The subject line said “Package delivery failed — reschedule now.” I had ordered something. I couldn’t remember what. The timing was plausible. The sender was “USPS-Notifications.” The logo looked right. I clicked.
That click took me to a page asking for my credit card to “verify identity for redelivery.” I almost entered it. Then I noticed the URL: usps-delivery-reschedule.com. Not usps.com. The extra words, the hyphen, the desperation in the design. I closed the tab. Reported it. And sat there for a minute, shaken, because I am careful about these things. And I had almost fallen for it anyway.
That was 2023. Since then, I’ve learned to read emails the way I read people — looking for the small tells that reveal the truth beneath the surface. Here are the tells I watch for now.
The Urgency Tell
Scammers want you to act before you think. Every email that demands immediate action is suspect. Not all urgent emails are scams — your bank might genuinely flag a transaction — but the scam version has a specific flavor of urgency. It’s manufactured. It feels like a pushy salesperson, not a concerned institution.
Real urgency from legitimate companies gives you options. “Please review this transaction within 24 hours.” Scam urgency gives you no time at all. “Your account will be suspended in 1 hour.” “Act now or lose access forever.” The clock is always ticking down, and the only way to stop it is to click immediately.
I have a rule now. Any email that makes my heart race gets a 10-minute wait. I set a timer. If it’s still important after 10 minutes, I handle it through the company’s official website, not the email link. The scam loses its power when the urgency expires.
“Your account has been compromised. Click here immediately to secure it.”
I got this from “PayPal-Security” in 2024. The logo was perfect. The grammar was perfect. The threat felt real. I logged into PayPal directly — not through the email — and found nothing wrong. The email was a near-perfect forgery. The only flaw was the sender domain: paypal-security-center.com. PayPal owns paypal.com. Nothing else. I reported it and now I check every sender domain by clicking the name, not just reading the display name.
The Sender Tell
Display names are meaningless. “Amazon Customer Service” can be typed by anyone. The real sender is in the email address, and even that can be spoofed. But most scammers are lazy. They rely on you not looking.
Click the sender name in your email client. The full address appears. Look at the domain — the part after the @. Does it match the company’s real domain exactly? Amazon uses amazon.com. Not amazon-support.com. Not amazon-orders.net. Not amaz0n.com with a zero.
Some scammers use subdomains to trick you. support@amazon.com is legitimate. support@amazon.com.scam-site.com is not. The real domain is the last part — scam-site.com. Everything before that is decoration.
Also watch for lookalike characters. A Cyrillic “а” instead of Latin “a”. An “rn” that looks like “m” at small font sizes. These are rare but sophisticated. When in doubt, type the company’s URL manually rather than clicking any link.
The Link Tell
Hover over links without clicking. The real destination appears in the corner of your browser or at the bottom of your email window. This is where scams often reveal themselves.
A link that says “Verify your account” might lead to verify-your-account-now.com. Or to a shortened URL like bit.ly/3xScamLink. Shortened links hide the destination. I never click them in emails unless I know the sender personally and expected the link.
Legitimate companies rarely use URL shorteners in security emails. They have no reason to hide their domain. If you see bit.ly, tinyurl, or t.co in a security alert, be suspicious. The exception is marketing emails, where tracking links are common. But security alerts should be direct and transparent.
“Click here to download your invoice.”
A supplier sent me this. I hovered. The link went to a Dropbox file. I checked — the supplier’s real invoices come as PDF attachments, not Dropbox links. I called them. They hadn’t sent it. The file was malware. The scammer had researched our business relationship and timed the fake invoice to match our billing cycle. This was targeted, not random. The hover saved me.
The Language Tell
Scam emails have gotten better at grammar. AI translation tools have improved. But language still reveals intent. Watch for:
Generic greetings. “Dear Customer” instead of your name. “Valued User” instead of anything specific. Legitimate companies usually have your name in their database. Scammers often don’t, or they’re sending to thousands and can’t personalize.
Vague threats. “Unusual activity detected on your account.” Which account? What activity? When? Real security alerts are specific. “A login attempt from IP 203.0.113.45 in São Paulo at 3:14 AM EST.” Scam alerts are vague because specifics require access to real data.
Awkward phrasing. “We are writing to inform you of a matter requiring your urgent attention regarding your account status.” This is not how humans write. It is how templates write. It is how someone who learned English formally but doesn’t use it daily writes. It is a distance signal. The writer is not close to the company they claim to represent.
The Attachment Tell
Unexpected attachments are dangerous. PDFs, Word documents, Excel files, ZIP archives — all can contain malware. Even images can be exploited in some cases.
I treat every unexpected attachment as guilty until proven innocent. The proof is not the file extension. It is context. Did I request this invoice? Am I expecting this contract? Do I know this sender? Is the file name specific and relevant, or generic and suspicious?
Generic names are red flags. “Invoice.pdf” not “Invoice-2026-06-AcmeCorp-4451.pdf.” “Document.zip” not “Q2-Report-Draft.zip.” Scammers reuse file names across campaigns. Specific names suggest human creation. Generic names suggest mass production.
Even expected attachments get opened with caution. I scan everything with my antivirus before opening. I enable “protected view” in Office documents, which prevents macros from running. I extract ZIP files to a sandbox folder before examining contents. These habits add 30 seconds. They have prevented infections I would not have noticed until too late.
The Voice Memo Scam
Someone I know received an email with a “voice memo” attachment. The name was their first name. “Hey [Name], listen to this.” Curiosity is powerful. They opened it. It was malware that encrypted their files and demanded ransom. The sender was spoofed — a known contact whose account had been compromised. The attachment was the trap. The curiosity was the trigger. Now I never open unexpected audio files. I text the sender first: “Did you send me a voice memo?” If they say no, I know. If they say yes, I ask what it’s about. The 30-second verification is free. The ransomware is not.
The Request Tell
What does the email want? Legitimate emails want you to know something. Scam emails want you to do something specific — click, enter credentials, download, call a number, send money. The action is the point.
I ask myself: is this request normal? My bank has never emailed me asking me to click a link and enter my password. They ask me to log in through their app or website directly. My employer has never sent me a PDF asking me to “enable editing to view content.” These are scam patterns dressed in familiar clothing.
Wire transfer requests are especially dangerous. “The CEO needs this transfer completed urgently.” “The vendor changed their banking details.” These are common business email compromise scams. The email appears to come from a colleague or executive. The request is plausible. The money disappears to a foreign account. Verification is simple: call the person using a known number, not the one in the email. Confirm verbally. The 2-minute call prevents the $50,000 loss.
The Gut Tell
After all the technical checks, the final filter is instinct. Something feels off. The tone is wrong. The timing is weird. The request doesn’t match the sender’s usual behavior. These are not paranoia. They are pattern recognition. Your brain has processed thousands of legitimate emails. The scam is a subtle mismatch. Trust the mismatch.
I have a friend who ignored her gut because the email looked official. She lost $2,400. I have another friend who trusted her gut over a perfectly formatted email and avoided a $15,000 wire fraud. The gut is data. It is the accumulation of small signals your conscious mind has not yet named. Do not override it with logic that says “this looks legitimate.” Looking legitimate is the scam’s job. Feeling wrong is your defense.
The Verification Habit
My personal rule: if an email asks me to do anything involving money, passwords, or downloads, I verify through a second channel. Text, call, or visit the website directly. Never use contact information from the suspicious email. The 2-minute verification has become automatic. I do not feel rude doing it. I feel responsible. The sender, if legitimate, will appreciate the caution. The scammer, if fake, has lost their opportunity. Either way, I win.
Conclusion
Scam emails are not going away. They are getting better. AI writes them now. They mimic tone, reference real events, and personalize based on leaked data. The technical tells — bad grammar, obvious fake domains — are fading. The human tells — urgency, vague threats, requests for action — persist.
The defense is not perfect detection. It is slowing down. Every scam relies on speed. The victim clicks before thinking, enters data before verifying, sends money before confirming. Slowing down by two minutes — hovering, checking, calling, waiting — destroys the scam’s business model. They need volume. They need fast victims. Be slow. Be suspicious. Be the person who takes an extra step.
The email that almost got me in 2023 would not get me today. Not because I am smarter. Because I am slower. Because I have habits. Because I treat my inbox as a neighborhood with some dangerous streets, and I look both ways before crossing.
Related Articles
- Safe Online Shopping Checklist to Avoid Fraud and Scams — Email scams often lead to fake shopping sites. This checklist protects you at the checkout stage.
- Fixing Weak Password Habits for Better Security — If a scam email does trick you into entering a password, strong unique passwords limit the damage.
- Setting Up Two-Factor Authentication for All Your Accounts — Even if a scammer gets your password, 2FA stops them. This guide shows you how to set it up.
- A Simple Cyber Safety Routine for Everyday Protection — The habits in this article are part of a broader daily security practice. Here’s how they connect.
- How to Audit Your Digital Footprint in Under 30 Minutes — Scammers use your exposed data to personalize emails. This audit reduces what they can find.
Sources and References
<
- Federal Trade Commission. “How to Recognize and Avoid Phishing Scams.” consumer.ftc.gov
- Anti-Phishing Working Group. “Phishing Activity Trends Report, 2025.” apwg.org
- CISA. “Avoiding Social Engineering and Phishing Attacks.” cisa.gov
- Google Safety Center. “How to avoid phishing attacks.” safety.google.com
- Microsoft Security Blog. “Phishing trends and detection techniques.” microsoft.com
This article was written because the author almost fell for a delivery scam in 2023 and has since developed verification habits that have prevented three similar attempts. The goal is not to make you fearful of email. It is to make you slow enough that scams cannot use your speed against you.
Daniel Kareem is a digital productivity and technology writer focused on simplifying everyday tech use. He creates practical guides on online safety, device optimization, and efficient workflows. His approach centers on clear, step-by-step advice that helps users stay organized, secure, and productive. Through straightforward and realistic content, he aims to make technology easier to understand and more useful in daily life.