How can I tell if an email is a scam?

Hover over (don't click) every link to inspect the real domain, check the sender's full email address — not just the display name — and treat any email that creates urgency or asks for credentials as guilty until proven innocent.

Are AI-written scam emails harder to spot?

Yes. The classic 'bad grammar' tell is gone. In 2026 you have to rely on technical signals: sender domain, link destinations, and whether the request itself makes sense given your actual relationship with the sender.

What should I do if I already clicked a link in a scam email?

Disconnect from Wi-Fi, run a malware scan, change passwords for any accounts whose credentials you may have entered, enable 2FA, and notify your bank if any financial details were touched.

How do I report a scam email?

Forward to your email provider's phishing-report address (Gmail: report-phishing@google.com; Outlook: junk@office365.microsoft.com), to your national cyber-reporting service, and to the brand being impersonated.

FREE REAL-TIME VERIFICATION · GLOBAL SEARCH · OFFICIAL OPEN DATA SOURCES

Is This a Scam Email?

How to tell, in under a minute, whether an email is a phishing attempt — even in 2026 when AI has killed the classic 'bad grammar' tell.

Key Takeaways

Always check the sender's full email address, not just the display name.
Hover over every link — never click — to see the real destination.
Treat urgency, threats, and unsolicited 'verify your account' requests as guilty until proven innocent.
AI-written scam emails are now grammatically perfect. Rely on technical signals, not language.

The 5-second sender check

Click the sender's name to expand the full address. Real organisations send from their own domain (e.g. @paypal.com), not from paypal-security@gmail.com or a look-alike like @payp4l.com. If you cannot verify the domain belongs to the brand, assume the email is fake.

Hover every link before clicking

On desktop, hover over a link and read the URL in the bottom-left corner of your browser. On mobile, long-press a link to preview the destination. The display text and the real link don't have to match — and in phishing emails, they almost never do.

Urgency is the scammer's main tool

"Your account will be closed in 24 hours." "Unusual login from Russia." "Final notice of unpaid invoice." Every one of these phrases is designed to bypass critical thinking. Real organisations give you days, not minutes, to act. When you feel rushed, stop.

If a URL is mentioned, run it through Scam AI

Don't click — copy the URL and paste it into Scam AI. We will check it against Google Safe Browsing, WHOIS, OpenSanctions and global fraud databases before you risk a single character of personal data.

What to do if you already clicked

Disconnect from Wi-Fi. Change the password for any account whose credentials you entered (and any other account using the same password). Enable 2FA. Run a malware scan. If banking details were touched, ring your bank's fraud line immediately.

Run a free check now

Scam AI cross-references regulator blacklists, business registries, WHOIS history and global fraud reports — in real time, free, no signup.

Verify a Website

Frequently Asked Questions

How can I tell if an email is a scam?: Hover over (don't click) every link to inspect the real domain, check the sender's full email address — not just the display name — and treat any email that creates urgency or asks for credentials as guilty until proven innocent.
Are AI-written scam emails harder to spot?: Yes. The classic 'bad grammar' tell is gone. In 2026 you have to rely on technical signals: sender domain, link destinations, and whether the request itself makes sense given your actual relationship with the sender.
What should I do if I already clicked a link in a scam email?: Disconnect from Wi-Fi, run a malware scan, change passwords for any accounts whose credentials you may have entered, enable 2FA, and notify your bank if any financial details were touched.
How do I report a scam email?: Forward to your email provider's phishing-report address (Gmail: report-phishing@google.com; Outlook: junk@office365.microsoft.com), to your national cyber-reporting service, and to the brand being impersonated.