How to spot a fraudulent email: 15 risk signals that matter
Apr 2026
Not every suspicious email is fraud. But every fraud starts with signals your team can learn to spot. The challenge isn’t awareness — it’s knowing which signals actually matter, and which combinations should trigger action.
Here are the 15 risk signals that FraudDecoder’s AI analyzes on every submission — grouped by category.
Sender & Domain
Lookalike domain
Domain that visually mimics a legitimate one — hyphens (acme-corp.com), homoglyphs (rn→m), or TLD swaps (.co vs .com).
Display name mismatch
The "From" display name says "John Smith, CFO" but the actual email address is a freemail or unknown domain.
Reply-to mismatch
The reply-to address differs from the sender address — a classic redirect tactic to capture responses.
SPF / DKIM failure
Email authentication checks fail, indicating the sender is not authorized to send on behalf of the claimed domain.
New or young domain
Sender domain was registered days or weeks ago — legitimate vendors don't operate from brand-new domains.
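The header-based checks in this group (display name mismatch, reply-to mismatch, SPF / DKIM failure) can be read straight from a raw message. The following is an added example, not FraudDecoder's code; the freemail list, the role titles, the signal names and the authserv-id mx.example.net (standing in for your own receiving mail server) are assumptions, and the sample message is constructed. It covers only the freemail case of display name mismatch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list, not exhaustive
ROLE_HINT = re.compile(r"\b(CEO|CFO|COO|director|finance)\b", re.I)  # assumed titles
AUTH_FAIL = {"fail", "softfail", "permerror"}

def header_signals(raw, trusted_authserv):
    """Return the sender-side risk signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    signals = []
    # Display name claims a role, but the address is on a freemail domain.
    if ROLE_HINT.search(name) and from_addr.rpartition("@")[2].lower() in FREEMAIL:
        signals.append("display_name_mismatch")
    # Replies would go somewhere other than the visible sender address.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        signals.append("reply_to_mismatch")
    # Only Authentication-Results stamped by our own receiving server count:
    # a sender can include its own copies of this header with any content.
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if (authserv.split() or [""])[0].lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim)=(\w+)", results, re.I):
            if result.lower() in AUTH_FAIL:
                signals.append(f"{method.lower()}_fail")
    return signals

# Constructed sample message (not real traffic).
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=gmail.com; dkim=none
Authentication-Results: forged.example; spf=pass; dkim=pass
From: "John Smith, CFO" <john.smith.cfo@gmail.com>
Reply-To: payments@acme-corp.example
Subject: Invoice

Please process today.
"""

if __name__ == "__main__":
    print(header_signals(SAMPLE, "mx.example.net"))
```

The second Authentication-Results header in the sample is ignored because its authserv-id is not the trusted one, so its "pass" values cannot mask the real SPF failure.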
Language & Tone
Urgency language
"ASAP", "immediately", "end of day", "penalty fees" — designed to prevent the recipient from verifying.
Authority pressure
"I'm in a meeting", "direct order", "do not discuss" — leverages hierarchy to suppress questioning.
Secrecy requests
"Keep this between us", "confidential transaction" — isolates the target from colleagues who might catch the fraud.
Unusual tone
Writing style, formality level, or vocabulary that doesn't match the supposed sender's normal communication patterns.
Request & Content
Bank detail change
Any request to update vendor banking information should be treated as high-risk until verified out-of-band.
Wire transfer request
Especially when combined with urgency, authority, or a new recipient. Wire transfers are irreversible.
Gift card request
Legitimate business transactions never require gift cards. This is always fraud.
Bulk data request
Requests for W-2s, employee lists, PII, or financial records — especially from "executives" to HR or finance.
No prior relationship
First contact from an unknown entity requesting payment, deposit, or sensitive information.
Mismatched documentation
Invoice details that don't match purchase orders, contracts, or prior communications.
Signals are evidence. Not verdicts.
A single signal rarely confirms fraud. It’s the combination that matters. Urgency + bank detail change + young domain = very different risk than urgency alone.
FraudDecoder weighs these signals together, cross-references domain forensics, and produces a risk score with specific recommended actions — so your team doesn’t have to make the judgment call alone.