Every "how to spot a scam email" article tells you to look for spelling mistakes, dodgy grammar, and Nigerian prince storylines. That advice is about ten years out of date.
The scam emails landing in inboxes right now are grammatically perfect. They use your company's real logo, reference actual projects you're working on, and come from domains that look right at a glance. In January 2024, a finance manager at Arup (a global engineering firm) joined a video call with what appeared to be the company's CFO and several colleagues — all deepfake recreations — and authorised transfers totalling $25 million.
If sophisticated scams can fool professionals on video calls, they can certainly fool you in an email. Here are the signs that actually matter.
1. The Reply-To Address Doesn't Match the From Address
This is the single most reliable tell, and most people never check it.
A scam email might show From: Sarah Chen in your inbox. Looks fine. But buried in the headers is a Reply-To: line pointing at a completely different address. When you hit reply, your response goes to the attacker, not Sarah.
Why this works: Email clients display the From: field prominently but hide the Reply-To unless you actively look. Most people never do.
How to check: Before replying to any email that asks you to do something (transfer money, share credentials, change payment details), click Reply and look at the actual address in the To field before you type anything. In Gmail, you can also click the small dropdown arrow next to the sender's name to see the full header details.
A legitimate sender almost never has a mismatched Reply-To. When they do, it's usually an obvious mailing list or noreply address — not a freemail account that looks like someone's name.
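The check described in this section can be automated. The script below is an added example, not code from the original article: it parses a raw message with Python's standard email library, compares the domain of the From address with the domain of the Reply-To address, and flags a mismatch, with a separate verdict when the Reply-To lands on a freemail provider. The sample messages, the address names and the freemail list are constructed for the example.

```python
"""Flag messages whose Reply-To diverts replies away from the From domain."""
from email import message_from_string, policy
from email.utils import parseaddr

# Freemail providers commonly seen in Reply-To diversions (constructed list, extend as needed).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}

# Constructed sample messages (not real traffic). Each is a minimal RFC 5322 message.
SAMPLE_DIVERTED = (
    "From: Sarah Chen <sarah.chen@yourcompany.example>\n"
    "Reply-To: sarah.chen.finance@gmail.com\n"
    "To: you@yourcompany.example\n"
    "Subject: Urgent payment\n"
    "\n"
    "Please process the attached invoice today.\n"
)
SAMPLE_NO_REPLY_TO = (
    "From: Sarah Chen <sarah.chen@yourcompany.example>\n"
    "To: you@yourcompany.example\n"
    "Subject: Lunch\n"
    "\n"
    "Are you free at 12?\n"
)
SAMPLE_SAME_DOMAIN = (
    "From: Payroll <noreply@yourcompany.example>\n"
    "Reply-To: hr@yourcompany.example\n"
    "To: you@yourcompany.example\n"
    "Subject: Payslip\n"
    "\n"
    "Your payslip is available on the portal.\n"
)


def _domain_of(address):
    """Return the lowercased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_domains(raw_message):
    """Return (from_domain, reply_to_domain); reply_to_domain is None when no Reply-To is set."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    reply_header = msg.get("Reply-To")
    if reply_header is None:
        return _domain_of(from_addr), None
    _, reply_addr = parseaddr(str(reply_header))
    return _domain_of(from_addr), _domain_of(reply_addr)


def reply_to_verdict(raw_message):
    """Classify a message as 'ok', 'suspicious' (Reply-To on another domain) or 'freemail'."""
    from_domain, reply_domain = header_domains(raw_message)
    if reply_domain is None or reply_domain == from_domain:
        return "ok"
    if reply_domain in FREEMAIL_DOMAINS:
        return "freemail"
    return "suspicious"


if __name__ == "__main__":
    for label, raw in [("diverted", SAMPLE_DIVERTED),
                       ("no reply-to", SAMPLE_NO_REPLY_TO),
                       ("same domain", SAMPLE_SAME_DOMAIN)]:
        print(f"{label:12s} -> {reply_to_verdict(raw)}")
```

A mail gateway rule built on the same comparison is a cheap way to tag messages before they reach a finance inbox; the 'suspicious' verdict is where mailing lists and ticketing systems legitimately land, so it is a prompt to look, not a block.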
2. The Request Bypasses Normal Process
This is the big one. The most expensive scams don't use malware or phishing links — they just ask you to do your job slightly differently.
Examples:
- "Can you process this payment directly? I'm travelling and can't go through the usual approval chain."
- "We've changed our bank details — please update your records and send the next payment to this account."
- "I need you to buy six Amazon gift cards for client gifts. Don't mention it to anyone, it's a surprise."
The attacker isn't hacking your systems. They're hacking your processes. Any email that asks you to skip a verification step, use a different channel, keep something confidential from colleagues, or change established payment details should trigger immediate suspicion — no matter who it appears to come from.
In 2019, Toyota Boshoku Corporation (a Toyota subsidiary) lost $37 million when a finance executive was persuaded by email to change wire transfer details for a payment to a supplier. The emails looked completely legitimate. No malware. No links. Just a convincing request to change a bank account number.
3. The Urgency Has a Specific, Tight Deadline
Generic urgency ("act now!") is easy to spot. Sophisticated scammers create plausible urgency with specific details:
- "The invoice is overdue and the supplier has threatened to halt deliveries by end of day Friday."
- "This acquisition is closing at 5pm today and we need the deposit transferred before then."
- "Your account will be locked in 2 hours unless you verify your identity."
The deadline serves two purposes. First, it creates time pressure that short-circuits critical thinking. Second, it discourages you from verifying through other channels — because who has time to call and check when there's a 2-hour window?
The tell: Legitimate urgent requests almost always come through multiple channels. If your CEO genuinely needed an emergency wire transfer, they'd call you, text you, walk to your desk — not rely solely on email. When urgency exists only in the email and nowhere else, that's your signal.
4. The Domain is Close — But Not Quite Right
This isn't about obvious fakes like paypa1.com. Modern attackers register domains that require careful reading to distinguish:
- yourcompany.co instead of yourcompany.com (truncated TLD)
- your-company.com (added hyphen)
- yourcompany.com.au when you normally deal with .com
- yourconpany.com (swapped letter)
- yourcompany-invoices.com (added word)
Attackers often register these domains weeks in advance, set up proper SPF/DKIM/DMARC records, and even create basic websites. The domain passes every technical authentication check because it is legitimately configured — it's just not the real company.
How to check properly: Don't glance at the name — read the actual email address character by character. On mobile, this is especially hard because clients truncate long addresses. If you're on your phone and the email involves money, wait until you're at a computer to verify.
In 2020, a study by Barracuda Networks found that attackers registered lookalike domains in 68% of business email compromise attacks. These aren't typos — they're deliberate, researched impersonations.
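Reading an address character by character is the manual check; the same comparison can be scripted. The block below is an added example, not code from the original article: it classifies a candidate domain against a trusted one using the five lookalike patterns listed in this section (truncated TLD, added hyphen, extra label appended, single swapped letter, added word), with a small edit-distance helper for the swapped-letter case. The domain names are the article's own illustrative ones; the function and reason strings are this example's.

```python
"""Classify a sender domain as trusted, a lookalike of the trusted domain, or unrelated."""


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_domain(candidate, trusted):
    """Return 'trusted', 'lookalike: <reason>' or 'unrelated'.

    'trusted' covers the exact domain and its subdomains; lookalike reasons follow the
    patterns listed in the article (TLD truncation, hyphen, extra label, swapped letter,
    added word). Anything else is 'unrelated'.
    """
    candidate = candidate.lower().rstrip(".")
    trusted = trusted.lower().rstrip(".")
    if candidate == trusted or candidate.endswith("." + trusted):
        return "trusted"

    # yourcompany.com.au: the whole trusted domain followed by extra labels.
    if candidate.startswith(trusted + "."):
        return "lookalike: extra label appended after the trusted domain"

    t_labels, c_labels = trusted.split("."), candidate.split(".")
    t_name, t_tld = t_labels[0], ".".join(t_labels[1:])
    c_name, c_tld = c_labels[0], ".".join(c_labels[1:])

    if c_name == t_name:
        # yourcompany.co: same name, TLD cut short or off by one character.
        if t_tld.startswith(c_tld) or levenshtein(c_tld, t_tld) == 1:
            return "lookalike: TLD truncated or altered"
        return "lookalike: different TLD"
    # your-company.com: identical once hyphens are ignored.
    if c_name.replace("-", "") == t_name.replace("-", ""):
        return "lookalike: hyphen added or removed"
    # yourcompany-invoices.com: the trusted name embedded in a longer label.
    if t_name in c_name:
        return "lookalike: word added to the trusted name"
    # yourconpany.com: exactly one character differs.
    if levenshtein(c_name, t_name) == 1:
        return "lookalike: one character changed"
    return "unrelated"


def sender_domain(address):
    """Extract the domain from an email address such as 'billing@yourconpany.com'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


if __name__ == "__main__":
    for d in ["yourcompany.com", "mail.yourcompany.com", "yourcompany.co", "your-company.com",
              "yourcompany.com.au", "yourconpany.com", "yourcompany-invoices.com", "example.org"]:
        print(f"{d:26s} {classify_domain(d, 'yourcompany.com')}")
```

Note what this check does not do: it cannot tell you whether a domain passes SPF, DKIM or DMARC, and as the section explains, a lookalike usually does. Authentication proves the message came from the domain it claims; this check asks whether that domain is the one you actually deal with.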
5. There's an Emotional Undercurrent You Can't Quite Place
The most effective scam emails make you feel something specific: anxiety, obligation, excitement, or guilt. Not in an obvious way — in a way that makes you act before thinking.
- Authority + secrecy: "I need you to handle this personally. Don't discuss with the team yet — I'll explain in the board meeting."
- Helpfulness exploitation: "I'm stuck in a meeting and desperately need someone to help with this. Can you take care of it?"
- Fear of consequences: "This needs to be resolved before the audit next week or we'll all have a problem."
- Flattery: "I'm reaching out to you specifically because I trust your judgement on financial matters."
These aren't just persuasion techniques — they're weapons-grade social engineering refined through thousands of attacks. The attacker knows that a mid-level employee receiving a direct request from the CEO feels a powerful compulsion to comply, especially when the request implies trust and confidentiality.
The test: Before acting on any email that stirred an emotional response, ask yourself: "If I ignore this email for 30 minutes and verify it through a different channel, what's the worst that happens?" If the honest answer is "nothing much," that tells you the urgency was artificial.
The Pattern Behind All Five Signs
Notice what these five signs have in common: none of them are about technical sophistication or poor production quality. Modern scam emails are beautifully crafted. They often reference real information scraped from LinkedIn, company websites, press releases, and even previous leaked email chains.
The tells are all about behaviour — requests that deviate from normal process, urgency that discourages verification, and emotional manipulation that overrides critical thinking. Training yourself to notice these patterns is more valuable than any spam filter.
That said, doing this for every single email is exhausting. That is where technology should pick up the slack.