Understanding & Avoiding Email Scams

Learn to identify deceptive emails, protect your personal information, and navigate your inbox safely. This guide covers common phishing tactics and how to defend against them.

What Are Email Scams?

Understanding the threat to protect yourself.

Email scams, particularly phishing, are fraudulent attempts to obtain sensitive information such as usernames, passwords, credit card details, or other personal data by posing as a trustworthy entity in an electronic communication. These scams can lead to identity theft, financial loss, and unauthorized access to personal or corporate accounts. Recognizing the various forms these attacks take is the first step in defending against them.

Common Types of Email Scams

Familiarize yourself with these prevalent tactics.

Generic Phishing

Broad attacks impersonating well-known companies (banks, tech support, delivery services) with urgent requests, fake invoices, or security alerts to trick many users into revealing info or clicking malicious links.

Spear Phishing

Highly targeted attacks aimed at specific individuals or organizations. Scammers use personal information (names, job titles, recent activities) to make the email appear legitimate and from a trusted source.

Whaling / CEO Fraud

Targets high-level executives (the "whales") or impersonates them. These sophisticated emails often involve urgent requests for wire transfers, sensitive company data, or gift card purchases, leveraging authority.

Business Email Compromise (BEC)

Attackers gain access to a legitimate business email account or spoof it to request payments, change invoice details, or redirect funds, often targeting finance departments or vendors.

Clone Phishing

Duplicates a legitimate, previously delivered email and replaces a link or attachment with a malicious version. The email appears to be a resend or an update from a trusted source.

Email Spoofing

Forges the sender's address to make the email appear as if it came from someone else (e.g., a colleague, a known brand). The display name might be correct, but the underlying email address is fake.

How to Spot a Phishing Email: Red Flags

Train your eyes to detect these common warning signs.

  • Unexpected Sender or Content: Emails you weren't expecting, especially those asking for action.
  • Suspicious Sender Email Address: Mismatched display name and email, public domain addresses (e.g., @gmail.com for a bank), or subtle misspellings in the domain (e.g., `paypa1.com`).
  • Urgent or Threatening Language: Pressure to act immediately ("account will be closed," "suspicious activity detected," "immediate payment required").
  • Requests for Sensitive Information: Legitimate organizations rarely ask for passwords, PINs, or full Social Security numbers via email.
  • Generic Greetings: "Dear Customer" or "Valued User" instead of your name (though some spear phishing can be personalized).
  • Poor Grammar and Spelling: While scammers are improving, many phishing emails still contain noticeable errors.
  • Suspicious Links: Hover over links (don't click!) to see the actual destination URL. Look for mismatched URLs, use of URL shorteners for official business, or HTTP instead of HTTPS for login pages.
  • Unexpected Attachments: Especially if they are executable files (.exe, .bat, .scr), compressed files (.zip, .rar containing unexpected items), or office documents with macros.
  • "Too Good to Be True" Offers: Lottery wins, unexpected prizes, or investment opportunities that sound unbelievable.
  • Mismatched Logos or Design: Outdated logos, poor image quality, or website design that doesn't quite match the legitimate company's.

Practice: Mini Inbox

Classify each email as Safe or Phish.

From: Payroll Update <payroll@company.com.security-update.net>
Subject: Action required: confirm your credentials

From: Bank Alerts <noreply@yourbank.com>
Subject: Your one-time MFA code

From: Google Drive <share@drive.google.com.file-share.co>
Subject: New document shared with you
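Turning the red flags above into checks, as an added example that is not code from the page: the script below parses the From header, compares the registrable domain against an assumed allowlist of brand domains, catches brand names smuggled into subdomains (`company.com.security-update.net`) or written with digit swaps (`paypa1`), and flags plain-HTTP links, URL shorteners, urgent subject wording, and executable or double-extension attachments. It then runs over the three Mini Inbox messages. The brand list, the keyword list, the extension lists and the resulting Safe/Phish labels are assumptions made for this example, not an answer key from the page.

```python
"""Red-flag triage for the sender, link and attachment checks described above.

Added example for this page; the brand allowlist and the Safe/Phish decisions
for the three practice messages are assumptions, not the page's answer key.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: domains the organisation and the brands it deals with really send from.
KNOWN_BRAND_DOMAINS = ["company.com", "google.com", "paypal.com", "yourbank.com"]
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
EXECUTABLE_EXTS = {".exe", ".bat", ".scr", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
# Digit-for-letter swaps that make 'paypa1' read as 'paypal' at a glance.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
URGENCY = re.compile(r"\b(action required|confirm|verify|urgent|immediately|suspended|closed)\b")


def registrable_domain(host):
    """'company.com.security-update.net' -> 'security-update.net'.
    Two labels suffice for these samples; production code would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host):
    """Return the brand domain that `host` imitates, or None."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in KNOWN_BRAND_DOMAINS:
        return None  # genuinely the brand's own domain or one of its subdomains
    # Brand name appearing as a subdomain label or hyphenated token under someone else's domain.
    tokens = set(re.split(r"[.\-]", host.translate(HOMOGLYPHS)))
    for brand in KNOWN_BRAND_DOMAINS:
        if brand.split(".")[0] in tokens:
            return brand
    return None


def url_flags(url):
    """Flags for one link: plain HTTP, shortener, or lookalike host."""
    p = urlparse(url)
    host = p.hostname or ""
    flags = []
    if p.scheme == "http":
        flags.append(f"plain HTTP link {url!r}")
    if registrable_domain(host) in SHORTENERS:
        flags.append(f"URL shortener {host!r} used for a business link")
    brand = lookalike_of(host)
    if brand:
        flags.append(f"link host {host!r} imitates {brand}")
    return flags


def attachment_flags(name):
    """Flags for one attachment name: executable type or a hidden double extension."""
    parts = name.lower().split(".")
    flags = []
    if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXTS:
        flags.append(f"executable attachment {name!r}")
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        flags.append(f"double extension disguises {name!r} as a document")
    return flags


def triage(from_header, subject="", urls=(), attachments=()):
    """Return the red flags found; an empty list means nothing obvious, not proof of safety."""
    display, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2]
    flags = []
    brand = lookalike_of(host)
    if brand:
        flags.append(f"sender domain {host!r} imitates {brand}")
    # Display name claims a brand that the actual address does not belong to.
    for b in KNOWN_BRAND_DOMAINS:
        if b.split(".")[0] in display.lower().replace(" ", "") and registrable_domain(host) != b:
            flags.append(f"display name {display!r} claims {b} but address is under {registrable_domain(host)!r}")
    if URGENCY.search(subject.lower()):
        flags.append(f"urgent wording in subject {subject!r}")
    for u in urls:
        flags.extend(url_flags(u))
    for a in attachments:
        flags.extend(attachment_flags(a))
    return flags


# The three practice messages from the Mini Inbox above.
MINI_INBOX = [
    ("Payroll Update <payroll@company.com.security-update.net>", "Action required: confirm your credentials"),
    ("Bank Alerts <noreply@yourbank.com>", "Your one-time MFA code"),
    ("Google Drive <share@drive.google.com.file-share.co>", "New document shared with you"),
]


def classify_inbox():
    """Label each practice message Phish if any red flag fires, otherwise Safe."""
    return [(frm, "Phish" if triage(frm, subj) else "Safe") for frm, subj in MINI_INBOX]


if __name__ == "__main__":
    for frm, subj in MINI_INBOX:
        print(frm, "->", triage(frm, subj) or "no flags")
    print(attachment_flags("invoice.pdf.exe"))
```

Run as a script, it labels the payroll and Google Drive messages Phish (brand domain buried under `security-update.net` and `file-share.co`, plus urgent wording on the first) and the bank MFA code Safe. An empty flag list only means these particular heuristics saw nothing, which is why the advice further down to verify through a separate channel still applies. The two-label registrable-domain rule is a simplification; real tooling uses the Public Suffix List so that hosts under suffixes such as `co.uk` are handled correctly.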

Protecting Yourself: Best Practices

Adopt these habits to significantly reduce your risk.

  • Think Before You Click: Always be skeptical of unsolicited emails, especially those asking for personal information or immediate action.
  • Verify the Sender: If an email seems suspicious but claims to be from a known contact or organization, contact them directly through a trusted, separate channel (e.g., the official website or a phone number you already have on file), not by replying to the suspicious email or using any contact details it contains.
  • Use Strong, Unique Passwords & Multi-Factor Authentication (MFA): Use a different password for every online account; a password manager makes this practical. Enable MFA wherever it is offered, as it adds a critical layer of security that a stolen password alone does not defeat.
  • Keep Software Updated: Ensure your operating system, browser, and antivirus software are up to date to protect against known vulnerabilities.
  • Never Share Sensitive Information Via Email: Treat your passwords, PINs, and financial details like keys to your kingdom.
  • Be Cautious with Attachments: Don't open attachments from unknown senders. If you must open one, scan it with antivirus software first.
  • Educate Yourself and Others: Stay informed about the latest phishing techniques. Share knowledge with family, friends, and colleagues.
  • Trust Your Gut: If an email feels off, it probably is. It's better to be overly cautious than to become a victim.

How to Report Phishing

Help stop scammers by reporting suspicious emails.

Reporting phishing attempts helps email providers and security organizations identify and block malicious senders and websites. Here's how you can report them:

  • In Your Email Client: Most email services (like Gmail, Outlook) have a "Report Phishing" or "Mark as Spam/Junk" option. Use it! This helps them improve their filters.
  • To the Impersonated Organization: If a scam email impersonates a specific company (e.g., your bank, a social media platform), forward the email to their official abuse or security reporting address (often found on their website).
  • To the Anti-Phishing Working Group (APWG): Forward suspicious emails to reportphishing@apwg.org.
  • To the Federal Trade Commission (FTC): For US-based users, report fraud at ReportFraud.ftc.gov.

When forwarding, include the full email headers if possible, as this provides valuable information for investigators.
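What investigators actually read in those full headers, as an added example that is not code from the page: the script below takes a raw message (the text an email client shows under "show original") and pulls out the fields that expose spoofing, namely the Return-Path and Reply-To addresses compared against the visible From domain, the spf/dkim/dmarc verdicts the receiving server wrote into Authentication-Results, and the server named in the topmost Received header. The sample message is constructed for illustration (documentation IP range, made-up domains) and is not a real reported email.

```python
"""Pull the investigator-relevant fields out of a raw message's full headers.

Added example for this page. RAW_EML is a constructed sample, not a real
reported message; the domains and the 203.0.113.10 address are placeholders.
"""
import email
import re
from email.utils import parseaddr

RAW_EML = """\
Return-Path: <bounce@security-update.net>
Received: from mail.security-update.net (mail.security-update.net [203.0.113.10])
\tby mx.company.com with ESMTP id abc123
\tfor <alice@company.com>; Mon, 01 Jan 2024 09:00:00 +0000
Authentication-Results: mx.company.com;
\tspf=pass smtp.mailfrom=security-update.net;
\tdkim=none;
\tdmarc=fail header.from=company.com
From: Payroll Update <payroll@company.com>
Reply-To: payroll-desk@security-update.net
To: alice@company.com
Subject: Action required: confirm your credentials
Message-ID: <1234@security-update.net>

Please confirm your credentials at the link below.
"""


def unfold(value):
    """Join folded header continuation lines back into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "").strip()


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def header_summary(raw):
    """Summarise the headers that matter when assessing a reported message."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]  # envelope sender, where bounces go
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]        # where a reply would actually land
    # spf=/dkim=/dmarc= verdicts recorded by the receiving server.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", unfold(msg.get("Authentication-Results"))))
    # The topmost Received header is added last, by the recipient's own MX, and names
    # the server that handed the message over; lower ones can be forged by the sender.
    hops = [unfold(h) for h in msg.get_all("Received", [])]
    m = re.match(r"from (\S+)", hops[0]) if hops else None
    handoff_host = m.group(1) if m else ""
    findings = []
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {domain_of(from_addr)}")
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append(f"Reply-To sends answers to {domain_of(reply_to)}, not the From domain")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed: the From domain did not authorise this sender")
    if auth.get("dkim", "none") == "none":
        findings.append("no DKIM signature")
    return {"from": from_addr, "return_path": return_path, "reply_to": reply_to,
            "handoff_host": handoff_host, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for key, value in header_summary(RAW_EML).items():
        print(f"{key}: {value}")
```

For the sample, SPF passes only because the scammer's own domain authorised the sending server; DMARC, which ties the check to the visible From domain, fails, and the Reply-To quietly redirects answers elsewhere. Those three facts are what the impersonated organisation or APWG can act on, and none of them survive if only the message body is forwarded, which is why the full headers matter.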

Interactive Training: Identify Phishing

Complete the modules below. Your progress updates automatically.

Module 1: Spot the Red Flags

Review the sample email and select at least three red flags without selecting legitimate elements.

Module 3: Attachments and Best Action

You receive "invoice.pdf.exe" from an unknown sender. What should you do?

Knowledge Check: 5-Question Quiz

1. The best way to verify a suspicious email from your bank is to:

2. Which of the following is MOST suspicious?

3. A link that looks like "secure-paypal.com" but actually goes to "secure-paypa1.com" is:

4. Multi-factor authentication (MFA):

5. If you suspect an email is phishing, you should:

Score 4/5 or higher to complete the quiz step.
