How to spot phishing in a disposable inbox
If you generate a disposable inbox and immediately receive a "Welcome to your inbox!" email from someone who is definitely not the disposable provider, you have just met the modern temp-mail phishing economy. It is everywhere. It is sometimes very polished. And the cues that give it away are the same cues that work in any inbox — slightly more pressing here because temp-mail traffic is approximately 70% phishing or malware by volume.
This article teaches you to spot the fakes quickly. The patterns are stable. Once you see them, you'll see them everywhere.
Phishing in a temp inbox is different
On a personal inbox, the attacker's main job is reaching you at all — they have to bypass your spam filter and break through whatever email-reputation systems your provider runs. On a temp inbox, neither of those is in their way. Disposable mail, by design, is open to anyone who knows the address. The address gets harvested by spam tooling almost immediately after creation. The volume of garbage is therefore higher than your real inbox; the question is what to do about each message.
The fast triage
Run every message through this five-question filter, in order. Stop and delete the moment any answer is "no."
- Did I just sign up for the service this email claims to be from, in the last 60 seconds?
- Does the sender domain match the service I signed up for?
- Is the email content consistent with what I expected (e.g. a verification link, not a "winner" notice)?
- Are the URLs in the email pointing to the service's real domain?
- Is the call to action what the service would actually ask?
Most phishing in disposable inboxes fails the first question — the email arrived without you asking. Delete and move on.
Specific patterns
The "you have won" email
Free vacations, lottery wins, gift cards. The signature pattern is high emotion, low effort: usually a single big graphic, a "claim now" button, and a domain that has nothing to do with anyone you've ever heard of. Always fake. Delete.
The "verify your account" email — that you didn't ask for
"Your PayPal account has unusual activity" arriving in a fresh disposable inbox you've never used for PayPal: 100% phishing. The attacker is fishing in a known disposable-domain pool, hoping someone happens to use the same address for their real PayPal account. Don't click. (You wouldn't click on your real inbox either; the same applies here.)
The "package undelivered" email
Always around shopping holidays. "Your DHL package is held at customs; pay $5 to release." The link goes to a credential-harvesting clone of DHL's site. Same advice: did you actually order something with this email?
The "your free trial is expiring" email
Cleverer because you might actually be in a free trial. The tell: the link in the email goes to a domain that looks right but isn't quite. amazonn.com, amaz0n.com, amazon-billing.com — never the real amazon.com.
The "we're emailing you to confirm an unauthorised charge" email
Bank-targeted variant. Asks you to "confirm" by clicking through to a login page. Banks don't email like this; they don't email at all about specific charges from a generic noreply address. If in doubt, log in directly via the bank's app.
Inspecting links without clicking
On desktop, hover the link. The browser shows the real destination at the bottom-left. On mobile, long-press. PocketInbox renders all links with target="_blank" rel="noopener noreferrer nofollow" and shows the destination on hover.
The link text and the link target can lie. https://www.paypal.com as the visible text means nothing if the underlying URL is https://random-attacker-server.com. Trust the underlying URL only.
Specifically check:
- Domain. Is it the real registered domain? support.paypal.com is real; paypal-support.com is not.
- Subdomain trickery. paypal.com.evil-host.tk is on evil-host.tk, not paypal. Read right-to-left.
- HTTPS isn't enough. Phishing sites have HTTPS too. The lock icon means encrypted, not legitimate.
- URL shorteners and redirectors. bit.ly/abc, t.co/..., linktr.ee/... conceal the real destination. Treat with caution.
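To make the right-to-left reading concrete, here is an added example (not PocketInbox's or any provider's code) that pulls every anchor out of an HTML email body and classifies its target against the domain you expect: the registered domain is computed from the right, so paypal.com.evil-host.tk lands on evil-host.tk, shorteners are flagged, and a brand name appearing in the host or the visible text while the target lives elsewhere is reported as a lookalike. The public-suffix table, the shortener list and the sample body are constructed for the example; a production checker would use the full Public Suffix List.

```python
"""Added example: classify the links in an email body against the expected
service domain. Not PocketInbox code; the suffix table is a stand-in for the
real Public Suffix List."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, shortened public-suffix table (real code: the Public Suffix List).
PUBLIC_SUFFIXES = {"com", "org", "net", "co", "ly", "ee", "tk", "co.uk"}
# Shorteners/redirectors named in the article; they hide the real destination.
SHORTENERS = {"bit.ly", "t.co", "linktr.ee"}


def registrable_domain(host: str) -> str:
    """Return the registered domain (eTLD+1) by reading labels right-to-left,
    so paypal.com.evil-host.tk resolves to evil-host.tk, not paypal.com."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest public suffix first ("co.uk" before "uk")
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def classify_link(href: str, text: str, expected_domain: str) -> str:
    """'ok' if the target is on expected_domain, 'shortener' if it hides the
    destination, 'lookalike' if the brand appears in the host or the visible
    text but the target is elsewhere, otherwise 'mismatch'."""
    host = urlparse(href.strip()).hostname or ""
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        return "shortener"
    if reg == expected_domain:
        return "ok"
    brand = expected_domain.split(".")[0]
    # Visible text may itself be a URL (the link-text lie from the article).
    text_host = urlparse(text.strip()).hostname or text.strip().lower()
    if expected_domain in text_host or brand in host:
        return "lookalike"
    return "mismatch"


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_html(body: str, expected_domain: str) -> list:
    """Return [(href, verdict), ...] for each link in an HTML email body."""
    parser = _AnchorCollector()
    parser.feed(body)
    return [(h, classify_link(h, t, expected_domain)) for h, t in parser.links]


# Constructed sample body covering each pattern from the article.
SAMPLE_BODY = """<p>Action required on your account.</p>
<a href="https://support.paypal.com/verify?id=1">Verify now</a>
<a href="https://paypal.com.evil-host.tk/login">https://www.paypal.com</a>
<a href="https://random-attacker-server.com/p">https://www.paypal.com</a>
<a href="https://bit.ly/abc">Claim now</a>
<a href="https://paypal-support.com/help">Help</a>
<a href="https://random-attacker-server.com/win">Claim now</a>
"""

if __name__ == "__main__":
    for href, verdict in audit_html(SAMPLE_BODY, "paypal.com"):
        print(f"{verdict:10} {href}")
```

Run it and the only link that comes back "ok" is the one whose registered domain is paypal.com; every other line is a reason not to click, which is the same decision the hover check gives you by eye.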
Attachments
Don't open attachments in a disposable inbox. The threat model is wider than it might seem:
- PDF documents can carry exploits in older readers.
- Office documents (Word, Excel) can carry macros.
- HTML attachments can host phishing pages that load locally and look real.
- ZIP archives can hide executables.
If you genuinely need to read an attachment from a disposable inbox (rare; you signed up for something, they sent you a PDF), open it in a sandboxed viewer like Google Drive's preview rather than downloading.
Sender-side inspection
Modern email senders authenticate through SPF, DKIM, and DMARC. Mail.tm exposes the verification results in its message detail. If you ever need to know whether the apparent sender is the real sender:
- SPF: pass means the IP that sent the email is authorised by the sender's domain.
- DKIM: pass means the email was signed by the sender's private key.
- DMARC: pass means SPF and/or DKIM aligned with the visible From: domain.
A "DMARC: fail" or "DKIM: none" on a high-stakes email is a strong signal of forgery. We don't show these by default in PocketInbox to keep the UI clean, but for power users we expose them in the message reader's "show headers" view.
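The results a provider like Mail.tm shows come from the Authentication-Results header the receiving server writes into the message (RFC 8601). The following is an added example, not Mail.tm or PocketInbox code, that reads that header, checks whether a passing SPF or DKIM result is actually aligned with the visible From: domain, and turns the three results into a verdict. The two sample messages and the receiver hostname mx.receiver.example are constructed; alignment is checked strictly (exact domain match), which is the simpler of the two modes DMARC allows.

```python
"""Added example: read the SPF/DKIM/DMARC results a receiving server recorded
in the Authentication-Results header (RFC 8601) and check that they align with
the visible From: domain. Not Mail.tm or PocketInbox code."""
import email
import re
from email.utils import parseaddr

_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
_PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")


def parse_auth_results(header: str) -> dict:
    """Extract method results and the domains each method was evaluated on."""
    parsed = {"props": {}}
    for method, result in _RESULT_RE.findall(header):
        parsed[method] = result.lower()
    for prop, value in _PROP_RE.findall(header):
        parsed["props"][prop] = value.lower()
    return parsed


def assess_sender(raw_message: str) -> dict:
    """Verdict: 'trusted' when DMARC passes or an aligned SPF/DKIM pass exists,
    'suspect' when results are present but do not vouch for the From: domain,
    'unknown' when the receiver recorded no results at all."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    header = msg.get("Authentication-Results", "")
    ar = parse_auth_results(header)
    props = ar["props"]
    # Strict alignment: the authenticated domain must equal the From: domain.
    spf_aligned = ar.get("spf") == "pass" and props.get("smtp.mailfrom") == from_domain
    dkim_aligned = ar.get("dkim") == "pass" and props.get("header.d") == from_domain
    if not header:
        verdict = "unknown"
    elif ar.get("dmarc") == "pass" or spf_aligned or dkim_aligned:
        verdict = "trusted"
    else:
        verdict = "suspect"
    return {
        "from_domain": from_domain,
        "spf": ar.get("spf", "none"), "dkim": ar.get("dkim", "none"),
        "dmarc": ar.get("dmarc", "none"),
        "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
        "verdict": verdict,
    }


# Constructed sample messages (not real mail); mx.receiver.example is assumed.
GENUINE = """From: PayPal <service@paypal.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Subject: Confirm your email address

Click the link to confirm.
"""

FORGED = """From: PayPal <service@paypal.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=paypal.com
Subject: Unusual activity on your account

Log in now to review.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED)):
        r = assess_sender(raw)
        print(f"{name}: spf={r['spf']} dkim={r['dkim']} dmarc={r['dmarc']} -> {r['verdict']}")
```

The forged sample is the instructive one: SPF reports "pass", but for bulk-sender.example rather than paypal.com, so it says nothing about the visible sender; only the alignment check, or the DMARC result that encodes it, exposes the mismatch.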
OTP-stealing patterns
A relatively new variant: an attacker convinces a victim to type a verification code they just received into a chatbot or phone call. The code in the email is real (the attacker initiated a "forgot password" on the real service), and reading it aloud completes their takeover. Defence:
- Never type or read aloud a code that arrived in any inbox in response to an action you didn't take.
- If a "support agent" calls and asks for a code, hang up and call the company back via their published number.
- Codes are inputs, not currency. Do not exchange them for any reason.
Provider-specific notes
Some providers attract more phishing than others — a function of how widely their domains are scraped by spam tooling. In our experience:
- Maildrop (maildrop.cc) gets the most because it's catch-all. Random local-parts you choose are almost guaranteed to receive at least one phish on creation.
- Guerrilla Mail's domains are well-known to spam tools; expect noise.
- Mail.tm rotates domains and authenticates per-account; its inboxes tend to be quieter unless someone has the address.
- Mail.gw is similarly quiet.
Reporting phishing you find
For especially nasty phish (impersonating a major brand, harvesting credentials), report to:
- Anti-Phishing Working Group (reportphishing@apwg.org).
- The targeted brand directly (spoof@paypal.com, phishing-report@us-cert.gov for US-based attacks).
- Google Safe Browsing's reporting form for malicious URLs.
The mindset
Phishing is a numbers game. You don't need to "beat" attackers; you only need to be slightly harder than the next inbox. The triage habit — five questions, deleted in five seconds — handles 95% of the volume. The remaining 5% is what password managers, hardware keys, and "log in directly to the service rather than clicking the link" are for.
Disposable email and phishing-resistance complement each other. The first reduces what you give attackers; the second reduces the value of what they get when they try. Use both.
Generate an inbox, but read every message with the filter above.