How to Spot a Fake Email: A Simple 4-Point Checklist
Phishing emails are getting more convincing. Use this simple 4-point checklist to identify a fake email before you click or reply.
Email is the most common way for scammers to reach their victims. While some "phishing" emails are easy to spot (bad grammar, weird fonts), modern attacks can look identical to official messages from brands like Apple, Amazon, or Microsoft.
To protect yourself, you need a systematic way to judge every urgent or unexpected email. Use this 4-point checklist before you trust any message in your inbox.
1. The Sender's Real Address
Don't trust the "Display Name." Scammers can set their name to "Apple Support" or "Netflix Billing," but they find it much harder to fake the actual email address.
- Check: Tap or click on the sender's name to reveal the full email address.
- Red Flag: The address doesn't match the company domain (e.g., `support@apple-security-check.net` instead of `support@apple.com`) or it is a generic Gmail/Outlook address for a large corporation.
2. The Link Destination
Scammers use buttons and links to send you to fake login pages. The text on the button might say "Verify My Account," but where does it actually go?
- Check: On a computer, hover your mouse over the link (don't click!) to see the destination URL in the corner of your browser. On a mobile device, long-press the link to see the preview.
- Red Flag: The URL is a random string of characters, a shortened link (like bit.ly), or a lookalike domain that is slightly different from the real one.
3. The Tone and Urgency
Phishing relies on "social engineering"—the psychological manipulation of people into performing actions or divulging confidential information. The most common tool is Urgency.
- Check: Does the email demand that you act "within 24 hours," "immediately," or "before your account is deleted"?
- Red Flag: Any message that tries to make you panic or act without thinking is a major red flag. Legitimate companies will usually give you ample time and multiple ways to resolve an issue.
4. The Request for Sensitive Data
Think about the "Logic" of the request. Does it make sense for this company to ask for this information via email?
- Check: Is the email asking for your password, your credit card number, your Social Security Number, or your 2FA security codes?
- Red Flag: Official companies will never ask for your password or full credit card details via an unsolicited email. They will always direct you to log in securely through their official website.
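The four checks above can also be applied mechanically to a raw message. The following is an added example, not code from this article or from IsThisSpam; the brand table, shortener list, phrase patterns (taken from the article's own examples) and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed lookup tables and a constructed sample message (not a real email).
BRANDS = {"apple": "apple.com", "netflix": "netflix.com", "amazon": "amazon.com"}
SHORTENERS = {"bit.ly"}
URGENCY = re.compile(r"within 24 hours|immediately|before your account is deleted", re.I)
SENSITIVE = re.compile(r"password|credit card|social security|security code", re.I)
SAMPLE = ("From: Apple Support <support@apple-security-check.net>\n"
          "Content-Type: text/html\n\n"
          "<p>Confirm your password within 24 hours.</p>"
          '<a href="https://bit.ly/xxxx">Verify My Account</a>'
          '<a href="https://login.apple-security-check.net/">Help</a>')

def under(host, domain):  # host is the domain itself or one of its subdomains
    return host == domain or host.endswith("." + domain)

def link_hosts(html):
    """Return the real destination hostname of every <a href> in the body."""
    hosts = []
    class Collector(HTMLParser):
        def handle_starttag(self, tag, attrs):
            href = dict(attrs).get("href")
            if tag == "a" and href:
                hosts.append((urlparse(href).hostname or "").lower())
    Collector().feed(html)
    return hosts

def check_email(raw):
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    sender = addr.rpartition("@")[2].lower()
    part = msg.get_body(("html", "plain"))
    body = part.get_content() if part else ""
    expected = next((d for b, d in BRANDS.items() if b in name.lower()), None)
    flags = []
    if expected and not under(sender, expected):      # check 1: real address
        flags.append(f"sender: {name!r} uses {sender}")
    for host in link_hosts(body):                     # check 2: link destination
        if host in SHORTENERS:
            flags.append(f"link: shortener {host}")
        elif expected and not under(host, expected):
            flags.append(f"link: goes to {host}")
    if URGENCY.search(body):                          # check 3: urgency
        flags.append("urgency: pressure to act fast")
    if SENSITIVE.search(body):                        # check 4: sensitive data
        flags.append("data: asks for sensitive details")
    return flags
```

An empty list only means none of these simple rules fired; it does not prove the message is genuine.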
Summary: When in Doubt, Go Direct
If an email passes all 4 checks but you still feel "off" about it, do not interact with it. Instead:
1. Close the email.
2. Open your browser.
3. Manually type in the official website of the company.
4. Log in to your account there to see if there are any real alerts.
By following this 4-point checklist, you can stop 99% of phishing attacks before they even begin.
Stop Guessing. Know if it's a scam instantly.
Join thousands of users who trust IsThisSpam to automatically analyze suspicious emails, links, and messages before they do any harm.