How to Tell If an Email Is a Scam — 7-Point Checklist

A simple 7-point checklist to instantly identify phishing emails, scam messages, and fraud attempts before they cost you money.

Every day, over 3.4 billion phishing emails are sent worldwide. That’s 3.4 billion attempts to steal your money, your identity, or your login credentials. The good news: nearly all of them share the same telltale signs.

This 7-point checklist will help you identify a scam email in under 30 seconds.

The 7-Point Scam Email Checklist

✅ 1. Check the Sender’s Email Address (Not Just the Display Name)

This is the most important check — and the most overlooked.

Scammers can make an email appear to come from “PayPal Customer Service” or “Microsoft Support” while the actual sending address is something like paypal.service@gmail.com or support@microsoft-secure.ru.

How to check: In most email clients, hover over (or click on) the sender’s name to reveal the actual email address.

What to look for:

  • The domain must match the company’s official domain exactly
  • support@paypal.com = legitimate
  • support@paypal-security.com = phishing
  • paypal.support@gmail.com = phishing

Look especially hard at domains — scammers use tricks like paypai.com (using a lowercase ‘i’ instead of ‘l’), paypa1.com, or paypal.security-portal.com.

✅ 2. Look for Urgency and Threats

“Your account will be suspended in 24 hours.” “Immediate action required.” “Your payment has been declined.”

Legitimate companies rarely send threatening, urgent emails about account suspensions or required “immediate” action. They have multiple ways to contact you and give you adequate time to respond.

Urgency is a manipulation tactic. It short-circuits rational thinking and pushes you to act before you think.

If an email claims something urgent is happening to your account, open a new browser tab and go directly to the company’s website (type the URL yourself, don’t click the link). Check your account there.

✅ 3. Hover Over Links Before Clicking

Before clicking any link in an email, hover your mouse over it. The destination URL will appear in your browser’s status bar or as a tooltip.

The destination URL must match the company’s official domain.

Example: An email supposedly from Chase bank contains a link that says “click here to verify your account.” Hover over it. If it shows anything other than chase.com as the domain, it’s a phishing link.

Watch for these tricks:

  • chase.com.phishing-site.com (the chase.com part is a subdomain, the real domain is phishing-site.com)
  • chase-secure-login.com (looks legit, isn’t)
  • bit.ly/abc123 (URL shortener hiding the real destination — always suspicious in security-related emails)
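As an added example (not code from the original article), here is a small Python helper that applies checks 1 and 3 mechanically: it pulls the host out of a sender address or a link, reduces it to the registrable domain, and flags the subdomain trick, lookalike domains and URL shorteners described above. The shortener list, the two-label domain rule and the edit-distance threshold are simplifying assumptions.

```python
# Added example, not code from the original article: classify a sender
# address or a link against the company's real domain (checks 1 and 3).
from urllib.parse import urlparse

# Constructed list of URL-shortener hosts; extend it for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def host_of(target: str) -> str:
    """Return the lowercase host of an email address or a URL (scheme optional)."""
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1].lower()
    if "://" not in target:
        target = "http://" + target
    return (urlparse(target).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host; assumes a one-label public suffix such as .com."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 means a lookalike such as paypai / paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target: str, official_domain: str) -> str:
    """Return ok, shortener, subdomain-trick, lookalike or unrelated."""
    host = host_of(target)
    domain = registrable_domain(host)
    official_name = official_domain.split(".")[0]      # "paypal", "chase"
    if domain == official_domain:
        return "ok"                  # support@paypal.com, secure.chase.com
    if domain in SHORTENERS:
        return "shortener"           # bit.ly/abc123 hides the real destination
    if any(official_name in label for label in host.split(".")[:-2]):
        return "subdomain-trick"     # chase.com.phishing-site.com
    name = domain.split(".")[0]
    if official_name in name or edit_distance(name, official_name) <= 2:
        return "lookalike"           # paypal-security.com, paypai.com, paypa1.com
    return "unrelated"               # paypal.support@gmail.com
```

A real deployment would replace the two-label rule with a public suffix list so that domains such as example.co.uk are reduced correctly.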

✅ 4. Check the Greeting

Legitimate emails from companies you have accounts with generally know your name. They address you as “Dear John Smith” or “Hello, Jane.”

Phishing emails often use generic greetings:

  • “Dear Customer”
  • “Dear Account Holder”
  • “Dear User”
  • “Hello,”

This is because phishing campaigns send millions of emails to purchased lists — they don’t know your name.

Exception: Some legitimate newsletters and automated emails do use generic greetings. Use this check alongside the others, not in isolation.

✅ 5. Look for Spelling, Grammar, and Formatting Errors

Major companies have professional content teams and multiple rounds of proofreading. Their emails are polished, consistent with their branding, and error-free.

Phishing emails often contain:

  • Spelling and grammar mistakes
  • Inconsistent capitalization
  • Awkward phrasing (often a sign of translation from another language)
  • Mismatched fonts or colors
  • Low-quality or stretched logos

Important caveat for 2026: AI tools like GPT-4 have made scam emails significantly more polished. You can no longer rely on grammar errors as a primary indicator. Use this alongside other checks.

✅ 6. Don’t Trust Attachments You Didn’t Request

An unexpected attachment is a major red flag. Common malicious file types include:

  • .exe, .bat, .vbs (executable files)
  • .zip or .rar files containing executables
  • Office documents (.docx, .xlsx) with macros enabled
  • PDFs with embedded malicious code

Even if the email appears to come from someone you know, if they’re sending an unexpected attachment, verify by calling them. Email accounts get compromised, and scammers use legitimate contacts to spread malware.

Tip: Microsoft Office documents requesting you “Enable Editing” or “Enable Content” are a classic malware delivery mechanism. Never enable macros for documents from unknown sources.

✅ 7. Ask: Did You Initiate This?

This is the simplest check: did you ask for this email?

  • Did you just request a password reset? No? Then that reset email is suspicious.
  • Did you just make a purchase? No? Then that order confirmation with a “click to view” link is suspicious.
  • Did you enter a contest? No? Then that “You won!” email is 100% a scam.

Legitimate companies send emails in response to your actions. Unsolicited “action required” emails are almost always fraudulent.

Bonus: The 3-Second Rule

When you receive a suspicious email, ask yourself three questions before doing anything else:

  1. Am I expecting this? Did I initiate an action that would trigger this email?
  2. Does the sender check out? (Hover over the address, inspect the domain)
  3. Is there urgency or pressure? (A manipulation tactic)

If any answer raises a flag, assume it’s a scam. Go directly to the company’s official website or call their official number.

What to Do With a Phishing Email

  1. Don’t click anything. Not links, not attachments.
  2. Mark it as phishing in your email client (not just spam — this helps train filters).
  3. Report it:
    • PayPal phishing: phishing@paypal.com
    • IRS phishing: phishing@irs.gov
    • General phishing: reportphishing@apwg.org
    • FTC: reportfraud.ftc.gov
  4. If you clicked something: Run a malware scan immediately. Change passwords for any accounts you might have logged into via the phishing site.

If You Already Clicked and Entered Credentials

Act immediately:

  1. Change your password on the real company’s website
  2. Enable two-factor authentication (2FA)
  3. Check for unauthorized activity in your account
  4. If financial accounts were involved: Contact your bank, monitor for fraudulent transactions
  5. Consider a credit freeze if you entered sensitive personal information

The faster you act, the better.

Phishing attacks succeed because they exploit trust and urgency. With this checklist, you have the tools to spot them before they succeed. Bookmark this page and share it — the more people who know these signs, the fewer victims scammers find.