clt_email_legitimacy_checklist
This is an old revision of the document!
Table of Contents
see last modified date at base of all pages
CLNT - EMAIL - SEC - How to check if an email is legit or phishing
Audience: End users and admins.
Purpose: Help you decide if an email is legitimate in under 60 seconds.
Updated: 2025
THINK … (before you click)
- Are you expecting anything right now?
- Are you expecting anything from these people/company?
- If the email mentions domains/hosting/billing: ask, *who is my real provider?* If it’s not the sender, it’s likely phishing.
- If it asks you to click, hover your mouse over the button/link—your mail app shows the actual URL.
- Want more certainty? In Outlook (desktop): File → Properties → Internet headers. Check the true From/Return-Path and authentication results (SPF/DKIM/DMARC). They must match the brand you expect.
- Geo note: Country/TLD is only a weak signal—attackers use any country and many generic TLDs. Treat geo as extra-scrutiny, not a blocker.
Quick Email Legitimacy Checklist (Updated)
Stop now if any are true: asks for passwords/2FA, urgent payment/bank-detail changes, gift cards/crypto, remote access, or you didn’t expect it.
1) Sender
- Name matches someone you know or a real department.
- Email address matches the real domain (no look-alikes like `rnicrosoft.com`).
- Reply-To is the same as From.
2) Context
- Am I expecting anything right now?
- Am I expecting anything from these people/company?
- You were expecting this email (invoice, file, delivery, password reset).
- You actually have an account/relationship with the company named.
3) Links
- Hover shows the same brand domain (e.g., `https://accounts.google.com/…`).
- No link shorteners (bit.ly, tinyurl) or random strings.
- No QR codes you’re being pushed to scan.
4) Attachments
- You expected an attachment from this sender.
- Avoid risky types: `.exe .js .scr .bat .ps1 .vbs .iso .img .zip .html .htm`
- Office/PDF files do not ask to “Enable Content/Macros”.
5) Language & look
- Uses your correct name and specific details you recognise.
- No odd grammar, threats, or too-good-to-be-true offers.
- Branding looks right (logos not blurry; footer/legal normal).
6) Client warnings
- No “External sender” or “Failed authentication (SPF/DKIM/DMARC)” banners.
- Not flagged by your mail client as suspicious.
7) Verify safely (don’t use email links)
- Open the website/app yourself from a saved bookmark or by typing the address.
- Call/message the sender on a known number/channel to confirm.
- For payments/bank changes: do a voice check with your contact.
8) If suspicious
- Don’t click, don’t reply, don’t forward (except to IT/security).
- Use Report phishing in your mail app, then delete.
- If you clicked or entered details: change password, enable MFA, inform IT/bank, run a malware scan.
- Optional: forward to reportphishing@apwg.org.
Visual Example (hover reveals mismatched domain)
Country & ccTLD Reference (weak signal only)
| ISO | Country | ccTLD |
|---|---|---|
| AF | Afghanistan | .af |
| AL | Albania | .al |
| AM | Armenia | .am |
| AO | Angola | .ao |
| AZ | Azerbaijan | .az |
| BA | Bosnia and Herzegovina | .ba |
| BD | Bangladesh | .bd |
| BF | Burkina Faso | .bf |
| BG | Bulgaria | .bg |
| BH | Bahrain | .bh |
| BI | Burundi | .bi |
| BJ | Benin | .bj |
| BM | Bermuda | .bm |
| BN | Brunei | .bn |
| BO | Bolivia | .bo |
| BS | Bahamas | .bs |
| BT | Bhutan | .bt |
| BY | Belarus | .by |
| BZ | Belize | .bz |
| CD | Congo (Democratic Republic) | .cd |
| CF | Central African Republic | .cf |
| CG | Congo (Republic) | .cg |
| CI | Côte d’Ivoire | .ci |
| CL | Chile | .cl |
| CN | China | .cn |
| CO | Colombia | .co |
| CR | Costa Rica | .cr |
| CU | Cuba | .cu |
| CV | Cabo Verde | .cv |
| CY | Cyprus | .cy |
| CZ | Czechia | .cz |
| DJ | Djibouti | .dj |
| DM | Dominica | .dm |
| DO | Dominican Republic | .do |
| DZ | Algeria | .dz |
| EC | Ecuador | .ec |
| EE | Estonia | .ee |
| ER | Eritrea | .er |
| ET | Ethiopia | .et |
| GA | Gabon | .ga |
| GD | Grenada | .gd |
| GE | Georgia | .ge |
| GH | Ghana | .gh |
| GM | Gambia | .gm |
| GN | Guinea | .gn |
| GQ | Equatorial Guinea | .gq |
| GT | Guatemala | .gt |
| GW | Guinea-Bissau | .gw |
| GY | Guyana | .gy |
| HN | Honduras | .hn |
| HR | Croatia | .hr |
| HT | Haiti | .ht |
| HU | Hungary | .hu |
| IN | India | .in |
| IQ | Iraq | .iq |
| IR | Iran | .ir |
| JM | Jamaica | .jm |
| JO | Jordan | .jo |
| JP | Japan | .jp |
| KE | Kenya | .ke |
| KG | Kyrgyzstan | .kg |
| KH | Cambodia | .kh |
| KI | Kiribati | .ki |
| KM | Comoros | .km |
| KN | Saint Kitts and Nevis | .kn |
| KP | North Korea | .kp |
| KR | South Korea | .kr |
| KW | Kuwait | .kw |
| KZ | Kazakhstan | .kz |
| LA | Laos | .la |
| LB | Lebanon | .lb |
| LC | Saint Lucia | .lc |
| LK | Sri Lanka | .lk |
| LR | Liberia | .lr |
| LS | Lesotho | .ls |
| LT | Lithuania | .lt |
| LV | Latvia | .lv |
| LY | Libya | .ly |
| MD | Moldova | .md |
| MG | Madagascar | .mg |
| MK | North Macedonia | .mk |
| ML | Mali | .ml |
| MM | Myanmar | .mm |
| MN | Mongolia | .mn |
| MR | Mauritania | .mr |
| MT | Malta | .mt |
| MU | Mauritius | .mu |
| MW | Malawi | .mw |
| MX | Mexico | .mx |
| MY | Malaysia | .my |
| NE | Niger | .ne |
| NG | Nigeria | .ng |
| NI | Nicaragua | .ni |
| NP | Nepal | .np |
| OM | Oman | .om |
| PA | Panama | .pa |
| PE | Peru | .pe |
| PG | Papua New Guinea | .pg |
| PK | Pakistan | .pk |
| PL | Poland | .pl |
| PR | Puerto Rico | .pr |
| PS | Palestine | .ps |
| PW | Palau | .pw |
| PY | Paraguay | .py |
| QA | Qatar | .qa |
| RO | Romania | .ro |
| RS | Serbia | .rs |
| RU | Russia | .ru |
| RW | Rwanda | .rw |
| SA | Saudi Arabia | .sa |
| SB | Solomon Islands | .sb |
| SC | Seychelles | .sc |
| SD | Sudan | .sd |
| SG | Singapore | .sg |
| SI | Slovenia | .si |
| SK | Slovakia | .sk |
| SL | Sierra Leone | .sl |
| SM | San Marino | .sm |
| SN | Senegal | .sn |
| SO | Somalia | .so |
| SR | Suriname | .sr |
| SS | South Sudan | .ss |
| ST | São Tomé and Príncipe | .st |
| SV | El Salvador | .sv |
| SY | Syria | .sy |
| SZ | Eswatini | .sz |
| TJ | Tajikistan | .tj |
| TL | Timor-Leste | .tl |
| TM | Turkmenistan | .tm |
| TN | Tunisia | .tn |
| TO | Tonga | .to |
| TT | Trinidad and Tobago | .tt |
| TV | Tuvalu | .tv |
| TW | Taiwan | .tw |
| TZ | Tanzania | .tz |
| UA | Ukraine | .ua |
| UG | Uganda | .ug |
| UZ | Uzbekistan | .uz |
| VC | Saint Vincent and the Grenadines | .vc |
| VE | Venezuela | .ve |
| VG | Virgin Islands (British) | .vg |
| VI | Virgin Islands (U.S.) | .vi |
| VN | Vietnam | .vn |
| WS | Samoa | .ws |
| YE | Yemen | .ye |
| YU | Yugoslavia | .yu |
| ZA | South Africa | .za |
| ZM | Zambia | .zm |
| ZW | Zimbabwe | .zw |
| AX | Åland Islands | .ax |
| FO | Faroe Islands | .fo |
| GI | Gibraltar | .gi |
| GL | Greenland | .gl |
| GG | Guernsey | .gg |
| JE | Jersey | .je |
| MF | Saint Martin (French part) | .mf |
| MQ | Martinique | .mq |
| RE | Réunion | .re |
| SX | Sint Maarten (Dutch part) | .sx |
| SH | Saint Helena, Ascension and Tristan da Cunha | .sh |
| PM | Saint Pierre and Miquelon | .pm |
| TF | French Southern and Antarctic Lands | .tf |
| WF | Wallis and Futuna | .wf |
Notes:
*.yu* (Yugoslavia) = retired.
*.mf* (Saint Martin, FR) = reserved/not generally in operation.
Reminder: ccTLD/country is a weak indicator. Always prioritise SPF/DKIM/DMARC, link/attachment analysis, sender reputation, and business context.
clt_email_legitimacy_checklist.1760651908.txt.gz · Last modified: by thesaint