How to Tell If an Email Is a Scam — 8 Red Flags (2026)

This is the single most reliable indicator of a scam email, and it takes five seconds to check. Look at the actual sending email address — not just the display name shown at the top. Scammers put legitimate-looking names in the display field ("PayPal Security Team") while the real sending address is something entirely different.

What to look for:

• •The domain after @ should match the company's real domain exactly
• •PayPal emails come from @paypal.com — not @paypal-security.com, @paypal.helpdesk.net, or @secure-paypal.com
• •Legitimate companies use their own domains — not Gmail, Outlook, or Yahoo
• •Some scam domains are very subtle: paypa1.com (lowercase L vs number 1), paypal.com.verify.net (paypal.com is a subdomain of the scammer's domain)

The display name is trivial to fake and means nothing. The actual sending domain is what matters.

Manufactured urgency is the engine of email scams. It overrides your critical thinking and pushes you to act before verifying. Any email that demands immediate action under threat of consequences should make you suspicious, not compliant.

Common urgency tactics:

• •"Your account will be permanently deleted in 24 hours"
• •"Unusual sign-in detected — verify immediately to prevent loss of access"
• •"You have an outstanding payment — failure to respond will result in legal action"
• •"Your parcel will be returned unless you pay the customs fee by 5pm today"
• •"FINAL NOTICE — Your tax refund has been declined. Respond within 48 hours"

Legitimate companies do have deadlines and send reminders. The difference is that legitimate urgency is about your convenience ("renew before your subscription expires") rather than manufactured threats ("your account will be deleted for not verifying"). Real banks do not send emails threatening to arrest you.

Never click a link in a suspicious email without first checking where it actually goes. Hover your mouse over the link without clicking — the real destination URL will appear in the bottom left of your browser or email client.

The URL displayed and the URL you're being taken to are completely different things. A link can say "Click here to verify your Amazon account" and actually take you to amazon-account-verify.ru.

Signs that a link is malicious:

• •The domain doesn't match the claimed sender (paypal.com link actually goes to paypa1-secure.net)
• •The URL uses a subdomain to mimic the real domain (amazon.com.login.verify.net — note that the actual domain is verify.net)
• •The URL contains random characters, numbers, or very long strings
• •The URL uses a URL shortener (bit.ly, tinyurl) to hide the real destination
• •The URL doesn't start with https://

Copy any suspicious URL and paste it into SafeSearchScan's URL Checker to analyse the destination before visiting it.

Legitimate companies already have the information they need about you. Your bank knows your full account number, your password, your date of birth, and your address — because you gave them this information when you opened your account. They never need to ask you to "confirm" or "re-enter" this information by clicking a link in an email.

Information that legitimate companies will never ask for via email:

• •Your full password (they will ask you to reset it, not tell them what it is)
• •Your full card number, CVV, or PIN
• •Your National Insurance or Social Security number
• •Your "verification code" that was just texted to you (this is a two-factor bypass attempt)
• •Your answers to security questions
• •Copies of your ID documents (initial account setup via secure portal is different — unsolicited requests are not)

If you're ever unsure whether a request is genuine, do not use the contact information in the email. Look up the company's official number and call them directly.

The most dangerous scam emails are the ones that feel relevant to your life — a delivery notification, a receipt for something, a bill that's overdue. Attackers know you're more likely to click if the email connects to something real.

This is why it's important to pause on any unexpected email that asks you to take action, even if it seems to concern a service you actually use. Ask yourself: was I expecting this?

Common unexpected email pretexts:

• •Delivery notifications for packages you don't remember ordering
• •Invoices or receipts for purchases you didn't make
• •Password reset emails you didn't request
• •Account suspension notices out of nowhere
• •"Someone is trying to access your account" alerts

If you receive an unexpected email about your account with a service you use, don't click the link in the email. Instead, open a new browser tab, navigate to the service's website directly by typing the address, and log in to see if there's actually an issue.

Every email carries technical routing information in its headers — a record of every server it passed through on its way to you. Legitimate companies set up email authentication records (SPF, DKIM, and DMARC) to prove their emails are genuine. Scammers frequently fail these checks.

What the three protocols check:

• •SPF (Sender Policy Framework): verifies that the email was sent from a server authorised to send on behalf of the claimed domain
• •DKIM (DomainKeys Identified Mail): uses a cryptographic signature to verify the email wasn't tampered with in transit
• •DMARC: defines what should happen to emails that fail SPF or DKIM checks

You don't need to understand the technical details — SafeSearchScan's Email Header Analyzer checks all three automatically. Paste in the raw email headers (available in every email client) and you'll see instantly whether the email passes or fails these authentication checks.

"Dear Customer", "Dear User", "Hello Account Holder", "Dear Valued Member" — your bank, your streaming service, and your email provider all know your name. Bulk scam emails are sent to millions of addresses simultaneously, which is why they use generic greetings.

Personalised scam emails (called spear phishing) do use your real name, sometimes gathered from previous data breaches or social media. So a generic greeting is a red flag, but a personalised greeting doesn't mean the email is safe.

How scammers get your name:

• •Data breaches (check if your email is in a breach at SafeSearchScan's Email Breach Checker)
• •Social media profiles (your name is often public)
• •Purchased lists from underground forums
• •The first part of your email address (john.smith@email.com → "Dear John Smith")

The absence of your name is a reliable red flag. The presence of your name is not a guarantee of legitimacy.

This sounds vague, but your instincts are a genuine and underrated security tool. After years of using email, most people have an intuitive sense of what legitimate email from their bank, delivery company, or streaming service looks and reads like. When something deviates from that pattern — even in ways that are hard to articulate — pay attention.

Things that might trigger a feeling something is wrong:

• •The logo looks slightly different from usual
• •The writing style is slightly off compared to normal communications from this company
• •The email layout is different from what you normally receive
• •The email is from a company you've never actually interacted with
• •The offer or claim seems too good or too alarming to be plausible
• •The email refers to an account you don't have

When you feel uncertain, don't click anything. Navigate to the company's website directly, log in, and check whether the communication is genuine. Two minutes of verification is worth far more than the consequences of being wrong.