
Phishing Emails vs. Legitimate Emails — How to Tell

Phishing emails use look-alike domains, urgency, and generic greetings to steal money. Legitimate emails come from official domains, use your real name, never ask for OTP or passwords, and pass SPF, DKIM, and DMARC checks.

TrustyBull Editorial 5 min read

Most people think a phishing email is easy to spot because of bad grammar and random fonts. That used to be true. Today, financial fraud and scams have become polished, personal, and often arrive from a domain that looks almost identical to your real bank. Here is how to tell a fake from a legitimate message, every single time.

How phishing emails really work now

A phishing email pretends to be from a trusted brand, friend, or authority. The goal is to make you click a link, download an attachment, or send money. Modern phishing uses your name, your city, and even recent transaction details scraped from leaked databases.

Common red flags you should check:

  • Sender domain tricks. The display name says HDFC Bank, but the address ends in hdfc-bank-alerts.com or support@hdfc.bankverify.in. Always read the full domain after the @ sign, right up to the end: in hdfc.bankverify.in the owner is bankverify.in, not HDFC.
  • Generic greetings. "Dear Customer" or "Valued User" when your real bank knows your name.
  • Urgency. "Your account will be blocked in 24 hours." Panic is the scammer's oldest tool.
  • Spelling and grammar. Sharper than before, but still has awkward phrasing like "Kindly do the needful immediately".
  • Link hover mismatch. Hover over the link on desktop, or long-press it on a phone, to preview the real URL. If the preview does not match the text shown, walk away.
  • Unexpected attachments. PDFs, Excel files, and HTML files that ask you to "verify KYC" are a classic payload. An HTML attachment is the fake login page itself, opened from your own disk, so no link check will catch it.
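
The checks in the list above can be run mechanically. The script below is an added example written for this page, not TrustyBull's code: it reads a constructed sample message (not a real email), compares the registrable domain after the @ with a hypothetical allow-list of official domains, checks whether Reply-To points elsewhere, looks for generic greetings and urgency wording, and compares the visible text of each link with where its href actually goes. Domain names and the allow-list are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). It packs in the tricks from
# the list above: a look-alike sender domain, a Reply-To on yet another
# domain, a generic greeting, urgency, and a link whose visible text shows
# the bank's real address while the href goes elsewhere.
SAMPLE_EMAIL = """From: "HDFC Bank" <alerts@hdfc-bank-alerts.com>
Reply-To: recover@hdfc.bankverify.in
To: customer@example.com
Subject: Your account will be blocked in 24 hours
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Kindly do the needful immediately and verify KYC here:
<a href="http://hdfcbank.com.verify-login.in/kyc">https://netbanking.hdfcbank.com</a></p>
</body></html>
"""

# Hypothetical allow-list of brand keyword -> domain the brand really sends
# from. A real deployment would load this from your own records.
OFFICIAL_DOMAINS = {"hdfc": "hdfcbank.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('a.b.example.com' -> 'example.com').
    Enough for .com/.in; a production check should use the Public Suffix List
    so that names like 'co.in' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_red_flags(raw: str) -> list:
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []

    # 1. Display name claims a brand, but the address after the @ is not on
    #    that brand's domain. Only the registrable domain counts.
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable_domain(addr.split("@")[-1])
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand in display.lower() and from_dom != official:
            flags.append(f"look-alike sender domain {from_dom} (official is {official})")

    # 2. Replies would go to a different domain than the one that sent the mail.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable_domain(reply.split("@")[-1]) != from_dom:
        flags.append(f"reply path differs from sender: {reply}")

    # 3. Generic greeting and urgency wording in subject or body.
    body = msg.get_payload()
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    if re.search(r"dear (customer|valued user)", text, re.I):
        flags.append("generic greeting")
    if re.search(r"blocked in \d+ hours|immediately", text, re.I):
        flags.append("urgency language")

    # 4. The text of a link shows one domain while the href goes to another.
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        href_dom = registrable_domain(urlparse(href).hostname or "")
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        if shown_host and registrable_domain(shown_host) != href_dom:
            flags.append(f"link mismatch: text shows {shown_host}, href goes to {href_dom}")
    return flags


if __name__ == "__main__":
    for flag in phishing_red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Run against the sample it reports all five flags; the same message with the official sender domain, a personal greeting and a link whose text and href agree reports none. Note that the domain comparison uses the registrable domain, which is why hdfcbank.com.verify-login.in is flagged as verify-login.in rather than mistaken for hdfcbank.com.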

Indian examples are everywhere. Fake UPI collect requests that look like refunds. SMS pretending to be from a postal courier asking for a redelivery fee. Emails claiming your PAN will be deactivated unless you click. All of these follow the same pattern.

How a legitimate email actually behaves

A legitimate email from your bank, broker, or a government body follows predictable patterns. Once you know them, spotting a fake gets easier.

  • Matching sender domain. The address ends in the official domain, for example @hdfcbank.com or @sebi.gov.in. Indian banks rarely use new top-level domains.
  • Personalised greeting. Uses your full name or account number as on record.
  • No direct login links. Most real emails tell you to log in by typing the URL yourself or by opening the app.
  • No password or OTP request. No legitimate institution will ever ask for your full password, PIN, CVV, or OTP over email.
  • Proper signature. Includes a registered office address, a customer care number you can verify on the official website, and grievance details.
  • Email authentication passes. Behind the scenes, SPF, DKIM, and DMARC checks confirm the email really came from the claimed domain. A pass is usually silent; what you will see is a warning, or the mail landing in spam, when DMARC fails for a domain that enforces it. The detail that matters is alignment: SPF or DKIM passing for the scammer's own domain proves nothing unless that domain matches the one shown in the From header.

Some providers like Gmail show a verified sender tick next to emails from brands that have set up BIMI (Brand Indicators for Message Identification) with a Verified Mark Certificate, which in turn requires DMARC to be enforced on the domain. That blue tick is one more signal, not proof, and a missing tick says nothing by itself, because most legitimate senders have not set BIMI up.
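The alignment point is easiest to see on two messages side by side. The script below is an added example written for this page, not TrustyBull's code: it parses the Authentication-Results header your own mail server adds (RFC 8601 format), recomputes the DMARC verdict by checking whether a passing SPF or DKIM identifier aligns with the From domain, and refuses to trust a header whose authserv-id is not the one you expect, since a sender can insert a fake Authentication-Results header of their own. Both messages, the authserv-id and the domains are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Only trust an Authentication-Results header written by your own receiving
# server; anyone can add one to a message before sending it. Hypothetical
# authserv-id for this example.
TRUSTED_AUTHSERV_ID = "mx.example.net"

# Constructed samples (not real messages). In the first, SPF and DKIM both
# "pass", but for the scammer's own domain, while the From header still
# claims the bank. In the second, both pass for the same domain as From.
SPOOFED = """Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@hdfc-bank-alerts.com;
 dkim=pass header.d=hdfc-bank-alerts.com;
 dmarc=fail (p=reject) header.from=hdfcbank.com
From: "HDFC Bank" <alerts@hdfcbank.com>
Subject: Verify KYC immediately

Dear Customer, ...
"""

LEGIT = """Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=alerts@hdfcbank.com;
 dkim=pass header.d=hdfcbank.com;
 dmarc=pass header.from=hdfcbank.com
From: "HDFC Bank" <alerts@hdfcbank.com>
Subject: Your monthly statement

Dear Mr Sharma, ...
"""


def registrable_domain(host: str) -> str:
    """'a.b.example.com' -> 'example.com'. Relaxed DMARC alignment compares
    organisational domains; a production check should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_auth_results(value: str) -> tuple:
    """Parse an Authentication-Results value into
    (authserv_id, {method: {'result': ..., property: value, ...}})."""
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0] if parts and parts[0] else ""
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok and not tok.startswith("("):  # skip comments like (p=reject)
                key, val = tok.split("=", 1)
                props[key.lower()] = val
        results[method.lower()] = props
    return authserv_id, results


def dmarc_alignment(raw: str) -> dict:
    """Recompute the DMARC verdict: does a passing SPF or DKIM identifier
    align with the domain the reader actually sees in the From header?"""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable_domain(from_addr.split("@")[-1])

    authserv_id, ar = parse_auth_results(msg.get("Authentication-Results", ""))
    if authserv_id != TRUSTED_AUTHSERV_ID:
        ar = {}  # untrusted header: treat every method as absent

    spf = ar.get("spf", {})
    dkim = ar.get("dkim", {})
    spf_dom = registrable_domain(spf.get("smtp.mailfrom", "").split("@")[-1])
    dkim_dom = registrable_domain(dkim.get("header.d", ""))
    spf_aligned = spf.get("result") == "pass" and spf_dom == from_dom
    dkim_aligned = dkim.get("result") == "pass" and dkim_dom == from_dom
    return {
        "from_domain": from_dom,
        "spf_pass": spf.get("result") == "pass",
        "spf_aligned": spf_aligned,
        "dkim_pass": dkim.get("result") == "pass",
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, dmarc_alignment(raw))
```

The spoofed message shows spf_pass and dkim_pass as true and dmarc_pass as false: the scammer controls hdfc-bank-alerts.com, so that domain authenticates perfectly, but neither identifier aligns with hdfcbank.com. Whether such a message reaches the inbox then depends on the bank domain publishing an enforcing DMARC policy (p=quarantine or p=reject).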

Phishing vs legitimate emails at a glance

Keep this table handy. When any email surprises you, run it through these nine checks before clicking anything.

Check              Phishing email                           Legitimate email
Sender domain      Look-alike or random domain              Exact official domain
Greeting           Generic, like "Dear Customer"            Uses your real name
Tone               Urgent, threatening, fear-based          Calm, informative
Links              Hover reveals a mismatched URL           Matches the brand domain
Attachments        Surprise PDFs, HTML files                Rare, and only expected ones
Credential ask     Asks for OTP, PIN, password              Never asks for these
SPF/DKIM/DMARC     Fails or missing                         Passes silently
Spelling           Awkward phrasing, subtle typos           Clean, proofread
Reply path         Reply-To differs from sender address     Matches the sender address

The verdict: your 60-second routine

Do not trust a single signal. Scammers can spoof one or two. Stack several checks together.

  1. Read the full sender address, not just the display name.
  2. Hover over every link before clicking.
  3. Ask: did I request this? Was I expecting a bill, a KYC update, or a refund?
  4. Never type passwords or OTPs after clicking a link in an email. Go to the app instead.
  5. If in doubt, call the number printed on the back of your debit card, not the number in the email.

If you have already clicked a link or shared a password, act fast. Change your banking password, block the card through your app, and report the fraud. You can report suspected financial fraud in India on the national cybercrime helpline 1930 or on sebi.gov.in for securities-related scams.

Treat every surprise email as guilty until proven innocent. That one habit, done daily, will save you more money than any antivirus ever could.

Frequently asked questions

Can a phishing email look exactly like my bank email?

Almost, but not exactly. Scammers can copy logos and layouts, but they cannot pass DMARC for a bank domain that enforces it, and they rarely know your full account details. Where they get closest is a look-alike domain that passes SPF and DKIM for itself, or a bank domain with no enforced DMARC policy, which is why you check the exact sender domain and not just the authentication badge.

What should I do if I already clicked a phishing link?

Disconnect from the internet, change passwords from another device, block your cards through the bank app, enable two-factor authentication everywhere, and report it to 1930 or cybercrime.gov.in. The sooner you act, the less damage is done.

Is the blue verified tick on Gmail always safe?

It is a strong signal but not final proof. Scammers can still spoof display names and register look-alike domains. Always combine the tick check with sender domain and link hover checks.

How do SPF, DKIM, and DMARC help?

They are technical checks that confirm an email really came from the domain in the From header: SPF checks the sending server, DKIM checks a signature on the message, and DMARC requires one of them to pass for the same domain the recipient sees. If DMARC fails, most inboxes show a warning or move the email to spam.