Why Email Is Still the #1 Attack Vector
Scammers continue to use email as their primary attack channel because it works. A well-crafted phishing email impersonating Amazon, PayPal, Social Security, or a bank can be almost indistinguishable from a real message. Billions of phishing emails are sent every day, and even people who consider themselves tech-savvy sometimes get fooled.
For seniors who may not have grown up with email culture, the cues that signal "this is suspicious" are not intuitive. They need to be explicitly taught. The five steps below can be delivered as a casual conversation, ideally while sitting together at a computer looking at real examples.
The 5-Minute Email Safety Lesson
Step 1: Show Them How to Check the Real Sender Address
This is the most important skill. Every email shows a display name — the name that appears in the inbox, like "Amazon Customer Service" or "Your Bank." But the display name can say anything. What matters is the actual email address behind it.
In Gmail and most email clients, you can see the real sender address by clicking or tapping the display name in the "From" field. The actual address will appear in angle brackets, like: Amazon Customer Service <support@amaz0n-help.net>
Teach your parent to check this every time an email asks them to click a link, provide information, or take any action. Amazon's real emails come from @amazon.com. PayPal's come from @paypal.com. A bank email from anything other than the bank's official domain is fraudulent, regardless of how official it looks.
Step 2: The Hover Trick on Links — Never Click What You Can't Verify
Show your parent how to hover their mouse cursor over any link in an email without clicking it. In the bottom-left corner of the screen (in most browsers and email clients), the actual destination URL will appear.
The rule is simple: if the URL shown in the bottom corner does not match the company the email claims to be from, do not click it. An email from "Chase Bank" with a link that goes to "ch4sebank-secure.com" is a phishing attempt. The hover trick reveals this instantly without any risk.
For mobile users, a long press (tap and hold) on a link shows the destination URL without opening it.
Step 3: Urgency Always Means Danger
This is perhaps the simplest rule to remember and explain: legitimate companies do not use emergency language in emails.
Red-flag phrases to recognize immediately:
- "Your account will be suspended in 24 hours"
- "Immediate action required"
- "Your package could not be delivered — click here NOW"
- "Unauthorized login detected — verify your identity immediately"
- "Final notice: your account has been compromised"
Real companies send routine notifications. They do not threaten account suspension in emails. They do not use countdown timers and all-caps urgency language. Whenever an email creates a sense of emergency, your parent should treat it as suspicious by default.
The rule is: urgency in email = slow down, not speed up. The more urgent an email sounds, the more carefully you should examine it before taking any action.
Step 4: Legitimate Companies Never Ask for Passwords by Email
This is an absolute rule with no exceptions. No bank, government agency, company, or service will ever ask you to reply to an email with your password, PIN, Social Security number, or full credit card number. Ever.
Any email asking for this information — regardless of how official it looks, what logos it displays, or how urgently it is worded — is fraudulent. Period. There is no legitimate scenario where replying to an email with a password or sensitive personal information is appropriate.
Teach this as a non-negotiable rule. If your parent forgets everything else from this lesson, this one rule alone will protect them from a significant proportion of phishing attempts.
Step 5: When in Doubt, Go Directly to the Website
If your parent receives an email that seems to be from their bank, Amazon, Social Security, or any other important institution, and the email says something needs their attention, teach them this approach: do not click any link in the email. Instead, open a new browser tab and type the company's website address directly into the address bar.
If there is actually a problem with their account, they will see it when they log in through the official website. If no problem appears on the official website, the email was fraudulent. This one habit — going directly to the source rather than clicking email links — eliminates the primary mechanism of nearly all email phishing attempts.
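The sender, link, and urgency checks from Steps 1 to 3 can also be written as code, which makes the logic explicit: the domain is read from the right-hand end, and the link's real href is checked rather than its visible text. This is an added example, not part of the original lesson or of any product's code; the OFFICIAL map, the function names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand keyword -> official domain, kept by whoever runs the check.
OFFICIAL = {"amazon": "amazon.com", "paypal": "paypal.com"}
# Urgency phrases taken from the Step 3 list.
URGENT = re.compile(r"suspended in 24 hours|immediate action|click here now|"
                    r"verify your identity immediately|final notice", re.I)

class LinkCollector(HTMLParser):  # collects each <a> href, not the visible text
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def on_domain(host, official):
    """True only for the official domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == official or host.endswith("." + official)

def check_email(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"] or "")
    body = msg.get_payload()
    findings = []
    brand = next((b for b in OFFICIAL if b in name.lower()), None)
    if brand:
        official = OFFICIAL[brand]
        if not on_domain(addr.rpartition("@")[2], official):      # Step 1
            findings.append(f"sender {addr} is not on {official}")
        links = LinkCollector()
        links.feed(body)
        for href in links.hrefs:                                  # Step 2
            host = urlsplit(href).hostname
            if not on_domain(host, official):
                findings.append(f"link goes to {host}, not {official}")
    if URGENT.search(f"{msg['Subject']}\n{body}"):                # Step 3
        findings.append("urgency language")
    return findings

# Constructed sample message (not real mail).
PHISH = ("From: Amazon Customer Service <support@amaz0n-help.net>\n"
         "Subject: Immediate action required\n\n"
         '<a href="http://amazon.com.account-check.example/login">amazon.com/login</a>')
```

Calling check_email(PHISH) returns three findings: the off-domain sender, the off-domain link, and the urgency language.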
The Practice Session: Real vs. Fake Examples
After explaining the five steps, make the lesson concrete with examples. Search online for "phishing email examples" and show your parent a side-by-side comparison of a real bank email and a fake one. Point out the sender address difference, the urgency language, and the suspicious link URL. Seeing real examples makes the abstract rules click.
Create a Simple Cheat Sheet
Write out five bullet points on a piece of paper or an index card and put it somewhere visible near their computer:
- Check the real sender address (click the display name)
- Hover over links before clicking — does the URL match?
- Urgent = suspicious — slow down
- No one asks for passwords by email
- When unsure, go directly to the website — don't click the link
For a deeper dive into email threats, read our full guide on phishing emails targeting seniors. And pair email security with two-factor authentication so that even if a password is compromised, accounts remain secure.