You're staring at an email that almost looks right. It has a familiar logo, it mentions your bank or your Apple account or a package you don't remember ordering, and there's a link sitting right there asking you to confirm something. Something about it feels off, and you're not sure whether to click.
That hesitation is exactly the right instinct. Scam emails are designed to look genuine and to rush you, and the single biggest mistake is clicking before you've checked. This guide walks through the warning signs in the order you're most likely to notice them, then shows you the exact steps to verify and report on Gmail, Outlook, Yahoo, and Apple.
You don't need to be technical. You just need to know what to look at, and what to do instead of clicking.
Check the Sender's Address First
The fastest tell is the sender's actual email address, not the display name. A message may claim to be from a reputable company while being sent from an unrelated domain like a free Gmail address or something like "microsoftsupport.ru".
Apple describes the same red flag: the sender's email or phone doesn't match the name of the company, or is different from the one you originally gave that company. If the brand and the address don't line up, treat it as suspect.
Read the Domain Character by Character
Scammers register look-alike domains with subtle misspellings. A classic example is "micros0ft.com", where the second "o" is replaced with a zero. These swaps are easy to miss at a glance.
Yahoo notes that fake addresses may be missing letters, misspelled, replace letters with look-alike numbers (like O and 0), or simply come from free email services. Read the domain slowly, letter by letter, before you trust it.
Watch for Urgency and Threats
Be suspicious of any message that pressures you to act immediately. Scams say you must click, call, or open an attachment right now, claim an account will be canceled, warn that a penalty or fine is due, or threaten other negative consequences.
This urgency tell is often paired with threats and with fear. Legitimate organizations rarely demand instant action under threat. The pressure itself is the warning sign.
Notice Generic Greetings and Bad Grammar
An organization that actually works with you usually knows your name. Opening with "Dear sir or madam" is a warning sign of a mass scam.
Obvious spelling and grammar errors are another giveaway. Legitimate companies have editorial staff, so awkward translation or clumsy mistakes suggest a scam rather than a real notice.
Be Wary of Requests for Personal or Financial Information
Apple, Google, Yahoo, and Microsoft all state plainly that they will never ask you for passwords or personal and financial information by email. That includes your account password, PIN, Social Security number, credit card number, birthday, or account numbers.
If an email asks for any of this directly, it is a scam. No exceptions from these providers.
Hover Over Links Before You Trust Them
A link can look correct while pointing somewhere else. Apple's red flag is a link that looks right but whose URL doesn't match the company's website.
To check on a computer, hover your mouse over the link without clicking and read the address that pops up. If it doesn't match the real site, don't click. Remember that phishing pages are built to look genuine and are designed to trick you into entering your information.
Treat Unexpected Attachments and Offers as Suspect
Unsolicited messages that arrive with an attachment are a known signal, and attachments or links may install malware. Don't open them.
Be equally skeptical of offers that are too good to be true, such as "You unlocked one free year of Netflix!" that then asks for your bank or credit card details. Limited-supply or prize lures exploit your fear of missing out. So do messages that look significantly different from other emails you've received from that company.
Recognize Impersonation and Emotional Manipulation
Criminals pose as trusted authorities and people. Microsoft lists impersonation of banks, government, Netflix, Spotify, Microsoft, Amazon, Apple, your boss, or a family member. Yahoo adds the relative or friend who suddenly needs an urgent favor.
The tactics lean on emotion: threatening language, false offers of support, or teasing you to "find out more." Scams also ride current events and seasonal moments like tax reporting, so a topical hook is not proof of legitimacy.
Don't Trust Tech-Support Pop-Ups
Tech-support scams use scary pop-ups claiming a virus, messages that block access to your machine, alarming sounds or voices, and a phone number to call. Microsoft is explicit: real error messages from Microsoft never include a phone number, Microsoft will never cold-call you, and it will never ask for your Social Security number.
Verify Out of Band Instead of Clicking
When something feels wrong, the safe move is to verify independently rather than trusting the email itself.
- 1.Do not click links or open attachments in the suspicious message.
- 2.Hover over any link (without clicking) and confirm the address matches the real site.
- 3.Open a new browser tab and go to the organization's website from your own saved favorite or a web search.
- 4.Contact the company using official phone numbers or emails listed on that site, not anything in the email.
- 5.If an unexpected request seems off, presume it's a scam and reach the company directly.
- 6.Never enter your password into a page you reached by clicking a link in a message.
Report Phishing in Gmail on a Computer
- 1.Open the message in Gmail.
- 2.Next to Reply, click More (the three-dot icon).
- 3.Click "Report phishing".
To reverse a wrong classification, use the same menu and choose "Report not phishing". Reporting sends Google a full copy of the email and its attachments for analysis; that's expected behavior, not a leak.
Report Phishing in Outlook
On Outlook on the web and Outlook.com, select the suspicious message in the list, then above the reading pane choose Report > Report phishing. This works in both the Classic and Simplified Ribbon. In the new Outlook for Windows, select the message and choose Report > Report phishing from the ribbon (or Report > Report junk for spam).
On the Outlook mobile app for iOS and Android, open the email, tap the three-dot menu at the top right, select "Report Junk", then choose Junk, Phishing, or Block Sender. Note that marking a message as phishing reports the sender but does not block them; add them to your blocked senders list separately if you want that. Microsoft's older Report Message and Report Phishing add-ins are being retired, so use the built-in Report button.
Report Phishing in Yahoo Mail
- 1.Do not respond to or click links in the suspicious message.
- 2.Select the email and click the Spam button to move it out of your inbox, which also improves Yahoo's filters.
- 3.Alternatively, use "Report" or "Remove sender".
- 4.If you're unsure, contact the company's customer service directly to verify.
Within Yahoo Mail, a message that claims to be from a reputable brand but lacks a purple check mark is itself a tell.
Handle Emails Impersonating Apple
Forward suspicious phishing emails to reportphishing@apple.com. For suspicious FaceTime calls use reportfacetimefraud@apple.com, and for iCloud abuse use abuse@icloud.com.
Never enter account info through an email link. Update your account details only in Settings on your iPhone, iPad, or iPod touch, in iTunes or the App Store on a Mac, or in iTunes on a PC, and change your password only at account.apple.com. To check a purchase, review your real purchase history rather than any link, since genuine receipts include your current billing address (which scammers are unlikely to have). Apple will never ask you to log in to a website, tap Accept in a two-factor dialog, or hand over your password, passcode, or 2FA code.
Lock Down an Account You Think Is Compromised
If you've already entered details on a scam page, act fast.
- 1.Change the affected account's password immediately.
- 2.Turn on two-factor or two-step verification.
- 3.For Google accounts, check for unsafe saved passwords at passwords.google.com and enable Safe Browsing Enhanced Protection in Chrome.
- 4.For Apple, change your password at account.apple.com and confirm two-factor authentication is on.
Frequently Asked Questions
Will a real company ever ask for my password by email?
No. Gmail, Yahoo, Apple, and Microsoft all state they will never ask for your password or personal and financial information by email. Any message that does is a scam.
The email passed authentication, so it's safe, right?
Not necessarily. Outlook's "via" tag means the sending domain is authenticated, not that the message is harmless; a domain can be authenticated and still be a spoof where the From address differs from the real sending domain. A "?" in the sender image only means Outlook couldn't verify the sender, so treat unauthenticated mail from unknown senders with caution.
If I report a message in Outlook, does that also block the sender?
No. Marking a message as phishing reports the sender but does not stop them from emailing you again. You have to add them to your blocked senders list separately.
How can I tell a real Apple receipt from a fake one?
A genuine receipt includes your current billing address, which scammers usually don't have, and you can confirm any charge against your real purchase history. Legitimate Apple emails never ask for your Social Security number, mother's maiden name, full credit card number, or the card's security code.
Where do I report phishing to authorities in the US and UK?
In the US, forward a phishing email to reportphishing@apwg.org, forward a phishing text to SPAM (7726), and report the attempt at ReportFraud.ftc.gov. In the UK, forward the email to report@phishing.gov.uk; you don't need to forward messages already sitting in your spam folder, and if you've lost money you can report it at reportfraud.police.uk or call 0300 123 2040.
Is it safe if a pop-up says I have a virus and gives a phone number to call?
No. Real Microsoft error messages never include a phone number, and Microsoft never cold-calls you. Those pop-ups, alarming sounds, and blocked screens are tech-support scams.
