Check Email for Scam: Free AI Phishing Detector

ScamSecurityCheck Team
February 12, 2026

How to Check if an Email Is Phishing: A Step-by-Step Guide

Phishing emails cost businesses and individuals over $4.7 billion in 2025. These fraudulent messages impersonate trusted brands, banks, and government agencies to trick you into handing over passwords, credit card numbers, and personal data. The good news? You can learn to spot them with a systematic approach.

This guide walks you through exactly how to check if an email is phishing, step by step.

Step 1: Inspect the Sender's Email Address

The "From" name might say "PayPal" or "Apple Support," but the actual email address tells the real story. Here's how to check:

  • On desktop: Hover over or click the sender name to reveal the full email address
  • On mobile: Tap the sender name to expand the address details

Red flags in email addresses:

  • The domain doesn't match the company (e.g., support@paypa1-secure.com instead of @paypal.com)
  • Extra words or hyphens in the domain (e.g., @amazon-support-team.com)
  • Free email providers like Gmail or Yahoo for "official" company emails
  • Random strings of characters in the address

Real company emails come from their official domain. If it's not @company.com, proceed with extreme caution.

Step 2: Analyze the Subject Line and Greeting

Phishing emails use specific psychological triggers in subject lines:

  • Fear: "Your account has been compromised"
  • Urgency: "Action required within 24 hours"
  • Curiosity: "You have a new document to review"
  • Greed: "Your refund of $487.00 is ready"

Then check the greeting. Legitimate services that have your account usually greet you by name. Phishing emails tend to use generic greetings like "Dear Customer," "Dear User," or "Hello" with no name at all.

Step 3: Hover Over Links (Don't Click!)

This is the most important step. Before clicking any link in the email:

  1. Hover your mouse over the link (don't click)
  2. Look at the URL that appears in the bottom-left corner of your browser or in a tooltip
  3. Check if the domain matches the company the email claims to be from

Common phishing link tricks:

  • http://microsoft-login.suspicious-domain.com — the real domain is suspicious-domain.com, not Microsoft
  • https://login.bankofamerica.com.fake-site.net — the real domain is fake-site.net
  • Shortened URLs that hide the true destination
  • Slight misspellings like goggle.com or arnazon.com

The real domain is always the last part of the hostname, the portion immediately before the first single slash. Everything to its left (subdomains) can be faked.
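
The link check above can be automated. The following is an added example, not code from ScamSecurityCheck: it pulls every link out of an HTML email body and reports those whose real domain differs from the domain the email claims to come from. The function names and the short suffix table are assumptions made for illustration; the sample body is constructed from the example URLs in this guide.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List. Real tooling should
# load the full list so suffixes such as co.uk are always handled correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(url):
    """Return the domain a link really belongs to (e.g. fake-site.net)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a href=...> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html_body, claimed_domain):
    """Return (text, href, real domain) for web links off the claimed domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [(text, href, registrable_domain(href))
            for text, href in parser.links
            if href.lower().startswith(("http://", "https://"))
            and registrable_domain(href) != claimed_domain]

# Constructed sample: the visible text shows one URL, the href goes elsewhere.
SAMPLE = """<p>Dear Customer, sign in at
<a href="https://login.bankofamerica.com.fake-site.net/verify">
https://www.bankofamerica.com/login</a> or
<a href="https://www.bankofamerica.com/help">contact us</a>.</p>"""

if __name__ == "__main__":
    for text, href, real in suspicious_links(SAMPLE, "bankofamerica.com"):
        print(f"shown: {text}\ngoes to: {href}\nreal domain: {real}")
```

Shortened URLs still need to be expanded by a separate, safe resolver before this comparison means anything, because the shortener's own domain is all that appears in the link.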

Step 4: Check for Spelling and Grammar Errors

Professional organizations have editorial standards. While no company is perfect, phishing emails frequently contain:

  • Awkward phrasing or unnatural sentence structures
  • Misspelled words, especially in headers or buttons
  • Inconsistent formatting (mixed fonts, odd spacing)
  • Incorrect company names or product references

One or two minor errors might be an oversight. Multiple errors throughout the email are a strong phishing indicator.

Step 5: Evaluate the Request

Ask yourself: What is this email asking me to do? Phishing emails typically request one of these actions:

  • Click a link to "verify" or "update" account information
  • Download an attachment (invoice, receipt, document)
  • Reply with personal information
  • Call a phone number to resolve an "issue"
  • Send a payment or purchase gift cards

Legitimate companies will never ask you to verify sensitive data via email. If your bank needs to verify your identity, they'll ask you to log in through their official app or website — not through an email link.

Step 6: Look for Mismatched Branding

Phishing emails often get the visual details wrong:

  • Logos that are blurry, outdated, or slightly different from the real brand
  • Color schemes that don't match the company's actual branding
  • Footers with incorrect or missing contact information
  • No unsubscribe link (required by law for legitimate marketing emails)
  • Legal text or privacy policy links that lead to dead ends

Step 7: Check the Email Headers (Advanced)

For those who want to be thorough, email headers reveal the true origin:

  1. Open the email's full headers (in Gmail: three dots > "Show original")
  2. Look at the Return-Path — it should match the sender's domain
  3. Check Received: headers to see where the email actually originated
  4. Look for SPF, DKIM, and DMARC results — "FAIL" on any of these is a red flag
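
The header checks in Step 7, as an added example that is not part of the original guide or ScamSecurityCheck's code: it parses a raw message, compares the Return-Path domain with the From domain, and reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header. It is stricter than the step above in that it reports any verdict other than "pass", not only "fail". The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(address_header):
    """Domain part of an address header such as From or Return-Path."""
    return parseaddr(address_header or "")[1].rpartition("@")[2].lower()

def header_findings(raw_message):
    """Apply the Step 7 checks and return a list of red flags."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    # Return-Path should be the From domain or one of its subdomains.
    if rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    # Trust only the topmost Authentication-Results header: it was added last,
    # by the receiving server. Lower copies may have been forged by the sender.
    topmost = (msg.get_all("Authentication-Results") or [""])[0]
    verdicts = dict.fromkeys(("spf", "dkim", "dmarc"), "missing")
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", topmost, re.I):
        verdicts[method.lower()] = verdict.lower()
    for method, verdict in verdicts.items():
        if verdict != "pass":
            findings.append(f"{method.upper()} result: {verdict}")
    return findings

# Constructed sample: SPF passes for the attacker's own bounce domain, but
# DMARC fails because that domain does not align with the From address.
SAMPLE = """\
Return-Path: <bounce@mailer.fake-site.net>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mailer.fake-site.net;
 dkim=none; dmarc=fail header.from=paypal.com
From: "PayPal" <service@paypal.com>
Subject: Action required within 24 hours

Dear Customer, please verify your account.
"""

if __name__ == "__main__":
    for finding in header_findings(SAMPLE):
        print(finding)
```

The sample shows why SPF alone is not enough: a sender can pass SPF for a domain it controls while the visible From address names someone else, which is the mismatch DMARC reports.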

What to Do if You Identify a Phishing Email

  1. Don't click anything — no links, no attachments
  2. Report it to your email provider (most have a "Report phishing" button)
  3. Forward it to the Anti-Phishing Working Group at reportphishing@apwg.org
  4. Alert the impersonated company through their official abuse reporting channel
  5. Delete the email from your inbox and trash

What if You Already Clicked?

If you already interacted with a phishing email:

  1. Change your passwords immediately for any accounts that may be affected
  2. Enable two-factor authentication on all important accounts
  3. Run a malware scan on your device
  4. Monitor your bank statements for unauthorized transactions
  5. Consider a credit freeze if you shared financial information

Use a Phishing Email Checker

Not sure if an email is legitimate? ScamSecurityCheck's scanner can analyze suspicious email content in seconds. Paste the email text into our AI-powered tool, and it will identify phishing patterns, suspicious URLs, impersonation tactics, and urgency manipulation — then give you a clear risk rating.

Don't gamble with your personal information. Check before you click. Try ScamSecurityCheck free.

Courtney Delaney

Founder, ScamSecurityCheck

Courtney Delaney is the founder of ScamSecurityCheck, dedicated to helping people identify and avoid online scams through AI-powered tools and education.
