Imagine this: you open your inbox and see an urgent message from your bank. They claim your account has been compromised and you need to verify your information immediately. Your heart races as you click the link, ready to protect your hard-earned money. But wait, have you just fallen for one of the oldest tricks in the book?
I’ve been looking into this recently, and I was surprised by how sophisticated scam emails have become! Gone are the days of easily spotted scams with poor spelling or obvious Nigerian prince schemes. Today’s fake email addresses can be nearly indistinguishable from real ones.
There are several ways to tell if an email is fake, but none of them are foolproof. You have to use a combination of techniques, and even then you can’t be 100% sure. But you can get pretty close. From dissecting email headers to understanding the psychology behind these phishing attacks, we’ll cover everything you need to know to keep your inbox – and your identity – safe.
The Basics: Examining the Sender’s Potentially Fake Email Address
To catch a scammer, you need to think like one. Most scammers start with a simple goal: to trick you into taking some action, whether it’s clicking a link, downloading an attachment, or sharing your personal and financial information. But how do they get you to that point? The answer lies in a combination of psychology and technical tricks.
Let’s start with the simplest technique: looking at the email address itself.
Spotting Domain Imitations
First, check the email domain. If you’re expecting an email from a reputable company, the domain should match the company’s official website. For example, an email from Amazon should come from @amazon.com, not @amaz0n.com.
Spammers use techniques like typosquatting, where they register domains that are very similar to legitimate ones. For example, they might register gooogle.com (with three o’s) and use it to send phishing emails that look like they’re from Google.
Subdomains: Don’t Be Fooled
Another common trick is to use subdomains to make a fake address look legitimate. For example, “paypal.secure-login.com” might look like it’s from PayPal at first glance, but “secure-login.com” is the actual domain here. Always look at the root domain (the part just before the .com, .org, etc.) to determine the true sender.
Look for Deceptive Display Names
Scammers can manipulate the display name in a phishing email to make it appear as if the email is from someone you know.
Example: An email might appear to come from “Amazon Customer Support,” but the actual email address is something like [email protected].
How to Check: Hover over or click on the display name to reveal the actual email address. This will often show the true source of the email and can quickly indicate if it’s legitimate or not.
The Unicode Trick
This clever trick involves using characters from non-Latin alphabets that look identical to standard letters. For example, the Cyrillic “а” (U+0430) looks exactly like the Latin “a”, but allows scammers to register a different domain.
Example:
Legit email address: apple.com
Spoofed scam email: аpple.com (notice the difference? There isn’t one visually!)
If you’re suspicious, copy and paste the address into a Unicode inspector tool; it will reveal any non-standard characters.
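Here is an added example (not part of the original article) of the check a Unicode inspector performs, written in Python: it lists every non-ASCII character in a domain with its code point and script, flags mixed scripts, and shows the punycode (xn--) form that the DNS actually resolves. The domains are constructed; the lookalike is the Cyrillic “а” case above.

```python
import unicodedata


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_domain(domain: str) -> dict:
    """Report non-ASCII characters in a domain and its IDNA (punycode) form.

    The xn-- form is what resolvers use, so a visually identical lookalike
    becomes obvious once the domain is converted.
    """
    non_ascii = [
        (i, ch, f"U+{ord(ch):04X}", script_of(ch))
        for i, ch in enumerate(domain)
        if ord(ch) > 0x7F
    ]
    # A domain that mixes scripts (e.g. Cyrillic and Latin) is a strong
    # homograph signal; single-script non-Latin domains can be legitimate.
    scripts = {script_of(ch) for ch in domain if ch.isalpha()}
    try:
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None  # invalid label, e.g. empty or too long
    return {
        "domain": domain,
        "ascii_form": ascii_form,
        "non_ascii": non_ascii,
        "mixed_script": len(scripts) > 1,
    }


if __name__ == "__main__":
    # Constructed samples: Latin apple.com and a copy whose first letter
    # is Cyrillic U+0430.
    for sample in ("apple.com", "\u0430pple.com"):
        print(inspect_domain(sample))
```

The Cyrillic sample converts to xn--pple-43d.com, which no longer looks like the real domain.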
Random Characters in the Fake Email Address
Another thing to look for in the fake email address is random strings of numbers or letters. Real email addresses rarely have these, unless they’re automatically generated addresses for specific purposes. If you see an email from [email protected], it’s more likely to be fake than one from [email protected].
But again, this isn’t a hard and fast rule. Some people do use random numbers in their email addresses, especially if they have a common name and need to differentiate their address from others.
The Reply-To Field
The next thing to examine is the “reply-to” address. This tells your email client where to send replies.
Why It Matters
Legitimate emails typically have the reply-to address set to the same domain as the sender. If it’s different, especially if it’s a free email service, that’s a warning sign. Scammers often have to use a different reply-to address since they don’t actually control the domain they’re spoofing.
Example: An email might appear to come from [email protected], but the ‘Reply-To’ address might be set to [email protected].
How to Check It
In Gmail, you can see the reply-to address by clicking the dropdown arrow next to the sender’s name. Other email clients may require you to start composing a reply to see it. If the reply-to doesn’t match the sender, be cautious.
Sometimes, scammers don’t even bother changing the reply-to field. Instead, they’ll include text in the email body asking you to reply to a different address. This is equally suspicious.
Authentication Indicators: The Technical Checks
Now we’re getting into the more technical stuff. Don’t worry if this seems complicated at first; once you know what to look for, it’s not that hard.
What Are Authentication Indicators?
These are checks that verify an email actually came from the domain it claims to be from.
SPF, DKIM, and DMARC
The three main types of authentication indicators are:
- SPF (Sender Policy Framework): This helps verify that the sender’s IP address is authorized to send emails for that domain. If an email comes from a server that’s not on this list, it’s likely fake.
- DKIM (DomainKeys Identified Mail): DKIM is like a tamper-evident seal for emails. It adds a digital signature to your emails to prove that the email really came from you and hasn’t been changed on the way to the recipient.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC policy builds on SPF and DKIM, allowing domain owners to specify how to handle suspicious emails that fail these checks. It also provides a way for receivers to report back to senders about emails that pass or fail these checks.
How to Check Them
Unfortunately, most email clients don’t prominently display important authentication information, making it harder for users to quickly verify an email’s legitimacy.
Some, like Gmail, show ‘mailed-by’ and ‘signed-by’ information directly in the email view, giving you a quick indication of the email’s authenticity. For a more thorough check, you can access the full email headers.
In Gmail, click the three dots next to the reply button and select “Show original” to reveal detailed SPF and DKIM check results.
What to Look For
For major reputable organizations like Google, Apple, Microsoft, etc., you should see all three of these (SPF, DKIM, DMARC) passing. For smaller companies, at least SPF and DKIM should pass.
Any failures here are very suspicious for supposed emails from large organizations. That said, passing these checks doesn’t guarantee an email is safe. It just means it truly came from the domain it claims. A scammer could set up a fake domain with proper authentication. So you still need to verify it’s the correct domain you expect.
But reading email headers isn’t easy. They’re full of technical information that most people don’t understand. And spammers know this, so they’ve gotten better at forging headers that look legitimate.
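As an added example (not from the article or from PowerDMARC), the following Python script applies the Reply-To check and the authentication checks described above to a raw message: it parses the From, Reply-To and Authentication-Results headers, reduces each address to its root domain (so a subdomain trick like paypal.com.secure-account.example reduces to secure-account.example), and flags a Reply-To mismatch or any SPF/DKIM/DMARC result other than pass. The message and all domains are constructed; the root-domain helper keeps the last two labels and ignores the Public Suffix List.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): display name claims PayPal, the
# address is a lookalike subdomain, and Reply-To points at another domain.
RAW_MESSAGE = """\
From: "PayPal Service" <service@paypal.com.secure-account.example>
Reply-To: support-desk@mail-provider.example
To: victim@example.org
Subject: Your account has been limited!
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=paypal.com.secure-account.example;
 dkim=pass header.d=paypal.com.secure-account.example;
 dmarc=none header.from=paypal.com.secure-account.example

Dear valued customer, please verify your information.
"""


def root_domain(domain: str) -> str:
    """Registrable part of a domain, approximated as the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def auth_results(msg) -> dict:
    """Map method -> result (e.g. {'spf': 'pass'}) from Authentication-Results."""
    results = {}
    header = str(msg.get("Authentication-Results", ""))
    for clause in header.split(";")[1:]:  # first clause is the authserv-id
        method, _, rest = clause.strip().partition("=")
        if method and rest:
            results[method] = rest.split()[0]
    return results


def analyse(raw: str) -> dict:
    """Return root domains, parsed auth results and a list of warning flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", from_addr)))
    from_root = root_domain(from_addr.rpartition("@")[2])
    reply_root = root_domain(reply_addr.rpartition("@")[2])
    auth = auth_results(msg)
    flags = []
    if reply_root != from_root:
        flags.append(f"reply-to domain {reply_root} differs from sender {from_root}")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            flags.append(f"{method}={auth.get(method, 'missing')}")
    return {"from_root": from_root, "reply_root": reply_root,
            "auth": auth, "flags": flags}


if __name__ == "__main__":
    for line in analyse(RAW_MESSAGE)["flags"]:
        print("WARNING:", line)
```

Note that SPF and DKIM pass here because the scammer controls secure-account.example; the real giveaway is that the root domain is not paypal.com.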
The “Via” Clue
When you get an email, you usually see the sender’s email address at the top. Sometimes, you might also see the word “via” followed by another domain name next to the sender’s address. This happens when the actual server sending the email isn’t the same as the email address shown.
Example: Let’s say you get an email that looks like this:
From: [email protected] via xyz.com
In this case, the email claims to be from PowerDMARC, but it’s actually being sent through xyz, which is an email marketing service.
There are legitimate reasons for this. Many companies use email services to send out newsletters or promotional emails. However, scammers can also use this trick to make their email accounts look more official.
Content Red Flags: What the Email Actually Says
While technical checks are important, sometimes the content of the phishing email itself can be the biggest giveaway. Scammers are experts at manipulating emotions and creating scenarios that prompt immediate action. This tactic is known as “social engineering.” By creating a sense of urgency or appealing to your desire for financial gain, they hope to trick you into revealing personal information or clicking on malicious links.
Typical phishing scam emails might claim that:
- You’ve won a substantial sum of money.
- Your account has been compromised, and immediate action is required.
- A package delivery failed, and you need to reschedule.
- An urgent invoice or business request is pending.
These phishing emails are designed to look legitimate and may even use familiar logos, fonts, and layouts. The goal is to get you to react quickly without thinking critically about the authenticity of the email.
Urgency and Threats
Cybercriminals know that fear and urgency can prompt quick action. Fake emails might try to scare you and create a sense of urgency: “Your account will be closed if you don’t update your payment details immediately”; excite you, e.g. “Congratulations! You’ve won $100,000! Click here to claim your prize”; or create a sense of natural curiosity (“See who viewed your profile”). This kind of phishing attack is meant to bypass your rational thinking.
If you receive a phishing email like this, pause and think. Does it make sense for a legitimate company to threaten you over email? Most real organizations don’t use these tactics. Also, if you have not entered any contest or raffle, it’s unlikely that you would win one. Remember, legitimate organizations do not give away large sums of money via unsolicited emails.
If you receive such a phishing email, contact the company directly using a verified contact method to check if the email is legitimate.
Requests for Sensitive Information
Legitimate companies generally don’t ask for sensitive information via email. If an email asks you to reply with your personal details, account credentials, social security number, or credit card details, it’s almost certainly fake.
Unexpected Attachments
Many scammers use malicious attachments to deliver malware or viruses, which can infect your computer and steal your personal information. If you receive an unexpected attachment, especially if it’s a .zip file or an unusual file type like .exe, .scr, or .vbs, be very cautious. Even seemingly harmless file types like PDFs or Word documents can carry harmful macros.
What to do with suspicious attachments:
- Do not open them: If you receive an unexpected attachment, do not open it unless you are sure it is from a trusted source.
- Use antivirus software: Ensure your antivirus software is up to date and use it to scan any attachments before opening them.
Grammar, Spelling Errors, and Inconsistencies
While not watertight (as some legitimate emails have errors too), poor grammar and multiple mistakes can be a red flag. Scammers might not always have a firm grasp of the language they’re writing in, or they may intentionally use broken grammar as a filter to weed out more discerning recipients (people who notice and are put off by grammatical errors are less likely to fall for the phishing attempt). That’s why one of the easiest ways to identify a fake email is to check for spelling and grammatical errors.
Legitimate companies have dedicated teams to ensure their communications are professional and free of errors. They usually have consistent, professional-looking email templates. If an email claiming to be from a major company looks amateurish or has inconsistent formatting, it might be fake.
“Dear Customer” or “Hello User” might also be dead giveaways. Legitimate companies usually address you by your name, as they have your details on file. Fake emails often use generic greetings because they’re sent out en masse.
Mismatched Links
One of the most common tactics used by scammers is embedding malicious links in emails. These suspicious links often lead to fake unexpected websites designed to steal your login credentials or infect your device with malware.
Example: The text of a malicious link in an email might say “www.yourbank.com,” but when you hover over it, the actual URL is something entirely different, like “www.scamsite.com/login.” This is called a masked or hidden URL.
How to verify links
You can:
Hover over the link
Place your cursor over the link without clicking it. This will show the actual URL destination. If it looks suspicious or does not match the official website, do not click on it. Instead of clicking a link, type the company’s name into a search engine to find their official website. Be cautious, though: spammers can use URL shorteners or other techniques to hide the real destination of a link, and some email clients don’t let you hover over embedded links to see where they go.
Look for HTTPS
Legitimate websites will usually have a URL that begins with `https://` and a padlock icon. However, this is not airtight, as scammers can also secure their malicious websites.
Phony Package Delivery Notices
With the increase in online shopping, scammers have turned to fake package delivery notices to trick people into clicking on malicious links.
Example: “Your package delivery attempt failed. Click here to reschedule.”
What to do:
- Check the sender’s email address: Verify that the email comes from the official domain of the shipping company (e.g., `@fedex.com` or `@ups.com`).
- Log into your account directly: Instead of clicking on links, go to the company’s website directly to track your package.
Examples of Phishing Scams
Let’s look at a few examples to see how these principles apply in practice.
The Classic PayPal Scam
From: [email protected]
Subject: Your account has been limited!
Body: Dear valued customer, We have noticed unusual activity on your account. Please click the link below to verify your information and restore full access to your account. [LINK]
Red Flags:
- Domain spoofing (paypal.com.secure-account.com)
- Urgent subject line
- Generic greeting
- Request to click a link and enter information
The Sophisticated CEO Fraud
From: [email protected]
Subject: Urgent wire transfer needed
Body: [Employee’s Name], I need you to process an urgent wire transfer for a new acquisition. This is time-sensitive and confidential. Please transfer $50,000 to the following account immediately: [ACCOUNT DETAILS]
Let me know once it’s done.
[CEO’s Name]
Red Flags:
- Urgent request for money
- Pressure for quick action
- Request for confidentiality
- Unusual request from a high-level executive
This type of scam, known as Business Email Compromise (BEC), has cost companies billions of dollars. It often involves compromising or spoofing an executive’s email account to request fraudulent transfers.
The Legitimate Email That Looks Fake
You receive an email from a small business you’ve dealt with before. The authentication checks don’t pass, and the email contains a few typos. Your first instinct might be to mark it as spam.
However, you notice that the sender’s address matches previous correspondence you’ve had with this business. The content of the email references specific details about your last interaction with them. In this case, despite the failed checks, the email might be legitimate – the small business may simply not have proper email authentication set up. This example illustrates why it’s important to consider multiple factors, including the context and your relationship with the sender, not just technical checks.
The Limits of These Checks
It’s worth noting that even if an email passes all these checks, it could theoretically still be malicious if the sender’s account was hacked. So always think critically about the content and whether it makes sense coming from that sender.
Also, remember that these checks mainly help you verify if an email is from who it claims to be from. They don’t necessarily tell you if the sender themselves is trustworthy. A scammer could set up a properly authenticated domain that passes all these checks but is still used for malicious purposes.
Proactive Steps to Protect Yourself from Fake Emails and Phishing Attacks
Being aware of the signs of fake addresses is only half the battle. Taking proactive steps to protect yourself and your organization is equally important.
Staying Informed About Current Scams
Fake email tactics evolve constantly. Staying informed about current phishing scams can help you spot new types of fake emails. Many organizations publish regular updates about new email scams. For example, the FBI’s Internet Crime Complaint Center (IC3) publishes alerts about current cyber threats and scams. Similarly, the Federal Trade Commission (FTC) offers valuable insights into the latest fraudulent activities. And if you want to get really deep into it, there’s the Anti-Phishing Working Group (APWG), which focuses specifically on phishing scams.
Also, watch out for AI-generated scams and voice phishing (vishing). Artificial Intelligence is making it easier for scammers to create convincing, personalized phishing messages at scale. Meanwhile, some scammers are combining these email tactics with voice and phone calls, often using AI to clone voices, creating a more complex and potentially believable scam. This technique, known as vishing, adds an auditory element to traditional phishing attacks, making it even more challenging for potential victims to discern the truth.
Using Email Filtering Solutions
Advanced spam filters can help detect and block fake emails before they reach your primary inbox. These solutions use machine learning and artificial intelligence to analyze email content, sender information, and other metadata to identify potentially malicious emails.
Data Breach Notification Service
Use legitimate services like Have I Been Pwned or Avast Hack Check to see if your email address has been involved in a data breach.
Implement Email Authentication Protocols
Using email authentication protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) can help protect your domain from being spoofed.
Unfortunately, email authentication isn’t as widespread as you might hope. According to some estimates, over 80% of domains have no SPF record at all. And of those that do, many don’t enforce strict policies. DMARC, which is considered the most comprehensive email authentication method, is used by even fewer domains. Even when these protections are in place, they’re not always configured correctly.
For businesses looking to implement robust email authentication, PowerDMARC offers a comprehensive solution. Their platform simplifies the process of setting up and managing DMARC, SPF, and DKIM records.
Key Features:
- DMARC Record Generator: Easily create and manage DMARC records.
- SPF Record Management: Optimize your SPF records to prevent email spoofing.
- DKIM Setup Assistance: Implement DKIM signing for your domain with the DKIM generator tool.
- Forensic Reporting: Get detailed insights into email authentication failures.
- Threat Intelligence: Identify potential threats to your company’s domain.
By using a service like PowerDMARC, organizations can significantly reduce the risk of their domain being used in phishing attacks, protecting both their brand reputation and their customers.
Stay Vigilant
Scammers are constantly evolving their techniques. But by carefully examining the sender address, reply-to field, and authentication results, you can catch most fake emails. Think of these methods as aids to amplify your natural skepticism, not replacements for it. They’re like the safety features in a car – they can help prevent accidents, but you still need to drive carefully. In the end, if an email seems at all suspicious, treat it as such. It’s better to occasionally ignore a real email than to fall for a phishing scam.
Remember, no one is immune to these phishing scams. Even tech-savvy individuals can be fooled by a clever enough fake.