The different faces of email threats

Email scams come in all shapes and sizes. Some are so obvious they're laughable - no effort has gone in to disguise a scam.

But don’t think they’re all like that. Email scams only seem to get more conniving and creative. These are the kind that even the most computer-savvy gen-zer, who grew up sleeping on an iPad, would look twice at before realizing. Where, were they not so fiendish, you might even take a step back and admire the approach. We’re going show you how to recognize phishing, and other common email scams and guard against them.

A quick blast from the past

Many of us remember the very early days of email scams—halcyon days when we were both more naive, but also, less trusting of emails. When we received a scam, we read it with confused interest, trying to work out why the sender would think we were the right person to come to for help. 

Who remembers The Spanish Prisoner? An unfortunate soul of great wealth, who desperately needed us to help pay his ransom so he could be released from prison. Amusingly, this scam actually pre-dates email, originating in the early 19th century. A maverick Internet Surfer somewhere evidently decided to digitize it.

These days, email scams play much more to the strengths of their digital format. Unlike some of the OG scams, they utilize advantages that the Internet has come to offer over the years — like the ability to easily process payments online, an increased reliance on email for our most important communications, and the evolution of social media to name but a few.

Clues of a scam, right off the bat

Before we take a closer look at the different types of email scams, we’re going to share some general rules you can employ to help you identify an email scam/spam — because they all share common elements — a sender, a subject line, body text, and perhaps most importantly, the need to read and believed.

Company/sender name

Look out for:

1. Typos or the incorrect stylization — Paypal vs. PayPal. 
2. Something that feels overly descriptive or unlikely — AA Car Emergency vs. AA.
3. Companies you don’t shop/deal with — A note from Barclays when you bank with Lloyds.
4. Anything that seems strange — From symbols and bizarrely named companies, to strange spacing — sometimes there’s something that just feels wrong about the sender.

Sending email address

Look out for:

1. An incongruous email address — Something that is at odds with the company name.
2. Lookalikes — An address that’s designed to look like the real company. This could be the domain (@paypalcare.com) or the TLD (@paypal.club). 
3. Errors — Typos or other irregularities in the address.

Subject lines

Look out for:

1. Phrases designed to provoke urgency — ‘Warning: Final payment notice’.
2. Over-promising language — ‘Earn £1000 in five minutes’.
3. Language that provokes a strong emotional reaction — ‘You’re hired! Start tomorrow!’
4. Typos — Con artists aren’t known for their good grammar.
5. Excessive use of punctuation or emojis — Few real companies use these.
6. The presence of ‘Re’ — Might be used to suggest you have replied before when you haven’t.
7. Buttons and attachments —  Always refrain from clicking buttons or downloading attachments in suspicious emails.

Body text

Look out for:

1. Unbelievable promises — Similar to the subject line version, but there’s room for expansion in the body text which gives the opportunity to make lies more compelling.
2. Calls to action that seek personal information — Especially address or card details.
3. References to anything you don’t remember — From events to services you never received
4. Impersonation — Someone claiming to be a friend or relative, but they don’t sound like themselves.

Now that you have some background on how con artists can manipulate different parts of an email, let’s examine specific examples. 

Malware

For many, malware attacks are probably the first kind of rogue email we actually feared. Back then, we probably just referred to them as email viruses. Open it up, your screen goes black. Game over. That kind of thing.

In reality, malware covers a wide variety of malicious attacks — and some of them are, frankly, a fair bit scarier than swift computer death. 

Monitoring keystrokes? Draining your CPU without your knowledge? Spying on you? Forcing dodgy ads to pop up every five minutes? Yes, malware covers a wide variety of little programs that embed themselves in your computer without your knowledge, and their functions range from things associated with nefarious pranksters to full-blown criminals. They’re evasive, and often tricky to get rid of — that’s if you know they’re there.

How to detect malware

If you’re experiencing any of the symptoms listed above, there’s a good chance it’s malware. This may have come from an email — but not necessarily. There are other ways these programs can embed themselves in your computer too — downloads, dodgy websites, and even rogue hardware devices. If you ever find a USB stick in the street, don’t see what’s on it.

Protect yourself from malware

At the risk of stating the obvious, try malware detection software. But go for something reputable. 

If you Google how to prevent malware in the first place, the top advice is to install anti-virus software. Personally, I don’t know anyone who has done this since the late 2010s, but who am I to contradict the entirety of human knowledge and mass experience homogenized into a one-line answer from Gemini, served in a fraction of fraction of a second?

That being said, the threat protection offered by operating systems is generally better than it was in the early days, Windows especially updates to protect against threats, but more importantly, a lot of email software is doing the work for us, by filtering out suspicious emails before they reach us. 

It’s a good idea to find an email provider that promotes good protection against malware, and scans your emails before they reach you. This is particularly good when it comes to avoiding psychological attacks (and we’ll come onto those in a moment).

If we speak of protection, rather than prevention, it’s a good idea to keep regular backups, in case you are stung by one of these attacks. I personally recommend something like Mega Sync, which updates every time you hit save on a file.

Phishing

These days, you’re probably most likely to encounter an email phishing scam. Why? Because like a catchy melody, or the smell of springtime, we’re all susceptible to their charms. But how can you identify phishing?

Phishing attacks are effective because of their versatility. Sometimes it’s not hard to detect phishing. They can be anything: Literally anything that gets someone to input their personal data. Think of any reason you might feel compelled to share your personal data, or send someone money, and it has the potential to become a phishing email.

Here are just a few examples, and bear in mind, the key to phishing is that all of these emails look real, but are fake:

1. Password reset notification.
2. Fill out missing bank details.
3. Complete your postal address to enable delivery.
4. Renew your subscription.
5. You’re a competition winner!
6. A friend in need asking for help.
7. Tax refund notification.
8. Asking for charitable donations.

If you haven’t seen a phishing scam, are you even a phish? They’re so ubiquitous it's hard to imagine email without them. But there’s more than one way to phish…

Spear phishing and whaling

Spear phishing and whaling target specific individuals, often with more aggressive tactics.

Spear phishing uses personal knowledge, usually obtained from several sources, to craft more convincing emails. Because it’s written using personal information, it could reference real friends, situations, or even impersonate a bank (etc) more convincingly. If you think this feels unlikely to happen to you, do bear in mind that most people have more publicly accessible information online than they realize.

If someone posed as your friend, and referenced a very specific event that you both attended a decade ago, why wouldn’t you believe it? It might take a while to remember that you posted about it in detail on Facebook, and that the post is publicly viewable. When they ask you to borrow money, perhaps you’d lend a hand. 

We are all susceptible to spear phishing, which makes it more dangerous than the more obvious scams. One fortunate caveat is that the level of research required to pull off a spearphishing scam successfully is offputting to most scammers. It’s easier to hedge their bets on a mass email that fewer people will respond to. But is that where AI will come in in the future? We need to stay vigilant.

Whaling

So, what is whaling? Well, in a lot of ways, a whaling attack is pretty much the same as spear phishing, but is specific to targeting wealthy individuals, like CEOs. 

The sad reality is that their status both makes them better targets to invest time into, and other factors, (like their wealth, responsibility, lack of time, and large contact base), means there are several potential weaknesses to exploit. For example, perhaps they only need to convince a PA or secretary that they have the CEO seal of approval. So, it seems commercial whaling is always a bad thing.

How to protect against spear phishing and whaling 

Beyond what is listed in our general guide above, you should also set up strong spam filtration. The human factor is really where phishing emails shine. If malware is a simple trick, then on some level, phishing requires us to be complicit. After all, we must give our information away. As we’ve discussed, it does this by appealing to our emotional response.

So ensuring we never come in contact with it in the first place is the strongest way to combat it. Spam filters look for multiple elements when considering an email that we as humans can’t. They cross-reference blacklists, known behavioral patterns, and even a method known as Bayesian filtering. This compares an email’s content with known spam vs. legitimate emails to calculate the probability that it is spam. Also, good spam filters will take into account what other users mark as spam creating what’s known as a user feedback loop.

Compromised business email

Slightly different from everything we’ve looked at so far, this comes from the opposite angle — the idea that a legitimate email account has been compromised. It needn’t be a business account, but for the sake of this entry, there are some more interesting factors to talk about if we imagine it is.

If a scammer can illegally gain access to a business email account, they can pose as workers to request funds, or even access to other internal systems that may include sensitive data.

Compromising a business account also monopolizes on another social quirk inherent in many businesses, particularly larger ones: It’s unlikely every member of staff knows everyone else. This, combined with the fact people are expected to be polite within a work environment means these emails have extra bonuses compared with private accounts.

How to protect against this

Ensuring all employees use two-factor authentication (2FA), and choose strong passwords greatly diminishes the risk of stolen/hacked accounts. 2FA ensures that the account holder will always know if someone tries to break in, and a strong password makes brute-force attacks harder. 

You can also decrease the likelihood of future issues by immediately deactivating the accounts of employees who leave the company. A boneyard of disused accounts gathering dust is just an accident waiting to happen.

Fake invoices 

One of the themes you might be noticing is the exploitation of different emotional extremities. So far we've considered the fear or carelessness of a CEO and the supposed apathy of one employee towards another. Now let's try anger.

Someone claims you owe them money, and demands immediate repayment. They're angry, they say things that make you doubt your own recollection, or create a circumstance you can’t be sure isn’t real. The vitriol and anger ensues until it almost seems easier to pay them.

This may not feel as likely for many of us, but perhaps that's the worst thing about it: The chances are, ‘we’ aren't their targets. Their success will be the vulnerable. Those who perhaps really can't remember, or are more trusting of strangers. 

Prevention

If we assume that we won’t pay random invoices we get by email, it might be worth using this opportunity to suggest talking to those in your life who are less experienced online. Ask them if they need help identifying scams, and explain that just because someone is demanding money doesn’t make their claim legitimate. After all, we need to look after one another, and nobody wants to see someone walk right into an obvious scam. 

There are resources you can guide people to that can take them through it in a user-friendly way.

Job offer scams

Unlike some of the others, these can be tough for even the most seasoned of us to spot. One reason for this is that they don’t exist in the vacuum of email. If any of us received an email out of the blue saying we’d got a job, we’d know right away that it was spam. But what if that wasn’t how it happened?

What if the scam started as a real listing on a real job site? You applied for it alongside a bunch of other real jobs, and it seemed every bit as likely as all the others. Well, then this is an email you’re expecting — hoping for, even. And, similar to spear phishing, this creates a more elaborate opportunity for a scam. Because you are now a willing participant — at least, at first.

But in what?  These scams can take myriad forms, but essentially, like the ancient pyramid schemes of the past, they ask for money upfront under the guise of covering costs, purchasing equipment, or even training for the position — and none of it is real. Sometimes, there could even be others in the system who believe it is real as well and this can suggest legitimacy where there is none.

How to spot a job offer scam

There are certain clues you can look out for when you’re applying for jobs that could indicate the job isn’t legitimate:

1. Unrealistic salaries — If something’s too good to be true, it probably is.
2. Vague or improbable jobs — Would someone really need or want someone to perform this role?
3. No interviews needed — Or eagre job offer without due diligence.
4. Unprofessional communications — Asking for more data than should be required.
5. Lack of online presence of company — Or a company whose website looks a bit dodgy. Stock images, implausible reviews, no real content — that kind of thing.

Equally, you don’t want to eliminate legitimate jobs just because of a badly put-together listing. So the main thing to look out for is anyone asking for money before you start. There are almost no instances where a job should require you to pay for anything upfront, much less perform any duties for free.

How ever sure you are about the process up to that point, the moment talk turns to transferring money, rest assured — it’s a scam.

Romance scams

Arguably the strongest emotional manipulation of all: How we feel when we're in love. 

I have personal experience of someone on a dating app asking to borrow money (which is where this kind of scam is most likely to occur these days). It isn’t as uncommon as you might think — and in some cases, we might struggle to even think of it as a scam… 

Lines quickly get blurred when our hearts begin to rule our heads. Perhaps a part of us even thinks “maybe I am being taken for a fool, but what's ten quid when it comes to love?”. But that person could be spending all day on the dating app. If they get ten people a day to donate a tenner, then that’s actually not a bad wage. And it most certainly would be classed as a scam.

How to stop yourself falling in love for a romance scam

At the risk of turning into an agony aunt, don’t be led by your heart. If your head says it’s a scam, then it probably is. Never give money to someone you don’t know well, however much they claim to love you. It is a sad fact of life that people use extremities of emotion for manipulation. 

Prize scams

Most of us probably remember getting a flier in the post saying we’d won a lottery, and we had to call a number to claim our prize. I suppose it was inevitable this, too, would become an email. 

There’s not a great deal to say here that hasn’t been said in the other entries. Perhaps we can simply create a mantra for life. If an email says you won a prize, you didn’t win a prize*.

*Unless you won a prize. But you definitely didn’t win a prize. Stop thinking about the prize.

Prevention

Look, you really, really didn’t win a prize. Buy a lottery ticket if you must — but hit that spam button.

Protecting yourself and others

On a serious note, whether spam or scam, it’s really no laughing matter. People really get hurt, lose money, or feel stupid afterwards. 

We’ve suggested several ways to protect yourself, but it really boils down to three things:

• Enable as much security as you can

Whatever your provider offers, whether it’s 2FA, automatically generated passwords, or even encryption — you name it. Set these up. They just make your account a little bit more difficult to hijack. 

• Choose a security-minded provider

A provider with strong spam management software and frequent security updates is probably your best form of ongoing protection. Most of the scams we’ve outlined begin and end with spam management. If we never see them, they’re never an issue. 

• Keep your finger on the pulse

Phishing scams never stop evolving. They target you, not your inbox, so you are your own best defense.

Are there any practices you use to avoid falling for spam and scams? We’d love to hear them! Leave any thoughts or questions in the comments section below