How to Check If an Email, Text, or Link Is a Scam
Almost every scam asks you to click, open, or hand over something. Here is a simple red-flag checklist for delivery scams, fake bank alerts, invoices, and urgent login messages.

Table of contents
Almost every scam, no matter how sophisticated, asks you to do one of three things: click a link, open an attachment, or hand over information. That means you do not need to be a security expert to protect yourself. You just need a short mental checklist you can run in ten seconds before you act. This guide gives you that checklist and shows how to apply it to the scams you are most likely to meet: fake deliveries, bank alerts, invoices, and urgent login messages.
The mindset that beats most scams
The UK's National Cyber Security Centre (NCSC) describes phishing simply: criminals "use scam emails, text messages or phone calls to trick their victims." Modern AI has made these messages cleaner and more personal, so the old tell of bad spelling is unreliable now. The new defence is about behaviour, not grammar: slow down, and verify through a channel you control rather than the one in the message.
The single most useful habit is this: a real organisation will never lose anything if you take five minutes to check. A scammer needs you to act now. So any pressure to hurry is itself a warning sign.
The red-flag checklist
Run these questions before clicking, opening, or replying.
- Was it unexpected? A message you did not ask for, about an account, parcel, or payment, deserves suspicion.
- Is it creating urgency or fear? "Your account will be closed," "final notice," "verify within 24 hours." Pressure is the scammer's favourite tool.
- Does the link match the sender? Hover or long-press to preview the real destination. A "bank" link pointing to a random domain is a scam.
- Is it asking for secrets? Legitimate organisations do not ask for passwords, full card numbers, or one-time codes by email or text.
- Does the address look almost right? Lookalike domains swap or add a character (a missing letter, an extra word, an odd country code).
- Is the greeting generic or oddly specific? Both can be signs; AI now lets scammers personalise messages using data from past breaches.
If even one answer is troubling, stop and verify.
How to verify safely
The golden rule: never use the contact details inside the suspicious message. Instead, reach the organisation through a route you already trust.
| Scam type | How to check it |
|---|---|
| Delivery scam ("pay a small fee to release your parcel") | Track the parcel in the courier's official app or website you find yourself |
| Bank alert ("suspicious login, confirm now") | Open your banking app directly or call the number on your card |
| Fake invoice | Contact the company using a number from a previous genuine document |
| Urgent login message | Go to the site by typing the address yourself, not via the link |
This works because it cuts the scammer out of the loop entirely. Whatever the message claims, you confirm it independently.
If you have already clicked or replied
Do not panic, but act promptly. If you entered a password, change it on that account and anywhere you reused it, then turn on multi-factor authentication. If you shared card details, contact your bank. The NCSC stresses that reporting is quick and worthwhile, noting that "reporting a scam is free and only takes a minute" and helps get the scam taken down for others. Forward suspicious emails and texts to your provider or national reporting service.
Bottom line
You do not need to identify every scam technique. You need a habit: pause on anything unexpected or urgent, check the link rather than the logo, never share passwords or codes, and verify through a channel you trust instead of the one in the message. That ten-second routine defeats the overwhelming majority of phishing, AI-polished or not.
Sources and further reading
Sources
- NCSC: Phishing attacks — dealing with suspicious emails, calls and messages ncsc.gov.uk


