You're staring at an email. Maybe it says your account is locked. Maybe there's an unpaid invoice, a parcel stuck in customs, or a bonus waiting for you. Something feels off — but it also looks just real enough to make you hesitate. That hesitation is exactly what scammers engineer for.
Here's the good news: you can usually tell a scam email from a real one in under two minutes, without any special tools. This guide walks through the red flags that give scammers away, how to read the sender's real address and headers, how to look up who's actually behind an email, and what to do if you've already clicked. No jargon you can't act on.
The Red Flags That Give Scam Emails Away
No single sign is proof on its own. Scammers are sloppy in clusters, though — and when two or three of these show up in the same message, you're almost certainly looking at a scam.
1. Urgency and threats
"Your account will be suspended in 24 hours." "Final notice." "Unauthorized login detected — act now." Real companies rarely give you a ticking clock to hand over a password. Manufactured panic is the scammer's favorite tool because rushed people skip the checks they'd normally do.
2. The greeting is generic
"Dear Customer," "Dear User," or "Hello [your email address]" instead of your actual name. A company you truly have an account with usually knows your name. Note the reverse is also true now: scammers buy leaked data, so a message that does use your real name isn't automatically safe.
3. The ask is the giveaway
Legitimate organizations do not email you to ask for your password, full card number, a one-time security code, or payment in gift cards, crypto, or wire transfer. Any of those requests is a hard stop. The gift-card and crypto asks in particular are near-universal scam tells.
4. Links and attachments that don't add up
Hover your cursor over any link (on mobile, press and hold) and read the address that pops up before tapping. If the text says "paypal.com" but the real destination is "paypa1-secure.ru" or some random string, it's a trap. Unexpected attachments — especially .zip, .html, .iso, or anything asking you to "enable macros" — are classic malware delivery.
5. Small mistakes and odd formatting
Misspellings, broken grammar, a logo that's slightly the wrong color, or a layout that looks copy-pasted. AI has made scam writing cleaner than it used to be, so don't rely on typos alone — but they still show up, and they're still a tell when they do.
Not sure who an address really belongs to?
Drop the sender's email into PrufAgent. We search 250+ public sources and live breach data to surface what's actually tied to it. Phone clue previews from $4.99, email scans from $9.99.
Check the Sender's Real Address, Not the Display Name
The single most useful move you can make is to stop reading the friendly display name and look at the actual address behind it.
Email lets the sender set any "From" name they want. "Apple Support," "Your Bank," "PayPal Service Team" — those are just labels, typed by whoever sent the message. The part that's harder to fake is the address after the @ sign.
- Tap or click the sender name to expand the full address. On Gmail, click the little down-arrow under the sender. On Apple Mail, tap the name. On Outlook, hover or open the message details.
- Read the domain — the part after the @. A real PayPal message comes from a paypal.com domain, not "paypal-billing.com," "paypal.secure-login.net," or "service@paypal.com.account-verify.ru." Scammers love to bury the real brand name as a subdomain in front of their own junk domain.
- Watch for look-alike characters. "rn" that reads as "m," a zero instead of an "o," or accented letters that mimic the real domain. When in doubt, type the address out and compare letter by letter.
If the display name claims a major company but the domain is a free mailbox (gmail.com, outlook.com, proton.me) or anything that isn't the company's own domain, treat it as a scam until proven otherwise.
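The hover-the-link test above and the read-the-domain steps in this section come down to one question: does the host behind a link or sender address actually belong to the brand, once you strip subdomains and look-alike characters? The script below is an added example written for this guide (it is not PrufAgent's code or anything from the original page). It reduces a URL, a bare address, or a "Display Name <address>" string to its registrable domain and labels the common tricks: the real brand buried as a subdomain, the brand name padded into a longer label, digit-for-letter and "rn"-for-"m" substitutions, non-ASCII characters, and free-mailbox domains. The suffix list, confusables table, and sample addresses are constructed for the example; a production check would use the full Public Suffix List.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Free mailbox providers named in the guide. Constructed short list.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "proton.me"}

# A few multi-label public suffixes so the registrable domain is right for
# hosts like "shop.example.co.uk". A constructed stand-in for the real
# Public Suffix List, which a production check should use instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Look-alike substitutions scammers use inside domain labels.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def host_of(target: str) -> str:
    """Lower-case host from a URL, an email address, or 'Name <addr>'."""
    target = target.strip()
    if "<" in target:                      # display-name form: keep only the address
        target = parseaddr(target)[1]
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1].lower()
    if "://" not in target:
        target = "http://" + target        # bare host such as "rnicrosoft.com"
    return (urlsplit(target).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Strip subdomains: 'service.paypal.com' -> 'paypal.com'."""
    labels = host.split(".")
    keep = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def fold_confusables(label: str) -> str:
    """Replace look-alike sequences so 'paypa1' reads as 'paypal'."""
    # Two-character sequences first so "rn" is folded before single characters.
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label


def assess(target: str, brand_domain: str) -> dict:
    """Compare a link or sender against the brand's real domain."""
    host = host_of(target)
    labels = host.split(".")
    reg = registrable_domain(host)
    brand_reg = registrable_domain(brand_domain.lower())
    brand = brand_reg.split(".")[0]        # "paypal" from "paypal.com"
    reasons = []
    if reg != brand_reg:
        if brand in labels:
            # The real brand is buried as a subdomain of someone else's domain.
            reasons.append("brand-as-subdomain")
        if any(brand in l and l != brand for l in labels):
            reasons.append("brand-name-embedded")    # e.g. paypal-billing.com
        if any(brand in fold_confusables(l) and brand not in l for l in labels):
            reasons.append("look-alike-characters")  # e.g. paypa1, rnicrosoft
        if not host.isascii():
            reasons.append("non-ascii-characters")   # accented/Cyrillic stand-ins
        if reg in FREE_MAIL_DOMAINS:
            reasons.append("free-mailbox-domain")
    return {"host": host, "registrable": reg,
            "verdict": "ok" if reg == brand_reg else "mismatch", "reasons": reasons}


if __name__ == "__main__":
    # Constructed inputs in the shapes the guide describes.
    for sample, brand in [("https://www.paypal.com/myaccount", "paypal.com"),
                          ("https://paypa1-secure.ru/login", "paypal.com"),
                          ("service@paypal.com.account-verify.ru", "paypal.com"),
                          ("Apple Support <apple.support@gmail.com>", "apple.com")]:
        print(sample, "->", assess(sample, brand))
```

The verdict is only "ok" when the registrable domain matches exactly; everything else is reported with the reason it failed, which is the same letter-by-letter comparison the guide asks you to do by hand.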
Read the Headers When You Need Certainty
The visible "From" address can still be spoofed. When you want to go a level deeper, the email's headers — the hidden routing data attached to every message — reveal the server that actually sent it.
How to view them:
- Gmail: open the message → three-dot menu (top right) → "Show original."
- Outlook (web): open the message → three-dot menu → "View" → "View message source."
- Apple Mail: select the message → View menu → Message → All Headers (or Raw Source).
You don't need to decode every line. Look for three things:
- Return-Path / Reply-To: if these point to a different domain than the "From" address, that's suspicious. A legit sender's reply-to usually matches their visible domain. One caveat: large senders often route bounces through a mailing-service domain, so a Return-Path mismatch on its own is weaker evidence than a Reply-To mismatch, which is what a scammer needs in order to receive your answer.
- Authentication results — SPF, DKIM, and DMARC: these are the email world's anti-forgery checks. In "Show original," Gmail prints a small summary: you want to see PASS next to SPF, DKIM, and DMARC. A FAIL (or, for SPF, a "softfail"), especially a DMARC fail, is a strong signal the message was spoofed or sent by someone not authorized for that domain.
- The originating server: the "Received:" lines trace the path. A mail claiming to be from a bank but routed through an unrelated server in a random country is a red flag.
Headers won't lie the way a display name will. SPF/DKIM/DMARC failures plus a mismatched return-path are about as close to a smoking gun as a regular person can get without a forensics lab.
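To show what those three checks look like when you do them over a pasted "Show original" dump rather than by eye, here is an added example (written for this guide, not code from the original page or from PrufAgent). It uses only Python's standard library to pull the From, Return-Path and Reply-To domains, the SPF/DKIM/DMARC results from the Authentication-Results header, and the "Received: from" chain, then lists the findings. Both messages are constructed: the first is shaped like a spoofed bank notice, the second like a clean statement; the domains, IDs and IP addresses are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: what a spoofed message might look like in "Show original".
SPOOFED = """\
Return-Path: <bounce-1234@mail.account-verify.example>
Received: from mail.account-verify.example (mail.account-verify.example [203.0.113.7])
        by mx.example.net with ESMTPS id abc123
        for <victim@example.net>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [192.0.2.10] (unknown [192.0.2.10])
        by mail.account-verify.example with ESMTPA id xyz789;
        Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.example.net;
       spf=softfail smtp.mailfrom=mail.account-verify.example;
       dkim=none;
       dmarc=fail header.from=paypal.com
From: "PayPal Service Team" <service@paypal.com>
Reply-To: <support-desk@account-verify.example>
To: <victim@example.net>
Subject: Unauthorized login detected - act now

Your account will be suspended in 24 hours.
"""

# Constructed sample: a legitimate message where everything lines up.
CLEAN = """\
Return-Path: <bounces@bounce.paypal.com>
Received: from mx1.paypal.com (mx1.paypal.com [198.51.100.5])
        by mx.example.net with ESMTPS id def456; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.net;
       spf=pass smtp.mailfrom=bounce.paypal.com;
       dkim=pass header.d=paypal.com;
       dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: <victim@example.net>
Subject: Your monthly statement

Your statement is ready.
"""


def domain_of(header_value) -> str:
    """Domain part of an address header such as From or Return-Path."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def org_domain(domain: str) -> str:
    """Last two labels, so bounce.paypal.com and paypal.com count as the same
    organisation. Ignores multi-label suffixes like co.uk for brevity."""
    return ".".join(domain.split(".")[-2:])


def auth_results(msg) -> dict:
    """Map spf/dkim/dmarc to the result token (pass, fail, softfail, none...)."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", value, re.I):
            results.setdefault(mech.lower(), result.lower())
    return results


def received_hops(msg) -> list:
    """Hosts named in 'Received: from ...' lines. The first entry is the last
    server to handle the message; the last entry is closest to the origin."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())
        m = re.match(r"from\s+(\S+)", flat)
        hops.append(m.group(1) if m else flat.split(" ")[0])
    return hops


def triage(raw: str) -> dict:
    """Run the guide's three header checks and collect the findings."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    return_path = domain_of(msg["Return-Path"])
    reply_to = domain_of(msg["Reply-To"])
    auth = auth_results(msg)
    findings = []
    if return_path and org_domain(return_path) != org_domain(from_domain):
        findings.append(f"Return-Path domain {return_path} differs from From domain {from_domain}")
    if reply_to and org_domain(reply_to) != org_domain(from_domain):
        findings.append(f"Reply-To domain {reply_to} differs from From domain {from_domain}")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech.upper()} did not pass ({auth.get(mech, 'missing')})")
    return {"from_domain": from_domain, "return_path_domain": return_path,
            "reply_to_domain": reply_to, "auth": auth,
            "hops": received_hops(msg), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, triage(raw))
```

For the spoofed sample the script reports a Return-Path and Reply-To on a different organisation than the From address, an SPF softfail, no DKIM signature, and a DMARC fail, with the Received chain ending at an unnamed host; the clean sample produces no findings at all. Note that it reads whatever Authentication-Results header is present, so as a reader you still have to trust that the receiving server (the one in your own provider's "Show original") wrote it.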
See what's actually behind the email
PrufAgent runs the sender's email against 250+ public sources plus real breach and infostealer data, then tells you straight — including an honest "no strong matches" when the footprint is thin.
Check an email on /app → Email scans from $9.99 · results in about a minute · no subscription
Look Up Who's Actually Behind the Email
Headers tell you whether the message was authenticated. They don't tell you who the human is. For that, a reverse-email lookup is the next move — especially when the address is a personal one (a "buyer" on Marketplace, a "recruiter," a too-good-to-be-true landlord, a romance contact).
A reverse-email search takes the address and works backward to whatever is publicly tied to it: linked social or dating profiles, reused usernames, public posts, and whether the address shows up in known data breaches. It's the difference between "this email looks sketchy" and "this email belongs to an account created last week with zero history."
What useful results look like:
- A real person usually leaves a trail — a years-old account, consistent usernames, a profile photo that appears in more than one place.
- A scam or throwaway address often returns almost nothing, or a brand-new presence with no history. Thin footprints are themselves a signal worth weighing.
- Breach exposure tells you whether the address (or your own) is already circulating in leaked credential dumps — useful both for vetting a stranger and for protecting yourself.
PrufAgent is built for exactly this: it searches public profiles, usernames, and live breach/infostealer data tied to an email, and it tells you honestly when there's not much there rather than inventing a match. For a deeper walkthrough, see our guides on who owns this email address and how to run a reverse email lookup. To check whether your address has been caught in a leak, start with an email breach check.
What to Do With a Scam Email
Once you've decided a message is bad, handle it cleanly:
- Don't reply, don't click, don't unsubscribe. Even the "unsubscribe" link can confirm your address is live or load a malicious page. Just don't interact.
- Report it. In Gmail, use "Report phishing" (three-dot menu); in Outlook, "Report → Phishing." This trains your provider's filters and protects others.
- Mark as spam and delete. After reporting, get it out of your inbox.
- If it impersonates a company you use, verify through a channel you find yourself — type the company's real website into your browser or call the number on your card or statement. Never use the contact details inside the suspicious email.
- Forward phishing reports to your national reporting body if you want to help shut the operation down (for example, the Canadian Anti-Fraud Centre, or reportphishing@apwg.org internationally).
If you already clicked or entered something
- Stop and don't submit anything further on the page that opened.
- Change the password for any account you may have exposed — and any other account where you reused that password.
- Turn on two-factor authentication everywhere it's offered, so a stolen password alone isn't enough.
- Watch for follow-on scams. Once you bite once, your details get sold and resold. Expect more attempts and treat them with extra suspicion.
- Check your exposure. Run your email through a breach and infostealer check to see whether your credentials are already out there, then prioritize changing those first.
The Two-Minute Sniff Test
When a new email makes you pause, run it through this in order:
- Does it push urgency, fear, or a too-good reward? Slow down.
- Is the real domain after the @ exactly the company's own? Expand it and read it.
- Where do the links actually go? Hover before you click.
- Is it asking for a password, code, or payment? Legit senders don't.
- Need certainty? Open the headers and check SPF/DKIM/DMARC, or look the address up to see who's really behind it.
Most scams fall apart at step two or three. The ones that survive that far are exactly the ones worth checking the headers and running a lookup on. A scam wants you moving fast — your whole advantage is being willing to take two minutes.
Run the sender through PrufAgent
Email and phone scans search 250+ public sources plus live breach data and report what's really tied to a sender. Phone from $9.99, email scans from $9.99.