How to Verify if an Email Is Legitimate or a Scam

Email remains one of the most common tools for fraud. In the Philippines, scam emails are used to steal money, passwords, banking details, one-time passwords, account access, and personal information. They are also used to trick businesses into making payments to the wrong account, signing fake documents, or downloading malicious files.

This article explains, in Philippine context, how to determine whether an email is legitimate or a scam, what laws may apply, what warning signs matter most, what evidence to preserve, and what steps individuals and businesses should take.


I. Why this matters in the Philippines

Email scams in the Philippines often exploit familiar local realities:

  • banks and e-wallets commonly send account advisories by email;
  • Filipinos regularly deal with online shopping, couriers, government portals, and digital payments;
  • many scams imitate well-known brands, banks, telecoms, logistics firms, government agencies, schools, law offices, and employers;
  • overseas work, remittances, and BPO-style communication make email-based fraud especially believable;
  • scammers often combine email with SMS, Viber, Messenger, WhatsApp, or phone calls.

A scam email may be the first move in a larger fraud. It can lead to identity theft, online banking compromise, unauthorized SIM or account activity, tax or government impersonation, ransomware, payroll diversion, or unauthorized disclosure of personal data.


II. The legal framework in the Philippines

A scam email is not merely a nuisance. Depending on what it does, several Philippine laws may apply.

1. Cybercrime Prevention Act of 2012

Republic Act No. 10175

This is the main cybercrime law. It covers computer-related offenses and may apply where an email is used for:

  • illegal access to accounts or systems,
  • phishing and credential theft,
  • computer-related fraud,
  • computer-related identity theft,
  • data interference,
  • system interference,
  • computer-related forgery,
  • extortion, threats, and other Revised Penal Code crimes committed through a computer system (Section 6 of the Act raises their penalty by one degree),
  • and related acts committed through computer systems.

If the email is part of a fraud scheme involving computer systems, this law is often relevant.

2. Revised Penal Code, as amended

Traditional crimes may still apply even if committed through email, such as:

  • Estafa (swindling),
  • falsification,
  • threats,
  • unjust vexation,
  • and other fraud-related offenses.

A scam does not stop being estafa just because it happened online.

3. Electronic Commerce Act

Republic Act No. 8792

This law recognizes electronic documents and electronic communications, and it also penalizes certain unlawful acts involving hacking or unauthorized interference. It matters when the email involves electronic transactions, fake digital communications, or misuse of electronic records.

4. Data Privacy Act of 2012

Republic Act No. 10173

If a scam email is used to collect, misuse, expose, or process personal data unlawfully, this law may become relevant. It also matters when organizations fail to adequately protect personal data and a breach leads to phishing or identity fraud.

5. Anti-Photo and Video Voyeurism, Safe Spaces, intellectual property, and other special laws

These may be relevant in particular cases, but ordinary email scam analysis usually centers on cybercrime, estafa, privacy, and electronic commerce rules.

6. BSP, SEC, DTI, NPC, NBI, and PNP roles

Depending on the subject matter, email scams may implicate:

  • Bangko Sentral ng Pilipinas (BSP) when banks, e-money issuers, or regulated financial institutions are involved;
  • Securities and Exchange Commission (SEC) when investment or corporate fraud is involved;
  • Department of Trade and Industry (DTI) in some consumer or deceptive transaction contexts;
  • National Privacy Commission (NPC) when personal data misuse or breach issues arise;
  • National Bureau of Investigation (NBI) and Philippine National Police Anti-Cybercrime Group (PNP-ACG) for criminal investigation and cyber complaints.

III. What makes an email “legitimate”

A legitimate email is not simply one that looks polished. In legal and practical terms, legitimacy means the email is genuinely from the sender it claims to be, the content is truthful, the request is authorized, and the message does not seek to induce unlawful disclosure, payment, or access.

A legitimate email usually has most of these features:

  • the sender domain matches the real organization;
  • the message fits an actual transaction, account activity, or relationship you have;
  • the language is consistent with the institution’s normal communications;
  • links point to the real official website;
  • attachments are expected and safe;
  • the email does not pressure you to reveal passwords, PINs, OTPs, card numbers, recovery codes, or full identity credentials;
  • the request can be independently verified through official channels.

A scam email usually fails one or more of those tests.


IV. The core rule: never trust appearance alone

The single biggest mistake is treating appearance as proof.

A scam email can have:

  • a real company logo,
  • flawless English,
  • legal disclaimers,
  • official-looking signatures,
  • copied website designs,
  • the name of a real executive,
  • a familiar branch name,
  • and even an email address that looks nearly correct.

None of that proves authenticity.

Verification must focus on source, domain, routing, links, attachments, context, and independent confirmation.


V. The practical legal test: seven questions to ask

1. Do I know this sender, and am I expecting this message?

Unexpected messages deserve extra suspicion, especially if they involve:

  • account suspension,
  • refunds,
  • tax issues,
  • customs releases,
  • deliveries,
  • job offers,
  • invoices,
  • money transfers,
  • legal threats,
  • KYC re-verification,
  • urgent payroll changes,
  • or prize claims.

A legitimate institution may contact you unexpectedly, but unexpected contact should never be trusted without verification.

2. Does the sender’s email address exactly match the real domain?

This is one of the most important checks.

Examples of warning signs:

  • doubled or swapped letters: paymayaa.com;
  • added words or hyphens: bdo-online.com, security-bpi-login.com, gcash-philippinessupport.com;
  • look-alike characters: a capital I in place of a lowercase l, or “rn” in place of “m”, which most fonts render almost identically;
  • the genuine name placed in front of someone else’s domain, for instance yourbank.com.ph.verify-now.net, which belongs to verify-now.net and not to the bank, because only the rightmost labels identify the owner;
  • wrong top-level domain: .net instead of .com.ph or vice versa;
  • free email use: a supposed company using Gmail, Yahoo, Outlook, or Proton for routine customer notices.

Also check the part after the @. That is the true domain. The display name in front of it is free text chosen by the sender and can be set to anything.

Example:

  Display name: “BPI Customer Support”
  Actual address: bpihelpdeskverify@outlook.com

That is a strong scam indicator.

Even an exact match is not proof on its own: the From header can be forged outright, which is what the SPF, DKIM, and DMARC checks described in Section XII are meant to catch.

3. Does the email create panic or urgency?

Scam emails commonly say:

  • “Your account will be suspended in 24 hours”
  • “Immediate action required”
  • “Your parcel will be destroyed unless you pay now”
  • “Final notice”
  • “You have a pending tax violation”
  • “Your payroll details must be updated today”
  • “Failure to comply will result in account closure”

Urgency is used to bypass judgment. Legitimate organizations may use deadlines, but they generally allow verification through their official website, app, branch, hotline, or known contact channels.

4. Is the email asking for sensitive information that should never be sent by email?

A strong rule in the Philippines and elsewhere: legitimate institutions generally do not ask you by email to send or confirm:

  • password,
  • OTP,
  • ATM PIN,
  • CVV,
  • full card number,
  • login recovery code,
  • authentication app codes,
  • e-wallet MPIN,
  • full government ID with selfie in reply to a suspicious email,
  • bank username and password,
  • private keys or seed phrases for crypto wallets.

An email asking for these is almost certainly fraudulent.

5. Do the links go where they claim to go?

Do not click first. Hover first.

Check whether:

  • the visible text says one site but the actual link goes elsewhere;
  • the link uses strange spelling;
  • the link is shortened or masked;
  • the link begins with an IP address instead of a real domain;
  • the page uses login forms not hosted on the organization’s real domain;
  • the page asks for too much information.

In high-risk cases, do not use the email link at all. Open the official app or type the official website address yourself.

6. Is there an attachment you were not expecting?

Unexpected attachments are dangerous, especially:

  • .exe, .scr, .bat, .cmd, .js, .jar, .vbs, .hta, .lnk, and disk images (.iso, .img), which Windows opens or mounts with a double-click;
  • files with a double extension such as Statement.pdf.exe, which File Explorer shows as “Statement.pdf” when it is set to hide known extensions (its default);
  • macro-enabled Office files (.docm, .xlsm);
  • password-protected archives, which mail filters cannot scan, especially when the password is supplied in the message body;
  • files asking you to “enable content” or “enable editing”;
  • invoices or receipts you never expected;
  • supposed court notices or NBI notices in suspicious formats;
  • fake HR forms, resumes, or procurement documents.

Even PDF files can be used in social engineering. The issue is not only malware; it is also deception.
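The link and attachment checks in questions 5 and 6 can be run mechanically over a saved message. The Python script below is an added example written for this article, not code from any bank, mail provider, or the article’s original author. It assumes a placeholder official domain, examplebank.com.ph, and builds its own constructed phishing message (a link whose visible text names the official site but points at an address in the 203.0.113.0/24 documentation range, a shortened link, a double-extension executable, and an archive) so that it runs offline on Python 3.9 or later with the standard library only. It compares what each link shows with where it really goes, flags bare IP addresses, shorteners, and login pages off the official domain, and judges attachments by their declared filename.

```python
# Body-level triage of a suspicious email: do the links go where their text
# says, and are the attachments of a kind that should never arrive unannounced?
# Standard library only; Python 3.9+ (str.removeprefix).
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumption: the impersonated organisation owns only this placeholder domain.
OFFICIAL_DOMAINS = {"examplebank.com.ph"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
DOC_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
EXT_WARNINGS = {
    **dict.fromkeys([".exe", ".scr", ".bat", ".cmd", ".js", ".jar", ".vbs", ".hta",
                     ".lnk", ".iso", ".img"], "executable, script, or mountable image"),
    **dict.fromkeys([".docm", ".xlsm", ".pptm"], "macro-enabled Office file"),
    **dict.fromkeys([".zip", ".rar", ".7z"], "archive, unscannable if password-protected"),
}
# Adequate for triage of mail-client HTML; a production tool would use a real parser.
ANCHOR_RE = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def same_site(host: str, site: str) -> bool:
    """True if host is site or a subdomain of it, ignoring a leading 'www.'."""
    h, s = host.removeprefix("www."), site.removeprefix("www.")
    return h == s or h.endswith("." + s)


def link_flags(text: str, href: str) -> list:
    """Red flags for one anchor: where the text claims to go vs where it goes."""
    flags, host = [], host_of(href)
    if not host:                       # mailto:, relative path, or empty href
        return flags
    if IPV4_RE.fullmatch(host):
        flags.append(f"link to bare IP address {host} instead of a domain")
    if host in SHORTENERS:
        flags.append(f"shortened or masked link via {host}")
    t = text.lower()                   # what the reader actually sees
    if t.startswith(("http://", "https://", "www.")):
        shown = host_of(t if "://" in t else "https://" + t)
    else:                              # plain text that names the official site
        shown = next((d for d in OFFICIAL_DOMAINS if d in t), "")
    if shown and not same_site(host, shown):
        flags.append(f"text shows {shown} but link goes to {host}")
    official = any(same_site(host, d) for d in OFFICIAL_DOMAINS)
    if "login" in urlsplit(href).path.lower() and not official:
        flags.append(f"login page hosted off the official domain: {host}")
    return flags


def attachment_flags(part) -> list:
    """Red flags for one attachment, judged by its declared filename."""
    name = (part.get_filename() or "").lower()
    root, ext = os.path.splitext(name)
    inner = os.path.splitext(root)[1]  # ".pdf" in "statement.pdf.exe"
    flags = []
    if ext in EXT_WARNINGS:
        flags.append(f"{name}: {EXT_WARNINGS[ext]}")
    if inner in DOC_LIKE and ext in EXT_WARNINGS:
        flags.append(f"{name}: double extension {inner}{ext} disguised as a document")
    return flags


def assess_body(raw: str) -> list:
    """Parse a raw message and return every body-level red flag it contains."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        for href, inner_html in ANCHOR_RE.findall(html_part.get_content()):
            visible = re.sub(r"<[^>]+>", "", inner_html).strip()
            flags.extend(link_flags(visible, href))
    for part in msg.iter_attachments():
        flags.extend(attachment_flags(part))
    return flags


def build_sample() -> str:
    """Constructed phishing message, not a real one. 203.0.113.0/24 is the
    documentation address range, so the IP link leads nowhere."""
    msg = EmailMessage()
    msg["From"] = '"ExampleBank Customer Support" <alerts@examplebank-online.com>'
    msg["Subject"] = "Final notice: account suspension in 24 hours"
    msg.set_content(
        '<p>Dear customer, your account will be suspended in 24 hours. Verify at '
        '<a href="http://203.0.113.45/examplebank/login.php">https://www.examplebank.com.ph/secure</a> '
        'or through <a href="https://bit.ly/3abcxyz">our secure portal</a>.</p>'
        '<p>Official site: <a href="https://www.examplebank.com.ph">www.examplebank.com.ph</a></p>',
        subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Statement_of_Account.pdf.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="Invoice_0412.zip")
    return msg.as_string()


if __name__ == "__main__":
    for flag in assess_body(build_sample()):
        print("-", flag)
```

Run against a real message, replace build_sample() with the contents of a saved .eml file. The genuine “www.examplebank.com.ph” link in the sample produces no flag, which is the point: the script reports only where the visible text and the true destination disagree, or where the destination is a kind no institution uses.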

7. Can the message be independently verified without replying to it?

This is the decisive step.

Do not reply to the suspicious email to ask if it is real. Do not call the number listed only inside that email. Do not click the provided portal.

Instead, verify through:

  • the official website you already know,
  • the official mobile app,
  • the number at the back of your bank card,
  • the published customer service number,
  • your known account manager,
  • your HR department using a known internal contact,
  • a prior legitimate thread,
  • or in-person verification where appropriate.

VI. The most common scam email patterns in the Philippines

1. Bank and e-wallet phishing

The email claims to come from a bank, GCash, Maya, a remittance service, or another payment platform. It says your account is locked, compromised, under review, or due for verification.

Typical goals:

  • stealing login credentials,
  • capturing OTPs,
  • getting card details,
  • installing malware,
  • or tricking you into calling a fake hotline.

2. Delivery and parcel scams

The email claims you have a package on hold due to:

  • unpaid customs fee,
  • incomplete address,
  • re-delivery fee,
  • import tax,
  • warehouse charge,
  • or failed verification.

This works because many people regularly order online.

3. Government impersonation

The email pretends to be from:

  • BIR,
  • SSS,
  • PhilHealth,
  • Pag-IBIG,
  • LTO,
  • BI,
  • NBI,
  • DOJ,
  • local government offices,
  • or courts.

It may threaten penalties, legal action, account deactivation, tax enforcement, or license issues.

Government-themed scam emails are especially serious because they exploit fear of official sanctions.

4. Job offer and recruitment scams

The email offers:

  • overseas jobs,
  • remote admin work,
  • encoder jobs,
  • easy commissions,
  • embassy-related hiring,
  • or interviews that require payment, ID submission, or app download.

Some scams are used for identity theft. Others are used for advance-fee fraud.

5. Business email compromise

This often targets companies, accounting teams, and executives.

Examples:

  • a fake email from the CEO instructing an urgent fund transfer;
  • a supplier supposedly changing bank account details;
  • a lawyer or auditor requesting confidential documents;
  • payroll redirection requests from an employee whose account was “changed.”

These scams can cause major financial loss even without malware.

6. Fake invoice or procurement scams

The attacker sends a fake statement of account, notice of payment due, purchase order, or bid-related document. Businesses that move quickly may pay first and verify later.

7. Romance, inheritance, and advance-fee fraud

Classic scams continue through email, often mixed with social media. The email promises money, contracts, grants, humanitarian aid, crypto gains, or inheritances in exchange for fees or identity documents.

8. Legal threat scams

The email claims you are being sued, reported, blacklisted, or charged, and instructs you to click an attachment or settle immediately.

This can amount to intimidation, extortion, or fraud.


VII. Technical signs that an email may be fake

A user does not need to be an IT expert to spot many scam emails, but technical clues are useful.

1. Mismatch between display name and actual email address

Very common and easy to miss.

2. Domain spoofing or lookalike domains

The name is very close to the real one but not exact.

3. Strange reply-to address

Sometimes the visible sender looks normal, but replies go to a different suspicious address.

4. Suspicious headers

Advanced users or IT teams can inspect email headers for:

  • the actual sending server (the Received: lines, read from the bottom up; the lowest one is the first hop),
  • the return path (the envelope sender, which the recipient never sees and which often differs from the visible From),
  • SPF, DKIM, and DMARC results, which the receiving server records in an Authentication-Results: header,
  • routing anomalies,
  • message ID inconsistencies.

Most mail clients expose the raw message (“Show original” in Gmail, “View message source” or the message Properties in Outlook). Failure of authentication checks is a strong warning sign, though not every user will inspect this directly. Read the verdict only from the Authentication-Results: line added by your own provider; a sender can insert a fake one of its own.

5. Generic greeting

“Dear customer,” “Dear user,” “Valued account holder,” instead of your real name. Not always fraudulent, but suspicious if paired with urgent action.

6. Odd grammar, formatting, or time stamps

Still relevant, though many modern scams now use polished language.

7. Image-only emails

Some scam emails place text inside images to evade filters.

8. Hidden malicious link buttons

A clean-looking “View Document” or “Verify Now” button may lead elsewhere.

9. Unusual sending time or pattern

For example, an internal company email supposedly sent by a local executive at an odd hour, with unusual wording and a high-pressure payment instruction.


VIII. High-risk legal scenarios

Certain kinds of emails require immediate caution because the legal and financial consequences are serious.

1. Emails involving money transfers

Never rely on email alone to change payment instructions. A change in bank details should always be confirmed through an independent channel.

2. Emails involving employee payroll or HR records

These may be used to steal salaries or personal data.

3. Emails involving personal data

If an email asks for IDs, tax numbers, account numbers, addresses, date of birth, biometrics, or sensitive personal information, stop and verify first.

4. Emails involving legal claims, subpoenas, warrants, tax cases, or court notices

False legal notices are common coercive tools. Real legal notices exist, but they should be confirmed through counsel, agency channels, or direct case verification.

5. Emails involving investments or securities

Promises of guaranteed returns, urgent placements, pre-IPO access, or insider opportunities should be treated with extreme caution.


IX. A step-by-step method to verify an email safely

Step 1: Pause

Do not click, reply, open attachments, or call the number inside the message.

Step 2: Check the full sender address

Expand the sender field and inspect the exact email.

Step 3: Inspect the domain carefully

Read every character. Scam domains rely on speed and inattention.

Step 4: Compare the message against your actual relationship

Did you open an account there? Did you transact recently? Are you expecting this invoice, parcel, notice, or HR message?

Step 5: Hover over links

On desktop, hover to preview the true destination. On mobile, long-press where possible, or avoid the link entirely.

Step 6: Look for pressure tactics or secrecy

Scammers often demand urgency and discourage verification.

Step 7: Verify independently

Use the official app, official website, known hotline, branch, or a previously verified contact.

Step 8: Ask the organization using a trusted channel

Not through the suspicious email thread.

Step 9: Preserve evidence

Take screenshots, save the email, keep headers if possible, and document any payment request or link.

Step 10: Report and contain

If malicious, report it internally and externally where appropriate.


X. What not to do

Do not:

  • click “unsubscribe” in a suspicious email;
  • reply to say “Is this legitimate?”;
  • open unexpected attachments;
  • send OTPs or passwords;
  • log in through emailed links for urgent account issues;
  • trust logos or signatures alone;
  • rely on a single email for payment changes;
  • assume that a message is safe because it reached your inbox rather than spam;
  • assume that mobile devices make you safer;
  • forward a suspicious email to coworkers without warning them that it may be malicious.

XI. What businesses in the Philippines should do

For companies, email verification is not just a security practice. It is also part of legal risk management, data protection, and corporate governance.

1. Establish verification protocols

Require out-of-band confirmation for:

  • supplier bank detail changes,
  • large payments,
  • payroll changes,
  • release of confidential data,
  • requests from senior officers,
  • legal document requests.

2. Train staff

Finance, HR, procurement, executive assistants, legal, and IT are common targets.

3. Use technical controls

Organizations should deploy:

  • spam and phishing filters,
  • email authentication for the company’s own domains (SPF, DKIM, and a DMARC policy of quarantine or reject, so that receiving servers drop mail that forges the company’s From address),
  • secure domain practices, including registering or monitoring obvious lookalikes of the company’s domain,
  • endpoint protection,
  • multi-factor authentication, preferably phishing-resistant (security keys or passkeys) for finance and executive accounts,
  • anti-malware scanning,
  • access logging,
  • and prompt incident response procedures.

4. Create reporting channels

Employees should know exactly where to forward suspicious emails for internal review.

5. Address privacy obligations

If a scam email leads to unauthorized disclosure of personal data, the company may face Data Privacy Act issues in addition to criminal concerns.

6. Keep internal policies updated

Policies should cover:

  • acceptable verification methods,
  • remote work communications,
  • document release procedures,
  • and incident escalation.

XII. Email headers, SPF, DKIM, and DMARC — what they mean in plain language

These are email authentication mechanisms. A simplified explanation:

  • SPF lets a domain publish which servers may send mail on its behalf. The receiving server checks the envelope sender (the Return-Path), not the From line you see, so SPF on its own does not protect the visible sender.
  • DKIM adds a cryptographic signature over the body and selected headers, verified against a public key published in DNS by the signing domain (the d= tag). It confirms that the signing domain authorized the message and that the signed parts were not altered in transit; the signing domain need not be the From domain.
  • DMARC ties the two together: it requires the SPF or DKIM domain to align with the visible From domain and publishes what receivers should do on failure (none, quarantine, or reject). A domain whose policy is p=none only asks for reports; spoofed mail still reaches inboxes.

For ordinary users, these are usually checked by mail providers in the background. For businesses and IT teams, they are critical. A failed or suspicious result may indicate spoofing.

Important point: passing these checks is helpful, but not absolute proof of safety. An attacker can still use a newly registered lookalike domain that authenticates correctly, send from a free-mail account that passes for its own domain, or send from a genuine mailbox that has been compromised.

So the question is not only whether the email passed authentication, but whether the domain itself is truly the correct one.
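The sender-domain checks in question 2 of Section V, the reply-to and header clues in Section VII, and the authentication results just described can be combined into one header-level triage. The Python script below is an added example for this article, not code from any mail provider or from the original author. It assumes a placeholder trusted domain, examplebank.com.ph, and three constructed messages: a spoofed From on the real domain with failing authentication, a free-mail sender whose display name imitates the bank but which authenticates perfectly, and a genuine notice. It reads the Authentication-Results header that a receiving server writes and needs only the Python 3 standard library.

```python
# Header-level triage: who really sent this, where do replies go, and what did
# the receiving server's SPF, DKIM and DMARC checks conclude? Standard library only.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the impersonated organisation owns only this placeholder domain.
TRUSTED_DOMAINS = {"examplebank.com.ph"}
# Consumer mailbox providers; no bank or agency sends customer notices from them.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
             "proton.me", "protonmail.com"}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def domain_of(address: str) -> str:
    """The part after the last '@' is the true domain; the display name is not."""
    return address.rpartition("@")[2].lower()

def is_trusted(domain: str) -> bool:
    """Exact trusted domain or a subdomain of one (mail.examplebank.com.ph)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character tricks such as paymayaa.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is unrelated."""
    if is_trusted(domain):
        return None
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]                      # "examplebank"
        if brand in domain or levenshtein(domain, t) <= 2:
            return t
    return None

def parse_auth_results(header: str) -> dict:
    """Map spf/dkim/dmarc to the verdict word in an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header or "")}

def assess_headers(raw: str) -> list:
    """Return human-readable red flags found in the headers of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display name claims the institution but the address lives elsewhere.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    claims_brand = any(b in display.lower().replace(" ", "") for b in brands)
    if claims_brand and not is_trusted(from_dom):
        kind = "a free-mail provider" if from_dom in FREE_MAIL else "an unrelated domain"
        flags.append(f"display name '{display}' but address is on {kind}: {from_dom}")
    target = lookalike_of(from_dom)
    if target:
        flags.append(f"sender domain {from_dom} imitates {target}")

    # 2. Replies or bounces quietly diverted to another mailbox.
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and domain_of(addr) != from_dom:
            flags.append(f"{header} domain {domain_of(addr)} differs from From")

    # 3. Verdicts written by the receiving server (never trust one the sender adds).
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        verdict = results.get(mech, "missing")
        if verdict != "pass":
            flags.append(f"{mech} result: {verdict}")
    return flags


# Constructed samples, not real messages; mx.receiver.example is the recipient's server.
SPOOFED = """\
From: "ExampleBank Customer Support" <alerts@examplebank.com.ph>
Reply-To: examplebank-verify@outlook.com
Return-Path: <bounce@mailer-xyz.example>
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=mailer-xyz.example; dkim=none; dmarc=fail header.from=examplebank.com.ph
"""
FREEMAIL = """\
From: "ExampleBank Customer Support" <examplebankhelpdeskverify@outlook.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=outlook.com; dkim=pass header.d=outlook.com; dmarc=pass header.from=outlook.com
"""
GENUINE = """\
From: "ExampleBank Alerts" <alerts@mail.examplebank.com.ph>
Return-Path: <bounce@mail.examplebank.com.ph>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=mail.examplebank.com.ph; dkim=pass header.d=examplebank.com.ph; dmarc=pass header.from=examplebank.com.ph
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("free-mail", FREEMAIL), ("genuine", GENUINE)):
        print(name, assess_headers(raw) or ["no header-level red flags"])
```

The free-mail sample passes SPF, DKIM, and DMARC and is still flagged, because the domain that authenticated is simply not the bank’s; that is the point made above. Two caveats when running this on real mail: a Return-Path on another domain is common for bulk mail sent through a third party, so treat that flag as weak on its own, and read authentication verdicts only from the Authentication-Results line your own provider added, since anything earlier in the header chain was under the sender’s control.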


XIII. How scammers use social engineering

Most scam emails do not depend on advanced hacking. They depend on human behavior.

They exploit:

  • fear,
  • greed,
  • urgency,
  • obedience to authority,
  • embarrassment,
  • confusion,
  • curiosity,
  • and routine.

Examples:

  • “Your manager needs this wire transfer now.”
  • “Your account will be deleted.”
  • “This is confidential, do not call.”
  • “You have a refund waiting.”
  • “Open the attached complaint immediately.”
  • “Failure to act today will trigger penalties.”

The law punishes the fraud, but prevention depends heavily on discipline and procedure.


XIV. The role of personal data in email scams

In the Philippines, many scam emails are more convincing because scammers already know some of your information:

  • full name,
  • mobile number,
  • address,
  • employer,
  • recent purchase activity,
  • old passwords,
  • IDs,
  • or bank relationships.

This may come from breaches, scraping, leaks, oversharing, malware, or prior scams.

If an email contains true personal information, do not assume it is legitimate. Sometimes partial truth is exactly what gives the fraud credibility.


XV. How to evaluate specific categories of email

A. Bank emails

Treat as suspicious unless confirmed through the official banking app or official hotline. Never use the link in the message for urgent credential re-entry.

B. Government emails

Check the exact official domain and verify through the published government website or office contact. Be especially cautious with threats, fines, and attachments.

C. School or university emails

Verify through the school portal, registrar, or official office. Fake tuition or enrollment notices can be highly convincing.

D. Employer emails

Check the sender’s true address, the tone, the history of prior threads, and whether the request fits established workflow. Financial instructions should never rely on email alone.

E. Vendor and supplier emails

Confirm any change in invoice, banking, or delivery details through a known phone number or existing vendor contact.

F. Courier and shopping emails

Use the official app or site to check order and tracking status rather than the email link.

G. Lawyer or court-related emails

Verify the lawyer, firm, case reference, and service method carefully. A threatening PDF is not proof of a real case.


XVI. What evidence to preserve if the email is suspicious

For legal, reporting, and internal investigation purposes, preserve:

  • full screenshots of the email,
  • the sender address,
  • the subject line,
  • the date and time received,
  • the body of the message,
  • any link destinations,
  • attachments without opening them, if possible,
  • full headers if available,
  • records of any replies or calls,
  • proof of any payment or transfer,
  • account logs showing suspicious access,
  • and notes on what happened and when.

This can matter for criminal complaints, bank disputes, privacy incident handling, and internal forensics.

Do not alter the evidence unnecessarily.


XVII. What to do if you already clicked or responded

1. If you clicked a link but entered nothing

  • close the page;
  • run a device security scan;
  • clear suspicious downloads;
  • change passwords if the page seemed malicious and you may have been exposed;
  • monitor accounts.

2. If you entered your password

  • change the password immediately using the official site or app;
  • log out other sessions if available;
  • enable or reset multi-factor authentication;
  • check recovery email, phone number, and security settings.

3. If you gave bank or e-wallet details

  • contact the bank or platform immediately through official channels;
  • request account protection or temporary blocking if appropriate;
  • monitor unauthorized transactions.

4. If you gave an OTP or PIN

Act immediately. This is highly serious. Contact the financial institution at once.

5. If your business made a payment

  • notify the bank immediately;
  • escalate internally to finance, legal, IT, and management;
  • preserve the email chain and payment details;
  • act fast because recovery chances often depend on speed.

6. If personal data was disclosed

Consider data privacy implications, internal reporting, and protective measures against identity misuse.


XVIII. Where to report in the Philippines

The right reporting path depends on what happened.

1. The affected institution

If the email impersonates your bank, e-wallet, employer, school, or vendor, notify the real institution immediately.

2. Your email provider or company IT team

Report phishing through the email system and internal security channel.

3. Bank or e-wallet

If money or access is involved, contact them immediately through official hotlines or in-app support.

4. NBI Cybercrime Division or PNP Anti-Cybercrime Group

Appropriate for criminal complaints involving fraud, hacking, phishing, identity theft, and related cyber offenses.

5. National Privacy Commission

Relevant where personal data breaches or unlawful processing of personal data are involved.

6. Other regulators or agencies

Depending on the scam, complaints may also involve regulators with subject-matter jurisdiction.

When reporting, provide organized evidence and a clear timeline.


XIX. Can the sender be held liable under Philippine law?

Potentially yes, though practical recovery and enforcement depend on identification, evidence, jurisdiction, and the sophistication of the scheme.

Possible legal exposure may include:

  • criminal liability under cybercrime laws,
  • criminal liability for estafa or related fraud,
  • civil liability for damages,
  • administrative or regulatory exposure where institutions fail in certain duties,
  • data privacy liability where personal data misuse is involved.

But there is an important distinction:

  • The scammer’s liability is one issue.
  • Your ability to recover money or identify the perpetrator is another.

Scammers often use fake names, foreign infrastructure, mule accounts, compromised accounts, or layered identities. Prompt reporting improves the chance of tracing funds and preserving records.


XX. Are organizations automatically liable if you are fooled by a fake email?

Not automatically.

A bank, business, or platform is not automatically liable merely because someone impersonated it by email. Liability depends on the facts, such as:

  • whether the scammer actually breached the institution’s systems;
  • whether the institution failed to maintain reasonable safeguards;
  • whether its own channels were compromised;
  • whether misleading communications contributed to confusion;
  • whether there was negligence, privacy noncompliance, or security failure.

In some cases, a user is deceived by a purely external spoofing attack. In others, a broader system or data compromise may exist. The legal analysis turns on evidence.


XXI. Special note on “from a lawyer,” “from court,” or “from government” emails

In Philippine practice, these should be treated carefully, not casually.

A real legal email may contain:

  • formal references,
  • names of lawyers,
  • docket or case details,
  • service instructions,
  • PDF attachments,
  • or demands.

But those same features can be copied.

The safe approach is:

  • verify the law office independently,
  • search known contact details outside the message,
  • confirm case existence through proper channels where applicable,
  • and consult actual counsel before acting on threats, admissions, or payments.

Do not assume every legal-looking email is genuine. Do not ignore a real one without checking. Verify first.


XXII. How courts and investigators would likely view your evidence

In disputes involving scam emails, what matters is not your impression that it “looked fake” or “looked official,” but objective evidence such as:

  • email address and domain;
  • header information;
  • account logs;
  • device activity;
  • payment records;
  • screenshots and preserved content;
  • timelines;
  • witness explanations of internal procedures;
  • proof of the usual communication channel;
  • and whether verification steps were followed.

This is why preserving the original message and related records is important.


XXIII. Practical red-flag checklist

An email is highly suspicious if it has several of these at once:

  • you did not expect it;
  • it asks you to act urgently;
  • it requests secrecy;
  • it threatens penalty or closure;
  • it asks for passwords, OTPs, or financial details;
  • the sender domain is misspelled or unusual;
  • links do not match the real site;
  • attachments are unexpected;
  • it asks for payment to a new account;
  • the tone is unlike prior legitimate messages;
  • it comes from a free email account posing as an institution;
  • reply-to details are different from the sender;
  • there is pressure to bypass standard procedure.

The more of these present, the greater the risk.


XXIV. A simple household rule for families and small businesses

Before responding to an email that asks for money, identity information, login credentials, or urgent action, apply this rule:

Stop, inspect, verify, and confirm outside the email.

That single habit prevents many losses.


XXV. Best practices for ongoing protection

For individuals

  • use strong unique passwords;
  • enable multi-factor authentication, preferring an authenticator app, passkey, or security key over SMS OTPs, which scammers routinely ask victims to read back;
  • keep devices updated;
  • use official apps rather than email links;
  • monitor bank and e-wallet activity;
  • be cautious with attachments;
  • do not overshare personal data online.

For professionals and businesses

  • enforce callback verification for payment changes;
  • train teams regularly;
  • implement email authentication and security controls;
  • segment approval authority;
  • protect executive accounts;
  • maintain incident response playbooks;
  • preserve logs and audit trails.

XXVI. Final legal and practical conclusion

To verify whether an email is legitimate or a scam in the Philippines, the correct approach is not guesswork and not visual trust. It is a structured verification process grounded in identity, domain accuracy, independent confirmation, and evidence preservation.

A legitimate email is one whose sender, content, request, and technical origin align with a real and authorized communication. A scam email typically reveals itself through one or more warning signs: a suspicious domain, urgency, a request for sensitive data, a misleading link, an unexpected attachment, or a demand that bypasses ordinary procedure.

In Philippine legal context, scam emails may trigger liability under the Cybercrime Prevention Act, the Revised Penal Code provisions on estafa and related offenses, the Electronic Commerce Act, the Data Privacy Act, and other applicable rules depending on the facts. But prevention remains the first line of defense. The safest rule is constant across all settings: never rely on the email itself as proof that the email is genuine.

The decisive step is always independent verification through trusted official channels.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.