There may be clues. Or not.
While it can be helpful to identify fake email addresses — they’re a great clue as to whether the email you’re looking at is a scam, or worse — you might not be able to. A phony email address can easily be made to look like a valid one.
Sometimes there are clues, and I’ll review a few of those, but some of those clues also apply to legitimate email addresses.
Fake email address?
Determining if an email address is fake can be tricky and perhaps impossible. Be sure to pay attention to the actual email address, not the display name. Use whois tools to confirm the domain exists. Look for typos or misleading domains. Be cautious if the email content feels off. Scammers are clever; it’s hard to be 100% sure just based on the email address.
Two parts to what you see
When you get an email, you may see something that looks like this.
From: Ask Leo! <email@example.com>
The first part is the “display name”. It can be anything the sender configures. The second part (in angle brackets) is the actual email address.
Our first problem is that many email programs display this instead:
From: Ask Leo!
The email address is hidden. The only way to see it is to hover your mouse pointer over the display name.
Spammers know this and use it to mislead you. For example:
looks like it’s coming from firstname.lastname@example.org, but it is not. The display name, which can be anything, has been set to “email@example.com”. The actual email address is firstname.lastname@example.org. This mismatch is a great clue that something may be amiss, but again, you won’t see it unless you put your mouse pointer over it.
So if your email program doesn’t display both, make sure you’re looking at the email address and not the display name.
An email address has several parts. Using “leo@askleo.com” as an example:
- leo – the email account
- @ – the separator that indicates that the email domain follows
- askleo.com – the domain name of the email server, which itself is comprised of three parts:
If the email address does not follow that syntax, it’s invalid. For example, “leo@firstname.lastname@example.org” is invalid.
Unfortunately, most spammers get this part correct.
Whois may not tell you much about the owner of the domain, but it will tell you if it’s registered by someone. If it’s not registered or it’s available to buy, then it’s likely a fake email address.
Whois may also tell you how recently the domain was registered. A recently registered domain (days or weeks old) might be suspect.
Typos and misleading domains
Look for typos in the email address. This is particularly true if the email address appears to be someone you recognize. For example, “email@example.com” might be an attempt to fool you.
Similarly, a look-alike domain, such as “firstname.lastname@example.org”, can be an attempt to mislead you.
Perhaps more common are email addresses built on top of domains that have been compromised. “Leo@askleo.com.somerandomservice.com” could be a working email address, but it’s likely to be fake because it tries to trick you into thinking it’s related to askleo.com when it is not.
Character replacements can be difficult to detect, and they are more commonly used in links in emails you might get. However, they can be used in email addresses as well.
Consider these three email addresses:
If you’re not careful, you could confuse the first two, even though they are completely unrelated to one another.
Depending on the font used by your email program, you could also confuse the first and third, which tries to confuse you by using the digit 1 rather than a lowercase L.
Display name versus email mismatch
A display name should match the email address in some way. These two examples are likely to be valid.
Ask Leo <email@example.com>
Leo Notenboom <firstname.lastname@example.org>
Bill Gates <email@example.com>
is almost certainly bogus. This type of mismatch is common in spam.
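The checks described above (display name versus real address, a trusted name buried inside another domain, and digit-for-letter swaps) can be run mechanically over a From: line; the following Python is an added example, not code from Ask Leo!. The `TRUSTED` list, the clue names, and the sample headers (including `ask1eo.com`) are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: the domains you really correspond with; adjust to your own.
TRUSTED = {"askleo.com"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SWAPS = str.maketrans({"1": "l", "0": "o"})  # digit-for-letter swaps

def domain_of(address):
    """Lower-cased domain, or '' when the address is not account@domain.tld."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "@" in local or "." not in domain.strip("."):
        return ""
    return domain.lower()

def clues(from_header):
    """Return the clue names found in one From: header value."""
    display, address = parseaddr(from_header)
    domain = domain_of(address)
    if not domain:
        return ["bad-syntax"]
    found = []
    # Display name shows an address on a different domain than the real one.
    shown = ADDR_RE.search(display)
    if shown and domain_of(shown.group()) != domain:
        found.append("display-name-shows-other-address")
    for trusted in TRUSTED:
        if domain == trusted:
            continue
        # Trusted name used as the left-hand labels of someone else's domain.
        if domain.startswith(trusted + ".") or f".{trusted}." in domain:
            found.append("trusted-name-inside-other-domain")
        # Same spelling once digits are mapped back to the letters they mimic.
        if domain.translate(SWAPS) == trusted:
            found.append("look-alike-domain")
    return found

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    'Ask Leo! <leo@askleo.com>',
    '"leo@askleo.com" <billing@somerandomservice.com>',
    'Ask Leo! <leo@askleo.com.somerandomservice.com>',
    'Ask Leo! <leo@ask1eo.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r}: {clues(header) or 'no clues'}")
```

An empty result proves nothing: a forged From: line that uses a perfectly ordinary address passes every one of these checks.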
The body of the email
While not technically a check on the email address itself, the content of the email message, particularly typos and grammar that seem off or flat-out wrong, is also a sign that the sender might be bogus.
Especially if the email claims to come from someone you correspond with regularly and it just feels wrong — perhaps it doesn’t sound like them, or it’s asking something that your correspondent would normally never ask — it’s definitely worth a careful look.
This is somewhat of an advanced check, but it can be helpful.
You may already be familiar with DNS, or the Domain Name System. It maps names (like somerandomservice.com) to IP addresses (such as 188.8.131.52).
Using what’s called an MX (for Mail eXchange) record, DNS is also used to determine which email servers handle email for which domains. Any domain that can receive email should have an MX record. While designed for technical folks configuring MX records, mxtoolbox.com is a good, quick resource to see if an MX record exists. Enter the domain portion of the email address you’re checking out.
If the tool doesn’t display an MX record, that may be a clue that all is not what it seems.
Everything could be valid
Spammers don’t need to resort to any of the tricks above to make a fake email address. Someone could easily use something like:
Ask Leo! <firstname.lastname@example.org>
That’s a perfectly valid email address for an account that doesn’t exist. It could even be someone else’s email address — including yours. The spammers want you to act on the body of the email, not the email address.
Since spammers rarely care about replies or bounces, and since it’s trivial for them to put anything in the From: line, this may be the most common approach of all.
Here’s the problem: every one of these clues can lead you wrong.
- It’s possible to craft an email address that seems to have bad syntax but is OK.
- It’s possible for a domain check to show ownership even if the domain is unused.
- Special characters (like ö) are valid and could be used by someone in a legitimate email address.
- Sometimes display names are intentionally different than the email address they’re paired with.
- Some people are poor at spelling and grammar.
- An MX record isn’t actually required, so the lack of one doesn’t necessarily prove anything.
This is part of what makes it so difficult to truly determine whether or not an email address is a sham meant to mislead you.
Be skeptical. Look for the clues I’ve outlined above. Chances are that if you think it’s fake, it’s fake. But understand that being 100% certain based solely on the email address you see in the From: line is almost impossible.