Fraudulent Emails – How to spot them


You’ve probably seen one: an invoice from someone who would not normally send an invoice, notes from a meeting shared through a file sharing and storage service, or maybe Apple claiming someone has accessed your iCloud account and you need to change the password. These are examples of Spear Phishing scams.

These types of scams use a few key components to appear legitimate:

  • Names of people you know, or have been in contact with
  • Legitimate looking email addresses
  • Authentic looking logos, graphics, and websites
  • Links to websites that look or are real
  • Official looking fine print and/or references to laws

The goal of any phishing or spear phishing scam is to entice you into revealing information you normally wouldn’t, by clicking a link to a website where you can enter it, or even just by replying to the mail. Some are sophisticated enough to entice you to download a program, called a keylogger, that installs on your device and captures what you type, including passwords.

Signs of a Fake Email

Most scam emails appear legitimate at first glance, but quickly fall apart under scrutiny. Here are some tell-tale signs to identify scam emails:

  • Does the email have the same format the ‘sender’ typically uses? Is it the same font? Do they address you as they normally would? Does it use their signature, or the standard format for your organization?
  • Look at the From field on the email. Is the sender’s email correct? Be certain it is not just close, but exact.
  • Are they asking for payment in a way that is not normal? Maybe it is an online payment instead of a check, or using account numbers that are not the usual ones?
  • If there is an embedded link, where does it go when you hover over it? Is it a known legitimate site, or has the site address been shortened or disguised?


If you are wondering how they got your information and the name of a known contact to use in this type of scam, you are not alone. Rarely are these types of scams personal. It is simply a matter of odds. The scammers are making use of information that is readily available and turning it against people all over the world. Information, yours and everyone else’s, is freely shared every day in ways it should not be. Think about all the places your information exists:

  • On your company’s website or other online presences. A lot of information can be gathered with web searches and correlation through email domains, geographic locations or industries. The chances that you will know others in the same industry, geographic area, and company are quite high.
  • As a contact or friend in mobile devices or social media. As apps are installed, your friends list or contacts are often requested. Many people do not read what they are sharing; they simply allow it. That’s a ready-made list for any spear phisher.
  • In transit. Email is insecure unless it is encrypted. Email traffic can be rerouted in many different ways so that a fraudster can read your mail, replicate it, and use your information or address for malicious activities.

Protecting Yourself

How do you protect yourself and your organization? If you’re reading this, you’re already on your way. Education, along with common sense and sound procedures for handling online accounts, is one of the best ways to thwart scammers. With any email you’ll want to:

  • Verify that the sender’s name and email match.
  • Look at any embedded link to be sure it is sending you to a legitimate site. The best option is always to go to the known good site and log in as you normally would, rather than using the link.
  • Verify any invoice against valid PO numbers.
  • Contact the sender if you are unsure if the email is legitimate.
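The sender and link checks from the “Signs of a Fake Email” list and the checklist above can be automated for incoming mail. The script below is an added example, not code from the original post: the known-contact list, the shortener list and the sample message are constructed for illustration, and the lookalike domain in it is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the display name matches a known contact, but the
# address differs by one character and the link text hides a shortened URL.
SAMPLE_EMAIL = """From: "Jane Doe" <jane.doe@examp1e.com>
To: you@example.com
Subject: Invoice 4471 overdue
Content-Type: text/html

<p>Please review the invoice at
<a href="https://bit.ly/3xyz">https://portal.example.com/invoices/4471</a></p>
"""

# Assumed address book: display name -> the exact address that contact uses.
KNOWN_CONTACTS = {"Jane Doe": "jane.doe@example.com"}
# Hostnames of common link shorteners (assumed list, extend as needed).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def check_email(raw):
    """Return warning strings for the signs listed in the post; an empty list
    means none of the automated checks fired, not that the mail is safe."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    warnings = []
    # Sign 1: the name is familiar but the address is only "close", not exact.
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr.lower() != expected.lower():
        warnings.append(f"sender {addr!r} does not match known {expected!r}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        # Sign 2: the real destination is a shortened address.
        if host in SHORTENERS:
            warnings.append(f"link uses a URL shortener: {href}")
        # Sign 3: the visible text shows one site, the href goes to another.
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and shown.lower() != host:
            warnings.append(f"link text shows {shown} but goes to {host}")
    return warnings

if __name__ == "__main__":
    for w in check_email(SAMPLE_EMAIL):
        print("WARNING:", w)
```

Running it on the sample prints three warnings (lookalike sender, shortener, and mismatched link text); the same checks are what the “hover over the link” and “exact, not just close” advice above ask you to do by hand.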

A few other ways to keep your personal data safe:

  • Do not broadcast your email address to the world. On company websites, LinkedIn, or anywhere else your email address might be shown, hide it behind a contact form. You can still be contacted, but the address stays hidden.
  • Do not give apps on your phone or other mobile devices access to your contacts or friends lists unless you know exactly what the information is being used for.
  • Use two-factor authentication on EVERY account; it’s not just for banking.
  • Do not reuse the same password across accounts.

If you or your organization need better controls, or want to protect passwords or sensitive data from these types of attacks, give us a call. We can assist with solutions and training to help keep what you care about safe.