The simple answer is you should delete it. When in doubt, throw it out. If the request is legitimate and important, the sender will attempt another way to reach you; however, that answer doesn't help us identify these emails any better. Let's look at these types of emails closer to help us see what makes them invalid.

This type of email is known as phishing. It is a type of online scam where criminals send an email that appears to be from a legitimate company and/or person and that asks you to provide sensitive information. If the phishing email is pretending to be a company, this is usually done by including a link that will appear to take you to the company’s website to fill in your information – but the website is a clever fake and the information you provide goes straight to the crooks behind the scam. If the phishing email is pretending to be a person, this is usually done by using the name of someone you know (probably a superior) and asking you to do something for them. When you reply to the email requesting more information, the response will direct you to a website that appears legitimate - but it will also steal your information and send it to the criminals behind the scam.

The term ‘phishing’ is a spin on the word fishing, because criminals are dangling a fake ‘lure’ (the email that looks legitimate, as well as the website that looks legitimate) hoping users will ‘bite’ by providing the information the criminals have requested – such as credit card numbers, account numbers, passwords, usernames, and more.

Let's look at an email sent from a scammer pretending to be someone's boss. We've highlighted the areas where the crooks made obvious mistakes to help us identify the scam.


1. The email arrives with the name of our boss, but the return email address is not a business address. This is not standard business practice.

2. The email is marked as [EXTERNAL] meaning it arrived from outside of our business. Standard business practice is to use business email for all business transactions. Also, our name is not used in the email. Our boss would always use our name when requesting something from us. The scammer can't because they don't know our name.

3. Unavailable. The body of the email stipulates our boss is unavailable by phone to validate the request. Of course the thief doesn't want us to verify the request directly so they discourage calling. Not something our boss would do.

4. No signature. Our boss has not used the standard signature provided by our business. In fact, the scammer can't sign it because they don't know who our boss is.

 

An example of how clever these phishing scams can be is seen here in a fake PayPal notice. The following image highlights clues that will tip us off that this is indeed fraudulent. 

1. The return email address is not a legitimate address. It should be [email protected] and NOT [email protected]. The scammer has used paypal in their return address to try to fool us, but we are not so easily duped.

2. This email is not addressed directly to the recipient. PayPal knows your name if they do business with you. In this example the thieves do not know your name and, therefore, cannot use it.

3. The links displayed in the email are not recognizable addresses. If the links were hidden (as they sometimes are), you can hover over them with your mouse for a few seconds to see the link's actual destination. In this example the scammer used paypal.com before the website's true name to look legitimate, and it's anything but that.

4. Grammatical errors: while we sometimes have grammatical errors in the emails we send, businesses tend to have copy editors to find these issues before an official company email is sent. This email is full of grammatical errors and they repeat.

5. And the email ends with another fake website pretending to be an actual PayPal website.
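The sender and link checks from the two lists above can also be automated. The following Python sketch is an added example, not part of the original article; the sample sender and links are constructed, and the function names are hypothetical.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

def on_domain(host, trusted):
    """True only when host is the trusted domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def check_sender(from_header, trusted):
    """Check the real address in a From header, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if on_domain(domain, trusted):
        return []
    return [f"sender address is on {domain!r}, not {trusted!r}"]

def check_link(url, trusted):
    """Check where a link really goes: a hostname is owned by its rightmost labels."""
    host = urlsplit(url).hostname or ""
    if on_domain(host, trusted):
        return []
    if trusted in host:
        return [f"{host!r} contains {trusted!r} but does not end with it"]
    return [f"link goes to {host!r}, not {trusted!r}"]

def review_email(from_header, links, trusted):
    """Collect every warning for one email."""
    findings = check_sender(from_header, trusted)
    for url in links:
        findings += check_link(url, trusted)
    return findings

# Constructed sample data (not taken from the email shown in the article).
SAMPLE_FROM = '"PayPal" <service@paypal.com.account-check.example>'
SAMPLE_LINKS = [
    "http://paypal.com.account-check.example/login",  # paypal.com used as a prefix
    "https://www.paypal.com/signin",                  # genuinely on paypal.com
]

if __name__ == "__main__":
    for finding in review_email(SAMPLE_FROM, SAMPLE_LINKS, "paypal.com"):
        print("WARNING:", finding)
```

The display name and the start of a hostname are both chosen freely by the sender, so the check only trusts the end of the address and the end of the hostname.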




How can you better arm yourself against these types of scams? By knowing what to look for in valid business emails. If the email does not appear to be the way the sender would normally handle a business transaction, then the email is most likely a scam. If you feel you've been duped and are the victim of a scam, notify us and change your passwords. If you have any questions about an email, or about email in general, feel free to contact us as well.