Have you noticed how increasingly frustrating it is to sift legitimate email from those who wish to part us from our money? No matter how vigilant you may be at identifying and separating scam and junk emails from your legitimate email, someone else in your organization may not be so savvy — which can lead to bigger problems.

email scam exampleThe example to the right is a typical scam email made to look like it was sent by Google about the status of our Google Adwords account. (Click on it to enlarge the image.) It seems legitimate enough at a glance. Reality is it is a typical “phishing” scam trying to entice the victim to click through to a fake page and attempt to login with their username/password. Within a busy organization it wouldn’t be far-fetched that recipients would forward to the appropriate media managers.

While you may be extremely vigilant, how aware are your colleagues?

I’m suspicious by nature. Here’s what I do to evaluate suspicious email:

  • Take my email account offline. That way I can open the message and reduce the chance of sending a tracking alert back to the sender that the email was opened.
  • I click on the sender information to look for obviously incorrect address, but that can be faked to look legitimate.
  • I’ll view more details of the header information to determine where it was sent from.
  • I’ll mouse-over (not click) the main call to action URL in the body of the email. Often that displays a URL that doesn’t match the URL displayed in the body text. I pick the main call-to-action URL because sometimes other URLs in the email are legitimate to make you think it’s a real email.
  • Bad grammar and misspellings are often a tell-tale sign.

If you’re spider-sense starts tingling, do not click through – no matter how tempting it may be.

Best Practices:

  • Don’t click links in emails that ask you to take an action, such as to login to change your account information.
  • Bookmark the real URLs of banks and companies you do business with and always use the bookmark to visit the website. That way you can’t mistype a URL and end up at a fake site designed to look like the real one.
  • Don’t click “unsubscribe” or reply back to the sender. That only verifies your email address and encourages the sender to mail more to you. You’re better off to just delete it.
  • Be a good netizen and forward fake emails to the companies you do business with. (e.g. phishing@google.com, spoof@paypal.com)
  • If it’s taking you longer than 20 seconds to figure out if the message is legitimate, just delete it. You have better things to do with your time.

Hope you find that useful. Be sure to teach your family and colleagues to be vigilant to such scams.
-Roland