9 Spammy Signs That Email Isn’t Who You Think It’s From
Spot Scams with these Email Security Best Practices
Updated: July 30, 2020
Have you ever received an email from your boss that wasn’t actually from your boss?
Email scams affect everyone. You’re hit with them daily, at home, at work, even on vacation (the nerve!). Luckily, mainstream email platforms—Gmail, Outlook, even your old AOL account—automatically filter obvious spam into a designated “Spam” folder. While platforms like Gmail started moving borderline spam from your main inbox to second-rate “Promotions” and “Social” tabs, marketing spam is child’s play compared to the nasty tricks financial scammers are using lately.
Here, we break down some common tricks we’re seeing scammers use to move from your inbox to your bank account:
Fraud “From” line
As many have discovered firsthand, just because you recognize the name doesn’t mean you know the sender. Almost every part of an email can be manipulated to target you.
How do hackers know so much about you? Information about your schooling, work history, and relationships is likely public somewhere—on Facebook, LinkedIn, a job-finding website. A cursory glance at your online profiles is often enough to extract the names of your family members and coworkers. Mining and using such information maliciously is known in the information security world as “social engineering.”
Source: Department of Homeland Security
With a wealth of shared information at their fingertips, hackers socially engineer predatory email campaigns with the goal of getting money or valuable data. Often, these go out to thousands of people; the senders know that if even a small percentage of people respond, they will make out like bandits.
The good news: If you know what to look for, fraud emails are easier to spot. Again, you are just one in a sea of many unsuspecting victims. Hackers are all about quantity over quality. In their haste to hit more people, they often leave several clues behind. Always check these nine things before replying or following any actions requested in an email:
1. Unfamiliar sender
This one may seem obvious. If you don’t recognize the name, your stranger danger alert should go off. If you do know the name, that alone doesn’t authenticate the email. Remember, hackers can easily fake sender information to make it look like it’s from your boss, coworker, friend, family member, even your significant other.
2. Out of character
If the “From” line of the email indicates the email is from someone you know, ask, “Does this seem like something they’d do?” Would my coworker be sending me an email at 3:23 AM? Would my boss really demand a money transfer without the necessary approvals?
3. Too generic
Just because a hacker knows your name doesn’t mean they know you. Fraud emails tend to have generic subject lines and a bland, robotic tone of voice in the body. If the email doesn’t sound like the person you know, it’s probably not from them.
4. Overly formal
Look for out-of-place copyright lines and overly formal language. Real people rarely sound so rigid and formal over email. Also, copyrights are not typical for email. Chances are, the sender is overcompensating to look more legitimate.
5. Poor grammar
Again, quality is not a hacker’s number one concern. Oftentimes, hackers operate overseas, so their English may be broken or awkward. If the writing is poor, overly formal, lacking capital letters, or difficult to follow, it’s a red flag.
6. Multiple misspellings
Along with poor grammar, a fraud email may also include one or more misspelled words. It’s not uncommon to see basic words misspelled in spam email.
7. Unnecessary urgency
Rarely is a work task or errand as urgent as it will come across in a spam email. Hackers love to use scare tactics to get you to act quickly and irrationally. As represented in the fraud email example above, hackers often stress the urgency of their request in the subject line to get your attention.
8. Misleading Links
Hackers like to disguise malicious URLs by embedding hyperlinks in the email text. To check whether the link matches the text, hover your cursor over the link. The destination URL will appear. If the URLs don’t match, be wary. You should never click on a link or attachment from a suspicious email. TXT files (think Notepad) are the only document type that cannot execute a virus.
Another common trick hackers use involves a slight variation of a legitimate company URL. For instance, instead of Buick.com a hacker might use the number 1 followed by the number 3 to mimic the look of the letter “B”: 13uick. With the right font and kerning, an untrained eye would never know the difference.
9. Too good to be true
The best rule of thumb? If it sounds too good to be true, it probably is. Play it safe. Scan every email for signs of fraud, call the sender to verify identity, and report any suspicious emails to your IT department right away. When in doubt, don’t click, respond, give passwords, or send money.