Is this email really from my bank?

Why bank emails are worth a second look

Banks are among the most impersonated organizations in phishing, because a convincing message can push you to log in or "verify" details on a fake page in seconds. The good news: most fakes share the same handful of tells, and you can check every one of them without clicking a thing.

1. Read the real sender address, not the display name

The display name ("RBC Online Banking") is trivial to fake. Tap or hover on the sender to reveal the actual email address. A real bank emails you from its own domain (for example @rbc.com), not from @rbc-secure-login.com, @rbcverify.net, or a free address like @gmail.com. A look-alike domain - extra words, a different ending, a 1 where an l should be - is a strong sign of a fake.

2. Be suspicious of urgency and threats

"Your account will be suspended." "Unusual activity detected." "Verify within 24 hours or lose access." Phishing leans on fear and time pressure so you act before you think. A real bank will not threaten to close your account over an email link.

3. Don't trust the link - check where it really goes

Hover over (or long-press) any button or link to see its true destination before tapping. Fakes use addresses that look almost right but aren't your bank's real site. When in doubt, don't use the email's link at all - open your banking app, or type your bank's address yourself.

4. Watch for requests no real bank makes

Your bank already has your information. It will never email asking you to confirm your full password, card number, PIN, or a one-time passcode. Anyone asking for those by email is not your bank.

5. Generic greetings and small "off" details

"Dear customer" instead of your name, minor grammar mistakes, a logo that's slightly wrong, or an attachment you didn't expect (especially a "statement" or "secure document" you have to open) all deserve a pause - though polished fakes exist, so a clean-looking email isn't automatically safe.

How to check safely

• Never use the email's links to "verify." Open your bank's app, or type the address into your browser yourself.
• Want a second opinion on the message itself? Paste the email into our Email Checker - it analyzes the sender, links, and wording for you.
• Curious whether a domain can even be spoofed? Check whether it uses SPF, DKIM, and DMARC - the email-authentication standards that make impersonation harder.
• If something already happened - you clicked, or entered details - call your bank using the number on the back of your card, and change your password.

The simplest rule: a real bank is happy for you to close the email and reach them yourself. A scammer needs you to use their link, right now.