Hallmarks of a Scam Email


A reader asks…

I received an email from Paypal saying I got charged a lot of money for some purchase. I neither made a purchase, nor even have a Paypal account. I called the number on the email and they sounded fishy, so I hung up fairly quickly. Should I do anything else?

Delete the email. Recognize that you’ll get more of these types of “phishing” emails where a scammer tries to impersonate a recognized business entity. Their goal is to get money from you, and they will use all the psychological tricks they can to get you to give it to them. Your best bet is to not engage.

There are three primary hallmarks that help you identify a scam email:

  1. Look at the email address showing in the From line. Whether the email looks like it comes from Paypal, Citibank, Verizon, UPS, or any other business entity, the From email should match the official domain of the business. Scammers often use Gmail or other free email services to send out their email. If the From address doesn’t match the business entity, the email is a scam and you should just delete it without doing anything further.
  2. Hover your cursor over any hyperlinks in the email but don’t click them. These links can include text links and/or image links. When you hover your cursor, a small box will appear (either by the cursor or sometimes at the bottom of the window) that shows the website address where the link will take you. Scammers will give you a link that actually takes you someplace other than what you expect. For example, hover over this link: Google.com – clicking that would take you to my own website. Another example, hover over this link: PosiTek.net – clicking that would take you to Google. Emails are just as easy to craft with a link that says one thing but points someplace else.
  3. If the email has a phone number to call or a link to click to cancel, dispute or otherwise respond – do not call or click that link! Legitimate businesses almost never provide a phone number to call in their official emails. Most likely, the number would go to a scam call center where the person answering the phone will use psychology to get you to part with your money, give them remote access to your computer, or take some other action that you wouldn’t ordinarily take. Don’t give them a chance to find your weak spot – they’re very good at this.

Sometimes, the email address on the From line looks legit, and the hyperlinks inside all point to a valid business entity. But there’s a phone number to call to dispute the charge. In this case, the email is still bogus, and you should simply delete it. Never call a phone number listed on an invoice to dispute, obtain a refund or other action for something you aren’t 100% sure you instigated.

Other examples embed the so-called receipt in a file attachment. Don’t open any email file attachments unless you are 100% sure they are from an entity with which you deal, and the email is in response to a purchase or other communication you made with that entity.

There are still some legitimate businesses that use email to communicate with customers and those emails can contain phone numbers and hyperlinks. This is done for your convenience, and the scammers use the same tactics. If you receive a confirmation or delivery email for something you ordered or instigated, and the email is otherwise legitimate, then that third hallmark doesn’t apply. It’s primarily for emails that you didn’t expect.

Here’s a bit about email addresses and website URLs: the domain name is usually near the front of an address. In an email address it is the part just after the @ symbol, and in a URL it is the part that ends with a domain suffix – .com, .net, .org, etc. (before any slash other than the initial two after https:). You may see addresses that show a domain somewhat similar to a legitimate one, such as paypal.scamsales.com. In this example, the part that just precedes the domain suffix (.com) is the actual domain – scamsales.com. Having “paypal.” before that doesn’t mean the domain is from Paypal; it simply means that scamsales.com set up a subdomain called paypal. Also watch that the domain name hasn’t got a different character – paypal.com is not the same as paypal*.com, nor poypal.com, nor p*ypal.com, etc.

These days there are hundreds of domain suffixes in use besides .com. If you’re interested, there’s a wiki here that lists most of them.

One other thing is that your email service may hide the actual From email address when displaying the email to you, just using a name that the scammer assigned to the email account. So someone with the email address: scammer @ xxxxx.xxxxx.com might show in your inbox as “Paypal”. You need to either hover over or click the From line entry to see the actual email address.
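
The checks from hallmarks 1 and 2, combined with the domain-reading rule and the hidden From address described above, can be automated. This is an added example, not part of the original article: `check_email`, `registered_domain`, `LinkCollector` and the sample message are constructed for illustration, and the "last two labels" rule assumes a single-label suffix such as .com.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: display name says PayPal, address and first link do not.
SAMPLE = """From: "PayPal" <billing@paypal.scamsales.com>
Content-Type: text/html

<p>You were charged $499.99.
<a href="https://paypal.scamsales.com/dispute">https://www.paypal.com/dispute</a>
<a href="https://www.paypal.com/help">Help</a></p>
"""

def registered_domain(host):
    # Assumption: single-label suffix (.com, .net); production code should
    # consult the Public Suffix List to handle suffixes such as .co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):  # gathers (visible text, href) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_email(raw, expected_domain):
    """Return findings for hallmarks 1 and 2 against the brand's real domain."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    findings = []
    sender = registered_domain(addr.rpartition("@")[2])
    if sender != expected_domain:
        findings.append(f"From shows {display!r} but is sent from {sender}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for text, href in collector.links:
        target = registered_domain(urlsplit(href).hostname or "")
        if target != expected_domain:
            findings.append(f"link {text!r} actually goes to {target}")
    return findings
```

Calling `check_email(SAMPLE, "paypal.com")` reports the mismatched sender and the first link, while the second link, which really points to paypal.com, passes.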

Scammers are constantly finding new methods to scam you out of money. Phishing is just one tactic. Your best defense is to not respond in any way. Especially around the holiday season, scammers are hard at work sending advertising emails, offers of discounts or free goods, etc. The foreign agent who wants to give you money continues to work around the internet. Even the Nigerian Prince scam is still around, as there are new victims constantly coming onto the internet. Don’t let that be you.

You may see other indicators, like common grammatical and spelling errors, you not being addressed by name, a blank To line (meaning you were sent this as a blind copy) or requests to update your info. These are all common tactics of scammers. It can be easy or hard to spot a fake email, so when in doubt, assume the email is a scam. Don’t try to take any action other than deleting the email. Don’t click the Unsubscribe link, as all that does is confirm that the email address used is a live one, which makes your email address more valuable to sell to scam lists on the dark web. That just makes you more of a target. Don’t respond in any way to the scam email, as that also confirms your email address works.

The dark web includes a marketplace where identity information such as email addresses is bought and sold. Anytime you respond in any way to scam or junk email, you increase the value your email address brings to buyers of these lists. Some scammers are simply generating lists of good email addresses to sell on the dark web, and for others that’s a nice secondary way to generate income.


Scammers are going to keep sending you scam emails of all different types, from all different fake organizations, and varying the content of the email in many creative ways. Concentrate on the three common indicators above to determine if an email is legitimate or not. And one last note: you shouldn’t be clicking on any hyperlink in any email you receive. Instead, open your web browser and navigate to the organization if you want to shop or visit. Email is just too darn easy to fake, and should never be relied upon as a legitimate communication medium.

This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via Venmo (send to @PosiTek), your Paypal account (send to Support@PosiTek.net), any credit card (no Paypal account required), Zelle, Apple Pay or Google Pay, or by mailing a check or cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thank you!
