How to identify and avoid email scams
Published on April 13, 2017 in Information Security


People have been lying in order to con each other out of things since we first began to communicate. In days gone by, the con man had one chance to trick their mark and then had to hightail it out of the area to avoid being hunted down by a lynch mob once the nefarious plot was revealed. Con men had to travel far and wide to find new victims and to avoid being captured. These days, it’s much easier for these scammers. Most of the world has internet, and therefore email, which serves to provide a never-ending supply of targets that can be safely plucked from thousands of miles away.

Why are email scams so popular?

Any scam has to be worth it or it’s not worth doing. A scam that is worth trying has to have a few criteria going for it:

  1. A reasonable chance of success
  2. Some protection against being discovered and captured
  3. Practical in terms of cost and time

Email hits all of these in almost all cases.

A reasonable chance of success

The term ‘reasonable’ is a bit of a moving target. If a certain scam has a one percent chance of success, it is not reasonable for the scammer to travel from town to town and spend a few days at each in the hopes of hitting that one-in-100 mark. In those conditions, the scammer would want a much higher chance of success and so would likely discard any scam with such a poor chance of success.

However, when using email, the scammer has the ability to attempt the scam on literally thousands and possibly millions of targets in a short period of time. A one percent success rate in a pool of millions of targets makes almost any scam ‘reasonable’ to pursue.

Some protection against being discovered

Email provides an almost impenetrable veil to hide behind. Email scammers are not using their own email accounts to perpetrate the fraud. They are using disposable or stolen email accounts which cannot easily be traced back to them. In many cases, the scammers are also operating from countries with little or no internet laws or sophistication. Even if it were possible to identify them, the chances of getting local law enforcement to prosecute are slim.

Be practical in terms of cost and time

While the cost of internet use varies widely across the world, it’s not so expensive that it’s impractical to use for these types of scams. In first world countries almost every household has internet service. Even in less developed countries, wifi cafes are available to large chunks of the population. Many of these email cons are perpetrated by people who don’t even have internet in their house. They borrow wifi from other places, or use internet cafes in their towns. This brings overhead cost to a very low level, even free in some cases.

An added advantage is that it takes very little time to send large numbers of emails. If the message is already typed up and ready to go, it’s possible for a scammer to send an email blast off in a few seconds from an internet cafe and then be gone.

Identifying and avoiding the most common email scams

Email scams and phishing are two very similar, but technically different things. The goal of phishing is usually to gain access to information through tricking someone into divulging their credentials to some important site such as their email or a bank. There’s usually a long game at work with phishing because gaining access to someone’s account is usually not the end goal; rather, using that information to perpetrate fraud or blackmail is common. In contrast, email scams are a shorter game. The goal of an email scam is generally limited to trying to trick someone into sending money to the scammer.

Many scams will attempt to direct you to a fraudulent website at some point. Using a browser that supports Google Safe Browsing such as Google Chrome, Apple Safari or Mozilla Firefox can alert you if you are directed to a known scam site. Safe Browsing only deals with your web activity, though. It can’t alert you about the safety of any particular email you’ve received.

With that goal in mind, an email scam can take any possible form that has a chance of succeeding. Anything that fits the criteria I listed previously is likely to be tried by email scammers. However, email scams that have proven to have worked before satisfy the criteria better. Those scams are known to have a reasonable chance of success and the ones we’ve seen repeated over and over fall roughly into the following categories.

Advance fee

The framework of an advance fee scam is this: You are offered something out of the blue (money, a car, a boat, etc.) for some reason (won a lottery, dead relative, stale bank account, etc.). The scammer wants to arrange for this desirable thing to be delivered to you, but in order to do so you will have to pay some fee in advance. Fees are usually explained as things like shipping fees or legal fees. The scammer promises to send you the item as soon as the advance fee is paid.

The most common scams that fall under advance fee fraud are:

  • Lottery winnings

    The basic pitch is that a scammer informs you that you’ve won a lottery in some country, possibly your own. The winnings are substantial but can’t be paid to you until some fee is paid. The fee is usually described as a legal fee or money transfer and it must be paid in advance. The math is enticing: pay $5,000 in advance fees to get $1,000,000 in winnings. However, once the advance fee is paid, the winnings will never arrive.

  • Nigerian 419 beneficiary

    Email scams originating in Nigeria have reached such epic proportions that the Nigerian Prince has become a punchline of western pop culture. The term 419 refers to the section of the Nigerian penal code which covers fraud. 419 scams are identical in intent to the lottery winning scam in that you must pay some fee in order to release a larger amount of money. The first 419 scams usually involved the story that some rich and unknown relative had died and left money. Over time, however, the 419 scams have really strained the credulity of even the most naive people.

Avoidance

The transaction starts with a request from the scammer for you to send them money. In almost all cases, situations like this will be fraud to some degree. Your best defence is to simply not get involved at all and report the attempt to your law enforcement agency.

If there is some legitimate reason why you need to be involved with this, then do thorough research on the internet about the company and find other people who have dealt with them. Do not use any references supplied by the scammer because they will almost certainly be non-existent, or also be involved in the fraud and will confirm anything you ask in order to get you to send money. Offline references are helpful as well – it’s very easy to produce a website but it’s much harder to plant an entry in a phone book or government licensing listings. Do a thorough check using as many different resources as you can think of before sending any money.

Nigerian prince email scam

Overpayment

The main difference between the Overpayment scam and the Advance Fee scam is that the Overpayment scam doesn’t ask for money in advance. Rather, the scammer will send you money first and then ask you to refund some part of it. In most cases, scammers use classified ads and other sites to identify people who are selling items. The scammer then contacts the seller, makes an offer, and then sends too much money to the seller, citing some unusual reason for the overpayment and giving directions on how to handle the surplus. The seller will be instructed to either refund the difference to the buyer, or send it to some third party for shipping. The scam works because the money that the scammer sent is not valid, perhaps a fraudulent cheque. The entire scam hinges on the seller dispensing the surplus funds before they discover that the original money sent is fraudulent.

Avoidance

Recall that the main characteristic of this type of fraud is to send you too much money and ask that some portion of it be refunded or sent to some third party for some reason. The scammer may introduce this idea during the initial contact when they indicate they want to purchase whatever you’re selling, or it may not become apparent until the payment arrives. In either case, there should be no legitimate reason for money to be funnelled through you to a third party.

It’s also useful to stop and think for a minute about overpayments. If the situation were reversed, and you were buying something from someone you’d never heard of before and had no reason to trust, would it make sense to send that person money in advance at all, never mind sending too much money and then asking them to return or forward a portion of it? The world is not such a trustworthy place that a transaction like that should seem normal.

Disaster relief and pulling at heart strings

This class of scam involves pulling at the heart strings of people to trick them into sending money for some sort of disaster relief fund or to save a group of puppies who are in some mortal danger. The critical part of this scam is to create a sense of incredible urgency. If the mark doesn’t send this money right now, something dire will happen to the suffering people or puppies. The scam counts on the fact that once our emotions are fully engaged, our critical thinking abilities tend to dip and we are more susceptible to falling prey.

In many cases the scammer will craft emails and possibly a website that looks like a legitimate charitable organization. In other cases, the scammer will just make up a convincingly fake charity name.

Avoidance

If you would like to donate money to a relief effort, it’s better to donate directly to a reputable organization than to respond to an email. Contacting an organization such as the Red Cross or Salvation Army directly will ensure that your funds do not end up in a scammer’s hands. It’s also the only way to ensure that you will get a proper charitable receipt for your donation.

If the organization in the email is not known to you, then follow the golden rule: do extensive background checks. All charitable organizations will need to be registered with their respective government in order to be eligible to issue tax receipts. Check the listings of the applicable government that the charity purports to be from to see if it really exists.

Work from home fraud

Work from home fraud gets its own category because of the complexity of the scheme. Some advance fee fraud uses working from home as its mechanism, requiring potential employees to pay an advance fee for materials before employment. But that’s not quite the same thing as work from home fraud.

Some cultures deem working from home to be the ultimate goal. Being able to make a living from your own home without having to deal with the commute or unpleasant coworkers is a very popular idea. Therefore, many people are very susceptible to work from home claims that normally would not stand up to much scrutiny. However, there are some tell-tale signs that the work is probably non-existent, which I will cover in the next section.

Avoidance

There are a lot of tell-tale signs to work from home fraud:

  • Money is required up front to get to work. While it’s not uncommon to have to provide some pre-employment things such as a criminal record check which you may have to pay for, paying for anything directly related to doing the job itself is a warning sign.
  • The work pays much more than it appears to be worth. Adverts claiming you can make $2,000 per week stuffing envelopes are hard to believe. We live in the age of assembly lines and robots. If the job involves doing repetitive manual labour of some kind, a robot could do that much better than a human so it makes no sense to pay humans to do it.
  • The work indicates that you’ll be doing work that would normally require higher education in an office setting. Jobs regarding the transcription of medical records abound, but most medical offices use well-known services to do this type of work because there can be some very high stakes if something is transcribed incorrectly. While some medical transcript companies may use home workers, they will usually have to have undergone some language and competency assessment rather than just replying to an email.
  • The work requires you to purchase kits of some sort that you can re-sell, or use to construct items for re-sale. If the job involves straight re-selling, such as selling cosmetics to friends, it makes more sense for your friends to just take the same job and get the wholesale rate rather than buy from you at retail. If the job involves constructing items for sale, I remind you that things are made by robots and assembly lines these days much more efficiently than humans can.

To avoid becoming a victim of work from home fraud, look for those tell-tale signs. You should also do research about the company in question. If they have a history of scamming people, it’s likely that there will be complaints about that company on the internet. Conversely, if there is no trace of the company at all, that is also a warning sign. Virtually every business has some kind of web site or email address, so a company with no visible presence on the internet is unusual, especially if you consider that this company is using email to contact you.

CEO fraud

CEO fraud involves identifying the person or people within a company who are in charge of the money, and then attempting to get them to transfer money out by impersonating someone with authority to do so, i.e. the CEO.

It is very easy for scammers to use services like LinkedIn to search for all the employees of a given company, and then look at job titles to determine who has control over the money and who has the authority to direct fund transfers. From there, the attempted fraud can range from very complex and hard to catch, to very basic. The basic scam is to send a request to the money person instructing them to transfer some money to some bank account. While this may seem very basic, many companies wire money as a matter of routine so a request like this would not seem out of place. The instructions usually state that the money is for an important deal closing very shortly. There’s always some urgency for the funds to be transferred immediately in order to prevent some bigger loss to the company. The scammers hope that the money person does not have the type of relationship with the requester to see that the request is unusual and will fulfill the request right away.

Avoidance

I recently saw an unsuccessful attempt at CEO fraud. It didn’t work because the money person in this company had a good enough relationship with the CEO to note that the CEO did not normally sign their emails in that way, among other small details. The money person simply picked up the phone and confirmed with the CEO that it was not a valid request and saved the company a large chunk of money.

The best defence against CEO fraud is to ensure that your company has a set procedure for funds transfers which includes double-checks to make sure the request is valid. Another factor that helps defeat this type of fraud is to foster good working relationships at all levels. If a workplace is supportive of questions, then the money person is more likely to lean across their desk to their coworker and say “does this look right to you?” or pick up the phone and call the alleged requester directly.

How to respond to and report email scams

The first rule is to not respond to something that you think is fraudulent. If it happens at work, report it to your security team and your supervisor and let the company figure out the best course of action.

If scam email comes in your personal email, the best course of action is to just delete it or mark it as spam if your email provider has that option. You can also report it to your law enforcement agencies as well. That can be a useful step because these agencies usually operate alert systems whereby they can reach a larger number of people to let them know this scam is happening now. It also helps these agencies gain an understanding of how deep and wide a scam is which can help track the people behind it.

Reporting in Canada

The Royal Canadian Mounted Police (RCMP) is Canada’s Federal police force. It outlines the police agencies to contact depending on the type of fraud. It also indicates that all types of fraud should be reported to the Canadian Anti-Fraud Centre which collects intelligence on mass fraud and identification theft in Canada.

Reporting in the United States

The Federal Bureau of Investigation (FBI) operates the Internet Crime Complaint Center (IC3) which is a central place for lodging complaints about internet fraud. The IC3 may share your complaint with the law enforcement agencies that have jurisdiction for a complaint.

Reporting in the United Kingdom

ActionFraud is the national reporting centre for fraud and email scams in the United Kingdom and works with the National Fraud Intelligence Bureau.

What are Internet Service Providers doing to help?

Internet Service Providers (ISPs) and Email Service Providers (ESPs) typically run extensive anti-spam software. This software analyzes incoming email messages and determines the likelihood of them being spam. Emails that are determined to be spam are usually placed in your Spam or Junk folder, while safe emails are put into your inbox.

Much of the analysis of an email happens behind the scenes and we don’t even see it in action. Spam filters look for things like:

  • Did the email originate from an authorized mail server? Domain owners have the ability to designate which servers are allowed to send email on behalf of their domain by the use of Sender Policy Framework (SPF) DNS records.
  • Does the sending mail server have a reputation for sending email spam?
  • Is the content of the email likely to be spam?

Some of these checks require collaboration to perform. For example, your single email provider may not have enough information to know if the mail server that sent the email has a reputation for sending spam. Likewise, judging the content of an email to be spam can be tricky because some people really are looking for low-rate mortgages and prescription drugs. Those types of checks are done using shared lists such as Spamhaus blacklists. Spamhaus has a large database of characteristics associated with email spam, so if an email shares some of those characteristics, there is a fairly decent chance it actually is spam of some sort.

Having said that, spammers are creative and they are very motivated to get their email scam into your inbox by avoiding these spam filters. There’s no surefire way to be confident that every email in your inbox is safe. Your common sense and paranoia are the last line of defence.

Where to stay on top of new email scams

Email scams are very fluid and change rapidly. Some become widespread and hit mainstream media news shows and newspapers, and some are smaller and come and go without much fanfare. Due to this it’s very difficult for any organization to keep up with a list of current scams in action. It’s therefore important to recognize the hallmarks of a scam, instead of attempting to identify specific characteristics of any one scam.

The governments of many countries maintain some sort of fraud bureau and may publish known scams as alerts which you can monitor.

The Canadian Competition Bureau publishes The Little Black Book of Scams periodically. It’s not clear how often it is updated, so it may not be as good as a current alert list. However, it seems to be the only scam alert type of information that the Canadian government produces.

The United States Federal Trade Commission operates a Scam Alert page and the IC3 publishes an RSS feed of alerts.

The United Kingdom Action Fraud website lists current scams.

“Fleeing Nigerian Prince Email” by Jamil Velji licensed under CC Attribution-Share Alike 3.0
