A suspicious email may use a familiar display name like Payroll, Microsoft, your bank, or a coworker. That name is only the surface.
Reading the sender address helps you slow down and check whether the message is coming from a source that makes sense.
1. Separate the display name from the real address
The display name is the friendly label you see first. The real address is the full email address behind it, such as name@example.com.
Example: an email may show Microsoft Support as the sender, but the address might be microsoft-alerts@gmail.com. That mismatch is a warning sign.
2. Read the domain from right to left
The most important part is the real domain near the end of the address. In security@example.microsoft.com, the domain belongs to microsoft.com. In security@microsoft.example.com, it belongs to example.com.
Attackers often add trusted words near the front because many people stop reading too early.
3. Watch for lookalikes and extra words
Small spelling changes, extra hyphens, odd endings, and unfamiliar domains can make a fake address look close to a real one.
Example: support@paypaI.com with a capital I instead of an l, or billing@company-secure-login.com, should make you pause before clicking anything.
Sender address checklist
- Open or expand the sender details before trusting the message.
- Check the full address, not just the display name.
- Look for misspellings, extra words, and unusual domain endings.
- Be careful when trusted brand names appear before the real domain.
- Compare the address with previous legitimate messages when possible.
- Use a trusted website or contact method if the email asks you to act.
Final Takeaway
The display name is not proof.
A sender name can look familiar while the real address tells a different story. When the message feels important, check the full address before you trust it.