How to recognize scam emails and messages generated with AI

Quick answer

Stop looking for spelling mistakes: AI has wiped out the most-used signal for spotting scams. Focus on three things: what the message asks of you (money or data), how much urgency it uses, and where the link takes you. Never click a link you receive: reach the service through the channel you already use. If it matches a real alert, you'll find it there.

How to do it

A scam email or message generated with AI can be indistinguishable from a real one in form. They're unmasked by their substance, with checks that don't depend on the quality of the text.

Verify the sender's address, not the display name. The name may say "Example Bank," but the real address behind it often reveals a strange domain (substituted characters, suspicious subdomains, free services in place of the official one). On a PC, hover the cursor over the sender; on a smartphone, tap the name to expand it.
Don't click the link: check where it really points. On a computer, hover over the link without pressing and read the real address at the bottom. On a phone, press and hold to see the preview. If the address doesn't match the official site, it's a trap.
Weigh the urgency and the threat. "Confirm within 24 hours or lose access," "payment pending," "prize to be claimed immediately": pressure is the engine of almost every scam. A real alert leaves you the time to verify calmly.
Reach the service on your own. Instead of clicking, open the official app or type the site's address by hand. If there really is a problem with your account or an invoice, you'll see it from there. If there's nothing, the message was fake.

Check: if the message's alert finds no match when you log in yourself, through the official channel, to your account, it was a scam. Delete it and, if you can, report it as phishing.

A concrete example

Elena gets a text message: a parcel is being held, two euros of customs fees need to be paid, with a link. The message is written in correct Italian, names a real courier, and two euros seems an innocent amount. But Elena isn't expecting any parcel from abroad. She presses and holds the link: the preview shows an address that has nothing to do with the courier, full of random words. She doesn't click. She opens the official app of the courier she usually uses: no shipment pending. She deletes the text. The low amount was meant precisely to make her lower her guard and to capture her card details on the "payment" page.

When it does NOT work (and how to fix it)

If the message is personalized with real data about you

The most polished scams use AI to insert your name, your address, a recent purchase, to seem legitimate. Correct data doesn't make the message real: it often comes from past data breaches. The remedy doesn't change: no clicking, verify through the official channel. Personalization is a credibility trick, not proof.

If you can't tell whether the address is fake

Some scam domains are designed to look very much like the real ones (one letter changed, an extra hyphen). If you have a doubt, don't interpret: just don't click. Go to the service the way you always do, without going through the link. When in doubt, the link you received is never used.

If you've already clicked or entered data

Don't freeze out of embarrassment, speed is what counts. If you entered a password, change it immediately everywhere you used it and enable two-step verification. If you gave card details, call the bank to block it. Keep an eye on the account's transactions in the following days and report what happened. Keep the message as evidence.

A tip from someone who actually uses it

Treat every link and every number received in a message as "not to be used." No matter how credible the sender: to access an account, pay, or confirm an identity, always start from the channel you control (an app already installed, an address typed by hand, the number on your card). This single habit makes scammers' effort almost useless, because it takes away the link on which the whole deception rests.

Frequently asked questions

Can I forward a suspicious message to the AI to have it analyzed?

Yes, and it's a good reflex: paste the text (removing your sensitive data) and ask the AI to list the phishing signals. It recognizes urgency, unusual requests and disguised links well. Use it as a second opinion; the decisive verification remains accessing the service through the official channel.

If I report the email as spam, am I protected?

Reporting it helps filter that sender and protect other users, but it doesn't make you immune: more messages will arrive, from other addresses, increasingly polished. Protection isn't the "spam" button, it's the habit of never acting from a link you received. The filter helps; the rule of behavior defends.