How to Identify Scam and Phishing Emails

Learn how to check email for scammer activity using header analysis, SPF/DKIM/DMARC verification, and visual red flags. Practical guide for Gmail and Outlook users.


Phishing remains the most common attack vector for credential theft, ransomware deployment, and financial fraud. According to the Anti-Phishing Working Group, phishing attacks consistently exceed one million incidents per quarter. Knowing how to check email for scammer activity is no longer optional -- it is a core skill for anyone who manages an inbox.

This guide covers the technical and visual indicators that separate legitimate messages from fraudulent ones, and shows you how to use free tools to verify suspicious emails before they cause damage.

Red Flags in Email Headers

The message body is what most recipients focus on, but the email headers contain the real forensic evidence. Headers record every server that handled the message, along with authentication results, timestamps, and originating IP addresses.

Key things to look for:

  • Received headers that don't match the claimed sender domain. If the From: address says [email protected] but the earliest Received: header shows an IP in a residential block in a different country, that is a strong indicator of spoofing.
  • Mismatched Return-Path and From fields. Legitimate senders almost always align these. A Return-Path pointing to a throwaway domain while From claims to be a major brand is a classic phishing pattern.
  • Missing or failed authentication headers. Look for Authentication-Results lines that show spf=fail, dkim=fail, or dmarc=fail.

Use our Header Analyzer to parse raw headers automatically and surface these discrepancies without manual inspection.

SPF, DKIM, and DMARC Failures as Scam Indicators

Email authentication protocols exist specifically to prevent sender impersonation. When they fail, treat it as a warning.

SPF (Sender Policy Framework) verifies that the sending server's IP address is authorized by the domain's DNS records. A spf=fail result means the message came from a server not listed in the domain's SPF record -- a hallmark of spoofed email. Run a quick check with our SPF Check tool.

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to the message. If dkim=fail appears in the headers, either the message was tampered with in transit or the signature was forged. Verify DKIM signatures using our DKIM Verify tool.

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together with a domain-level policy. A dmarc=fail result means the message failed both alignment checks: neither SPF nor DKIM produced a pass for a domain aligned with the From address. Organizations with a p=reject DMARC policy instruct receiving servers to discard such messages entirely, but not all domains have strict policies in place. You can check any domain's DMARC configuration with our DMARC Analyze tool.

If all three protocols fail for a message that claims to come from a well-known brand, you are almost certainly looking at a scam.
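The header checks from "Red Flags in Email Headers" and the SPF/DKIM/DMARC verdicts described above can be scripted. The following is an added example, not code from this site's tools; the sample headers, the `trusted_authserv` parameter and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; domains and the IP are reserved documentation values.
SAMPLE = """\
Return-Path: <bounce@mailer-throwaway.example>
Received: from unknown (203.0.113.45) by mx.recipient.example; Mon, 01 Jan 2024 10:00:01 +0000
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=mailer-throwaway.example;
 dkim=none; dmarc=fail header.from=bigbrand.example
Authentication-Results: forged.invalid; spf=pass; dkim=pass; dmarc=pass
From: "Big Brand Support" <support@bigbrand.example>
Subject: Action required

(body omitted)
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def related(a, b):
    """True if the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def auth_verdicts(msg, trusted_authserv):
    """Read spf/dkim/dmarc verdicts, but only from headers stamped by our own
    receiving server: a sender can inject Authentication-Results lines too."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def header_red_flags(raw, trusted_authserv):
    msg = message_from_string(raw)
    flags = []
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_dom and rp_dom and not related(from_dom, rp_dom):
        flags.append(f"return-path {rp_dom} vs from {from_dom}")
    verdicts = auth_verdicts(msg, trusted_authserv)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method, "missing") != "pass":
            flags.append(f"{method}={verdicts.get(method, 'missing')}")
    return flags
```

Pass the hostname your own mail provider writes at the start of its Authentication-Results header as `trusted_authserv`; verdicts stamped by any other host are ignored and reported as missing.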

Display Name Spoofing

One of the simplest and most effective phishing techniques does not require any technical sophistication. Display name spoofing sets the friendly name in the From field to something like "PayPal Security" while the actual email address is something entirely unrelated, such as [email protected].

Most mobile email clients show only the display name by default, making this attack particularly effective on phones. Always expand the sender details to view the full email address before acting on any message that requests sensitive information or urgent action.
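A mail filter can make the same comparison automatically by checking the display name against the address domain. This is an added example, not part of the original guide; the `BRAND_DOMAINS` watch-list and the function names are assumptions made for illustration.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed watch-list: brand keyword -> domains that brand legitimately sends from.
# Constructed for illustration; maintain your own for the brands your users see.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com"},
}

def is_under(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)

def display_name_spoof(from_header):
    """Return the brand named in the display name when the address domain
    does not belong to that brand, otherwise None."""
    name, addr = parseaddr(from_header)
    # Decode RFC 2047 encoded-words so "=?utf-8?q?PayPal?=" is read as "PayPal".
    name = str(make_header(decode_header(name)))
    domain = addr.rpartition("@")[2].lower()
    # Drop spaces and punctuation so "Pay-Pal" or "P a y P a l" still matches.
    squashed = "".join(ch for ch in name.lower() if ch.isalnum())
    for brand, domains in BRAND_DOMAINS.items():
        if brand in squashed and not any(is_under(domain, d) for d in domains):
            return brand
    return None
```

Substring matching is a heuristic and will also flag names that merely contain a brand word, so treat a hit as a reason to look at the full address rather than as a verdict.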

URL Inspection

Phishing emails almost always contain links designed to harvest credentials or deliver malware. Before clicking any link:

  • Hover over the link (desktop) or long-press (mobile) to reveal the actual destination URL.
  • Check the domain carefully. Attackers use lookalike domains such as paypa1.com (with a numeral) or security-apple.com.attacker.example.
  • Look for HTTPS. While HTTPS alone does not guarantee legitimacy, its absence on a login page is a definitive red flag.
  • Be wary of URL shorteners. Legitimate transactional emails from major providers rarely use shortened URLs.
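Once the real destination URL is visible, the domain, HTTPS and shortener checks above can be applied mechanically. This is an added example, not part of the original guide; the brand watch-list, the shortener list and the two-label approximation of the registrable domain are assumptions.

```python
from urllib.parse import urlsplit

BRANDS = {"paypal": "paypal.com", "apple": "apple.com"}  # assumed watch-list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}           # assumed, not exhaustive
DIGIT_SWAPS = str.maketrans("0135", "oles")              # 0->o, 1->l, 3->e, 5->s

def registrable(host):
    """Approximate the registrable domain as the last two labels.
    A production check should use the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])

def inspect_link(url):
    """Return a set of red-flag labels for one destination URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reg = registrable(host)
    flags = set()
    if parts.scheme != "https":
        flags.add("not-https")
    if reg in SHORTENERS:
        flags.add("shortener")
    for brand, real in BRANDS.items():
        if reg == real:
            continue  # genuinely the brand's own domain
        if reg.translate(DIGIT_SWAPS) == real:
            # Digits standing in for letters, as in paypa1.com.
            flags.add(f"lookalike:{real}")
        elif brand in host:
            # Brand name used as a label under someone else's domain.
            flags.add(f"brand-in-hostname:{brand}")
    return flags
```

The browser decides where a link goes from the rightmost labels of the hostname, which is why `security-apple.com.attacker.example` is flagged even though it begins with what looks like a brand domain.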

Gmail and Outlook Phishing Warnings

Modern email clients provide built-in scam detection:

Gmail displays a prominent red banner reading "This message seems dangerous" or "Be careful with this message" when its filters detect phishing characteristics. Gmail also shows a question mark next to the sender's avatar when it cannot authenticate the message. Messages that fail DMARC with a p=quarantine or p=reject policy may be sent directly to spam or rejected entirely.

Outlook flags suspicious messages with a safety tip bar at the top of the message. The yellow bar indicates the message could not be verified; the red bar indicates a known phishing pattern. Outlook also blocks automatic image loading by default, which prevents tracking pixels in scam emails from loading.

Yahoo Mail similarly warns users about unverified senders and provides a "Report phishing" option directly in the message actions menu.

What to Do When You Spot a Scam

  1. Do not click any links or download attachments.
  2. Report the message using your email client's built-in reporting feature. This improves filters for everyone.
  3. Run the headers through analysis. Paste the full message headers into our Header Analyzer to confirm authentication failures and trace the message origin.
  4. Verify independently. If the message claims to be from a company you use, navigate to their website directly (not through any link in the email) and check your account.
  5. Delete the message after reporting.

A consistent scammer email check routine -- inspecting headers, verifying authentication, and scrutinizing links -- dramatically reduces your exposure to phishing attacks. Build the habit of verifying before trusting, and use the right tools to back up your instincts with data.

