Is This Email Real? 7 Checks Before You Click | McDade
Is this email real? Seven checks before you click anything.
- By Dallas Downey, CLCS
Published July 2, 2026 - Business Insurance
Phishing was the most reported internet crime in America again last year, and the reason is simple. It works at the speed of a busy inbox. These are the seven checks we teach client teams, in the order to run them, each one taking seconds.

The answer
Real emails survive verification and scams do not, which is why every check below ends the same way. Verify through a channel you already control, never one the email provides. Run the seven checks in order, and the moment any one fails, stop clicking and start reporting.
Read the actual address, not the display name
The display name says your bank, your vendor, or your boss. The address underneath says otherwise. Criminals register lookalike domains one character off from the real thing, and investigators tracking the current campaigns against professional firms documented naming patterns built specifically to impersonate company help desks.
On a phone, tap the sender's name to expose the real address. The display name is a costume. The address is the person.
Expand the sender and read the domain letter by letter. Anything off by one character, or from a free consumer account claiming to be a company, fails the check.
Ask whether you were expecting it
An invoice you did not expect, a delivery you did not order, a document share from a project that does not exist. Unexpected is not proof of fraud, but it is the trigger for verification. Google's threat investigators documented a twist worth knowing, invoice emails with no link and no attachment at all, sent only to set up a follow-up phone call from a fake IT helpdesk.
A harmless looking message that arrives out of nowhere and asks for nothing is not automatically safe. Sometimes it is the setup.
Unexpected means verify before you touch it. Contact the supposed sender through a number or address you already have on file, never through the message itself.
Weigh the urgency against the ask
Act today. Your account will be suspended. The wire has to move before the deadline. Pressure is the mechanism, because pressure is what keeps busy people from making one verifying call. Real institutions almost never demand irreversible action inside an artificial deadline.
The bigger the consequence the email threatens, the more the verification matters, which is the exact opposite of what the email wants you to feel.
Treat urgency itself as a red flag. Any message pressing for immediate action on money, credentials, or access gets verified out-of-band before anything else happens.
Inspect the links without clicking them
The words on the screen and the destination underneath can be completely different. On a computer, hover the link and read the address that appears. On a phone, press and hold the link to preview it without opening it.
Look at the actual domain, the part just before the first single slash. Criminals bury real sounding names inside fake domains, hoping you read the beginning and skip the middle.
Hover or long-press every link and read the true destination. If the domain is not exactly the organization's real one, the check fails.
Never act on changed payment or login instructions
The most expensive phishing emails do not carry malware. They carry new wire instructions, an updated account number, or a login page that looks perfect. Business email compromise cost Americans over $3 billion in reported losses last year alone, most of it moved by employees acting in good faith on instructions that arrived by email.
Banking details do not change by email. Login pages do not arrive by email. Those two sentences alone defeat most of the losses in that number.
Any change to payment instructions gets confirmed by a callback to a number already in your file, and logins happen by typing the address yourself, never through an emailed link.
Notice when a known contact sounds wrong
Real accounts get compromised, which means the scam can arrive from a genuine address belonging to someone you trust. The tells are tone and pattern. A colleague suddenly formal, a vendor suddenly urgent, a reply that ignores the thread, an attachment from someone who never sends them.
This is the hardest version to catch, and it is why the defense targets the instruction rather than the address. A real sender survives a phone call.
When a known contact asks for something unusual, verify by voice on the number you have for them. The address being real does not make the request real.
When any check fails, report it, do not delete it
A deleted phishing email protects one inbox. A reported one protects every inbox in the company and gives whoever manages your systems the chance to block the sender and warn the team. Speed is the whole game, and the person who reports in five minutes is the defense working.
If you clicked before you doubted, that changes the job from prevention to response, and the response has an order of operations.
Forward the message to whoever handles your systems and flag it as suspected phishing. If you already clicked or entered anything, go straight to the first hours playbook.
The email cannot survive a phone call to a number it did not give you. That is the whole trick, and it is yours to use.
Dallas Downey, CLCS, Commercial Lines and Workers Compensation Specialist
Sources worth opening before you decide.
This article uses public source material from the FBI Internet Crime Complaint Center's 2025 annual report and Google Cloud's Mandiant threat intelligence report.
The purpose is recognition at inbox speed. The FBI's numbers describe how often this works and Google's investigators describe the current playbook. Whether your team runs these checks under pressure is a training question, and whether the policy holds when one slips through is a document question. The review covers both.
Keep reading, then read your policy.
Questions firm owners ask.
What is the difference between phishing and spear phishing?
Phishing is the mass version, the same lure sent to thousands of inboxes. Spear phishing is aimed, built from research on you or your company, using real names, real projects, and real relationships. The checks in this article work on both, because both die against out-of-band verification. The aimed version just makes the verification habit more important.
What should I do if I already clicked the link?
Move to response mode without shame and without delay. Disconnect the device from the network, change the password on any account you entered, revoke active sessions, and report it immediately. If it happened at work, tell whoever manages systems the same hour, and if funds or data may be involved, the carrier's breach hotline comes next. Fast reporting is the difference between an incident and a loss.
Do spam filters catch all of this?
No, and the current campaigns are built specifically to pass them. A plain text email with no link and no attachment carries nothing for a filter to flag, and a call from a fake IT helpdesk never touches the mail system at all. Filters are the floor. Human checks and a verification habit are the actual defense.
Does insurance cover losses from a phishing email an employee clicked?
A well structured cyber policy funds the response, the forensics, the breach counsel, and the notification duties, and a social engineering fraud endorsement responds when an employee is deceived into sending money. Sublimits and verification conditions decide how far each part reaches, which is a document review, not a guess. About 40 percent of the time we tell clients to stay with their current carrier because that is the right answer.
What Houston clients say.
Seven checks. One habit. Every inbox.
Send us the policies you carry today. We will read the coverage against the current phishing campaigns, show you which verification habits your carrier rewards, and give your team the one page version of these checks in plain English.
Commercial reviews route to our commercial desk and follow your calendar, not ours. Local broker. National infrastructure.
By