How to Spot and Beat Email Scams

Email scams are resilient. Take the Nigerian prince scam: it became popular in the 90s but is still highly effective today. Research by ADT Security revealed the scam to have duped Americans out of $703,000 last year, an average loss of $2,133.

So, what can you do to protect yourself from email scams? And why should you be worried about them at all?

For starters, email users are low-hanging fruit for scammers because it is so easy to send out emails in bulk. Gmail users in particular, at over 1.5 billion, are a large enough group of easy prey that they are often the most likely targets.

What's more, Gmail's base isn't filled with just free email account users. Google Apps for Business makes it easy for companies to enjoy the same cloud-based features and convenience, but it also invites fraud in the form of Business Email Compromise (more on this later).

How to Identify Email Scams

Email scams tend to fall into one of five categories. While they have unique characteristics, the scammer's goal is always ultimately economic gain.

Here are the five categories and how to spot each kind of scam email:


Email Spoofing

Email spoofing takes place when a scammer creates an email message with a fake email address. The address often looks like one the recipient is familiar with (think colleagues, friends, or customers), but differs in one small and easily missed detail.

Image: ProofPoint

Spoofing emails can also look like phishing emails, where cybercriminals ask for sensitive information or for money to be transferred to an account urgently. For example, the email might look like it's from a friend in trouble who needs you to send money as soon as possible to get them out of it.

Some of the most damaging spoofing emails include malware attachments. As soon as the attachment is clicked on, the malware goes to work.

One notable case took place in 2013. Cryptolocker, a form of ransomware, spread as an attachment. When opened, it immediately encrypted the victim's computer and displayed a ransom request of £500.

Image: BBC

The victim then had to pay this fee in order to get all of their data decrypted by the scammers, otherwise they'd lose it forever.

Phishing for Data

Phishing scams involve requests for sensitive data as a result of a threat to your personal security. They usually come from what appears to be a legitimate source (think banks, online stores or companies you have online accounts with).

For example, the Charles Schwab email below is actually a phishing email. It includes the following six tell-tale signs that it is not from a legitimate source:

  1. It's not addressed to the account holder by name in the recipient email address section.
  2. A generic "Dear Customer" greeting is used instead of the recipient's name.
  3. The email was triggered by activity the account holder did not perform.
  4. A request to "reset the account" is made, along with instructions to visit a link the scammer provides.
  5. Reassurance is offered in the form of an opportunity to verify your account via a link provided.
  6. Mousing over any URL in the phishing email shows the URL it really points to, and not the legitimate website.

Image: WebRoot
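
The checks below turn signs 1, 2 and 6 from the list above, plus the lookalike sender address described under email spoofing, into a small filter. This is an added example, not code from the original article; the sample message, the .test domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; the .test domains and names are placeholders.
SAMPLE = """\
From: Example Bank <alerts@examp1e-bank.test>
To: undisclosed-recipients:;
Subject: Unusual activity on your account
Content-Type: text/html

<p>Dear Customer,</p>
<p>Reset your account: <a href="http://login.examp1e-bank.test/reset">https://www.example-bank.test/reset</a></p>
"""

class Hrefs(HTMLParser):  # collects every <a href>, i.e. what a mouse-over shows
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def phishing_signs(raw, brand_domain, recipient):
    """Return the tell-tale signs found in one raw single-part message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    signs = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not in_domain(sender, brand_domain):       # lookalike or unrelated sender
        signs.append("sender-domain:" + sender)
    if recipient.lower() not in msg.get("To", "").lower():   # sign 1
        signs.append("not-addressed-to-recipient")
    if re.search(r"\bdear\s+(customer|user|member|client)\b", body, re.I):  # sign 2
        signs.append("generic-greeting")
    parser = Hrefs()
    parser.feed(body)
    for href in parser.hrefs:                     # sign 6
        host = (urlparse(href).hostname or "").lower()
        if host and not in_domain(host, brand_domain):
            signs.append("link-off-domain:" + host)
    return signs

if __name__ == "__main__":
    print(phishing_signs(SAMPLE, "example-bank.test", "jane.doe@mail.test"))
```

Note that the link's visible text shows the real brand domain while its href does not, which is why the check reads the href rather than the text.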

Bogus Offers

Bogus offers are usually the most obvious to spot. They include an often unbelievable freebie that can be accessed by visiting a fake website. In many ways, these are a blend of phishing and spoofing emails.

In the example below, the recipient receives an email addressed to "Dear customer" (the first red flag: Amazon always uses your name). The offer is a 90% coupon, supposedly available because the recipient is one of one million "lucky" customers selected as part of Amazon's 20th birthday celebration.

Bogus offers also include a sense of urgency (note the coupon link expiry in 24 hours).


Requests for Help

Request for help emails are also known as advance-fee scam emails. They commonly state that the recipient stands to receive a large amount of money, but first has to pay a small up-front fee to gain access to the funds.

The Nigerian Prince or 419 scam is one of the most common. It has, however, been replaced by a newer version dubbed the "Nigerian Astronaut Wants To Come Home."

Image: @WilliamTakor

These types of emails often come with long, dramatic backstories and a large sum that's supposedly available to you. In this case, the amount of $3,000,000 can be wired to your bank account after you pay 20% of the total ($60,000).

Business Email Compromise

Business email compromise (BEC) targets employees or departments with access to funds or the authorization to complete wire transfers or payments. Typically, personnel receive a request from either a vendor, customer, or colleague. Because the request appears legitimate, it could easily be processed.

And these types of scams can vary in value and the time it takes to execute them. Research shows that BEC cost businesses over $1.2 billion in losses in 2018.

BEC is one of the most sophisticated forms of email scams. In fact, Google and Facebook were scammed out of $100 million over a two-year period. The scam was perpetrated by a hacker who accessed both companies' systems and tracked payments they made to various suppliers. With this information, the hacker proceeded to send fake emails with invoices while pretending to be a vendor.

Spotting BEC is a little more complex than the other four types of email scams, but it is possible. Here are four tips on how to protect your firm:

  1. Commit to frequent but brief staff training on the latest BEC threats.
  2. Don't process any sudden request for funds transfers from executives. Often, BEC involves emergency requests from C-suite staff, requests that are often hard for subordinates to decline without fear of punitive action.
  3. Tighten up your processes and consider shifting financial transfer responsibilities and the management of sensitive data transfer to outside parties. Most BEC cases occur as a result of internal threats or loopholes. Removing internal responsibility can prevent internal risks from causing BEC.
  4. Install effective anti-phishing software to prevent known threats from reappearing or compromising your systems.

Bonus Tip: Block Unwanted Email

Block Sender is a powerful and efficient Chrome browser extension that integrates with Gmail. It helps you protect your inbox by blocking unwanted emails by email address, domain name, domain extension, phrase, subject line or IP address.

It also comes with smart bounce-back notifications to make spammers believe that they've tried an email address that does not exist.

While most email scams are often easy to spot, they all rely on human nature to be successful. As a Gmail user, protecting yourself from these five types of email is just as important as securing your home at night. Email scams will continue to evolve and become more sophisticated, but with a little know-how, you can train yourself to spot, get rid of and prevent threats quickly and easily.

Last Updated: December 18th, 2019