eSafety 101
Published on
Start hereDigital safety basics · Part 9

How to Check Whether a Message Is Real

Quick read

For everyone

Main point

Main point: do not trust a message just because it looks professional, uses a familiar logo, or appears to come from someone you know.

A message may be fake if it asks you to act quickly, click a link, open an attachment, send money, share personal information, provide a code, sign in to an account, or follow payment instructions.

Before you act, ask:

  • Was I expecting this message?
  • Does the request make sense?
  • Is there pressure to act quickly?
  • Is it asking for money, personal information, passwords, or account access?
  • Does it include bank details or payment instructions?
  • Can I verify it another way?

Be especially careful with payments. If you are paying a house deposit, invoice, contractor, school fee, vehicle deposit, rent, or any large amount, confirm the bank details through a separate trusted contact method before sending money.

A safer habit: if the message matters, check it through a separate trusted channel before doing anything.

A little deeper

For curious readers

Context

So far in this series, we have focused on slowing down, recognising pressure, verifying separately, and being careful with links, attachments, QR codes, and personal information.

Now we are bringing those ideas together into a simple process you can use when a message arrives.

Messages can come by email, text message, phone call, social media, chat app, online marketplace, or even through a compromised account belonging to someone you know.

Some scam messages are obvious. Others are carefully written, well timed, and look very real.

The goal is not to instantly know whether every message is real or fake.

The goal is to notice when a message needs checking before you act.

Step 1: Look at what the message wants you to do

Many scam messages are designed to push you toward an action.

Be careful if the message asks you to:

  • Click a link.
  • Open an attachment.
  • Scan a QR code.
  • Send money.
  • Pay an invoice, deposit, or fee.
  • Use new or changed bank details.
  • Share personal information.
  • Enter a password.
  • Provide a security code.
  • Approve a sign-in.
  • Install software.
  • Call a number provided in the message.

If the action involves money, identity, passwords, codes, or account access, treat it as high-risk.

Step 2: Check the pressure

Scammers often try to make the message feel urgent, frightening, exciting, or too good to ignore.

Watch for messages that say things like:

  • Your account will be closed.
  • Your payment has failed.
  • Your parcel cannot be delivered.
  • You owe money immediately.
  • Your bank account is at risk.
  • You have won a prize.
  • You must act today.
  • Someone needs urgent help.

Pressure is not proof of a scam, but it is a reason to slow down.

Step 3: Check the sender carefully

A familiar name is not enough.

Email display names can be misleading. Phone numbers can be spoofed. Social media accounts can be copied or compromised. A message from a known contact may still be unsafe if their account has been taken over.

Look carefully, but do not rely only on what you see in the message.

Step 4: Avoid the path provided by the message

If the message gives you a link, phone number, attachment, or QR code, remember that the message may be trying to control your next step.

Instead:

  • Open the official app directly.
  • Type the website address yourself.
  • Use a saved bookmark.
  • Call a number from an official website, card, statement, or saved contact.
  • Contact the person through a different trusted method.

Step 5: Verify separately before acting

If a message is unexpected, verify it before trusting it.

If a message is expected but high-risk, verify the important details before acting on it.

This is especially important for payments, changed bank details, identity documents, passwords, security codes, and account access.

A simple rule:

If the message could cost you money, expose your personal information, or give someone access to an account, check it another way first.

Technical notes

For confident users

Technical

Message-based scams commonly use phishing, smishing, vishing, impersonation, business email compromise, payment redirection, and account takeover techniques.

A message should be assessed by looking at the requested action, the communication channel, the sender identity, the destination, the timing, and the consequences of being wrong.

Sender identity is not always reliable. Email display names can be forged or misleading. Domains may be lookalikes. Phone numbers may be spoofed. SMS messages can appear in existing threads. Social media and email accounts can be compromised and then used to contact trusted people.

Message context can also be manipulated. An attacker may time a message around a real event, such as a delivery, property purchase, invoice, subscription renewal, job application, or support request. This makes the message feel expected even when the details have been altered.

High-risk requests should trigger separate verification, especially when they involve:

  • Payments or refunds.
  • New or changed bank account details.
  • Login links.
  • Password resets.
  • Multi-factor authentication codes.
  • Sign-in approval prompts.
  • Identity documents.
  • Remote access software.
  • Attachments with invoices, forms, or instructions.
  • Requests to keep the conversation secret.

A useful model is to separate four things:

  • The claim: what the message says is happening.
  • The action: what the message wants you to do.
  • The path: the link, number, attachment, QR code, or reply method it provides.
  • The verification: how you independently check whether the request is legitimate.

The safest verification path should not come from the message being checked.

For important accounts, use a known-good path such as the official app, a typed website address, a saved bookmark, a trusted contact, or a verified phone number from a previous reliable source.

Good technical controls can help, including spam filters, browser warnings, password managers, multi-factor authentication, and endpoint protection. But these controls are not perfect.

The most reliable habit is to pause, identify the requested action, assess the risk, and verify separately before acting.

Disclaimer: All content on this website is general in nature and is not in any way advice. While we strive to ensure the accuracy and relevance of the content, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to this website or the information, products, services, or related graphics contained on the website for any purpose. Therefore, any reliance on such information is strictly at your own risk.

In no event will we be liable for any loss or damage, including, without limitation, indirect or consequential loss or damage, or any loss or damage arising from loss of data or profits arising out of, or in connection with, the use of this website. Through this website, you can link to other websites that are not controlled by this website. We have no control over the nature, content, and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.