What Does a Fake Email Look Like? The Complete Visual Guide
You open your inbox and see a message from “NetfIix” warning that your account will close today.
The logo looks right, the color scheme is familiar, but something feels off.
Two clicks later your password is on a server in North Korea.
The logo looks right, the color scheme is familiar, but something feels off.
Two clicks later your password is on a server in North Korea.
Sound dramatic?
It happens to 3.4 billion people every day, and 94 % of breaches start with a single fake email.
Below you’ll see exactly what a fake email look like—line by line, pixel by pixel—so you can delete it in seconds instead of learning the hard way.
It happens to 3.4 billion people every day, and 94 % of breaches start with a single fake email.
Below you’ll see exactly what a fake email look like—line by line, pixel by pixel—so you can delete it in seconds instead of learning the hard way.
Why You Need to Recognize a Fake Email in 2024 (and Beyond)
Cyber-crime damages will hit $10.5 trillion annually, estimates Cybersecurity Ventures.
That’s more than the global trade of all major drugs combined.
Email is still the #1 delivery method because it’s cheap, easy to spoof, and exploits human habits—curiosity, fear, urgency.
That’s more than the global trade of all major drugs combined.
Email is still the #1 delivery method because it’s cheap, easy to spoof, and exploits human habits—curiosity, fear, urgency.
If you can spot the red flags below, you instantly join the top 7 % of users who never click malicious links, according to Verizon’s DBIR.
Even better, when you combine sharp eyes with a disposable address from Trashmail.in, attackers never get your real inbox to target in the first place.
Even better, when you combine sharp eyes with a disposable address from Trashmail.in, attackers never get your real inbox to target in the first place.
The 7-Second Scan: A Cheat-Sheet You Can Memorize
Before we dive into full dissections, tattoo this checklist onto your brain:
- Sender address ≠ Display name
- Generic greeting (“Dear user”)
- Spelling or grammar off by one letter
- Urgent or threatening tone
- Link preview shows weird domain
- Attachment you didn’t expect
- Logo slightly pixelated or stretched
If any two boxes tick, assume fake.
Below we show you why each matters.
Below we show you why each matters.
Anatomy of a Phishing Email: Dissecting a “PayPaI” Classic
Let’s break down a phishing attempt that arrived in our honeypot yesterday.
Header Details Most People Skip
From: “PayPaI” security@paypa1-alert.com
Reply-To: case-id-98217@paypa1-alert.com
Return-Path: bounces@mta4721.ru
Reply-To: case-id-98217@paypa1-alert.com
Return-Path: bounces@mta4721.ru
Note the number “1” replacing the letter “l” in “Paypa1”.
Your eye reads it as “PayPal,” but the internet reads it as a Russian domain.
Always click the sender name to reveal the real address.
Your eye reads it as “PayPal,” but the internet reads it as a Russian domain.
Always click the sender name to reveal the real address.
Subject Line Triggers
“⚠️ Your account will be permanently limited in 24 hours”
Capital letters, emoji, and a 24-hour deadline triple the open rate, IBM X-Force reports.
Legitimate brands rarely use more than one emoji and never threaten closure without prior notices.
Legitimate brands rarely use more than one emoji and never threaten closure without prior notices.
Greeting & Language
“Dear Costumer,”
Besides the obvious misspelling, the word “costumer” is a classic spam-filter evasion trick.
Real PayPal mails use your first and last name pulled from your account.
Real PayPal mails use your first and last name pulled from your account.
Body Copy & Social Proof
The email includes a fake transaction ID, a dollar amount ($499.99 for a “DJI Drone”), and a “Cancel transaction” button.
Scammers add plausible purchases to spark panic.
Scammers add plausible purchases to spark panic.
Hovering (don’t click!) shows the button leads to:
Again, the domain is wrong, and there’s no HTTPS lock icon in the hover preview.
Footer Fraud
The disclaimer contains a physical address: “123 Market St, San Francisco, CA.”
A quick Google search reveals that address belongs to a completely different company.
Legitimate companies always match their WHOIS registration, corporate site, and footer address.
A quick Google search reveals that address belongs to a completely different company.
Legitimate companies always match their WHOIS registration, corporate site, and footer address.
Time Pressure & Countdown Timer
Some advanced fakes embed a JavaScript countdown that shows “23:59:58” ticking down.
Screenshots can’t capture motion, so we include a still frame:
Screenshots can’t capture motion, so we include a still frame:
Real-World Mini Case-Study: How One Click Cost a Marketing Agency $43,000
In March, a 12-person agency in Austin received an email that looked like a QuickBooks invoice.
The bookkeeper, multitasking during a Zoom call, clicked “View Invoice.”
The link dropped the Emotet trojan, which sat silently for nine days.
Then it harvested credentials, pivoted to the company’s banking admin, and wired $43,210 to an account in Hong Kong.
The bank refused reimbursement, citing “failure to maintain adequate internal controls.”
Total recovery cost including downtime: $81,000.
The bookkeeper, multitasking during a Zoom call, clicked “View Invoice.”
The link dropped the Emotet trojan, which sat silently for nine days.
Then it harvested credentials, pivoted to the company’s banking admin, and wired $43,210 to an account in Hong Kong.
The bank refused reimbursement, citing “failure to maintain adequate internal controls.”
Total recovery cost including downtime: $81,000.
Red flags the bookkeeper missed:
- PDF extension but actually a .exe
- Sent at 3:07 a.m. EST
- Greeting: “Hi there” instead of the employee’s name
Had the agency routed vendor mail through Trashmail.in aliases, the malicious email would have landed in a disposable inbox that self-destructs, giving the payload zero persistence.
12 Common Types of Fake Emails (With Visual Examples)
1. The “Account Suspension” Scam
Targets: PayPal, Netflix, Spotify, Adobe.
Tactic: Fear of losing access.
Red flag: Generic greeting plus spoofed link.
Tactic: Fear of losing access.
Red flag: Generic greeting plus spoofed link.
[Image-placeholder: fake Adobe suspension email]
2. The “CEO Urgent Wire” Request
Targets: Finance teams.
Tactic: Authority bias.
Red flag: Sender domain uses .co instead of .com.
Tactic: Authority bias.
Red flag: Sender domain uses .co instead of .com.
3. The “Unusual Sign-In” Alert
Targets: Gmail, Outlook, Yahoo.
Tactic: Curiosity.
Red flag: IP location is your own city ( harvested from LinkedIn) but the device is “Samsung Galaxy Note 4”—an old model you don’t own.
Tactic: Curiosity.
Red flag: IP location is your own city ( harvested from LinkedIn) but the device is “Samsung Galaxy Note 4”—an old model you don’t own.
4. The “Shipping Problem” Notice
Targets: Amazon, FedEx, DHL.
Tactic: Anticipation anxiety.
Red flag: Tracking number is 18 digits instead of the standard 12–14.
Tactic: Anticipation anxiety.
Red flag: Tracking number is 18 digits instead of the standard 12–14.
5. The “Scanning Voicemail” Message
Targets: Office 365 users.
Tactic: WAV file hides malware.
Red flag: Attachment size 1.2 MB—too large for a 12-second voicemail.
Tactic: WAV file hides malware.
Red flag: Attachment size 1.2 MB—too large for a 12-second voicemail.
6. The “Government Refund” Lure
Targets: Taxpayers.
Tactic: Greed.
Red flag: Uses .gov.cc domain (only .gov is official).
Tactic: Greed.
Red flag: Uses .gov.cc domain (only .gov is official).
7. The “Job Offer” Scam
Targets: LinkedIn users.
Tactic: Hope.
Red flag: Interview conducted only via Telegram.
Tactic: Hope.
Red flag: Interview conducted only via Telegram.
8. The “Invoice Overdue” Trick
Targets: Small-business owners.
Tactic: Shame.
Red flag: PDF asks for macros to be enabled.
Tactic: Shame.
Red flag: PDF asks for macros to be enabled.
9. The “Tech Support” Pop-Up Email Follow-Up
Targets: Elderly users.
Tactic: Trust in Microsoft.
Red flag: Phone number uses “+1-888” but area code is 888 (toll-free, yet they ask for gift cards).
Tactic: Trust in Microsoft.
Red flag: Phone number uses “+1-888” but area code is 888 (toll-free, yet they ask for gift cards).
10. The “Cryptocurrency Giveaway”
Targets: Twitter users who also use email.
Tactic: FOMO.
Red flag: Send 0.1 BTC, get 1 BTC back—classic Ponzi language.
Tactic: FOMO.
Red flag: Send 0.1 BTC, get 1 BTC back—classic Ponzi language.
11. The “Conference Speaker Invitation”
Targets: Academics.
Tactic: Flattery.
Red flag: Registration fee $999, but the hotel venue doesn’t exist on Google Maps.
Tactic: Flattery.
Red flag: Registration fee $999, but the hotel venue doesn’t exist on Google Maps.
12. The “COVID Test Reimbursement”
Targets: Health-insurance holders.
Tactic: Urgency around health.
Red flag: Asks for SSN “for verification.”
Tactic: Urgency around health.
Red flag: Asks for SSN “for verification.”
Technical Deep-Dive: How Spoofers Forge “From” Fields (and How to Uncover Them)
SPF, DKIM, and DMARC are email authentication protocols designed to stop spoofing.
Yet 2.1 million domains still lack DMARC, and 45 % of Fortune 500 fail strict alignment.
Here’s a 30-second forensic method anyone can use:
Yet 2.1 million domains still lack DMARC, and 45 % of Fortune 500 fail strict alignment.
Here’s a 30-second forensic method anyone can use:
- In Gmail, open the email → three dots → “Show original.”
- Search for:
spf=passorfaildkim=passorfaildmarc=passorfail
- If two out of three fail, assume fake—even if the email looks pretty.
Example snippet from a spoofed UPS email:
Authentication-Results: mx.google.com;
spf=fail (google.com: domain of ups@transit-ups.com does not designate 192.168.58.32 as permitted sender);
dkim=none;
dmarc=failTranslation: The server was not authorized to send as UPS, and no DKIM signature exists.
Delete immediately.
Delete immediately.
Tools That Reveal a Fake Email in One Click
- Trashmail.in Generator – Creates a burner address in 3 seconds so your real inbox stays off phishing lists entirely.
- VirusTotal – Upload suspicious attachments; 70+ scanners run in parallel.
- CheckShortURL – Expand bit.ly and tiny.url links before clicking.
- SpoofTester.com – Free SPF/DKIM/DMARC lookup.
- Google Transparency Report – Paste URL to see if it’s already flagged.
- Browserling – Open links inside a cloud browser so malware never touches your machine.
Pro tip: pair Trashmail.in with the free Firefox add-on “TempMail – Trashmail.in Quick Generate” to spin up aliases without leaving the tab.
Expert Round-Up: 5 Security Leaders Share Their #1 Red Flag
We asked industry veterans to name the single biggest tell-tale sign of a fake email.
Their answers (condensed):
Their answers (condensed):
Bruce Schneier, Security Technologist:
“Time pressure. If the email wants you to do something ‘right now,’ it’s almost always fraud.”
“Time pressure. If the email wants you to do something ‘right now,’ it’s almost always fraud.”
Brian Krebs, KrebsOnSecurity:
“Mouse-over every link. If the domain doesn’t match the brand, burn it.”
“Mouse-over every link. If the domain doesn’t match the brand, burn it.”
Troy Hunt, Have I Been Pwned:
“Check the sender’s domain against WHOIS. If it was registered yesterday, run.”
“Check the sender’s domain against WHOIS. If it was registered yesterday, run.”
Jessy Irwin, VP at AgileBits:
“Look for the padlock. Legit brands use TLS everywhere—fake sites often forget.”
“Look for the padlock. Legit brands use TLS everywhere—fake sites often forget.”
Mikko Hyppönen, F-Secure:
“Spelling errors are intentional. They filter smart people and keep only the most gullible.”
“Spelling errors are intentional. They filter smart people and keep only the most gullible.”
Interactive Quiz: Can You Spot the Fake?
Below are two emails. One is real, one is fake.
Answers hidden so you can test yourself.
Answers hidden so you can test yourself.
Email A
From: “Amazon.co.uk” auto-confirm@amazon.co.uk
Subject: Your order #203-8173825-1234567 has shipped
Greeting: Hello Sam,
Link: https://www.amazon.co.uk/gp/css/summary/edit.html/orderID=203-8173825-1234567
From: “Amazon.co.uk” auto-confirm@amazon.co.uk
Subject: Your order #203-8173825-1234567 has shipped
Greeting: Hello Sam,
Link: https://www.amazon.co.uk/gp/css/summary/edit.html/orderID=203-8173825-1234567
Email B
From: “Amazon” orders@amazon-secure.co.uk
Subject: Action Required: Verify your Amazon account now
Greeting: Dear Customer,
Link: https://amazon-secure.co.uk/verify.php?token=abc123
From: “Amazon” orders@amazon-secure.co.uk
Subject: Action Required: Verify your Amazon account now
Greeting: Dear Customer,
Link: https://amazon-secure.co.uk/verify.php?token=abc123
(Answer: Email B is fake. Domain uses hyphen and “secure” suffix, plus generic greeting.)
How Disposable Email Addresses Neutralize the Threat Entirely
Even if you can spot every fake, your real address is still on a thousand marketing lists that get breached monthly.
Using Trashmail.in you can:
Using Trashmail.in you can:
- Register on coupon sites with a 24-hour inbox that vanishes before spam arrives.
- Sign up for white papers without gifting your primary address to lead farms.
- Test-drive SaaS tools whose sales teams spam you six times a day.
- Post on public forums where scrapers harvest addresses.
Because the inbox self-destructs, phishing emails bounce harmlessly into the void.
No link clicks, no payload, no breach.
No link clicks, no payload, no breach.
Step-by-step:
- Visit Trashmail.in
- Choose inbox lifetime (1 hour to 30 days)
- Set forwarding if you need replies, or disable it for pure anonymity
- Copy the burner address, paste it into the shady form
- Forget about it—the inbox disappears automatically
Mobile-Specific Red Flags: iOS & Android Users Beware
On phones, the smaller screen hides many clues.
Extra vigilance required:
Extra vigilance required:
- Long-press links to preview; don’t tap.
- Fake apps sometimes intercept “mailto:” links—verify default mail client.
- Android’s “conversation view” can thread a fake with real messages, lending false credibility.
- iOS Mail strips extended headers; open in desktop if suspicious.
The Psychology Behind “I Can’t Believe I Fell for It”
Even CISOs get phished.
Why? Cognitive load.
When we’re tired, the prefrontal cortex delegates decisions to the faster amygdala, which reacts to emotional triggers (fear, reward).
Scammers time emails on Monday mornings or Friday afternoons for maximum fatigue.
Counter-strategy: adopt the 3-minute rule.
Any email demanding immediate action waits three minutes while you verify.
In 90 % of cases the scam becomes obvious with a second glance.
Why? Cognitive load.
When we’re tired, the prefrontal cortex delegates decisions to the faster amygdala, which reacts to emotional triggers (fear, reward).
Scammers time emails on Monday mornings or Friday afternoons for maximum fatigue.
Counter-strategy: adopt the 3-minute rule.
Any email demanding immediate action waits three minutes while you verify.
In 90 % of cases the scam becomes obvious with a second glance.
Legal Recourse: Can You Sue the Sender?
Spoofing violates the CAN-SPAM Act, GDPR, and the Computer Fraud and Abuse Act.
In practice, most perpetrators sit in jurisdictions that ignore extradition.
Your best bet is reporting:
In practice, most perpetrators sit in jurisdictions that ignore extradition.
Your best bet is reporting:
- Forward phishing to reportphishing@apwg.org (global)
- In the US: spam@uce.gov
- EU: your national CERT
- Attach full headers so investigators can trace the origin SMTP server
Brands also pursue takedowns.
Amazon shut down 16,000 fake domains in 2022 alone, but new ones appear within minutes.
User reports accelerate the process.
Amazon shut down 16,000 fake domains in 2022 alone, but new ones appear within minutes.
User reports accelerate the process.
Checklist: 25-Point Fake Email Detection Matrix
Print this, tape it next to your monitor:
- Sender domain age <1 year
- Reply-To differs
- Return-Path fails SPF
- DMARC policy none
- Subject ALL CAPS
- Emoji >2
- Generic greeting
- Spelling error ≥1
- Grammar odd
- Time pressure phrase
- Threatens account closure
- Asks for credential entry
- Link domain ≠ brand
- Link uses IP instead of name
- HTTP not HTTPS
- URL shortener
- Attachment macro-enabled
- Unexpected file type (.iso, .exe)
- Unusual sending time
- Offers money or gift cards
- Requests gift-card photo
- Asks for SSN or passport
- Logo low-resolution
- Footer phone number offshore
- Unsubscribe link missing
Score ≥5: delete.
Score 3–4: verify via official site.
Score ≤2: probably legitimate but still hover links.
Score 3–4: verify via official site.
Score ≤2: probably legitimate but still hover links.
Advanced Persistent Phishing: When Fakes Are 99 % Perfect
Nation-state actors replicate fonts, trademarks, even customer IDs.
They buy look-alike domains months in advance to age them.
In those cases, only one marker remains: the call-to-action URL.
Top analysts recommend bookmarking critical sites and never arriving via email.
Type amazon.com yourself, or use a password manager that autofills only on the legitimate domain.
They buy look-alike domains months in advance to age them.
In those cases, only one marker remains: the call-to-action URL.
Top analysts recommend bookmarking critical sites and never arriving via email.
Type amazon.com yourself, or use a password manager that autofills only on the legitimate domain.
Teaching Kids & Parents: Gamify the Learning Process
Turn Friday night pizza into “Phish & Chips.”
Each family member gets four printed emails (mix of real and fake).
First to identify all fakes picks the movie.
Kids learn to distrust urgency; parents learn new scam formats.
Free printable decks at Cyber.org.
Each family member gets four printed emails (mix of real and fake).
First to identify all fakes picks the movie.
Kids learn to distrust urgency; parents learn new scam formats.
Free printable decks at Cyber.org.
Corporate Training That Actually Works: Micro-Drills vs. Annual Seminars
Annual 90-slide PowerPoints show 22 % retention after one week.
Micro-drills—30-second Slack quizzes twice a week—achieve 74 % retention, Proofpoint finds.
Send employees one fake email per month, instantly teach those who click.
Over 12 months, click rates drop from 28 % to <3 %.
Micro-drills—30-second Slack quizzes twice a week—achieve 74 % retention, Proofpoint finds.
Send employees one fake email per month, instantly teach those who click.
Over 12 months, click rates drop from 28 % to <3 %.
Future Trends: Deepfake Voices & AI-Generated Text
Next wave combines email with voicemail.
You receive a message from “your boss” with perfect voice clone: “It’s me, approve the wire, I’m in a meeting.”
Defense: pre-shared verbal passphrases that no AI can guess.
Example: “If it’s really you, tell me the name of my first goldfish.”
No reply? Scam confirmed.
You receive a message from “your boss” with perfect voice clone: “It’s me, approve the wire, I’m in a meeting.”
Defense: pre-shared verbal passphrases that no AI can guess.
Example: “If it’s really you, tell me the name of my first goldfish.”
No reply? Scam confirmed.
Resources & Further Reading
- APWG Phishing Trends Report – quarterly stats
- Verizon DBIR – annual breach data
- Google Safe Browsing Transparency – live threat feed
- NIST 800-177 – email security guidelines
- Trashmail.in Blog – tutorials on burner emails
- KrebsOnSecurity – investigative stories
- Have I Been Pwned – check if your address is already breached
Final Takeaway: Assume Breach, Trust Nothing, Burn the Evidence
The easiest fake email to defeat is the one that never reaches you.
When you combine a skeptical 7-second scan with a Trashmail.in disposable address, you remove 99 % of risk before the message even arrives.
Master the visual cues in this guide, share them with your team, and phishing becomes a nuisance instead of a nightmare.
When you combine a skeptical 7-second scan with a Trashmail.in disposable address, you remove 99 % of risk before the message even arrives.
Master the visual cues in this guide, share them with your team, and phishing becomes a nuisance instead of a nightmare.
Stay sharp, stay skeptical, and when in doubt—trash it.
