7 Signs an Email Is Trying to Scam You (With Real Examples)

Most people think they’d spot a scam email immediately.

They’re wrong — and that’s not an insult. It’s just the reality of how far scam emails have evolved. Emails with obvious broken grammar, Nigerian princes, and laughably fake logos are still out there, but they now share space with something far more dangerous: highly polished, meticulously researched, psychologically sophisticated attacks that fool smart, careful people every single day.

The FBI’s Internet Crime Complaint Center reported that phishing — the umbrella term for scam emails designed to steal your information or infect your device — costs Americans hundreds of millions of dollars annually. And that figure only counts reported cases. The real number is substantially higher.

Here’s what makes this so important: email is still the number one delivery method for malware, ransomware, identity theft, and financial fraud. Before ransomware encrypts your files, before a Trojan installs itself on your computer, before your bank account gets drained — in the majority of cases, someone clicked something in an email they shouldn’t have.

This guide gives you the seven most reliable warning signs that an email is trying to scam you. Each one comes with real-world examples drawn from documented attack campaigns. Read through all seven. Some will confirm what you already suspect. Others might genuinely surprise you.


Why Scam Emails Are Harder to Spot Than Ever

Before getting into the signs, it’s worth understanding why this problem has gotten so much worse in recent years — because the context changes how seriously you take the warning signs.

Scammers now have access to tools and information that weren’t available a decade ago. Data breaches have exposed billions of email addresses, names, phone numbers, employer details, and even partial financial information. Attackers buy this data cheaply and use it to personalize attacks in ways that feel uncannily accurate.

They know your name. They know where you work. They know which bank you use. They might know you recently made a purchase, because retail breach data is widely traded. When a scam email addresses you by your full name, references your employer, and appears to come from your actual bank — the psychological barrier to clicking is dramatically lower than it would be for a generic “Dear Customer” message.

Add to this the rise of AI-assisted writing tools that eliminate the grammatical errors that used to be easy red flags, and the improved ability to clone legitimate brand emails pixel-for-pixel, and you have a threat environment that demands real vigilance — not just casual skepticism.

Knowing the signs isn’t about becoming paranoid. It’s about building a checklist that takes seconds to run through and saves you from decisions you can’t take back.


Sign #1: The Sender’s Email Address Doesn’t Match the Brand

This is the single most reliable technical indicator of a scam email, and it’s the first thing you should check before reading anything else.

Every legitimate company sends email from a domain it owns. Apple sends from apple.com. PayPal sends from paypal.com. Your bank sends from its actual domain. This isn’t complicated — it’s basic infrastructure.

Scammers can make the display name say anything they want. The name you see in your inbox — “Apple Support,” “PayPal Security Team,” “Chase Bank” — is just a label. It costs nothing to fake. What matters is the actual sending address hidden behind that label.

How to check: On desktop email clients, hover over or click on the sender’s display name to reveal the actual email address. On mobile, tap the sender’s name to expand the full address. On Gmail, click the small dropdown arrow next to the sender’s name.

Real-world examples of what scammers use:

  • apple-support@appleid-verify.com (not apple.com)
  • security@paypal-account-alert.net (not paypal.com)
  • noreply@amazon-customer-service.co (not amazon.com)
  • support@microsoft-helpdesk.org (not microsoft.com)

The deceptions range from obvious to subtle. Some use entirely different domains. Others use slight misspellings — arnazon.com, paypa1.com, rnicrosoft.com. Others put the brand’s name in a subdomain of a domain the attacker owns — paypal.com.account-verify.net looks plausible at a glance, but the actual domain is account-verify.net, which has nothing to do with PayPal.

A subtler variation is domain spoofing — where technically sophisticated attackers forge the sender header so the email appears to come from the legitimate domain itself. It only gets through when the receiving mail provider doesn’t enforce the sender domain’s email authentication records (SPF, DKIM and DMARC), so it is less common for consumer phishing campaigns, but it’s worth knowing it exists. When in doubt, log into your account directly by typing the website address yourself.

The rule: If the sending domain doesn’t exactly match the company’s official website, treat the email as suspicious regardless of how legitimate everything else looks.


Sign #2: The Email Creates Urgent Pressure to Act Immediately

Urgency is the psychological engine that powers most scam emails. It’s not accidental — it’s deliberate design.

When you feel urgently pressured, your brain shifts out of careful analytical thinking and into reactive mode. You stop asking “does this make sense?” and start asking “what do I need to do right now?” Scammers engineer exactly this response because a person acting from urgency skips the verification steps that would expose the scam.

Common urgency tactics:

  • “Your account has been compromised. Verify your information within 24 hours or your account will be permanently suspended.”
  • “Unauthorized access detected. Click here immediately to secure your account.”
  • “Your payment failed. Update your billing information now to avoid service interruption.”
  • “You have 48 hours to claim your refund before it expires.”
  • “Final notice: Legal action will be initiated within 72 hours.”
  • “We’ve detected suspicious activity. Your account has been temporarily limited.”

The countdown timer is a specific escalation of this tactic — some phishing pages actually display a ticking clock to amplify pressure. The ransomware note in our ransomware article uses the same technique for the same psychological reason.

What legitimate companies actually do:

Real companies do send time-sensitive emails — but they don’t demand that you click a link in the email to resolve security issues. A legitimate bank fraud alert will tell you to call the number on the back of your card or log in directly to your account. A legitimate service suspension notice will give you days or weeks to respond, not hours. Real security alerts don’t threaten permanent consequences within 24–48 hours for failing to click.

The rule: The more urgent and threatening the email feels, the more skepticism it deserves. Genuine urgency can wait the thirty seconds it takes to verify through an official channel.


Sign #3: Links Don’t Go Where They Claim to Go

A link in an email can display any text while pointing to a completely different destination. “Click here to verify your account” might visually present as www.paypal.com while actually pointing to paypal-verification.ru. This gap between displayed text and actual destination is one of the most exploited mechanics in phishing.

How to check on desktop: Hover your mouse over any link without clicking it. In the bottom left corner of your browser or email client, you’ll see the actual URL the link points to. This takes two seconds and reveals the deception immediately.

How to check on mobile: Press and hold the link (don’t tap) to see a preview of the full URL before opening it.

What to look for when examining a URL:

  • Does the domain match the company’s official website exactly?
  • Is there a long string of random characters after a legitimate-looking domain?
  • Does the URL use HTTP instead of HTTPS? (HTTPS isn’t a guarantee of legitimacy, but HTTP for a login page is an immediate red flag)
  • Is there a legitimate domain buried in the middle of a longer string? (amazon.com.order-tracking.suspicious-site.ru — the real domain here is suspicious-site.ru)
  • Does the link use a URL shortener like bit.ly or tinyurl to hide the destination?

A documented real-world campaign: Security researchers have documented widespread phishing campaigns mimicking shipping notifications from major carriers. The emails display “Track Your Package” as the link text, pointing to URLs like fedex-tracking-892764.com — a domain registered days before the campaign launched, with no connection to FedEx. Thousands of people clicked before the campaign was flagged.

The rule: Never click a link in an email when you can instead type the website address directly into your browser or use a bookmark you’ve already saved. For any account-related action, going directly to the official site is always safer than clicking through email.


Sign #4: The Email Asks for Information a Legitimate Company Already Has

This one cuts through a lot of sophisticated scam emails with a single logical question: Why is this company asking me for information it already has?

Your bank already knows your account number. It already has your Social Security Number on file. PayPal already knows your full name, address, and the card on file. Amazon already has your delivery address. A legitimate company contacting you for security reasons will never ask you to re-submit information it already holds.

What scam emails ask for:

  • Full name, address, and date of birth “to verify your identity”
  • Social Security Number “for account verification purposes”
  • Full credit card number, expiration date, and CVV
  • Bank account and routing numbers
  • Passwords and PINs — a legitimate company will never, under any circumstances, ask for your password by email
  • “Mother’s maiden name” and other security question answers

Some phishing campaigns are more subtle. Rather than asking for information directly in the email, they direct you to a convincing fake login page where harvesting your credentials is the actual goal. The page looks identical to the real site — same logo, same layout, same color scheme — but the URL is wrong, and every credential you type goes straight to the attacker.

A real example of this tactic: A widely-documented IRS phishing campaign sent emails claiming that the recipient was eligible for a tax refund. The email directed users to a convincingly designed fake IRS webpage requesting their Social Security Number, bank account details, and driver’s license number to “process the refund.” The IRS, of course, does not initiate contact by email and never requests sensitive information this way.

The rule: No legitimate financial institution, government agency, or major service provider will ask for sensitive personal information, passwords, or full financial details via email. Ever. If you receive such a request, contact the organization directly through a phone number from their official website — not any number provided in the suspicious email.


Sign #5: The Attachment Wasn’t Expected and Doesn’t Make Obvious Sense

Email attachments are one of the primary delivery mechanisms for malware — including ransomware, Trojans, and keyloggers. And the most dangerous attachments often come disguised as entirely mundane files: invoices, receipts, shipping notifications, HR documents, contract updates.

The reason document-based malware is so effective is psychological: people are conditioned to open documents that relate to things they’re expecting. An invoice from a vendor, a contract attached for signature, a notification about a package — these feel routine. When an attacker crafts an attachment to match that expectation, the instinct is to open first and think second.

High-risk attachment types:

  • .doc and .docx files that prompt you to “Enable Macros” or “Enable Editing” — this prompt is the attack. The document itself may appear blank or corrupted once you enable macros, because the content was never the point.
  • .pdf files from unknown senders containing links or embedded scripts
  • .zip and .rar archives containing executable files
  • .exe files — though these are increasingly filtered by email providers
  • .xls and .xlsx spreadsheets with macro-enabled content
  • .html attachments that open a fake login page locally in your browser

A documented campaign worth knowing: Security firm Proofpoint has documented extensive phishing campaigns using Word documents disguised as shipping invoices. The email claims a package couldn’t be delivered and attaches an “invoice” for review. Opening the document displays a blurry image and a prompt to “Enable Content to View.” Enabling content executes a macro that downloads and installs a banking Trojan. The documents are carefully designed to look partially legitimate — just corrupted enough that enabling macros seems like a reasonable troubleshooting step.

The rule: Apply a single test to every unexpected attachment: Was I expecting this specific file from this specific person? If the answer is anything other than a clear yes, verify with the sender through a separate channel — a phone call, a separate email typed fresh, a text message — before opening anything. Never enable macros in a document you weren’t explicitly expecting to receive.


Sign #6: The Greeting Is Generic or Oddly Specific in a Suspicious Way

How an email addresses you tells you a lot about where it actually came from.

The generic greeting problem:

Legitimate companies that have an account relationship with you know your name and use it. When a company that supposedly manages your account greets you as “Dear Customer,” “Dear User,” “Dear Account Holder,” or “To Whom It May Concern,” it’s a sign that the email was mass-sent to addresses scraped from a breach or spam list — with no actual account data attached.

This is a traditional red flag that still applies. A real PayPal email will say “Dear [Your Name].” A real Amazon email will reference your actual account. Generic greetings indicate the sender doesn’t actually know who you are — which is inconsistent with the premise that they manage your account.

The oddly specific problem — more dangerous:

Here’s where things get more sophisticated, and where many people’s existing instincts fail them.

As data breaches have exposed increasingly detailed personal information, scammers have begun using specifics to build false trust. An email that addresses you by full name, references your employer, mentions a recent purchase, or includes your partial address feels legitimate because it contains accurate details. That accuracy is precisely what makes it dangerous.

This technique — called spear phishing when targeted at specific individuals — is responsible for some of the most financially damaging attacks on record. A business owner receives an email addressed to them by name, referencing their company and a vendor they actually work with, asking them to approve an invoice attachment. The invoice is a Trojan. The accuracy of the details didn’t mean the email was safe — it meant the attacker had done their homework.

The real-world example: A well-documented spear phishing campaign targeted small business owners by combining LinkedIn data (name, company, role) with breach data (email address, sometimes phone number). Recipients received emails that appeared to come from their bank, addressed them by name, referenced their business by name, and informed them of a “hold” on their business account. The emails directed them to a flawlessly designed fake banking portal. The specificity of the targeting made open rates — and credential theft rates — dramatically higher than generic phishing campaigns.

The rule: Generic greetings are a traditional red flag. But specific, accurate details in an unsolicited email aren’t proof of legitimacy — they may be proof of research. Verify through official channels regardless of how well the email appears to know you.


Sign #7: Something Just Feels Off — And That Instinct Deserves Respect

This one is harder to quantify than the others, but it belongs on this list because security researchers and fraud investigators consistently identify it as real and reliable.

Humans have finely tuned social instincts. We detect subtle inconsistencies — slightly off phrasing, a tone that doesn’t quite match the brand, a request that makes logical sense but feels contextually strange — faster than we can consciously articulate why. When something triggers that instinct, there’s usually something there.

Subtle signs that trigger legitimate unease:

  • The email’s tone doesn’t match previous communications from the same company — slightly more formal, slightly more casual, slightly more urgent
  • The phrasing is technically grammatically correct but reads as if translated — natural in structure but unnatural in flow
  • The email references something you do have an account for, but the specific request is something that company has never contacted you about before
  • The logo and branding look right, but something in the layout feels slightly misaligned — spacing, font weight, or color that’s just slightly off from what you’re used to
  • The email mentions a transaction or account activity you don’t recognize — which could be fraud worth investigating, or could be a hook to get you to click a “dispute this charge” link
  • The reply-to address differs from the sending address — a sophisticated technique where the email appears to come from a legitimate domain but replies go to the attacker

A documented use of subtle mismatch: Security researchers have analyzed phishing emails that passed every basic visual test — correct logos, proper formatting, legitimate-looking sending domain via spoofing — but used slightly unusual phrasing in their call-to-action buttons. Where the real company’s emails said “Review Your Account,” the phishing email said “Verify Your Account Now.” Small difference. But longtime customers who were used to the brand’s specific language noticed something was slightly wrong, even if they couldn’t immediately say why.

The rule: Your instincts about communication are calibrated by years of experience. If something feels off about an email, don’t override that feeling with logic about how convincing the rest of it looks. The correct response to “this feels slightly wrong” is always verification — not clicking.


A Quick Reference: The 60-Second Email Scam Check

Before you click anything in a suspicious email, run through this checklist. It takes under a minute and covers the vast majority of scam techniques:

1. Check the sending address. Does the actual email domain — not the display name — exactly match the company’s official website?

2. Check the urgency level. Is the email pressuring you to act within hours? Is it threatening consequences for inaction? Legitimate companies don’t operate this way.

3. Hover over links before clicking. Does the URL the link actually points to match the company’s official domain? Any mismatch is disqualifying.

4. Ask what they’re requesting. Are they asking for information the company should already have? Are they asking for a password, SSN, or full financial details?

5. Check the attachment. Were you expecting this file? Does the request to open it make clear, specific sense?

6. Check the greeting. Is it generic when it should be personal? Or is it suspiciously specific about details you haven’t shared with the company?

7. Trust your instincts. Does something feel off, even if you can’t immediately articulate why?

If any of these checks raises a flag, don’t click, don’t open, and don’t reply. Contact the company directly through their official website or a phone number you look up independently.
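The mechanical parts of this checklist can be automated. The script below is an added example, not code from the article: it applies the sender-domain check (sign 1), the link text versus destination, plain HTTP and URL shortener checks (sign 3), the high-risk attachment types (sign 5) and the reply-to mismatch (sign 7) to one raw .eml message. The brand table, the sample message and the registrable-domain rule (last two labels only) are assumptions; a real deployment would use the Public Suffix List so that domains like example.co.uk are handled correctly.

```python
"""Added example (not the article's code): apply the article's mechanical checks
(signs 1, 3, 5 and the Reply-To mismatch from sign 7) to one raw .eml message.
registrable_domain() is simplified to two labels; real code uses the Public Suffix List."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the recipient actually has accounts with and their real sending domains
# (constructed table).
BRAND_DOMAINS = {"paypal": "paypal.com", "amazon": "amazon.com",
                 "apple": "apple.com", "microsoft": "microsoft.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RISKY_EXT = (".exe", ".zip", ".rar", ".docm", ".xlsm", ".html", ".htm", ".js")
HOMOGLYPHS = (("rn", "m"), ("1", "l"), ("0", "o"))   # typosquats the article shows
LINK_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host: str) -> str:
    # paypal.com.account-verify.net -> account-verify.net (last two labels only)
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_for(text: str):
    # Which brand does a display name, link text or host claim to be? Undo the
    # lookalike substitutions first so arnazon / rnicrosoft still match.
    t = text.lower()
    for fake, real in HOMOGLYPHS:
        t = t.replace(fake, real)
    return next((b for b in BRAND_DOMAINS if b in t), None)

def triage(raw: bytes) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable_domain(addr.rpartition("@")[2])
    brand = brand_for(name) or brand_for(from_dom)                    # sign 1
    if brand and from_dom != BRAND_DOMAINS[brand]:
        findings.append(f"sender: '{name}' <{addr}> is not {BRAND_DOMAINS[brand]}")
    reply = parseaddr(msg.get("Reply-To", ""))[1]                     # sign 7
    if reply and registrable_domain(reply.rpartition("@")[2]) != from_dom:
        findings.append(f"reply-to: {reply} differs from sender domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))                     # sign 3
    html = body.get_content() if body is not None else ""
    for href, text in LINK_RE.findall(html):
        url, host = urlparse(href), urlparse(href).hostname or ""
        dom, claimed = registrable_domain(host), brand_for(text) or brand_for(host)
        if url.scheme == "http":
            findings.append(f"link: plain http to {dom}")
        if dom in SHORTENERS:
            findings.append(f"link: shortener {dom} hides the destination")
        if claimed and dom != BRAND_DOMAINS[claimed]:
            findings.append(f"link: text '{text}' but destination is {dom}")
    for part in msg.iter_attachments():                                # sign 5
        fn = (part.get_filename() or "").lower()
        if fn.endswith(RISKY_EXT):
            findings.append(f"attachment: {fn} is a high-risk file type")
    return findings

# Constructed sample: a fake "PayPal" alert combining the article's tricks.
SAMPLE = b"""From: "PayPal Security Team" <security@paypal-account-alert.net>
Reply-To: claims@mailbox-collector.example
Subject: Unauthorized access detected
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://paypal.com.account-verify.net/login">www.paypal.com</a> now.</p>
--B1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

(binary omitted)
--B1--
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Run against the sample it reports five flags: the sender domain, the reply-to mismatch, the plain-HTTP link, the link whose text says paypal.com but lands on account-verify.net, and the .zip attachment.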


What to Do When You Spot a Scam Email

Recognizing a scam is only half the job. Here’s what to do with it.

Don’t click anything in the email — not even an “unsubscribe” link, which can confirm to the sender that your address is active and monitored.

Don’t reply. Replying confirms your address is real and may open you to further targeting.

Report it. In Gmail, use the “Report phishing” option. In Outlook, use “Report” → “Report phishing.” You can also forward phishing emails to reportphishing@apacs.org.uk (UK) or phishing-report@us-cert.gov (US). The FTC accepts reports at reportfraud.ftc.gov.

If you clicked before reading this: Don’t panic — but act quickly. Change the password for any account the email related to, do it from a different device if possible, and enable two-factor authentication. Run a full antivirus scan immediately. If you entered financial information, contact your bank or card issuer directly. Check out our full guide on what to do after clicking a phishing link for a complete step-by-step response.

Check if your email has been in a breach. Phishing campaigns are frequently targeted using breach data. If scammers have your email and password from a previous breach, they can make attacks even more convincing. Our guide to checking your breach exposure shows you how to find out what data of yours is already out there.


The Role of Antivirus in Email Protection

Personal vigilance is your first line of defense against scam emails — but it has limits. Nobody is perfectly alert every single time, for every single email, on every single day.

This is where antivirus software with email scanning and web protection fills the gap. Good security software intercepts malicious attachments before they open, flags phishing links before you click them, and blocks known malicious domains even if you do follow a link.

Most premium antivirus suites include dedicated phishing protection that operates at the browser level — comparing URLs against constantly updated databases of known phishing pages and warning you before you enter any information. This catches the campaigns that have already been identified, while behavioral analysis catches the newer ones.

Free antivirus tools and Windows Defender provide limited email-specific protection compared to premium solutions. If you’re relying solely on your own judgment to catch every scam email, adding a layer of technical protection significantly reduces the risk that one moment of inattention costs you. We’ve compared how leading antivirus solutions handle phishing and email threats — the results are worth reviewing before you decide what protection is right for you.


The Honest Bottom Line

Scam emails work because they’re designed by people who understand human psychology and invest real effort into making deception feel like normalcy. The sophistication of modern phishing means that no single red flag is always present — scammers have specifically engineered their attacks to eliminate the most obvious warning signs.

But they can’t eliminate all seven at once. Checking the sender address, evaluating the urgency, verifying links before clicking, questioning unusual requests, treating unexpected attachments with suspicion, reading greetings carefully, and trusting your instincts — run through all seven, and the vast majority of scam emails reveal themselves before they do any damage.

The goal isn’t to make you afraid of your inbox. It’s to make the thirty-second verification habit feel as automatic as buckling a seatbelt. You don’t think about it. You just do it. And you’re dramatically safer for it.


Frequently Asked Questions

How can you tell if an email is a phishing scam? The most reliable indicators are a sending address that doesn’t match the company’s official domain, artificial urgency demanding immediate action, links that point to different domains than they display, requests for information the company already has, unexpected attachments, and generic or suspiciously specific greetings. Running through a quick mental checklist before clicking anything in an unsolicited email catches the majority of phishing attempts.

Can scam emails look exactly like real ones? Yes, and increasingly so. Modern phishing emails can replicate the exact branding, formatting, and tone of legitimate company emails down to fine details. Logo placement, font choices, footer text, and color schemes can all be copied precisely. This is why visual appearance alone is not a reliable indicator of legitimacy — checking the actual sending address and link destinations provides more reliable technical verification.

What happens if you open a scam email but don’t click anything? Simply opening most scam emails carries minimal risk on modern, updated email clients. The danger lies in clicking links, opening attachments, or providing information. Some older or unpatched email clients can execute scripts on email open, but this is rare with current software. The important thing is not to click, not to open attachments, and not to reply — then report and delete the email.

Should you click unsubscribe on suspicious emails? No. Clicking unsubscribe on a suspicious email can confirm to the sender that your address is active and monitored, potentially increasing the volume of scam emails you receive. For emails from legitimate companies you’ve genuinely subscribed to, using the unsubscribe link is fine. For suspicious or unsolicited emails, mark as spam and delete without interacting.

What should I do if I accidentally clicked a link in a scam email? Act quickly but calmly. If you entered any credentials, change those passwords immediately from a clean device. Enable two-factor authentication on affected accounts. If you entered financial information, contact your bank directly. Run a full antivirus scan on the device you used. Monitor your accounts closely for unusual activity over the following days and weeks. See our complete guide on responding to phishing clicks for a full step-by-step walkthrough.

Are scam emails illegal? Yes, in virtually every jurisdiction. Phishing constitutes fraud and unauthorized computer access under laws including the Computer Fraud and Abuse Act in the US, with equivalent legislation across most countries. Reporting phishing to the FTC, FBI’s IC3, and your email provider contributes to enforcement efforts and helps protect other potential victims.

Can antivirus software protect against phishing emails? Antivirus software with email scanning and web protection significantly reduces phishing risk by flagging malicious attachments before they open and blocking known phishing URLs before you enter any information. It’s not a replacement for personal vigilance — novel phishing pages not yet in databases can slip through — but it provides a meaningful safety net that catches a large proportion of known campaigns, especially during moments of inattention.
