a mailing list or another mailbox can also fail SPF, which is one reason DMARC looks at DKIM as well.)
  • DKIM: pass means the email's content was cryptographically signed by the claimed domain and wasn't altered in transit.
  • DMARC: pass means both SPF and DKIM align with the domain in the "From" address. A DMARC failure is a near-certain indicator of spoofing.

You don't need to become an email header expert. If you see "fail" next to any of these three protocols, the email isn't from who it claims to be. That alone is enough to confirm it's a scam.
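The header check above can be automated. This is an added example, not the site's tool: it parses the method=result pairs in an Authentication-Results header, compares the domain each pass was earned for with the From domain (the alignment idea behind DMARC), and reports "spoofed" when any result is fail/softfail or a pass belongs to a different domain. The two messages are constructed samples; mx.example.net and the 198.51.100.7 address are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples, not real mail. SPOOFED claims chase.com in From, but SPF
# fails and the DKIM signer is another domain; LEGIT has everything aligned.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=alerts@secure-banking-login.com;
 dkim=pass header.d=secure-banking-login.com;
 dmarc=fail (p=REJECT) header.from=chase.com
From: "Chase Alerts" <alerts@chase.com>
Subject: Your account is locked

(body omitted)
"""
LEGIT = (SPOOFED.replace("spf=fail (sender IP is 198.51.100.7)", "spf=pass")
         .replace("secure-banking-login.com", "chase.com")
         .replace("dmarc=fail (p=REJECT)", "dmarc=pass"))

def org_domain(host: str) -> str:
    """Last two labels (simplification; co.uk etc. need the Public Suffix List)."""
    return ".".join(host.lower().strip().split(".")[-2:])

def auth_results(raw: str):
    """Return ({'spf': (result, domain), 'dkim': ..., 'dmarc': ...}, From domain)
    from the Authentication-Results header (RFC 8601 method=result syntax)."""
    msg = message_from_string(raw)
    header = msg.get("Authentication-Results", "")
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header):
        clause = header[m.end():].split(";", 1)[0]  # rest of this method's clause
        prop = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^@\s]*@)?([\w.-]+)", clause)
        results[m.group(1)] = (m.group(2).lower(), org_domain(prop.group(1)) if prop else "")
    from_addr = parseaddr(msg.get("From", ""))[1]
    return results, org_domain(from_addr.rsplit("@", 1)[-1])

def verdict(raw: str):
    """'spoofed' if any method failed, or SPF/DKIM passed for a domain other than
    the From domain; otherwise 'authenticated'. Reasons are listed for the reader."""
    results, from_dom = auth_results(raw)
    reasons = []
    for method, (result, dom) in results.items():
        if result in ("fail", "softfail"):
            reasons.append(f"{method}={result}")
        elif result == "pass" and method != "dmarc" and dom != from_dom:
            reasons.append(f"{method} passed for {dom}, not {from_dom}")
    return ("spoofed" if reasons else "authenticated"), reasons

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(name, *verdict(raw))
```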

Why Scam Emails Are Getting Harder to Spot

The era of obvious scam emails with broken English and Nigerian prince stories is fading. Modern scam emails are difficult to distinguish from legitimate ones because:

  • AI writes flawless copy. Scammers use language models to generate emails that match the tone, formatting, and vocabulary of the brand they're impersonating.
  • Stolen branding is pixel-perfect. Scammers download entire email templates from legitimate companies and modify only the links.
  • Attacks are personalized. Data from previous breaches (your name, employer, recent purchases) makes scam emails feel relevant and personal.
  • Timing is strategic. Scam campaigns launch during events that create natural urgency — tax season, holiday shopping, service outages, data breach announcements.

This evolution is exactly why a systematic checking process — like the seven steps above — matters more than relying on gut instinct. Your instincts were trained on the obvious scams of the past. The current generation of phishing is designed to bypass instinct entirely.

What Happens If the Email Is a Scam

If you've determined the email is fraudulent:

  1. Don't interact with it. No clicking, no replying, no downloading.
  2. Report it as phishing in your email client (Gmail, Outlook, and Apple Mail all have dedicated "Report phishing" options).
  3. Forward it to the impersonated company if they have a phishing report address (e.g., spoof@paypal.com, reportphishing@apple.com).
  4. Delete it. Don't archive it "just in case." It serves no purpose sitting in your inbox.
  5. If you already clicked a link or entered information, see our guide on what to do after clicking a phishing link.

Quick Reference Checklist

Save this checklist for the next time you're unsure about an email:

  1. Does the sender's actual email address match the company?
  2. Is the email creating urgency or threatening consequences?
  3. Do the links point to the real company's website?
  4. Does the email address you by name with correct account details?
  5. Were you expecting this email?
  6. Can you verify the claim by logging in directly to the company's site?

If two or more of those checks fail, treat the email as suspicious. You can always get a second opinion by running it through IsThisAScam's free analysis tool.

Remember: scammers count on you being too busy, too stressed, or too trusting to run through these checks. The five minutes you spend verifying a suspicious email can save you weeks of dealing with identity theft, financial fraud, or compromised accounts. Make verification a habit, not an afterthought.
