How to protect yourself from email scams
Due to the pandemic, email scams are on the rise. Here's why, the truth about scams and phishing attempts, and how you can stay safe.
Email has increasingly become a target of opportunity for people looking to make money fast, either directly through scams, or indirectly by trying to deceive you out of your login credentials (phishing). Over the course of 2020, the rate of scams, spam, and phishing has increased even more than normal.
The scams used to be easy to spot. Everyone now knows to ignore Nigerian princes and cut-price Viagra. While there are plenty of simple scams still about, fraud and extortion mails are getting more sophisticated and have increased significantly during the pandemic this year.
This post looks at why cybercrime is so popular over email, and why it's increased this year. We'll also bust some common misperceptions about scams and spam, and explain what we mean when we talk about email fraud. Most importantly, we'll tell you how to be alert and stay safe when these kinds of emails land in your Inbox.
Debunking 3 myths about online fraud
There's no money in it for scammers.
- In Australia, according to Scam Watch, AU$12 million (approximately US$8.5 million) was lost to scams in July 2020 alone.
- While in the US, California alone lost an average of US$48 million per month to cybercrime in 2019.
- When you consider that there are 4 billion users of email worldwide, 306 billion emails are sent every day and over 90% of users in the USA have email, that's a broad target market. You don't need to dupe many people for it to be worthwhile.
All the bad guys are overseas.
- When it comes to fraudulent emails, Russia is the largest source of it (20%), but the next highest source is the USA (10%).
- However, most scams (66%) originate in the US, with 10% from the UK, while Nigeria makes up only 7.5% (I guess there are fewer Nigerian princes than we thought).
I can spot a scam. I'd never fall for it.
- Half the people falling prey to scams are aged 30-50: it's not only 'gullible elderly citizens,' or 'naive youngsters.'
- In March 2020, 53% of all email traffic was spam.
- Stopping fake email from reaching you is an ongoing race between email providers and an ever-adapting set of spammers. Their goal is to make their email indistinguishable from a genuine piece of mail so that the automated prevention tools let it through. Email providers tend to err on the side of letting more spam through, because it's much worse to quarantine real mail and have you miss an important message than to have you delete a few extra nuisance emails.
Why the pandemic led to an increase in cybercrime
- Lots of companies abruptly shut down their offices or accelerated their adoption of remote-centric processes when the COVID-19 pandemic hit. Security practices take a while to be updated and people are away from their colleagues, so it's a lot harder to detect if an email is unusual, especially when the entire workplace ecosystem is nowhere near normal.
- In 2019, even before the pandemic, we weren't good at staying away from our email when we were away from the workplace. 75% of US adults checked their work emails out of hours, of which 10% checked it constantly. When your workplace IS your home, our tendency to read work emails out of hours just gets worse, not better.
- We are often checking our mail while on the go: nearly half (43%) of email accesses are from mobile devices.
- The most common malware attachment is .doc/.dot files (37% of all malware), a document format that is a plausible work file, which is even more likely to be emailed around when people are working remotely and standard in-office file sharing may not be available.
- A survey of the kinds of phishing/scam words in successful fraud mails shows a heavy bias towards business-related content, showing not only where we are most vulnerable to being tricked, but also where there's profit in scams.
Types of fraudulent emails
This isn't an exhaustive list, but it covers some of the more common ones.
- CEO scams are when someone impersonates the CEO of a company and asks someone in finance/admin to update their bank account information, transfer funds, or update account recovery details.
- Health scams are fake pandemic contact tracing mails. Health scams can also advertise health products that never deliver (such as sanitizer, face masks, or even just toilet paper).
- Finance scams are when a scammer impersonates a company and contacts one or more of that company's partners and asks them to send the billing details and future invoices to a different location.
- Blackmail threats are when a scammer threatens to expose a user's browsing habits unless they send them bitcoin.
- Impersonation is when a scammer pretends to be from a well-known company or bank and asks for a small payment for verification purposes, or for password verification.
- Romance scams are when a scammer asks to be sent a significant amount of money to escape their living conditions in a remote country and travel to join you.
- Phishing is when scammers pretend to be from a (household name) company and ask people to log in to unlock their account, prove their identity, win a prize, or view an important announcement.
- Subscription bombs are when scammers sign up an email address for lots of subscription services. Scammers do this to hide a password reset/account recovery at one of your actual accounts.
- Spam is unwanted mail. Spam ranges from mail sent to the wrong person to companies whose mailing list you subscribed to but can't get off.
How to spot an email scam
Who sent it?
- Check the sender's email address (don't just look at the display name): is it at the right domain for the company? For example: "Fastmail support" <fastmail-support@fastmail-support-international.example.com> is fake. The display name says Fastmail, but the address is at someone else's domain.
- Check the address closely: sometimes domains are just slight misspellings: fatsmail.com instead of fastmail.com.
- Sometimes the domains have letter substitutions: swapping a zero for the letter o, a number 1 for the letter l, or the letters r and n instead of the letter m. Depending on the font, these can all look very similar. fastmai1.com, or fastrnail.com.
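The three checks above (wrong domain, misspelt domain, confusable characters) can be automated. The following is an added example, not code from the original post or from Fastmail: it parses a raw From: header, extracts the domain, and flags look-alikes against a trusted list. The trusted domains, the confusable table and the sample headers are constructed for illustration; the edit-distance threshold of 2 is an assumption you would tune for your own domains.

```python
"""Flag look-alike sender domains in a From: header.

Added example, not part of the original post. TRUSTED_DOMAINS,
CONFUSABLES and the sample headers are constructed for illustration.
"""
from email.utils import parseaddr

# Domains the genuine sender actually uses (constructed for this example).
TRUSTED_DOMAINS = ("fastmail.com", "fastmail.fm")

# Character sequences that imitate another letter in many fonts,
# e.g. "rn" for "m", "1" for "l", "0" for "o".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def normalize(domain):
    """Replace confusable sequences with the letter they imitate."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def osa_distance(a, b):
    """Optimal string alignment distance: an insert, delete, substitution
    or swap of two adjacent characters each cost 1, so a transposition
    such as 'fatsmail' is 1 away from 'fastmail' (plain Levenshtein says 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(from_header, max_typo_distance=2):
    """Return (verdict, domain) for a raw From: header value.

    Verdicts, from most to least certain:
      trusted, lookalike-confusable, lookalike-typo,
      lookalike-brand-in-domain, brand-in-display-name, unknown, no-address
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "no-address", ""
    domain = addr.rsplit("@", 1)[1].lower()
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}

    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    # fastrnail.com, fastmai1.com: identical once confusables are mapped back.
    if normalize(domain) in TRUSTED_DOMAINS:
        return "lookalike-confusable", domain
    # fatsmail.com: one swap or typo away from a trusted domain.
    if any(osa_distance(domain, t) <= max_typo_distance for t in TRUSTED_DOMAINS):
        return "lookalike-typo", domain
    # fastmail-support-international.example.com: brand used inside
    # somebody else's registered domain.
    if any(b in domain for b in brands):
        return "lookalike-brand-in-domain", domain
    # "Fastmail support" <help@example.net>: brand only in the display name.
    if any(b in name.lower() for b in brands):
        return "brand-in-display-name", domain
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample headers, not captured mail.
    samples = [
        "Fastmail Support <support@fastmail.com>",
        '"Fastmail support" <fastmail-support@fastmail-support-international.example.com>',
        "<billing@fatsmail.com>",
        "<security@fastrnail.com>",
        "<security@fastmai1.com>",
        '"Fastmail support" <help@example.net>',
        '"Alice" <alice@example.org>',
    ]
    for header in samples:
        verdict, domain = classify_sender(header)
        print(f"{verdict:28} {domain:45} {header}")
```

Anything other than `trusted` for a message claiming to be from the company deserves the manual verification described below: go to the company's website directly rather than through a link in the mail. The edit-distance check will also flag unrelated short domains that happen to be close to a trusted one, so treat its verdict as a prompt to look closer, not as proof of fraud.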
What's the email about?
- If it seems too good to be true, it probably is! You can't win a prize if you didn't enter the competition.
- If it involves anything financial or has to do with your or someone else's identity, verify the email another way: contact the company or sender or visit their website (without clicking on a link in the email).
Know the warning signs
- Anything demanding immediate action or pleading urgency to get you to bypass standard security protocols is suspicious. With so many people working out of the office, away from colleagues who could easily review an email with them, it's easier to feel pressured into acting without thinking.
- A scammer might try to make a personal connection in order to have you do them a favor out of a sense of obligation or shared experience.
- If it's an email supposedly from a company, bad grammar or poor spelling is a dead giveaway. If you're willing to overlook the bad grammar, perhaps you're also not wary enough to avoid the scam. It's one way scammers self-select their target audience. Most companies spend extra effort reviewing their official mail content to ensure it gives a professional appearance.
How do you know if an email is really from Fastmail?
"Imitation is the sincerest form of flattery", or so they say. Fastmail is not immune from phishers trying to trick you into giving them your password by impersonating us and getting you to click on a link in their email.
To verify that an email is really sent from us, log into our web interface to view it. All mail sent by our team comes with a green tick visible in the inbox and when viewing the message. Find more information about this and how to keep your account secure on our help pages.
What to do if you have identified a scam email
- Stay safe: don't click on any links in the email.
- Report it to your email provider. In Fastmail, you can use our 'report phishing' functionality, but all providers offer 'mark spam'. When enough people report an email as spam, the information makes its way back to the sender's email host who, if they don't take action to stop the flow of spam, will find that no other mail provider will receive the mail they send out.
- Delete it and move on with your day. If you write back, the mail could bounce, or it could reach the scammer who might engage with you and try to convince you. Either way, it's a waste of your time and energy.
What to do if you fall for an email scam
- If you're ever unsure, drop a message to our support team and our highly knowledgeable and friendly staff can help you check what's happened. At Fastmail, you are at the center of all that we do. Some companies make it nearly impossible to get hold of a human being to help you. That's an awful frustration to feel when you're concerned about scams.
- If you think your Fastmail account details have been stolen, change your password immediately. Use the web interface to check your login history and look for unusual logins. We recommend using 2FA to prevent anyone from accessing your account even if they know your password. More details are on our help pages.
- If you think you have been scammed or had your login stolen for another service, contact that company to report the issue and they should be able to help you recover your account and reduce the impact of any problems caused by the attacker. You might like to contact an organization like Australia's Scam Watch or the US government's information about fraud.