The more "sophisticated" criminals do use presentations that look like the genuine companies they are copying.
The first clue is the sender's address - name and domain. Do they look real even if the rest does?
Does close examination reveal oddities: spelling or grammatical errors, fractured English, wrong or unlikely terms or managers' titles, very subtle differences from the original such as a single-letter or punctuation-mark change?
Another dead give-away is as you describe: it tells you that you have done something you know perfectly well you did not, or that you use a service you do not. Supposed "prizes" in draws you have not entered and never heard of (they don't exist!) are a common example. Another trick is to pretend to be a bank, probably one you do not use, but most dangerously, asking for give-away details.
The "preview thing".
I use BTinternet, and this has a tool via a "More" menu tab on the top tool-bar, called "View Source". Other systems, possibly including yours, may have equivalents so it is worth investigating.
Most of what View Source shows is comprehensible only to a programmer experienced in Internet software, such as command-lines, and anyway a huge chunk is programme code represented by ASCII characters (letters and digits). However, at the top it gives not only the sending address you see openly, but often, on criminal ones, a deeper address through which the message was relayed.
On mine it also shows the security-software's actions and verdicts, though I don't pretend to understand it in detail.
Note that although such tools show at least some of the path, they might not reveal the origin. The most adept IT-crime gangs use complicated routing to evade tracing.
'More' also offers block and delete functions by name and domain, and delete.
Also, do you have available any reporting services, e.g. your ISP, bank or governmental agency, ones that allow you to forward the message to them for investigation?
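As an added example that is not part of the original post, here is one way to pull the details a "View Source" window shows (visible sender, relay path, security verdicts) out of a saved message source. The sample message is constructed using documentation-only domains and addresses, and the names `inspect_source` and `domain_of` are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message source (documentation domains and IPs only).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.isp.example (mx.isp.example [198.51.100.7])
\tby inbox.isp.example with ESMTP; Mon, 06 Jan 2025 10:02:11 +0000
Received: from relay.example.net (unknown [192.0.2.44])
\tby mx.isp.example with ESMTP; Mon, 06 Jan 2025 10:02:09 +0000
Authentication-Results: mx.isp.example; spf=softfail smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=bank.example
From: "Bank Security Team" <alerts@bank.example>
To: you@isp.example
Subject: Your prize is waiting

Body text.
"""

def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rpartition("@")[2].lower()

def inspect_source(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))            # what the reader sees
    _, rpath = parseaddr(msg.get("Return-Path", ""))       # where bounces really go
    # Each server prepends its own Received line, so reverse to get travel order.
    # Only hops written by your own provider are reliable; earlier ones can be forged.
    hops = []
    for rec in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\]", rec, re.S)
        hops.append((m.group(1), m.group(2)) if m else ("?", "?"))
    # Verdicts recorded by the receiving provider's mail filter.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    return {
        "from_name": name,
        "from_domain": domain_of(addr),
        "return_path_domain": domain_of(rpath),
        "hops": hops,
        "verdicts": verdicts,
        # A mismatch is a hint, not proof: legitimate bulk mailers also differ here.
        "envelope_mismatch": domain_of(addr) != domain_of(rpath),
        "auth_failed": any(v != "pass" for v in verdicts.values()),
    }
```

To use it on a real message, save the text from View Source to a file and pass its contents to `inspect_source`.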