Key Takeaways
- Always verify the sender’s email domain and display name. Scammers use tricks like typosquatting and deceptive display names to fool you.
- Use technical checks like SPF, DKIM, and DMARC when possible, but remember passing them doesn’t guarantee an email is safe.
- Watch out for urgent or threatening language, unexpected attachments, and suspicious links, as these are classic phishing tactics.
- Stay vigilant and combine multiple methods to spot fakes. No single check is foolproof, so trust your skepticism and double-check before acting.
Imagine this: you open your inbox and see an urgent message from your bank. They claim your account has been compromised and you need to verify your information immediately. You immediately want to click the link, ready to protect your hard-earned money. But wait—have you just fallen for one of the oldest tricks in the book?
Phishing attacks like this are everywhere. In fact, over 3.4 billion phishing emails are sent daily, and 90% of cyberattacks begin with a phishing email. Scammers have gotten alarmingly sophisticated, so knowing how to tell if an email is fake is more important than ever.
There’s no single trick that works every time. However, by combining a few smart techniques, such as checking email headers and understanding how scammers manipulate human psychology, you can significantly reduce your chances of falling victim.
Let’s break it all down and help keep your inbox and your identity safe.
What Does a Fake Email Look Like?
To catch a scammer, you need to think like one. Most scammers start with a simple goal: to trick you into taking some action, whether it’s clicking a link, downloading an attachment, or sharing your personal and financial information. But how do they get you to that point? The answer lies in a combination of psychology and technical tricks.
Let’s start with the simplest technique: looking at the email address itself.
Spotting Domain Imitations
First, check the email domain. If you’re expecting an email from a reputable company, the domain should match the company’s official website. For example, an email from Amazon should come from @amazon.com, not @amaz0n.com.
Spammers use techniques like typosquatting, where they register domains that are very similar to legitimate ones. For example, they might register gooogle.com (with three o’s) and use it to send phishing emails that look like they’re from Google.
Subdomains: Don’t Be Fooled
Another common trick is to use subdomains to make a fake address look legitimate. For example, “paypal.secure-login.com” might look like it’s from PayPal at first glance, but “secure-login.com” is the actual domain here. Always look at the root domain (the part just before the .com, .org, etc.) to determine the true sender.
Look for Deceptive Display Names
Scammers can manipulate the display name in a phishing email to make it appear as if the email is from someone you know.
Example: An email might appear to come from “Amazon Customer Support,” but the actual email address is something like [email protected].
This technique is often used in order confirmation scams, where attackers impersonate popular brands to trick recipients into clicking on fake order updates or invoices.
The Unicode Trick
This clever trick involves using characters from non-Latin alphabets that look identical to standard letters. For example, the Cyrillic “а” (U+0430) looks exactly like the Latin “a”, but allows scammers to register a different domain.
Example:
Legitimate email address: apple.com
Spoofed scam address: аpple.com (notice the difference? Visually, there isn’t one!)
If you’re suspicious, copy and paste the address into a Unicode inspector tool; it will reveal any non-standard characters.
Random Characters in the Fake Email Address
Another thing to look for in the fake email address is random strings of numbers or letters. Real email addresses rarely have these, unless they’re automatically generated addresses for specific purposes. If you see an email from [email protected], it’s more likely to be fake than one from [email protected].
But again, this isn’t a hard and fast rule. Some people do use random numbers in their email addresses, especially if they have a common name and need to differentiate their address from others.
The Reply-To Field
The next thing to examine is the “reply-to” address. This tells your email client where to send replies.
Legitimate emails typically have the reply-to address set to the same domain as the sender. If it’s different, especially if it’s a free email service, that’s a warning sign. Scammers often have to use a different reply-to address since they don’t actually control the domain they’re spoofing.
Example: An email might appear to come from [email protected], but the ‘Reply-To’ address might be set to [email protected].
In Gmail, you can see the reply-to address by clicking the dropdown arrow next to the sender’s name. Other email clients may require you to start composing a reply to see it. If the reply-to doesn’t match the sender, be cautious.
Sometimes, scammers don’t even bother changing the reply-to field. Instead, they’ll include text in the email body asking you to reply to a different address. This is equally suspicious.
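The sender checks described above (root domain, the subdomain trick, look-alike characters, deceptive display names and a mismatched Reply-To) can be scripted. This is an added example, not code from the original article or from PowerDMARC; the public-suffix list is deliberately tiny and the edit-distance threshold of 2 for "look-alike" is an assumption.

```python
import email.utils
import unicodedata

# Constructed, deliberately short list of public suffixes; a production checker
# would use the full Public Suffix List.
KNOWN_SUFFIXES = {"com", "org", "net", "co.uk"}

def root_domain(host: str) -> str:
    """Registrable ('root') domain: 'paypal.secure-login.com' -> 'secure-login.com'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try a two-label suffix such as co.uk before a one-label one
        if ".".join(labels[-n:]) in KNOWN_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)

def non_ascii_chars(host: str) -> list:
    """Non-ASCII characters in a host with their Unicode names, e.g. Cyrillic
    U+0430, which renders exactly like the Latin 'a'."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in host if ord(c) > 0x7F]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as amaz0n or gooogle."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str, expected_root: str, reply_to_header: str = "") -> list:
    """Warning codes for a From: header (and optional Reply-To:) of a mail that
    claims to come from the brand whose real root domain is expected_root."""
    warnings = []
    display, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-from"]
    host = addr.rsplit("@", 1)[1].lower()
    root = root_domain(host)
    brand = expected_root.split(".")[0]  # 'paypal' for 'paypal.com'
    if non_ascii_chars(host):
        warnings.append("non-ascii-domain")
    if root != expected_root:
        warnings.append("root-domain-mismatch")
        if host.startswith(brand + "."):  # brand appears only as a subdomain label
            warnings.append("brand-in-subdomain")
        elif edit_distance(root.split(".")[0], brand) <= 2:  # threshold is an assumption
            warnings.append("lookalike-domain")
        if brand in display.lower():  # display name claims a brand the domain is not
            warnings.append("deceptive-display-name")
    if reply_to_header:
        _, reply_addr = email.utils.parseaddr(reply_to_header)
        if "@" in reply_addr and root_domain(reply_addr.rsplit("@", 1)[1]) != root:
            warnings.append("reply-to-domain-differs")
    return warnings

if __name__ == "__main__":
    for hdr, real in [("PayPal <service@paypal.com.secure-account.com>", "paypal.com"),
                      ("Amazon Customer Support <orders@amaz0n.com>", "amazon.com"),
                      ("Apple <no-reply@\u0430pple.com>", "apple.com")]:  # Cyrillic a
        print(hdr, "->", check_sender(hdr, real))
```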
Common Content Red Flags in a Suspicious Email
Scammers are experts at manipulating emotions and creating scenarios that prompt immediate action. This tactic is known as “social engineering.” By creating a sense of urgency or appealing to your desire for financial gain, they hope to trick you into revealing personal information or clicking on malicious links.
For example, an email might urgently demand you to review your recent activity on an unfamiliar platform or provide a “my assignment help review” link to disguise malicious content. These phishing emails are designed to mimic legitimate organizations, complete with professional-looking logos and layouts, to trick users into trusting them.
Typical phishing scam emails might claim that:
- You’ve won a substantial sum of money.
- Your account has been compromised, and immediate action is required.
- A package delivery failed, and you need to reschedule.
- An urgent invoice or business request is pending.
These phishing emails are designed to look legitimate and may even use familiar logos, fonts, and layouts. The goal is to get you to react quickly without thinking critically about the authenticity of the email.
Urgency and Threats
Cybercriminals know that fear and urgency can prompt quick action. Fake emails might try to scare you and create a sense of urgency: “Your account will be closed if you don’t update your payment details immediately”; excite you, e.g. “Congratulations! You’ve won $100,000! Click here to claim your prize”; or create a sense of natural curiosity (“See who viewed your profile”). This kind of phishing attack is meant to bypass your rational thinking.
If you receive a phishing email like this, pause and think. Does it make sense for a legitimate company to threaten you over email? Most real organizations don’t use these tactics. Also, if you have not entered any contest or raffle, it’s unlikely that you would win one. Remember, legitimate organizations do not give away large sums of money via unsolicited emails.
If you receive such a phishing email, contact the company directly using a verified contact method to check if the email is legitimate.
Requests for Sensitive Information
Legitimate companies generally don’t ask for sensitive information via email. If an email asks you to reply with your personal details, account credentials, social security number, or credit card details, it’s almost certainly fake.
For example, you might receive a fake university email claiming to be the Financial Aid Office (for example: [email protected]) requesting your Social Security Number to process a scholarship or student loan. Not only is the request unusual, but the suspicious domain (like the misspelled “paypall”) is a clear red flag that this is likely a phishing attempt. You can read more about how fake university emails target unsuspecting students and staff.
Unexpected Attachments
Scammers often use malicious attachments to deliver malware, which can infect your computer and steal your personal information. If you receive an unexpected attachment, especially a .zip file or an unusual file type like .exe, .scr, or .vbs, be very cautious. Even seemingly harmless file types like PDFs or Word documents can carry malicious macros or embedded scripts.
What to do with suspicious attachments:
- Do not open them: If you receive an unexpected attachment, do not open it unless you are sure it is from a trusted source.
- Use antivirus software: Ensure your antivirus software is up to date and use it to scan any attachments before opening them.
Grammar, Spelling Errors, and Inconsistencies
While not watertight (some legitimate emails have errors too), poor grammar and multiple mistakes can be a red flag. Scammers might not have a firm grasp of the language they’re writing in, or they may intentionally use broken grammar as a filter to weed out more discerning recipients (people who notice and are put off by grammatical errors are less likely to fall for the phishing attempt). That’s why one of the easiest ways to identify a fake email address is to check for grammar and spelling errors.
Legitimate companies have dedicated teams to ensure their communications are professional and free of errors. They usually have consistent, professional-looking email templates. If an email claiming to be from a major company looks amateurish or has inconsistent formatting, it might be fake.
“Dear Customer” or “Hello User” might also be dead giveaways. Legitimate companies usually address you by your name, as they have your details on file. Fake emails often use generic greetings because they’re sent out en masse.
Mismatched Links
One of the most common tactics used by scammers is embedding malicious links in emails. These links often lead to fake websites designed to steal your login credentials or infect your device with malware.
Example: The text of a malicious link in an email might say “www.yourbank.com,” but when you hover over it, the actual URL is something entirely different, like “www.scamsite.com/login.” This is called a masked or hidden URL.
How to verify links
You can:
Hover over the link
Place your cursor over the link without clicking it. This will show the actual URL destination. If it looks suspicious or does not match the official website, do not click on it. Instead of clicking the link, type the company’s name into a search engine to find its official website. Be cautious, though: spammers can use URL shorteners or other techniques to hide the real destination of a link, and some email clients don’t let you hover over embedded links to see where they go.
Look for HTTPS
Legitimate websites will usually have a URL that begins with “https://” and a padlock icon. However, this is not airtight, as scammers can also secure their malicious websites.
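The hover check above can be automated over an HTML mail body: compare the host the link text displays with the host the href really points to, and also flag URL shorteners and plain-http links. This is an added example, not code from the original article; the sample body and the short list of shortener hosts are constructed for it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# A few well-known URL-shortening hosts; extend as needed (assumption, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def canonical_host(s: str) -> str:
    """Lower-cased host named by a URL or bare domain, minus a leading 'www.';
    '' when s is ordinary link text ("Click here") rather than a host."""
    s = s.strip()
    if not s or " " in s:
        return ""
    host = (urlparse(s if "://" in s else "//" + s).hostname or "").lower()
    if "." not in host:
        return ""
    return host[4:] if host.startswith("www.") else host


def audit_links(html: str) -> list:
    """Return (href, reason) findings: link text naming a different host than the
    real destination, a shortener hiding the destination, or a plain-http link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown = canonical_host(href), canonical_host(text)
        if shown and real and shown != real:
            findings.append((href, "text-host-differs"))
        if real in SHORTENERS:
            findings.append((href, "url-shortener"))
        if urlparse(href).scheme == "http":
            findings.append((href, "not-https"))
    return findings


# Constructed sample body in the style of the bank lure discussed above.
SAMPLE_HTML = (
    '<p>Dear customer, please visit <a href="https://www.scamsite.com/login">'
    "www.yourbank.com</a> to verify your account, or "
    '<a href="http://bit.ly/example-path">track your package</a>. '
    'Genuine link for comparison: <a href="https://www.yourbank.com/login">'
    "https://www.yourbank.com/login</a></p>"
)

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_HTML):
        print(f"{reason:18} {href}")
```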
Phony Package Delivery Notices
With the increase in online shopping, scammers have turned to fake package delivery notices to trick people into clicking on malicious links.
Example: “Your package delivery attempt failed. Click here to reschedule.”
What to do:
- Check the sender’s email address: Verify that the email comes from the official domain of the shipping company (e.g., @fedex.com or @ups.com).
- Log into your account directly: Instead of clicking on links, go to the company’s website directly to track your package.
Advanced Methods to Spot a Fake Email
Now we’re getting into the more technical stuff. Don’t worry if this seems complicated at first; once you know what to look for, it’s not that hard.
Use Authentication Indicators
These are checks that verify an email actually came from the domain it claims to be from. The three main types of authentication indicators are:
- SPF (Sender Policy Framework): This helps verify that the sender’s IP address is authorized to send emails for that domain. If an email comes from a server that’s not on this list, it’s likely fake.
- DKIM (DomainKeys Identified Mail): DKIM is like a tamper-evident seal for emails. It adds a digital signature to your emails to prove that the email really came from you and hasn’t been changed on the way to the recipient.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC policy builds on SPF and DKIM, allowing domain owners to specify how to handle suspicious emails that fail these checks. It also provides a way for receivers to report back to senders about emails that pass or fail these checks.
How to Check Them
Unfortunately, most email clients don’t prominently display important authentication information, making it harder for users to quickly verify an email’s legitimacy.
Some, like Gmail, show ‘mailed-by’ and ‘signed-by’ information directly in the email view, giving you a quick indication of the email’s authenticity. For a more thorough check, you can access the full email headers.
In Gmail, click the three dots next to the reply button and select “Show original” to reveal detailed SPF and DKIM check results.
What to Look For
For major reputable organizations like Google, Apple, Microsoft, etc., you should see all three of these (SPF, DKIM, DMARC) passing. For smaller companies, at least SPF and DKIM should pass.
Any failures here are very suspicious for supposed emails from large organizations. That said, passing these checks doesn’t guarantee an email is safe. It just means it truly came from the domain it claims. A scammer could set up a fake domain with proper authentication. So you still need to verify it’s the correct domain you expect.
But reading email headers isn’t easy. They’re full of technical information that most people don’t understand. And spammers know this, so they’ve gotten better at forging headers that look legitimate.
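One way to read those headers without eyeballing them: parse the Authentication-Results header and check not only that SPF, DKIM and DMARC say “pass” but that the domain they vouch for is the visible From: domain (the alignment test that DMARC performs). This is an added example, not code from the original article or from PowerDMARC; both raw messages are constructed (203.0.113.7 is a documentation-range address) and the alignment check uses DMARC’s relaxed mode.

```python
import email
import email.utils
import re
from email import policy

# Constructed raw headers in the style of Gmail's "Show original" view. SPF and
# DKIM pass, but for a domain other than the visible From: domain, so DMARC fails.
PHISH = """\
From: "PayPal" <service@paypal.com>
Subject: Your account has been limited!
Authentication-Results: mx.example.org;
 spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=bounce@secure-account.com;
 dkim=pass header.d=secure-account.com header.s=sel1;
 dmarc=fail (p=REJECT) header.from=paypal.com

Dear valued customer, ...
"""

# Constructed aligned counterpart: the authenticated domains match From:.
LEGIT = """\
From: "Example Shop" <news@example.com>
Subject: Your order has shipped
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounce@mail.example.com;
 dkim=pass header.d=example.com header.s=k1;
 dmarc=pass (p=REJECT) header.from=example.com

Thanks for your order.
"""

def parse_auth_results(value: str) -> dict:
    """Parse 'authserv; spf=pass smtp.mailfrom=a.com; dkim=pass header.d=b.com'
    into {'spf': {'result': 'pass', 'smtp.mailfrom': 'a.com'}, 'dkim': {...}}."""
    results = {}
    for part in value.split(";")[1:]:  # element [0] is the authserv-id
        tokens = re.sub(r"\([^)]*\)", " ", part).split()  # drop (comments)
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results

def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC alignment: authenticated domain equals the From: domain or is a subdomain of it."""
    auth_domain = auth_domain.rsplit("@", 1)[-1].lower()
    return bool(auth_domain) and (auth_domain == from_domain or auth_domain.endswith("." + from_domain))

def assess(raw: str) -> dict:
    """SPF/DKIM/DMARC results plus whether a passing check actually covers the From: domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    ar = parse_auth_results(" ".join(str(msg["Authentication-Results"]).split()))
    _, addr = email.utils.parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    v = {"from_domain": from_domain}
    for m in ("spf", "dkim", "dmarc"):
        v[m] = ar.get(m, {}).get("result", "none")
    v["spf_aligned"] = v["spf"] == "pass" and aligned(ar.get("spf", {}).get("smtp.mailfrom", ""), from_domain)
    v["dkim_aligned"] = v["dkim"] == "pass" and aligned(ar.get("dkim", {}).get("header.d", ""), from_domain)
    v["vouches_for_from"] = v["spf_aligned"] or v["dkim_aligned"]  # the question DMARC asks
    return v

if __name__ == "__main__":
    print(assess(PHISH))
    print(assess(LEGIT))
```

A “pass” next to spf or dkim that is not aligned with the From: domain is exactly the “fake domain with proper authentication” case: the message is authentic for secure-account.com, not for paypal.com.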
Check Digital Signatures
One of the more advanced methods for identifying a fake email is by checking for a digital signature, also known as an S/MIME signature. Think of it like a virtual wax seal that verifies the email really came from the person or organization it claims to be from. When an email is signed with S/MIME, it means the sender has a trusted certificate that confirms their identity and ensures the message hasn’t been tampered with.
If you use Outlook or Gmail, you can verify these signatures yourself. In Outlook, signed emails show a blue ribbon icon near the sender’s name. Clicking on that will give you details about the certificate and whether it’s valid.
In Gmail, signed emails will display a “signed by” message in the email header or next to the sender’s address. If the signature is missing or invalid, it’s a red flag that the email might be fake or altered.
Reverse Search the Sender
Another smart move is to do a little detective work on the sender before trusting their email. You can perform a reverse lookup on the email address or domain using WHOIS services that show you who owns the domain and when it was registered. If the domain was created very recently or the owner’s info looks suspicious or private, that’s a warning sign.
You can also check social profiles linked to the sender’s name or email address. LinkedIn, Twitter, or even the company’s website can help you verify if the person really exists and if they’re associated with the organization they claim to be from. If you find no trace or the info doesn’t line up, it’s best to be cautious.
Examples of Phishing Scams
Let’s look at a few examples to see how these principles apply in practice.
The Classic PayPal Scam
The Classic PayPal Scam is one of the most common phishing tactics, where scammers impersonate PayPal to trick you into revealing sensitive information or sending money.
From: [email protected]
Subject: Your account has been limited!
Body: Dear valued customer, We have noticed unusual activity on your account. Please click the link below to verify your information and restore full access to your account. [LINK]
Red Flags:
- Domain spoofing (paypal.com.secure-account.com)
- Urgent subject line
- Generic greeting
- Request to click a link and enter information
The Sophisticated CEO Fraud
One of the most dangerous forms of phishing is known as executive phishing, where attackers impersonate high-level executives to trick employees into transferring money or sensitive information.
From: [email protected]
Subject: Urgent wire transfer needed
Body: [Employee’s Name], I need you to process an urgent wire transfer for a new acquisition. This is time-sensitive and confidential. Please transfer $50,000 to the following account immediately: [ACCOUNT DETAILS]
Let me know once it’s done.
[CEO’s Name]
Red Flags:
- Urgent request for money
- Pressure for quick action
- Request for confidentiality
- Unusual request from a high-level executive
This type of scam, known as Business Email Compromise (BEC), has cost companies billions of dollars. It often involves compromising or spoofing an executive’s email account to request fraudulent transfers.
The Legitimate Email That Looks Fake
You receive an email from a small business you’ve dealt with before. The authentication checks don’t pass, and the email contains a few typos. Your first instinct might be to mark it as spam.
However, you notice that the sender’s address matches previous correspondence you’ve had with this business. The content of the email references specific details about your last interaction with them. In this case, despite the failed checks, the email might be legitimate – the small business may simply not have proper email authentication set up. This example illustrates why it’s important to consider multiple factors, including the context and your relationship with the sender, not just technical checks.
How to Protect Yourself From Fake Emails
Being aware of the signs of fake addresses is only half the battle. Taking proactive steps to protect yourself and your organization is equally important.
Staying Informed About Current Scams
Fake email tactics evolve constantly. Staying informed about current phishing scams can help you spot new types of fake emails. Many organizations publish regular updates about new email scams. For example, the FBI’s Internet Crime Complaint Center (IC3) publishes alerts about current cyber threats and scams. Similarly, the Federal Trade Commission (FTC) offers valuable insights into the latest fraudulent activities. And if you want to get really deep into it, there’s the Anti-Phishing Working Group (APWG), which focuses specifically on phishing scams.
Also, watch out for AI-generated scams and voice phishing (vishing). Artificial Intelligence is making it easier for scammers to create convincing, personalized phishing messages at scale. Meanwhile, some scammers are combining these email tactics with voice and phone calls, often using AI to clone voices, creating a more complex and potentially believable scam. This technique, known as vishing, adds an auditory element to traditional phishing attacks, making it even more challenging for potential victims to discern the truth.
Using Email Filtering Solutions
Advanced spam filters can help detect and block fake emails before they reach your primary inbox. These solutions use machine learning and artificial intelligence to analyze email content, sender information, and other metadata to identify potentially malicious emails.
Use Data Breach Notification Services
Use legitimate services like Have I Been Pwned or Avast Hack Check to see if your email address has been involved in a data breach.
Implement Email Authentication Protocols
Using email authentication protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) can help protect your domain from being spoofed.
Unfortunately, email authentication isn’t as widespread as you might hope. According to some estimates, over 80% of domains have no SPF record at all. And of those that do, many don’t enforce strict policies. DMARC, which is considered the most comprehensive email authentication method, is used by even fewer domains. Even when these protections are in place, they’re not always configured correctly.
For businesses looking to implement robust email authentication, PowerDMARC offers a comprehensive solution. Their platform simplifies the process of setting up and managing DMARC, SPF, and DKIM records.
Key Features:
- DMARC Record Generator: Easily create and manage DMARC records.
- SPF Record Management: Optimize your SPF records to prevent email spoofing.
- DKIM Setup Assistance: Implement DKIM signing for your domain with the DKIM generator tool.
- Forensic Reporting: Get detailed insights into email authentication failures.
- Threat Intelligence: Identify potential threats to your company’s domain.
By using a service like PowerDMARC, organizations can significantly reduce the risk of their domain being used in phishing attacks, protecting both their brand reputation and their customers.
Secure Your Inbox
Scammers are constantly evolving their techniques. But by carefully examining the sender address, reply-to field, and authentication results, you can catch most fake emails. Think of these methods as aids to amplify your natural skepticism, not replacements for it. They’re like the safety features in a car – they can help prevent accidents, but you still need to drive carefully. In the end, if an email seems at all suspicious, treat it as such. It’s better to occasionally ignore a real email than to fall for a phishing scam.
Remember, no one is immune to these phishing scams. Even tech-savvy individuals can be fooled by a clever enough fake.
Frequently Asked Questions
Can fake emails infect my device just by opening them?
Usually, just opening an email won’t infect your device. However, clicking on malicious links or downloading attachments can install malware, so always exercise caution.
What should I do if I’ve replied to a phishing email?
Stop any communication immediately. Change your passwords, monitor your accounts for suspicious activity, and consider running a security scan on your device.
Is it safe to unsubscribe from a suspicious email?
It’s safer not to. Clicking “unsubscribe” can confirm your address to scammers. Instead, mark the email as spam or block the sender.
Can I report fake emails to the authorities?
Yes! You can report phishing emails to organizations like the Anti-Phishing Working Group (APWG), the Federal Trade Commission (FTC), and the FBI’s Internet Crime Complaint Center (IC3).