How to Tell If an Email Is a Phishing Scam (Practical Checklist)
Learn how to spot phishing emails: red flags in sender, links, urgency, and attachments—plus how to verify safely and use PhishCheck for a second opinion.
Phishing emails are designed to feel ordinary: a shipping update, a payroll notice, a security alert. The goal is the same—get you to click, log in, call a number, or open an attachment before you have time to think. The good news is that most phishing emails still leave a trail of inconsistencies once you know what to look for.
Start with the story, not the logo
Attackers borrow brand names and copy legitimate layouts. Treat branding as untrusted by default. Ask: does this message need something sensitive from you right now—passwords, MFA codes, bank details—or does it push you toward a link that is not strictly necessary? Legitimate services rarely need you to "verify everything" through a surprise email.
Inspect the sender carefully
Look at the full address, not just the display name. Typos, extra words, or domains that are "close enough" to a real company are common. Also watch for look‑alike domains (for example, extra hyphens, country codes you do not expect, or free email providers pretending to be enterprise support).
Headers can reveal spoofing clues
If you have raw email headers (for example Authentication-Results), they can show whether SPF and DKIM passed and whether the domains they vouch for align with the visible From address, which is the check DMARC expresses as a pass or fail. PhishCheck accepts optional headers so the model can weigh authentication context alongside the message body.
Links: hover, copy, and compare
Before clicking, compare the visible text to the real destination. Short links, redirects, and misspelled hostnames are frequent in phishing. When in doubt, open the service by typing the known domain yourself—or use your password manager's saved entry, which only fills on the real site.
For a structured walkthrough, see our guide on how to check if a link is safe.
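Two of the checks described above, reading the Authentication-Results header for SPF/DKIM alignment with the From domain and comparing a link's visible text with where its href really goes, as an added Python triage script. This is an illustrative example, not PhishCheck's code; the message it runs on is constructed, with placeholder domains.

```python
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (no real sender): SPF passes for a look-alike domain, DKIM is
# signed by an unrelated bulk mailer, and the link text shows a host its href avoids.
SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank-secure.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank-secure.com; dkim=pass header.d=bulkmailer.example.net; dmarc=fail header.from=examplebank-secure.com
Content-Type: text/html

<p>Verify now: <a href="https://login.examplebank-secure.com/x">https://www.examplebank.com/login</a></p>
"""
URLISH = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)
def auth_alignment(msg):
    """spf/dkim/dmarc verdicts plus whether the SPF (smtp.mailfrom) and DKIM
    (header.d) domains align with the From domain the recipient actually sees."""
    from_dom = msg["From"].addresses[0].domain.lower()
    ar = msg.get("Authentication-Results", "") + " "
    spf = re.search(r"smtp\.mailfrom=(\S+?)[;\s]", ar)
    dkim = re.search(r"header\.d=(\S+?)[;\s]", ar)
    return {"from_domain": from_dom,
            "results": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar)),
            "spf_aligned": bool(spf) and spf.group(1).lower() == from_dom,
            "dkim_aligned": bool(dkim) and dkim.group(1).lower() == from_dom}
class _Links(HTMLParser):  # collects (visible text, href) pairs from an HTML body
    def __init__(self):
        super().__init__(); self.href, self.text, self.pairs = None, "", []
    def handle_starttag(self, tag, attrs):
        if tag == "a": self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None: self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.pairs.append((self.text.strip(), self.href)); self.href = None
def mismatched_links(html):
    """(visible text, real host) for links whose visible text looks like a URL
    but names a different host than the href really points to."""
    p = _Links(); p.feed(html); out = []
    for text, href in p.pairs:
        if not URLISH.fullmatch(text): continue  # plain words, not a shown URL
        shown = urlparse(text if "://" in text else "//" + text).hostname
        if shown and urlparse(href).hostname not in (None, shown):
            out.append((text, urlparse(href).hostname))
    return out
def triage(raw):  # run both checks on a raw RFC 5322 message string
    msg = email.message_from_string(raw, policy=policy.default)
    return {"auth": auth_alignment(msg), "links": mismatched_links(msg.get_content())}
```

For the sample, SPF aligns with the look-alike From domain (so a passing SPF alone proves nothing about the brand), DKIM does not, and the one link is flagged because its text shows a host the href never visits.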
Urgency, fear, and "helpful" pressure
Phishing thrives on time pressure: "within 24 hours," "your account will be closed," "unusual login from another country." Slow down. Open the official app or site from a bookmark, review notifications there, or call the number printed on your card—not the one in the email.
Attachments and unexpected downloads
Unexpected invoices, "secure message" HTML files, and macro documents are common malware delivery paths. If you did not expect the file, do not open it. Ask the sender through a separate channel you already trust.
When you are unsure, get a second opinion
Paste the email (and optional headers) into PhishCheck for an AI-assisted triage readout. It is not a guarantee, but it can surface risky patterns and give you plain-language questions to ask before you act.
Build a simple verification habit
Most successful phishing relies on speed. A repeatable habit beats memorizing every attack type: pause, compare the request to how the service normally behaves, open the app from a trusted install, and only then decide whether the email deserves follow-up. If the message references an action you can check independently—payroll, a purchase, a login alert—verify that fact through the official interface rather than through the email channel.
Over time, you calibrate your instincts without becoming paranoid. PhishCheck is there for the edge cases where expertise would help but you do not have hours to spare: one paste, a clear risk framing, and concrete next checks.
Related
Next: run the message through PhishCheck's phishing checker or jump straight to the analysis tool.