You have received a message that feels off. Maybe it is an email from your bank about suspicious activity. A text from a delivery service about a failed package. A phone call from someone claiming to be your company’s IT department. The message could be legitimate – or it could be a phishing attempt designed to steal your credentials, your money, or your personal information. This article is part of our Phishing & Social Engineering guide, and it gives you a systematic process for verifying any suspicious communication before you act on it.
The core principle is simple: never verify a message using information provided in that message. An attacker who sends you a fraudulent email also controls the phone number, links, and reply address in that email. Verification must happen through a channel the attacker does not control.
The Golden Rule: Out-of-Band Verification
Out-of-band verification means confirming something through a communication channel different from the one the suspicious message arrived on. If you received a suspicious email, verify by phone or in person. If you received a suspicious phone call, verify by email or text. The attacker controls one channel – you verify through another.
This principle defeats the vast majority of phishing attacks, regardless of how convincing the message is. AI-powered phishing can produce perfect grammar and contextually appropriate content. Deepfake voice cloning can replicate a person’s voice. But none of these technologies help the attacker if you refuse to respond within their controlled channel and instead verify independently.
Verifying Suspicious Emails
Step 1: Examine the Sender Address
Click on the sender name to reveal the full email address. Check whether the domain matches the organization the email claims to be from. Be alert to lookalike domains – “support@apple-inc.com” is not the same as “support@apple.com.” For more signals to look for, see our phishing email red flags guide.
Step 2: Hover Over Links (Do Not Click)
On a computer, hover your cursor over any link in the email to see the actual destination URL. On a phone, long-press the link. Check whether the URL leads to the domain you would expect. Watch for:
- Domains that are misspelled or slightly different from the real one.
- URLs that use the real domain as a subdomain of an unfamiliar domain (e.g., “apple.com.scam-site.xyz”).
- URL shorteners that hide the true destination.
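As an added illustration of Steps 1 and 2 (this is example code, not code from the original article or from PanicVault), the following Python script applies the same checks mechanically: it compares a sender address and a link destination against the domain a message claims to come from and flags lookalike domains, the real-domain-as-subdomain trick, and URL shorteners. The shortener list is a constructed sample, and the registrable-domain helper assumes a two-label suffix (it would misread co.uk-style domains).

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample of public URL shorteners; a real deployment would use a fuller list.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('login.apple.com' -> 'apple.com').
    Simplification: multi-label suffixes such as 'co.uk' are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def looks_like(domain: str, expected: str) -> bool:
    """Heuristic for lookalike domains: the brand name is embedded in the
    domain ('apple-inc.com'), or the two strings differ by only a few
    characters ('app1e.com')."""
    brand = expected.split(".")[0]
    similarity = SequenceMatcher(None, domain, expected).ratio()
    return brand in domain or similarity >= 0.8

def check_sender(address: str, expected: str) -> str:
    """Step 1: classify the domain part of a From: address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == expected:
        return "ok"
    if looks_like(domain, expected):
        return "lookalike-domain"
    return "foreign-domain"

def check_link(url: str, expected: str) -> str:
    """Step 2: classify where a link actually points, before anyone clicks it."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "no-host"
    if host in SHORTENERS:
        return "shortener"           # true destination is hidden; resolve it first
    domain = registrable_domain(host)
    if domain == expected:
        return "ok"                  # apple.com or any of its real subdomains
    if expected in host:
        return "expected-domain-as-subdomain"  # e.g. apple.com.scam-site.xyz
    if looks_like(domain, expected):
        return "lookalike-domain"
    return "foreign-domain"

if __name__ == "__main__":
    print(check_sender("support@apple-inc.com", "apple.com"))                # lookalike-domain
    print(check_link("https://apple.com.scam-site.xyz/login", "apple.com"))  # expected-domain-as-subdomain
```

The classifier only mirrors the manual checks in the text; a result of "ok" still means "go verify through the official app or a bookmark", not "safe to click".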
Step 3: Contact the Organization Directly
If the email claims to be from your bank, go to your bank’s website by typing the URL directly into your browser (or using a bookmark you set previously). Log into your account through the official site or app. If there is truly an issue with your account, you will see it there.
If the email claims to be from a person – a colleague, your boss, a vendor – contact that person through a channel you already use. Call them, send them a Slack message, walk to their desk. Ask “Did you send me an email about [topic]?”
Step 4: Check Official Communication Channels
Most organizations communicate important account information through their official apps and portals, not just email. If your bank says there is suspicious activity, open your banking app. If a delivery service says your package cannot be delivered, check the tracking on their official site. If the alert only exists in the email and not in the official channel, it is almost certainly fraudulent.
Verifying Suspicious Text Messages (SMS)
Smishing – SMS phishing – exploits the trust people place in text messages and the limited context available on mobile screens. Text messages feel more personal and urgent than email, and mobile browsers make it harder to inspect URLs.
Step 1: Do Not Tap the Link
If a text message contains a link, do not tap it. The link may lead to a fake login page or trigger a malware download.
Step 2: Identify the Claimed Sender
Note who the message claims to be from – your bank, a delivery service, a government agency, a friend.
Step 3: Contact the Sender Through Their Official App or Website
Open the organization’s official app or navigate to their website directly. Check whether the claim in the text message (failed delivery, account alert, payment due) matches what you see in the official channel.
Step 4: Use Your Password Manager
If the text asks you to log into a website, open your password manager and navigate to the site through the saved entry. PanicVault, for example, stores the correct URL alongside your credentials. Tapping the entry takes you directly to the legitimate site, bypassing any fraudulent link in the text message.
Common Smishing Scenarios
- Delivery notifications: “Your package cannot be delivered. Click here to reschedule.” Check the tracking number on the carrier’s official site or app.
- Bank alerts: “Unusual activity on your account. Verify immediately.” Open your banking app to check your account directly.
- Government messages: “Your tax refund is ready. Click to claim.” The IRS does not initiate contact via text message.
- Toll payments: “Unpaid toll balance. Pay now to avoid fees.” Contact the toll authority through their official website.
Verifying Suspicious Phone Calls
Phone-based social engineering (vishing) has become significantly more dangerous with deepfake voice cloning. A caller may sound exactly like someone you know and trust.
Step 1: Note the Claim
What is the caller claiming? Who do they say they are? What do they want you to do? Take mental notes without committing to action.
Step 2: Do Not Provide Information
Do not confirm your name, account numbers, Social Security number, passwords, or any other sensitive information during the call. A legitimate organization already has your information on file and will not ask you to recite it to verify your identity – they will ask you to verify yourself through their own secure channels.
Step 3: Hang Up and Call Back
This is the most important step. Tell the caller you will call them back. If they object or insist you stay on the line, that is a red flag. Hang up and call the organization or person using a number you find independently:
- For a company: Use the number on their official website or on the back of your card.
- For a person: Use the number saved in your phone contacts.
- For a government agency: Look up their official phone number online.
Step 4: Ask for the Code Word
If the caller claims to be a family member, ask for your family code word. If they cannot provide it, hang up and contact the family member directly.
Red Flags During Phone Calls
- Urgency: “You must act now” or “Do not hang up.”
- Secrecy: “Do not tell anyone about this call.”
- Unusual payment methods: Requests for gift cards, wire transfers, or cryptocurrency.
- Emotional manipulation: Crying, panic, anger – designed to override your rational thinking.
- Refusing to let you call back: Legitimate callers have no problem with you calling them back through official channels.
Verifying Messages on Messaging Apps
WhatsApp, iMessage, Signal, Telegram, and other messaging platforms are increasingly used for phishing and social engineering.
Compromised Accounts
A message from a friend’s account does not guarantee it is from your friend. Their account may have been compromised. If a friend sends you an unexpected request – especially involving money, clicking a link, or sharing personal information – verify by calling them or contacting them through a different platform.
Fake Accounts
Attackers create accounts with stolen profile photos and similar usernames to impersonate people you know. Check the account details – phone number, username, profile information – against what you have for the real person.
Group Scams
Be cautious about links and requests shared in group chats, especially large groups where you do not know all members. A compromised account in a shared group can distribute malicious links to many people simultaneously.
Building a Verification Toolkit
Having verification methods ready before you need them saves time and reduces the temptation to skip verification:
Save Official Contact Numbers
Keep a list of important phone numbers that you have verified independently:
- Your bank’s customer service number (from the back of your card or their official website).
- Your insurance company.
- Your employer’s IT helpdesk.
- Government agencies you interact with regularly.
Bookmark Official Websites
Save bookmarks for websites you log into regularly – banking, email, social media. When you need to check whether an alert is legitimate, use the bookmark instead of searching or clicking a link from a message.
Use Your Password Manager as a Navigation Tool
A password manager stores the correct URL for every saved login. When you receive a suspicious message about one of your accounts, open PanicVault or your preferred password manager and navigate to the site from there. This ensures you land on the correct domain, not a phishing site.
Keep Communication Channels Diverse
Do not rely on a single way to reach important people. Have phone numbers, email addresses, and at least one messaging platform for family members and close contacts. If one channel is compromised, you can verify through another.
What to Do After You Have Verified
If the Message Is Legitimate
Take the appropriate action through the official channel you used for verification, not through the original message. If your bank really does need you to verify a transaction, do it through the banking app, not through a link in the email.
If the Message Is Fraudulent
- Do not respond to the attacker.
- Report the phishing attempt to the appropriate authorities.
- Block the sender if possible.
- Warn others who might receive similar messages.
- If you accidentally provided any information before verifying, take immediate action to secure the affected accounts – change each password to a strong, unique one, enable two-factor authentication, and monitor for unauthorized activity.
Verification Is a Habit, Not a Burden
The verification process described here takes 2-5 minutes. The consequences of not verifying – compromised accounts, stolen money, identity theft – can take months or years to recover from. Make verification automatic. When something feels off, your first instinct should be to verify through a separate channel, not to click, reply, or comply.
With 3.4 billion phishing emails sent daily and AI making them harder to spot, your ability to detect fraud by looking at a message alone is diminishing. Verification through an independent channel is the defense that works regardless of how sophisticated the attack becomes.
