Since the early days of email communication, email-based scams have existed. Today, scammers have adapted to the times and their techniques have become even more sophisticated.
In July 2023 over 3000 phishing emails were reported to the Australian Competition and Consumer Commission’s Scamwatch, with losses exceeding $100,000. Email scams continue to rise each year, and so do the consequences for victims.
Over 3 billion email scams are sent every day. With 90% of cyber-attacks succeeding due to human error, it has never been more important to level up your cybersecurity awareness and keep informed on how to stay safe against this threat.
In this blog, we’ll go over everything you need to know.
How Email Scams Work
Email scams are a form of phishing, an attack that operates through “social engineering” – meaning it manipulates human interactions and psychology to trick people into doing what the attacker wants.
Phishing emails are highly deceitful, often pretending to be from a trusted organisation like your bank, a work colleague, or a company such as Microsoft. Under the guise of this trusted organisation, scammers aim to make you click on a malicious link, download an infected attachment, or provide confidential information such as your login credentials.
Some phishing emails are more targeted than others. Some different methods used by scammers to target their potential victims include:
The most common type of phishing attack, where scammers send out malicious emails to any email address they can obtain. Phishing emails are often sent out in bulk to as many recipients as possible. These emails will be less personalised and often use generic greetings such as ‘Dear Valued Customer’ instead of using your first and last name.
Spear phishing is a more targeted and personalised attack on an individual, group or organisation. Spear phishing aims to exploit information gathered about the individual or group to customise the attack and make the email appear more authentic to the victim.
Whaling is a highly targeted attack against a specific individual, often a “big fish” like a business CEO, CFO, or celebrity. These individuals are chosen because of the potential for a high payoff (such as access to valuable company resources) if the attack succeeds.
Quishing refers to ‘QR code phishing’ and is a devious scam on the rise. Quishing involves tricking victims into scanning fraudulent QR codes to lead them to malicious sites, install malware on their device or steal confidential information. Fraudulent QR codes are often used in phishing emails.
Smishing refers to ‘SMS phishing’ which is an attack sent via short message service (SMS). Hackers often send messages containing misleading information and malicious links to random mobile numbers. Some common examples include sending fake ‘parcel tracking’ links and the ‘Hi Mum’ scam where scammers pretend to be loved ones in need of money.
Vishing refers to ‘Voice call phishing’ and is a phishing attack conducted over a voice call or through voice mail. Vishing attacks usually come from fraudulent call centres and aim to manipulate the victim into providing their confidential information or trick them into installing malware on their device.
Email Scams Have Evolved
Email scams have evolved over time, becoming increasingly complex and sophisticated. Since the early days of email scams, including the infamous ‘Nigerian Prince’ scams, cybercriminals have adopted new techniques and tactics.
Today’s cybercriminals commonly use impersonation tactics to elevate the appearance of legitimacy in their attacks. Top brands such as Microsoft and Facebook are commonly impersonated in email phishing scams. Scammers often create fake social media pages or profiles using existing information that is publicly available.
Cybercriminals are also increasing the personalisation of their attacks, made possible by the large amount of information available on social media and business pages. Scammers can now create tailored messages using personal information found for specific individuals. For example, fake ‘job opportunity’ emails could be sent to an individual with the ‘open to work’ tag on LinkedIn, with a fully personalised message including their full name.
Cybercriminals now have a range of sophisticated tools at their disposal, including automation, artificial intelligence, deep fakes (used to create fake audio and video messages) and even QR codes. These tools are now being used in advanced phishing attacks.
How to Identify an Email Scam
The best way to protect against email threats is education and awareness. If you can identify a phishing email, you can stop the scam in its tracks before any harm is done.
Here’s what you should look out for:
- The email address looks unusual
If the email address of the sender looks unusual, has spelling errors, includes random special characters or has numbers appended at the end, the email may be fraudulent. Legitimate emails will always come from a verified domain. Some phishing emails even alter the sender’s display name, so that the sender appears authentic or may even appear to have come from your own account. To confirm the true email address of the sender, hover your mouse over the “from” display name. This will bring up a small window that will expose the true email address of the sender.
- The email is unexpected
Unexpected or unusual communications can indicate that an email may be malicious. For example, if you get an email claiming that there has been a security breach on your ANZ account, but you don’t bank with ANZ, this is an indication that the email is fraudulent.
- The email contains spelling or grammatical errors
Incorrect spelling and grammar can be an indication an email is fraudulent. Legitimate companies take care to ensure their emails are well written.
- The email demands urgent action
Phishing emails are often designed to cause panic and make the victim rush into action before they can notice any suspicious details. If an email is threatening some type of negative consequence if urgent action is not taken, it can be a sign that the email is a scam.
- The email contains suspicious links or attachments
Phishing emails usually contain sketchy links that lead to malicious sites, or infected attachments which can install malware onto your device if downloaded. If you are unsure about the legitimacy of an email, do not click on any links or download any attachments. To confirm the true destination of a link, you can hover your mouse over it. This will preview the destination address, which appears in a small bar along the bottom of the browser. If this address looks suspicious or does not start with https:// then it is not safe. Note that https:// on its own does not prove a link is legitimate: the padlock only means the connection is encrypted, and scam sites use it too, so always check that the domain itself matches the organisation the email claims to be from.
- The email is requesting personal or sensitive information
An unprompted email from an unfamiliar sender requesting confidential information of any type is an indication it is a phishing email. Most companies will not request this type of information via email.
If you identify any of these characteristics or have any doubt about the legitimacy of an email, you should contact the company directly by calling them on the number found on their official website. They will be able to verify if the email is legitimate or not.
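The checklist above can be turned into a simple automated screen. The following Python script is an added example, not code from the original post or from Ever Nimble: it parses a raw email, compares the sender's display name with the real sending domain, looks for digits in the domain (a lookalike tell), flags urgency language, credential requests and generic greetings, and compares the text shown for each link with the address it actually points to. Both sample messages, including the domains example-bank.com and account-verify-centre7.com, are constructed for illustration and do not refer to any real organisation.

```python
"""Heuristic phishing-indicator checker over a raw email message (added example).

The checks mirror the blog's list: odd sender address, spoofed display name,
urgency, suspicious links, and requests for confidential information.
All sample addresses and domains below are constructed for this demo.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name impersonates a bank, sender domain is a
# lookalike, the link text hides a different destination, and it demands action.
SCAM_EMAIL = b"""\
From: "Example Bank Security" <alerts@account-verify-centre7.com>
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>We detected a security breach. Verify your password immediately.</p>
<p><a href="http://account-verify-centre7.com/login">https://www.example-bank.com/secure</a></p>
</body></html>
"""

# Constructed benign sample: name matches domain, no urgency, no links.
BENIGN_EMAIL = b"""\
From: "Example Bank" <notifications@example-bank.com>
To: jane@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Hi Jane, your monthly statement is now available in online banking.
"""

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "act now")
CREDENTIAL_PHRASES = ("password", "verify your", "login credentials", "account details")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _site(host):
    """Crude 'site' name: last two labels of the host (sufficient for the demo)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:])


def analyse_email(raw: bytes) -> list[str]:
    """Return human-readable phishing indicators found in the raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Sender: does the display name share any word with the real domain?
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    words = lambda s: set(re.findall(r"[a-z]+", s.lower()))
    if display and domain and not (words(display) & words(domain)):
        findings.append(f"display name '{display}' does not match sender domain '{domain}'")
    if re.search(r"\d", domain.split(".")[0]):
        findings.append(f"sender domain '{domain}' contains digits (possible lookalike)")

    # 2. Wording: urgency, credential requests, generic greeting.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body).lower()
    subject = str(msg.get("Subject", "")).lower()
    hit = next((p for p in URGENCY_PHRASES if p in subject or p in text), None)
    if hit:
        findings.append(f"urgency language: '{hit}'")
    if any(p in text for p in CREDENTIAL_PHRASES):
        findings.append("asks for credentials or account details")
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")

    # 3. Links: shown URL vs real destination, and plain http.
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, shown in extractor.links:
        real = urlparse(href)
        if real.scheme != "https":
            findings.append(f"link is not https: {href}")
        if shown.startswith(("http://", "https://")) and _site(urlparse(shown).hostname) != _site(real.hostname):
            findings.append(f"link text shows '{urlparse(shown).hostname}' but points to '{real.hostname}'")
    return findings


if __name__ == "__main__":
    for finding in analyse_email(SCAM_EMAIL):
        print("-", finding)
```

Each indicator is reported separately rather than collapsed into a single verdict, because any one of them can appear in legitimate mail; the value for a reader is seeing how several weak signals stack up in the constructed scam while the benign statement notice produces none. A script like this supplements, rather than replaces, the step of phoning the organisation on the number from its official website.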
For even more tips on how to stay protected online, you can read our blog on How to Prevent Cybersecurity Incidents.
How Ever Nimble Can Help
When it comes to protecting against email threats, education and awareness are critical.
At Ever Nimble, our CAT (Cyber Awareness Training) platform provides just that. The CAT platform delivers essential cybersecurity training through video lessons, phishing simulations and more. In addition, it provides extensive cybersecurity risk reporting, dark-web scanning, and policy toolkits.
Ready to access expert cybersecurity support and level up your cyber protection? Contact us on +61 8 6381 6900 or get in touch with us here.