Is This Email a Scam? How to Check If It's Real or Phishing

Short answer: you can usually tell a real email from a phishing scam in under a minute — but not by whether it "looks official." Looks are the easiest thing for a scammer to copy. You judge an email by three things they can't fake cleanly: who actually sent it, where the links go, and whether anyone is rushing you.

This is the general method that works for any sender — your bank, a retailer, a delivery service, a coworker. For a specific brand, jump to the related guides at the end.

Quick check: Read the full sender address (not the display name), hover the links before tapping, and ignore any countdown. Real companies never ask for your password, full card number, or a one-time code by email.

The 60-second check

Run any suspicious email through these in order. One clear failure is enough to stop.

1. The sender's real address. Tap or hover the sender name to reveal the address after the @. A display name of "PayPal" means nothing if the address is paypa1-secure.com.
2. Where the links actually go. Hover (or long-press on mobile) any button or link and read the destination. If it isn't the company's real domain, don't click.
3. The pressure. "Within 24 hours," "account will be suspended," "final notice." Manufactured urgency is the single most reliable scam tell.
4. The ask. Any request for your password, full card number, SSN, or a code you didn't request is a scam, full stop.
5. The greeting and details. "Dear Customer" instead of your name, or details that don't match your real account, are warning signs.

"Is this email asking for my password real?"

No. This one is worth its own line because it's so common. Legitimate companies do not email you to "confirm" or "verify" your password. If an email asks you to enter your password on a page it links to, assume it's phishing and go to the site directly instead.

A scam email, taken apart

Here's a typical phishing email. Almost every check above fails at once:

From: Account Security <no-reply@secure-account-update.com>
Subject: Your account has been temporarily limited

Dear Customer,

We detected unusual sign-in activity. For your protection, your
account access has been limited. Confirm your identity within 24
hours to avoid permanent suspension.

      [ Verify My Account ]

Security Team

What gives it away:

• The sender — secure-account-update.com belongs to no real company; it's a generic domain built to sound official.
• "Dear Customer" — a company with your account would use your name.
• "within 24 hours" — a manufactured deadline to rush you.
• "Confirm your identity" — code for "hand over your login on our fake page."
• The button — official-looking text hiding a link that doesn't go anywhere legitimate.

Notice none of these depend on a typo. A clean, well-designed version of this exact email is just as fake.

Real email vs. phishing at a glance

| Signal | Real email | Likely phishing | | --- | --- | --- | | Sender domain | The company's real domain | Look-alike or generic domain | | Greeting | Your name | "Dear Customer/User" | | Links | Go to the real domain | Go elsewhere | | Asks for | Nothing sensitive by email | Password, card, or code | | Tone | Informational | Urgent, threatening | | Attachments | Expected, if any | Surprise PDF or HTML file |

The fastest way to verify any email

You almost never need to analyze the email at all. Instead:

1. Don't use the links in the email.
2. Open the company's official app, or type their address into your browser yourself.
3. Log in and check. A real issue will be waiting for you there; a fake one won't exist.

This single habit defeats nearly every phishing email, because the scam only works if you act inside their message instead of going to the real source.

Why "it looks legit" isn't proof anymore

The old advice — watch for typos and ugly formatting — is half-broken. Scammers use the same writing and design tools everyone else does, so plenty of phishing emails are clean, well-branded, and convincing. Some even copy a real email you've gotten before, almost pixel for pixel.

That's why the reliable signals are structural (sender, links, pressure), not cosmetic. Judge the plumbing, not the paint.

When you still can't tell, get it checked

Some emails are genuinely close calls — a convincing bank alert, an invoice that almost lines up with something you bought. Instead of guessing, you can hand it off. Forward it to FraudRoom at check@fraudroom.com and get back a plain-English risk level and the safest next step, usually within minutes. It's the fastest way to "is this real?" when the stakes are your money or your account.

FAQ

How can I tell if an email is from a real company?

Check the sender's full address against the company's real domain, hover links to confirm they point to that domain, and verify by logging in to the official site directly rather than clicking the email.

Is there a way to check if an email is a scam without clicking anything?

Yes — that's the safest approach. Read the sender address, hover links to preview where they go, and confirm any "issue" by opening the company's app or website yourself. You never need to click the email to verify it.

Is this email actually from my bank?

Banks don't ask you to confirm passwords, card numbers, or codes by email, and they don't send pressure deadlines. Don't use the email's links — call the number on the back of your card or open your banking app to check.

Is it dangerous to just open a scam email?

Opening an email to read it is almost always safe. The danger is what you do next — clicking links, downloading attachments, or entering information. Read it, judge it by the checks above, and delete it if it fails.

What should I do if I already clicked?

Don't enter anything else. Change any password you may have typed, turn on two-factor authentication, and if you shared card details, call your bank. See the full recovery guide linked below.

Key takeaways

• Judge an email by sender, links, and pressure — not by how polished it looks.
• No legitimate company asks for your password or a one-time code by email.
• Verify by opening the company's app or site yourself, never the email's links.
• When it's a close call, get a second opinion before you click.

Related reading

• What does a scam email look like? The red flags
• How to spot a PayPal phishing email (7 red flags)
• What to do if you clicked a phishing link