Helpdesk Challenge – how to spot a phishing scam email?

Phishing scams try to trick you into passing on username and password details by reply or by leading you to a site that looks like the official site of a bank or other online service.
While early examples were crude and easy to spot, the scammers now post messages or links to sites that are hard to tell apart from the official pages of trusted companies.
Computer users with Twitter, Amazon, Facebook and other accounts are used to receiving updates and notifications from those sites. With so many arriving, it’s easy to click through a malicious link without thinking.
One way to avoid these scams is to install a decent security program – read our Which? reviews of the best security software for recommendations – but a little knowledge and a keen eye can help too, as we’re about to explain.
Anatomy of a scam - how to spot a phishing scam email
Below is a screen capture of an email I received last month. I realised it was a scam quickly enough, but it was sufficiently convincing to make me do a double-take.
Dig a little deeper, however, and the warning signs are all there:
There’s plenty there to lure in the unsuspecting. This looks very similar to a typical Paypal receipt email, right down to the logo of Paypal itself.
The transaction amount, £39, is just high enough to catch your attention, but not so high as to be dismissed outright as a scam (I’m looking at you, Nigerian emails with promises of millions).
But let’s look at the red flags:
- The email is listed as from Paypal, but the email address is shown in brackets as skypepayment@skypepayment.co.uk
- Further down the email, the merchant is listed as sales@skype.com – that’s an inconsistency between the domain names of the two listed email addresses
- It asks you to log into your Paypal account, but says it may take a few moments for the transaction to appear. That’s time that could be spent skimming your account details.
- There’s no mention of a shipping address, which should be your home address, something a scammer is unlikely to know. Though as it’s a digital transaction (allegedly), you may well look past this.
- The biggest flag of all: when you hover your cursor over the link that promises a refund, the true URL appears in the grey box at the bottom of the window, and it has nothing to do with Paypal.
Verdict? Scam. And I’ll admit, a good one.
If I’d followed that link to something that looked convincingly like a Paypal page and logged in, I’d have given away my account details to goodness knows who.
Scam emails are becoming more sophisticated than ever, so be on your guard and watch out for similar warning signs to the ones above.
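As an added example (not part of the Which? article), the checks in the list above written out as a small Python script run over a constructed message modelled on the email described: the sender’s display name is compared with the domain it was really sent from, every address in the headers and body is grouped by owner domain, and each link’s visible text is paired with the host it actually points to, which is what hovering over the link shows. The two email addresses are the ones quoted in the article; the subject line, body text and refund URL (on a reserved example.net host) are made up for the example, and the owner-domain helper is a deliberately naive approximation.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the email the article dissects. The two
# addresses are the ones quoted in the article; the subject, body text and the
# refund URL (a reserved example.net host) are made up for this example.
RAW_EMAIL = """\
From: PayPal <skypepayment@skypepayment.co.uk>
To: undisclosed-recipients:;
Subject: Receipt for your payment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear PayPal customer,</p>
<p>You sent a payment of &pound;39.00 to merchant <b>sales@skype.com</b>.
It may take a few moments for this transaction to appear in your account.</p>
<p>If you did not authorise this payment,
<a href="http://refund.example.net/paypal/login">click here for a full refund</a>.</p>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class LinkCollector(HTMLParser):
    """Pairs each link's visible text with its real href, i.e. what hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def registrable_domain(host):
    """Naive owner-domain guess: last two labels, or three when the second-level label
    is a generic one such as 'co' (skypepayment.co.uk rather than co.uk)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_tokens(display_name):
    """Words of three or more letters in the display name, e.g. 'PayPal' -> ['paypal']."""
    return [t.lower() for t in re.findall(r"[A-Za-z]{3,}", display_name)]


def analyse(raw):
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    brands = brand_tokens(display)

    # Flag 1: the display name claims a brand that the real sending domain does not carry.
    if brands and not any(b in from_domain for b in brands):
        flags.append(f"sender shows as '{display}' but the address is at {from_domain}")

    # Flag 2: addresses in the headers and body belong to more than one owner domain.
    domains = sorted({registrable_domain(a.rsplit("@", 1)[1]) for a in EMAIL_RE.findall(raw)})
    if len(domains) > 1:
        flags.append("addresses span several domains: " + ", ".join(domains))

    # Flag 3: a link whose visible text promises the brand but whose real host is elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            host = urlparse(href).hostname or ""
            if brands and not any(b in host for b in brands):
                flags.append(f"link '{text}' really goes to {host}")
    return flags


if __name__ == "__main__":
    for flag in analyse(RAW_EMAIL):
        print("RED FLAG:", flag)
```

Run as-is it prints three red flags for the sample message, one for each of the checks in the list above. The link check deliberately looks only at the host, not the path: a brand name buried in the path, as in the sample URL, is exactly the trick the grey box at the bottom of the window exposes.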
- How to spot an online scam – avoid the pitfalls with our handy guide
- Best Buy anti-virus security software – we round up the best security suites
- Dealing with scam calls – top tips for slamming the phone on scams
Terry
To ensure I don’t respond to a scam I will always open my direct link to the company concerned. I do NOT respond or go through the email connection.
Always use your direct link and NEVER the email link.
rakzdiu
If a spam email claims to be from a brand or company, check its email address against the original or a previous email you received from them in your inbox. If anything is suspect, never click any links or open any attachments. Delete it.
Use the built-in filter feature to stop receiving spam email (most email providers offer filtering features).
john mccolgan
If in doubt, bin it. If it’s important, a real business will get in touch by post or other means.
Jackie Starkie
Genuine suppliers or companies you already do business with, like banks, Amazon, Paypal, Which?, etc., would show your full email address in the “to” section of the email (not a “blank” or empty box, as in this example spam email). Plus the email would usually open its message with a personal salutation like “Hello John” or “Hello Mr Brown”, whatever name you instructed that company to use when contacting you.
Additionally, with banks or similar institutions, they usually include another element known only to them and to you, such as an extract of your account, maybe four consecutive digits of the account number, or something like that. All or any of those features were missing from this spam email. In other words, you should see on the first page of a genuine message at least two different elements of the personal contact information that you have with that business. If they are not there, you should immediately suspect the message and either just bin the email immediately or, if you prefer, separately contact the company to verify or deny the email. But to do that you should use your normal contact procedure, NOT the link provided in the suspect message.
These tips are in addition to the comments already mentioned by Which? and other postings.