← All guides
June 2, 2026 · 6 min read

What Does a Scam Email Look Like? Red Flags to Watch For

Learn what a phishing email actually looks like — the red flags, the common phrases scammers use, and how to tell a fake email address from a real one, with clear examples.

A scam email is built to look as ordinary as possible — a shipping update, a bank alert, a password reset. The giveaways aren't always obvious, but once you know the pattern, you start spotting them in seconds.

This guide breaks down what a phishing email actually looks like: the red flags, the phrases scammers reuse, and how to read a sender address so a fake can't slip past you.

Quick version: A scam email pressures you to act fast, asks for something sensitive, and points to a link that isn't the real company's domain. Any one of those is enough to stop.

The red flags, in order of reliability

Not all signals are equal. These are roughly ordered from most to least dependable.

  • The sender domain is wrong. The most reliable tell. More on reading addresses below.
  • A link points off-domain. Hover any button; if it doesn't go to the real site, it's a trap.
  • Urgency or threats. "Act now," "final notice," "account will be closed in 24 hours."
  • A request for sensitive info. Passwords, full card numbers, SSNs, or one-time codes.
  • Generic greeting. "Dear Customer" from a company that knows your name.
  • Unexpected attachments. A PDF or HTML file you didn't ask for.
  • Spelling and grammar slips. Still a clue — but no longer reliable on its own, since many scams are now clean.

How to tell a fake email address from a real one

The display name is decoration. What matters is the address after the @. Scammers fake real-looking names while using a domain they actually control.

Common tricks to watch for:

  • Lookalike characters: paypa1.com (a "1" for the "l"), arnazon.com ("rn" for "m").
  • Added words: apple-support.net, chase-secure-alerts.com.
  • Wrong endings: microsoft-account.info instead of microsoft.com.
  • Subdomain games: paypal.com.login-verify.net — the real domain is the part right before the final .com/.net, here login-verify.net, not PayPal.

When in doubt, read the domain right-to-left: the true owner is the last name before the top-level ending.

The phrases scammers reuse

Phishing emails recycle the same emotional triggers. Treat these as prompts to slow down, not act:

  • "Your account has been limited / suspended / locked."
  • "Unusual activity / suspicious login detected."
  • "Confirm your information within 24 hours."
  • "Your payment failed — update your billing now."
  • "You have an unpaid [toll / invoice / fee]."
  • "Action required to avoid account closure."

None of these are proof on their own — real companies use some of this language too. The tell is the combination: urgent phrasing plus a link to a domain that isn't theirs.

What is email spoofing, in plain terms

Spoofing is when a scammer forges the "from" name or address so the email appears to come from someone you trust. Think of it like writing a fake return address on an envelope — the name on the outside doesn't prove who actually sent it.

That's exactly why you verify by going to the real site yourself instead of trusting what the email claims. The "from" line can lie; your bank's actual app can't.

How to read an email header for clues

You don't need to be technical. Most email apps let you tap the sender's name (or "View details" / "Show original") to reveal more than the display name:

  • The real "From" address — the part after the @, which the display name hides.
  • "Reply-To" — if replies are set to go to a different, unrelated address, be suspicious.
  • "Mailed-by" / "Signed-by" — legitimate mail from a big company is usually authenticated by its own domain; a mismatch here is a flag.

You won't always get a clean answer from the header, and that's fine. If anything looks inconsistent, fall back to the rule that never fails: don't click — verify on the official site yourself.

Newer tricks: QR codes and attachments

Scammers adapt as filters catch their old tactics. Two worth knowing:

  • QR codes in emails ("quishing"). A code in the message body sends you to a phishing site once you scan it with your phone — neatly side-stepping link-hover checks. Treat an unexpected QR code like an unexpected link: don't scan it.
  • Attachment bait. A surprise invoice, "delivery document," or HTML file is designed to be opened in a hurry. Real companies rarely send documents you didn't request. Don't open it.

A clean-looking email can still be a scam

The biggest modern mistake is assuming a polished, well-branded email must be real. Scammers copy logos, fonts, and layouts perfectly, and increasingly write flawless copy. Professional appearance is not evidence of legitimacy.

So when an email looks perfect but something feels off, don't argue yourself out of the doubt. Forward it to FraudRoom at check@fraudroom.com and get a plain-English read on whether it's safe — before you click anything.

FAQ

What is the most reliable sign of a phishing email?

A sender domain or link domain that isn't the company's real one. Appearance, branding, and even grammar can all be faked, but the underlying domain is much harder to disguise convincingly.

Can a scam email look exactly like a real one?

Yes. Scammers copy branding and layout precisely, and some clone real emails you've received. That's why you should verify through the official app or website rather than trusting how the email looks.

What's the difference between phishing and spoofing?

Spoofing is the technique of forging the sender so an email appears to come from a trusted source. Phishing is the goal — tricking you into giving up information or clicking a malicious link. Most phishing emails use spoofing.

How do I check an email sender's real address on my phone?

Tap the sender's name at the top of the message to expand it, or use "View details" / "Show original" depending on your app. Read the address after the @ and compare it to the company's real domain.

Because the visible text and the actual link are separate. Scammers label a link "paypal.com" while pointing it at their own site. Always hover or long-press to see the true destination before tapping.

Key takeaways

  • The sender and link domains are the most reliable red flags; appearance is the least.
  • Read domains right-to-left to find the real owner.
  • Scammers reuse a small set of urgent phrases — treat them as a cue to slow down.
  • Polished branding is not proof; verify on the official site, or get the email checked.

Not sure about a message?

Forward it to check@fraudroom.com and get a plain-English scam check in minutes.

Try it free — 5 checks, no card