It’s happened again… one of my clients got scammed by an email they received. It can happen to even the most vigilant person. It can happen to you!

Have you noticed how increasingly frustrating it is to sort legitimate email from those who wish to part us from our money? No matter how careful you may be at identifying and separating scam and junk emails from your legitimate email, someone else in your organization may not be so savvy — which can lead to bigger problems!

Watch For Warning Signs

Before you even click to open a suspicious email, there are clear warning signs visible in your inbox. Misspelled sender domain names and grammar mistakes are red flags warning you to tread carefully.

Email Scam - Fake Message From PayPal

The example shown is a typical scam email made to look like it was sent by Google about the status of our Google AdWords account. (Or it could be from your domain registrar, PayPal, your bank, your email service provider, etc.) It seems legitimate enough at a glance.

This is a typical “phishing” scam trying to get its victim to click through to a fake page and attempt to log in, exposing the username/password to the scammer. If the victim is busy and the email has an alarming warning (e.g. “your service has been canceled”), the victim might react before thinking.

Can You Trust Your Employees?

Although you may be extremely vigilant, how savvy are your colleagues to catch a scam?

I’m suspicious by nature. Here’s what I do to evaluate suspicious email if my spam filter or other method doesn’t flag it:

  • I take my email account offline. That way I can open the message and reduce the chance of sending a tracking alert back to the sender that the email was opened.
  • I click on the sender information to look for an obviously incorrect address, but that can be faked to look legitimate.
  • I’ll view more details of the header information to determine where it was sent from.
  • I’ll mouse-over (not click) the main call to action URL in the body of the email. Often that displays a URL that doesn’t match the URL displayed in the body text. I pick the main call-to-action URL because sometimes other URLs in the email are legitimate to make you think it’s a real email.
  • Bad grammar and misspellings are often a tell-tale sign.
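The header check, the mouse-over link check and the misspelled-domain warning sign from the list above, carried out as an added Python example (this is not code from the original post). The message it analyzes is a constructed sample modelled on the AdWords lure described earlier, using example-only hostnames and addresses, and TRUSTED_DOMAINS is an assumed list of the brands the reader deals with.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands the reader does business with. Their subdomains are accepted.
TRUSTED_DOMAINS = ["google.com", "paypal.com"]

# Constructed sample modelled on the AdWords lure; every host and address is an
# example/documentation name, not real infrastructure.
SAMPLE_EMAIL = """\
Received: from mail.adwords-billing-alerts.example (mail.adwords-billing-alerts.example [203.0.113.10])
 by mx.example.org with ESMTP; Mon, 01 Jan 2024 09:00:00 +0000
Return-Path: <bounce@adwords-billing-alerts.example>
From: Google AdWords <noreply@google.com>
Reply-To: support@adwords-billing-alerts.example
To: victim@example.org
Subject: Your AdWords account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been canceled. Restore it now:</p>
<p><a href="http://accounts-google.example/login">https://adwords.google.com/login</a></p>
<p>Read the <a href="https://support.google.com/adwords">help center</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, i.e. what a mouse-over would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings such as paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike:<domain>' or 'unrelated' for a hostname."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    for d in trusted:
        brand = d.split(".")[0]
        # brand buried inside a label ("accounts-google") or one edit away ("googIe")
        if any(brand in lab or edit_distance(brand, lab) <= 1 for lab in host.split(".")):
            return "lookalike:" + d
    return "unrelated"


def domain_of(msg, header):
    """Domain part of an address header, '' if the header is absent."""
    return parseaddr(str(msg.get(header, "")))[1].rpartition("@")[2].lower()


def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Header view: does the visible From agree with the envelope and reply path?
    from_dom = domain_of(msg, "From")
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg, hdr)
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # 2. Where it was sent from: the bottom-most Received header is the earliest hop.
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)", str(received[-1])) if received else None
    origin = m.group(1).lower() if m else ""
    if origin and from_dom and not (origin == from_dom or origin.endswith("." + from_dom)):
        findings.append(f"first hop {origin} is not under From domain {from_dom}")
    # 3. Mouse-over check: visible link text vs. real target, plus lookalike targets.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != target:
            findings.append(f"link text shows {shown} but points to {target}")
        verdict = classify_host(target)
        if verdict.startswith("lookalike"):
            findings.append(f"link target {target} imitates {verdict.split(':')[1]}")
    return {"from_domain": from_dom, "origin_host": origin,
            "links": collector.links, "findings": findings}
```

Running `analyze(SAMPLE_EMAIL)` flags the Return-Path and Reply-To that disagree with the displayed From, a first hop outside google.com, and the main call-to-action link whose visible text says adwords.google.com while the href goes to a lookalike host; the decoy “help center” link to support.google.com produces no finding, which is exactly why the post says to inspect the main call-to-action URL rather than any link. The lookalike test is deliberately crude (brand name inside a label, or one character off) and will not catch every trick, so treat a clean result as “nothing obvious”, not as proof of legitimacy.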

Best Practices

If your spider-sense starts tingling, do not click through – no matter how tempting it may be.

  • Don’t click links in emails that ask you to take an action, such as to log in to change your account information.
  • Bookmark the real URLs of banks and companies you do business with and always use the bookmark to visit the website. That way you can’t mistype a URL and end up at a fake site designed to look like the real one.
  • Don’t click “unsubscribe” or reply back to the sender. That only verifies your email address and encourages the sender to mail more to you. You’re better off just deleting it.
  • Be a good netizen and forward fake emails to the companies you do business with. (e.g. phishing@google.com, spoof@paypal.com)
  • If it’s taking you longer than 20 seconds to figure out if the message is legitimate, just delete it. You have better things to do with your time.

Hope you find that useful. Be sure to teach your colleagues and family to be vigilant to such scams.

-Roland