How to Verify That an Email Sender Is Legitimate

Published 2026-06-02

A practical checklist for telling a real email from your bank apart from a convincing phishing attempt — covers headers, links, attachments, and the out-of-band verification you should always do.

The Core Rule

If an email asks you to take action (click a link, log in somewhere, call a number, transfer money, change a password), never act on the email itself. Verify out-of-band: open a fresh browser tab and type the company's URL by hand, or call the number on the back of your credit card. The email might be legitimate; the cost of verifying is 30 seconds. The cost of acting on a phishing email can be your savings account.

Step 1: Check the Visible Sender Carefully

  • Hover over (don't click) the sender name to reveal the actual email address
  • Compare it to legitimate sender addresses from past emails from the same company. Banks usually send from [email protected]; phishers use lookalikes like [email protected] or [email protected] or [email protected]
  • Beware lookalike domains and homoglyphs: bnak.com (n and a transposed), bankk.com (extra letter), bаnk.com (Cyrillic 'а' that looks identical to Latin 'a')

Step 2: Check the Email Headers

If the sender domain looks correct but you're suspicious, view the email source and check the Authentication-Results: line. spf=pass dkim=pass dmarc=pass, with the correct domain in the d= field, means the message carried a valid DKIM signature from that domain and passed DMARC alignment, so it genuinely originated there. Failures or domain mismatches are forgery signals. Read only the Authentication-Results: line that your own receiving mail server added (normally the topmost one); a sender can insert a fake one further down in the headers.

See our guide on reading email headers for the full walkthrough.

Step 3: Inspect Every Link

  • Hover over each link to reveal the actual URL. Banks don't use random URL shorteners
  • The visible link text and the actual URL should match. <a href="https://evil.com">https://bank.com</a> is a classic forgery technique
  • Find the host between the scheme's double slash and the first single slash, then read its last two labels: in https://bank.com.evil.example.com/login the host is bank.com.evil.example.com, so the real domain is evil.example.com, NOT bank.com
  • If a link is in a button, right-click to copy the URL and paste it into a text editor to read it carefully
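The two checks from Step 2 and Step 3, as an added example that is not part of the original guide: one function reads an Authentication-Results: line for spf/dkim/dmarc passes and DKIM d= alignment, the other pulls the registrable domain out of a link so that subdomain tricks and Cyrillic homoglyphs become visible. The sample header is constructed, the "last two labels" rule is a simplification (a public-suffix list would be needed for domains like example.co.uk), and the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample Authentication-Results value, as a receiving server would add it.
SAMPLE_AUTH_RESULTS = (
    "mx.example.net; spf=pass smtp.mailfrom=bank.com; "
    "dkim=pass header.d=bank.com header.s=sel1; "
    "dmarc=pass header.from=bank.com"
)


def auth_results_ok(header: str, expected_domain: str) -> bool:
    """True only if spf, dkim and dmarc all pass and the DKIM d= is the expected domain.

    Only evaluate the header line added by your own receiving server; a sender can
    insert a forged Authentication-Results line further down in the message.
    """
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    d_field = re.search(r"header\.d=([\w.-]+)", header)
    return (
        all(results.get(method) == "pass" for method in ("spf", "dkim", "dmarc"))
        and d_field is not None
        and d_field.group(1).lower() == expected_domain.lower()
    )


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host in ASCII (punycode) form.

    bank.com.evil.example.com -> example.com; a Cyrillic lookalike comes back as xn--...
    Simplification: a public-suffix list is needed for suffixes like co.uk.
    """
    host = urlsplit(url).hostname or ""
    host = host.encode("idna").decode("ascii")  # expose homoglyphs as punycode
    return ".".join(host.split(".")[-2:])


def link_matches(url: str, expected_domain: str) -> bool:
    """True if the link really points at expected_domain (or a subdomain of it)."""
    return registrable_domain(url) == expected_domain.lower()
```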

Step 4: Be Wary of Attachments

Real businesses rarely send unsolicited attachments. If your bank sends a PDF 'statement' you didn't request, treat it as hostile. If a vendor sends an Excel file with macros 'to update your contact info', it's malware. Open all unexpected attachments in Google Drive's preview or another sandboxed viewer — never in your local Office install on first encounter.

Step 5: Check the Tone and Urgency

  • Real businesses don't use ALL CAPS, threats of immediate account closure, or 'verify your account in 24 hours or lose access' framing
  • Real businesses address you by name, not 'Dear Customer'
  • Real businesses don't ask you to confirm your password by email; they ask you to log in via the app
  • Real businesses don't ask you to confirm your full SSN or full credit card number; they might ask you to confirm the last 4 digits over the phone

Step 6: Verify Out-of-Band

The single most effective verification: don't act on the email. Instead:

  • Open your browser, type the company's URL by hand. Log in normally. If there's a real notification, it'll show up on your dashboard.
  • Call the company on a phone number you already have (back of your credit card, official website you typed yourself, not the number in the email).
  • Visit a branch / office in person if it's high-stakes.

Special Case: Internal Phishing

If the email appears to come from someone you know personally (your boss, your CEO asking you to buy gift cards, your colleague asking for files), verify via a separate channel before acting. Phone, Slack, Signal, in-person — any channel that isn't email. Business Email Compromise scams target this gap and cost organisations billions annually.

What If You Already Clicked

  1. Don't enter any credentials
  2. Close the tab
  3. If you DID enter credentials, change the password for that account (and any account using the same password) from a different device immediately
  4. Enable 2FA if it wasn't already enabled
  5. Watch the account for unauthorised activity for 30 days
  6. If financial, contact the bank's fraud line

Related Guides

See also: how to read email headers, how to spot a phishing email visual guide, and how to check if your email was breached.
