Why Email Verification Matters
Email is the primary vector for phishing, business email compromise (BEC), and impersonation fraud. The FBI's Internet Crime Complaint Center consistently ranks BEC among the highest-cost cybercrime categories, with losses totaling billions annually. The attacks range from crude mass phishing to sophisticated targeted impersonation — emails that appear to come from your CEO, a trusted vendor, or a government agency, requesting urgent action.
The tactics have grown more sophisticated alongside awareness of basic red flags. Modern phishing emails are often grammatically flawless, sent from convincing lookalike domains, and arrive in the context of ongoing business conversations that have been infiltrated. Knowing how to quickly assess an email's legitimacy is a skill every professional needs.
This checklist takes two to three minutes per email and catches the vast majority of fraudulent messages, from crude spam to targeted business email compromise attempts.
Step 1: Check the Sender's Actual Email Address
The display name in an email can say anything: 'PayPal Support,' 'Your CEO,' 'IRS Notice.' What matters is the address behind it. Most desktop clients show it when you hover over or click the display name in the From field; mobile clients often hide it until you tap the name. Compare the domain of that address (everything after the @) to the legitimate domain of the organization it claims to represent.
Common tactics include: a lookalike domain (paypa1.com instead of paypal.com, microsoftonline-support.com instead of microsoft.com); the right name under a different top-level domain (someone@amazon.co instead of @amazon.com); and a legitimate company's name in the display name on a message sent from a completely unrelated address.
For emails from people you know, check whether the address exactly matches previous correspondence. Business email compromise often uses an address that is one character different from the real one, which is easy to miss without looking carefully. Check the Reply-To address as well: a message whose replies are routed to a different domain than the one it was sent from is a classic BEC pattern. Some attacks compromise the actual account, so even a matching address is not a guarantee if the message is requesting unusual action.
Step 2: Validate the Sending Domain
Once you have the sender's domain, check how old it is. A WHOIS lookup (use whois.domaintools.com or icann.org/whois) shows when the domain was registered; privacy services hide the registrant's identity but not the creation date. A domain registered last month that is sending urgent financial requests on behalf of an apparent Fortune 500 company is a significant red flag.
Check whether the message passed SPF, DKIM, and DMARC. These are email authentication mechanisms that legitimate organizations implement, and your receiving mail server records its verdict in an Authentication-Results header (in Gmail, for example, 'Show original' displays the SPF, DKIM, and DMARC results). Two caveats matter here. First, a pass only proves the message really came from the domain in the From header; a lookalike domain the attacker registered and configured will pass all three checks, so a pass never substitutes for Step 1. Second, mail that fails DMARC for a domain that publishes a reject policy is usually blocked before it reaches you, so what you will actually see in your inbox is either a failing or missing result for a domain that should have passed, or a clean pass for a domain that is not the organization's. An email failing DMARC while claiming to be from a major bank or government agency is almost certainly fraudulent.
Tools like Deep Checker Pro's email validation feature check MX records, domain age, and whether an email comes from a legitimate provider or a disposable/temporary email service. Running the sender's email through such a check takes seconds and provides an objective data point about the address's legitimacy.
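The checks in Steps 1 and 2 can be scripted. The Python below is an added example, not code from this article or from any product it names. It pulls the real address out of the From header, compares its domain against a short trusted-domain list (constructed here; in practice it would come from your address book or vendor list), flags lookalikes by digit-for-letter substitution, small edit distance and brand-name-in-domain, reads the SPF/DKIM/DMARC verdicts your server recorded in Authentication-Results, and flags a Reply-To pointing elsewhere. Both sample messages are constructed, and the lookalike domains in them are the article's own illustrations, not attribution of real mail. The first sample shows the caveat from Step 2: it passes DMARC cleanly and is still flagged, because the domain it passes for is not PayPal's.

```python
"""Script the sender checks from Steps 1 and 2 of the checklist.

Added example, not code from the article or any product it names. The
trusted-domain list and both sample messages are constructed. Stdlib only.
"""
import re
import unicodedata
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Domains the reader actually corresponds with (illustrative; in practice
# this comes from your address book or your organization's vendor list).
TRUSTED_DOMAINS = ("paypal.com", "microsoft.com", "amazon.com")

# Digit-for-letter swaps common in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Verdicts as written by the receiving server, e.g. "dmarc=fail".
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def normalize(domain: str) -> str:
    """Fold a domain to a skeleton so visual lookalikes collide with the real name.
    Handles accents, digit swaps and rn->m / vv->w. Does not decode punycode
    (xn--) names, so IDN homoglyph domains need a separate check."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable(domain: str) -> str:
    """Last two labels. Fine for .com-style TLDs; a real tool would use the
    Public Suffix List so that e.g. amazon.co.uk is handled correctly."""
    return ".".join(domain.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for 'one character off' domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike of <trusted domain>' or 'unknown'.
    The brand-in-label test also catches legitimate names such as amazonaws.com;
    that is acceptable for triage, which only asks for extra scrutiny."""
    dom = domain.lower()
    if any(dom == t or dom.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    skel = normalize(dom)
    first_label = skel.split(".")[0]
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        if (skel == normalize(t)                              # paypa1.com -> paypal.com
                or edit_distance(registrable(skel), t) <= 2   # amazon.co vs amazon.com
                or brand in first_label):                     # microsoftonline-support.com
            return f"lookalike of {t}"
    return "unknown"


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """First spf/dkim/dmarc verdict from Authentication-Results. Your own server
    adds this header (and strips or renames foreign copies), so the top one is
    the one to trust."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(hdr)):
            results.setdefault(mech, verdict.lower())
    return results


def triage(raw: str) -> dict:
    """Run the Step 1 and Step 2 checks over one raw message."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg["From"] or ""))
    from_domain = _domain(addr)
    verdict = assess_domain(from_domain)
    findings = []
    # Step 1: the address behind the display name, and where replies go.
    if verdict.startswith("lookalike"):
        findings.append(f"From domain {from_domain} is a {verdict}")
    claimed = next((t.split(".")[0] for t in TRUSTED_DOMAINS if t.split(".")[0] in display.lower()), None)
    if claimed and verdict != "trusted":
        findings.append(f"display name '{display}' claims {claimed} but address is @{from_domain}")
    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if reply and _domain(reply) != from_domain:
        findings.append(f"Reply-To goes to @{_domain(reply)}, not @{from_domain}")
    # Step 2: what the receiving server concluded about the From domain. A pass
    # only proves the mail came from from_domain; lookalike + pass stays flagged.
    auth = auth_results(msg)
    dmarc = auth.get("dmarc", "absent")
    if dmarc != "pass":
        findings.append(f"DMARC {dmarc} for header.from {from_domain} "
                        f"(spf={auth.get('spf', 'absent')}, dkim={auth.get('dkim', 'absent')})")
    return {"address": addr, "domain": from_domain, "verdict": verdict,
            "auth": auth, "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (only the headers matter). Not real mail.
LOOKALIKE_PASSES_DMARC = """\
From: "PayPal Support" <service@paypa1.com>
To: you@example.com
Subject: Your account is limited - act within 24 hours
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypa1.com; dkim=pass header.d=paypa1.com; dmarc=pass header.from=paypa1.com

Confirm your details at the link below.
"""

SPOOFED_REAL_DOMAIN = """\
From: "Amazon Billing" <no-reply@amazon.com>
Reply-To: billing-desk@amazon-refunds.example
To: you@example.com
Subject: Refund approved - confirm bank details
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=amazon.com; dkim=none; dmarc=fail header.from=amazon.com

Reply with your account number to receive your refund.
"""

if __name__ == "__main__":
    for raw in (LOOKALIKE_PASSES_DMARC, SPOOFED_REAL_DOMAIN):
        r = triage(raw)
        print(f"{r['address']}: {'SUSPICIOUS' if r['suspicious'] else 'no findings'}")
        for f in r["findings"]:
            print("  -", f)
```

Run it on a saved .eml file by passing the file's contents to triage(). The design choice worth noting is that the lookalike test and the authentication test are independent: the first message passes SPF, DKIM and DMARC and is flagged anyway, while the second is a trusted domain whose failing results and foreign Reply-To give it away.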
Step 3: Examine the Request Itself
Regardless of how convincing the sender appears, examine what the email is actually asking you to do. The following requests should always trigger heightened scrutiny, whoever they appear to come from:
- Wire transfers or cryptocurrency payments, especially urgent ones
- Clicking a link to reset a password or verify account information
- Providing login credentials, API keys, or other authentication information
- Changing payment routing information (bank account numbers, ACH details)
- Downloading and running an attachment
- Calling a phone number to 'verify' your account
Legitimate organizations virtually never request credentials, payment routing changes, or large wire transfers exclusively via email. If a request seems unusual given your normal relationship with the apparent sender, verify it through a separate channel — call a phone number you already have on file, not one provided in the email.
Step 4: Search the Email Address and Domain
Search the full email address in quotation marks in a search engine. Phishing addresses are often reported by previous victims on sites like ScamAdviser, PhishTank, Spamhaus, and community forums. If the address appears in fraud reports, that is strong confirmation to delete the message; the reverse does not hold, since attackers rotate addresses faster than reports accumulate, so a clean search result on its own proves nothing.
Search the domain alongside terms like 'phishing,' 'scam,' and 'fraud.' Search the phone number if one was provided. Scam operations often use the same infrastructure across multiple victims, meaning a search will often surface reports from others who received similar messages.
For high-stakes emails, such as requests from apparent executives, vendors, or financial institutions, verify by contacting the claimed sender through an independently sourced phone number or in person. This out-of-band verification is the gold standard for confirming that an email requesting unusual action is genuine.
Step 5: If in Doubt, Do Not Act
The defining feature of fraudulent emails is urgency. 'Act immediately or your account will be suspended.' 'This offer expires today.' 'The CEO needs this wire transferred before close of business.' Urgency is manufactured to prevent you from pausing to verify.
A genuine vendor, executive, or service provider will not be damaged if you take 30 minutes to verify a request before acting on it. A genuine payment instruction will survive a phone call to confirm. Any organization that threatens consequences for basic verification is either poorly run or fraudulent.
If you work in an organization, report suspicious emails to your security or IT team rather than just deleting them. Your report may protect colleagues from the same attack, and it gives the team the full message, headers included, to block the sender for everyone. If a phishing attempt impersonates a real organization (a bank, a government agency), many organizations have abuse reporting addresses (an abuse@ mailbox at the organization's real domain, for example) or official reporting channels where you can forward the message.
Frequently Asked Questions
How can I tell if a link in an email is safe to click?
What is business email compromise (BEC)?
Can I get in trouble for clicking a phishing link?
What should I do if I already replied to a suspicious email?