Four classic email scam tactics
If you’ve ever fallen for an email scam, you know that it’s easy to see the mistake in hindsight. Recognising the scam before it gets you is the real challenge.
In this guide, I’ll show you the most common tricks that cyber criminals use to create email scams.
1. Exploiting brand trust
Cybercriminals hope we won’t think twice about clicking emails from the brands we know and trust. That’s why so many of these scam emails come dressed up as communications from your bank, telco or energy provider – even government departments.
In your rush to deal with these official looking emails, you might:
- Click on a link or open an attachment that downloads ransomware or spyware.
- Enter private credentials into a phishing page that mimics the real thing.
Check out these emails that mimic MYGOV and the ATO. See if you can identify some of the tell-tale errors that mark them out as fakes. I’ll make a list of answers at the end of this post.
Toying with your emotions
Scam emails often evoke emotions like curiosity, urgency and fear to short-circuit our conscious thoughts and trick us into acting rashly. This leads us to submit our confidential data through dodgy emails. Look out for:
- Emails offering a prize, money or other opportunities; or emails with very little information which appear to be innocuous. These are all designed to stir your curiosity.
- Urgent subject lines like ‘Action Required,’ or time-sensitive instructions designed to create a sense of urgency.
- Extortion threats or warnings of suspicious financial activity designed to induce fear.
The DHL email below is an example of one designed to make you curious enough to click on the attachment, which will contain some kind of malware; but there are several obvious giveaways, can you spot them?
The second, extortionate, email is one I commonly get panicked calls about. It tends to look legitimate because the scammer is able to correctly quote one of your own passwords to you. However, I can assure you that they have not been accessing your computer. They have found your credentials on a list of leaked information from a compromised data source. You can check which of your accounts is the culprit at haveibeenpwned.com.
It is safe to ignore this email unless the password is current for any of your logins – in which case you should change that password immediately.
3. Exploiting personal trust
A whaling attack (also known as Business Email Compromise or CEO fraud) takes advantage of the relationship between colleagues. By leveraging the power that a higher level executive has over a subordinate, the scammer makes demands for an urgent payment transfer or confidential information.
Scammers will either use publicly available information to ‘spoof’ the email account of a senior executive or, more worryingly, their actual hacked account.
You can see in the examples below that a hallmark of these sorts of emails is often an apparent unwillingness or inability to discuss the transaction in person. That’s because the simplest way to protect yourself from this scam is to pick up the phone and speak to your supervisor.
4. Banking on your distraction
It’s pretty simple psychology. If you’re going to try and trick someone, it’s best to do it when they’re busy or distracted.
There are specific seasons of the year when people are busiest, such as end of financial year and end of calendar year.
Sales and discounting events like Boxing Day, Black Friday and Cyber Monday also make you more vulnerable to online fraud as scammers use the time-sensitive nature of the sales deals to prompt you to click on scam email links without taking the usual precautions.
Cybercriminals often pose as fake retailers to trick consumers. But they also pose as other businesses involved in the supply chain, like parcel delivery, tracking notifications and banking or government services – even your managers and colleagues.
Spending a few minutes to go over an email before actioning it is a small inconvenience compared to the consequences of falling for a phishing or whaling scam. At Proactive IT we are always here for our clients; so if you are ever in doubt over an email, forward it to us and we will verify it for you!
Obvious flaws in some of the above scam emails:
- The sending address is not a “gov.au” account
- The logo is incorrect and there is no government coat of arms
- The final line, “We’ll be in touch soon with more info” is far too informal. Government departments do not communicate this way.
- The email appears to have been sent to numerous recipients at the same time using the BCC field
- The alleged confirmation numbers in the subject line and the email body do not match
- The ATO does not issue refunds to credit cards.
- There is no company logo or shipping information in the body of the email
- The excessive use of exclamation points and threat of 72 hour expiry are designed to prompt immediate action.
Header image designed by Dooder / Freepik.