Scams & Phishing

How to Check If an Email, Text, or Link Is a Scam

Almost every scam asks you to click, open, or hand over something. Here is a simple red-flag checklist for delivery scams, fake bank alerts, invoices, and urgent login messages.

Cybersecurity for Beginners · Jul 2, 2026 · updated Jun 16, 2026
How to Check If an Email, Text, or Link Is a Scam
Table of contents
  1. The mindset that beats most scams
  2. The red-flag checklist
  3. How to verify safely
  4. If you have already clicked or replied
  5. Bottom line
  6. Sources and further reading

Almost every scam, no matter how sophisticated, asks you to do one of three things: click a link, open an attachment, or hand over information. That means you do not need to be a security expert to protect yourself. You just need a short mental checklist you can run in ten seconds before you act. This guide gives you that checklist and shows how to apply it to the scams you are most likely to meet: fake deliveries, bank alerts, invoices, and urgent login messages.

The mindset that beats most scams

The UK's National Cyber Security Centre (NCSC) describes phishing simply: criminals "use scam emails, text messages or phone calls to trick their victims." Modern AI has made these messages cleaner and more personal, so the old tell of bad spelling is unreliable now. The new defence is about behaviour, not grammar: slow down, and verify through a channel you control rather than the one in the message.

The single most useful habit is this: a real organisation will never lose anything if you take five minutes to check. A scammer needs you to act now. So any pressure to hurry is itself a warning sign.

The red-flag checklist

Run these questions before clicking, opening, or replying.

  • Was it unexpected? A message you did not ask for, about an account, parcel, or payment, deserves suspicion.
  • Is it creating urgency or fear? "Your account will be closed," "final notice," "verify within 24 hours." Pressure is the scammer's favourite tool.
  • Does the link match the sender? Hover or long-press to preview the real destination. A "bank" link pointing to a random domain is a scam.
  • Is it asking for secrets? Legitimate organisations do not ask for passwords, full card numbers, or one-time codes by email or text.
  • Does the address look almost right? Lookalike domains swap or add a character (a missing letter, an extra word, an odd country code).
  • Is the greeting generic or oddly specific? Both can be signs; AI now lets scammers personalise messages using data from past breaches.

If even one answer is troubling, stop and verify.

How to verify safely

The golden rule: never use the contact details inside the suspicious message. Instead, reach the organisation through a route you already trust.

Scam type How to check it
Delivery scam ("pay a small fee to release your parcel") Track the parcel in the courier's official app or website you find yourself
Bank alert ("suspicious login, confirm now") Open your banking app directly or call the number on your card
Fake invoice Contact the company using a number from a previous genuine document
Urgent login message Go to the site by typing the address yourself, not via the link

This works because it cuts the scammer out of the loop entirely. Whatever the message claims, you confirm it independently.

If you have already clicked or replied

Do not panic, but act promptly. If you entered a password, change it on that account and anywhere you reused it, then turn on multi-factor authentication. If you shared card details, contact your bank. The NCSC stresses that reporting is quick and worthwhile, noting that "reporting a scam is free and only takes a minute" and helps get the scam taken down for others. Forward suspicious emails and texts to your provider or national reporting service.

Bottom line

You do not need to identify every scam technique. You need a habit: pause on anything unexpected or urgent, check the link rather than the logo, never share passwords or codes, and verify through a channel you trust instead of the one in the message. That ten-second routine defeats the overwhelming majority of phishing, AI-polished or not.

Sources and further reading

Sources

  • NCSC: Phishing attacks — dealing with suspicious emails, calls and messages ncsc.gov.uk