Some time ago an email from "PayPal Support" landed in my inbox: the right logo, polite English, and a big urgent button begging to be clicked. It looked perfect. It was fake. Let's figure out together how to check who really sent an email like that, in about a minute and with no technical background at all.
Why does the sender name mean nothing?
Every email carries a display name, the friendly name your inbox shows in bold. Here is the uncomfortable part: it is free text. Whoever sends the email types anything they like into that field. "PayPal Support", "Your Bank", even the name of someone you know. Nothing verifies it. Nothing at all.
The part that is much harder to fake is the domain: everything after the @ in the real address. A domain has to be registered, which creates a public record and leaves traces. That's why every check below aims at the domain, not the name.
Where is the real address hiding?
In Gmail, open the message and click the small arrow (or "show details") under the sender's name. On a phone, tap the sender's name. You're looking for the full address, something like [email protected].
Ignore everything before the @. Words like security, billing and no-reply are free text too. The part after the @ is what you check.
The six-check routine
About a minute, end to end. Checks 1 and 2 use your eyes, 3 and 4 use a lookup tool, and 5 and 6 are simply decisions you make.
- Read the domain right to left. The registered part, the piece someone actually owns, sits at the end. Everything in front of it is a subdomain: extra words the owner bolts on freely, just like a display name. Take paypal.com.account-check.example (an invented address) and read from the right: the owned domain is account-check.example, and the paypal.com at the front is pure decoration.
- Look for letter swaps and typos. Scammers register near-misses of a real name and count on you skimming. Some swaps are visible once you slow down:

| Real | Fake | What changed |
|---|---|---|
| paypal.com (the brand's registered domain) | paypa1.com | the second "l" is the number 1 |
| amazon.com (the brand's registered domain) | amaz0n.com | the "o" is a zero |

Also watch for doubled letters (paypall.com) and letter pairs posing as one letter: in arnazon.com, an "r" and an "n" sit together to imitate an "m". Unfortunately, some swaps are invisible. In most fonts a capital "I" is identical to a lowercase "l", so paypaI.com looks exactly like the real thing, and some fakes borrow letters from the Cyrillic alphabet that render just like Latin ones. You can't see those at all, which is exactly the kind of thing you want a tool to check for you.
- Check how old the domain is. Every registered domain has a public record, called WHOIS, that includes its creation date. Brand domains are usually many years old. Phishing domains (fake sites built to impersonate a brand and harvest your login) are commonly registered only days or weeks before use, because they get reported and thrown away fast. Young isn't guilty on its own; new businesses exist. But a "PayPal" domain registered last Tuesday has earned your suspicion.
- Check public blocklists and vendor flags. Google Safe Browsing is Google's public list of reported dangerous sites; VirusTotal pools verdicts from dozens of security companies. A domain flagged by either is a strong signal to walk away.
"Not flagged" is not the same as "safe". Blocklists work from reports, so a phishing site in its first hours or days often isn't on any list yet. A clean result narrows the odds; it doesn't clear the domain.
- Never use the email's own links or phone numbers. If the message claims a problem with your account, remember: the link and the phone number in it belong to whoever wrote the message. Type the company's address into your browser yourself, or open its official app, and look for the problem there.
- Still unsure? Do nothing. Doing nothing is a perfectly legitimate move. If the problem is real, it will still be visible when you log in the normal way an hour later.
Real companies survive you taking time to check. Manufactured urgency ("within 24 hours", "immediate suspension") is itself worth treating as a signal.
Can one paste cover checks 2, 3 and 4?
Yes, and this is what we built IP Tracker for. It's a free Chrome extension: paste the sender's address, or just the domain, into the popup, and it runs the lookups in one go. Paste [email protected] and it pulls out the domain by itself. 🤓
- It compares the domain against a bundled list of about 100 widely-impersonated brands (banks, payment services, e-commerce, big tech, shipping, government, crypto, streaming) and names the trick in plain English: Looks like paypal.com, the second "l" is the number 1. Visible swaps, the capital-I trick and Cyrillic lookalikes are all in that scan.
- It knows each brand's official regional domains (paypal.de and friends), so a real sibling site doesn't get flagged.
- It checks Google Safe Browsing, VirusTotal's vendor stats, community abuse reports and VPN, proxy and Tor signals in the same pass.
- It reads the WHOIS creation date. A domain under 90 days old adds a "Registered N days ago" line to the warning, as supporting evidence, never as a verdict by itself.
The free tier is 25 checks a day, no account, no tracking. The only thing that leaves your browser is the value you paste.
And now the honest limits, because they matter. A hundred brands is not every brand. Domains written in other alphabets travel the internet in an encoded form (it starts with xn--), and IP Tracker doesn't yet decode that form before scanning: the Cyrillic check works when the visible lookalike is what you paste, and decoding is in progress. Google's blocklist often lags days behind brand-new phishing sites. And a clean result is a second opinion, not a promise. IP Tracker flags, checks and names tricks. It can't click for you, and it won't tell you a site is safe.
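As an added example (not the article's or IP Tracker's code), here is what checks 1 and 2 of the routine and the xn-- decoding mentioned in the limits look like in a few lines of Python. The brand list, the public-suffix stand-in and the lookalike table are tiny constructed samples, not the extension's data, and the verdict strings are invented for illustration.

```python
# Added example, not the article's or IP Tracker's code: checks 1 and 2 plus
# decoding of the xn-- form. Brand and suffix lists are constructed stand-ins.
import re

BRANDS = {"paypal.com", "amazon.com"}        # constructed sample of a brand list
PUBLIC_SUFFIXES = {"com", "de", "example"}   # stand-in for the real Public Suffix List

# Lookalikes from the text: digit swaps, capital I for l, "rn" posing as "m",
# and a few Cyrillic letters that render like Latin ones.
HOMOGLYPHS = {"1": "l", "0": "o", "I": "l", "rn": "m",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def domain_of(address: str) -> str:
    """Drop everything before the @ and decode any xn-- (punycode) labels."""
    host = address.rsplit("@", 1)[-1].strip(" <>.")
    try:
        return host.encode("ascii").decode("idna")   # decodes xn-- labels only
    except UnicodeError:
        return host                                  # already has non-ASCII letters

def registered_domain(host: str) -> str:
    """Check 1: read right to left; the owned part is the label before the suffix."""
    labels = host.split(".")
    if len(labels) >= 2 and labels[-1].lower() in PUBLIC_SUFFIXES:
        return ".".join(labels[-2:])
    return host

def normalize(name: str) -> str:
    """Check 2: map each lookalike to the letter it imitates, then lowercase."""
    for fake, real in HOMOGLYPHS.items():
        name = name.replace(fake, real)
    return name.lower()

def check(address: str) -> str:
    """Plain-English verdict; folding is aggressive but only matters if it hits a brand."""
    host = domain_of(address)
    owned = registered_domain(host)
    if owned.lower() in BRANDS:
        return f"OK: {owned} is the brand's registered domain"
    folded = normalize(owned)
    undoubled = re.sub(r"(.)\1", r"\1", folded)     # paypall.com -> paypal.com
    for candidate in (folded, undoubled):
        if candidate in BRANDS:
            return f"LOOKALIKE: {owned} imitates {candidate}"
    for brand in BRANDS:                             # brand name used as a subdomain
        if f".{brand}." in f".{host.lower()}.":
            return f"SUBDOMAIN TRICK: owned domain is {owned}; {brand} is decoration"
    return f"UNKNOWN: owned domain is {owned}; check its age and blocklists"
```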
Why am I writing all this?
Each post here dissects one known trick, written by the people who built the detector, and covers the same tricks we test it against. Coming up: letter swaps, plain typos, fake subdomains, brand-new domains, invisible alphabet tricks, and what Google's blocklist does and doesn't catch. The goal is simple: when the next scary email lands, you recognize the trick by name.
To summarize:
- ✓ The bold sender name is free text. Check the domain after the @.
- ✓ Read the domain right to left; the owned part sits at the end.
- ✓ A young domain wearing a brand's name is the classic phishing pattern.
- ✓ "Not flagged" is not the same as "safe".
- ✓ When in doubt, do nothing and log in the normal way instead.
Happy checking, and don't let the red buttons rush you! 😉