Don’t Fall for Email Scams This Black Friday

The infrastructure that runs the Internet’s email hasn’t changed a whole lot in the past 30 years. Yes, we’ve layered a few things on top of it like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) but at its heart, the protocol remains the same. That’s the problem. Email was designed in a simpler time. A time when the Internet was a trusted resource and nobody gave a second thought to the fact that it’s easy to say fudge the headers on an email so that it looks like your boss is getting an email from the President of the United States commending you for all your excellent work. I’m not saying that has happened or that I was a part of it…but hypothetically, it is possible.

So, if email can’t be trusted, what can we do? Well first, these days email is a lot more trustworthy. It is much easier to detect emails sent from someone, but say they are from the President, thanks to things like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

Even with these new technologies though, email scams are still rampant. As we charge headlong into the holiday season, let’s stop for a moment and look at a few things you can do to make sure you don’t fall for the latest scam. (Which is not sending emails to unsuspecting bosses…)

Email Scams You Need to Be Aware Of

Let’s take a look at a few of the many ways that bad people try to do bad things to you via email. This first group of scams all fall into the category of Phishing scams. A Phishing scam is basically an email designed to fool you into thinking it is from someone it is not and convince you to click on a link embedded in the email.

The Fake ‘’Account verification’’ Requests

These can seem to come from your bank, Netflix, Twitter, or one of those sites that you don’t admit to having an account on. It doesn’t matter where they are coming from, they all have the same basic message. 

“Your account has been locked for a REASON. To unlock your account before we delete it totally, click on this link.

Here’s a hint, no trusted system out there sends these emails out randomly. If you get one and you are not currently interacting with this organization, then it is almost assuredly a phishing scam.

When in doubt, pull out the paperwork you have for this organization, find a phone number and call them. Ask if there is a problem with your account. When they say no, thank them, wish them a great day, hang up, mark the email as spam, and move on with your life.

The unexpected ‘’Billing error’’ notifications

Did you know that it is possible for bad people to figure things out about you without you telling them? It is relatively simple to find out where a website is hosted. When bad people find out information like this, they like to use it for their gain and your loss. Such is the “Billing Error” notice.  

For instance, if you are a SiteGround customer and you get an email from SiteGround notifying you that there has been a billing error and you now owe $XXXXX more, stop. Don’t click any links in the email. Instead, go to the SiteGround support page and start a chat session with one of their great support people. They can tell you if there’s an issue with your account or not. 

Here’s an example of a phishing email that requests from a SiteGround customer to update their billing details in order to be able to renew their domain:

Notice that this fake email does not contain the name of the recipient, and SiteGround original emails should include the name you’ve used for registering your account. 

Next, notice that this email has grammar and spelling mistakes. These are red flags for a scam email along with the poor formatting. 

Finally, the signature is not the one used by the SiteGround team. 

When you confirm that there is not actually a billing error and you won’t have to sell your car to pay your hosting bill this month, thank the nice support person, wish them a wonderful day, disconnect, mark the email as spam, and move on with your life.

The ‘’Order confirmation’’ requests

An oldie but a goodie – and one that pops up a lot these days because ecommerce has exploded – is the “Order Confirmation” email. These are most effective when they are from companies that you’ve never dealt with. They usually involve large sums of money as well. The idea here is to alarm you so much that you will obviously click the link to “Unconfirm” the order. 

If the email looks like it is from a company you don’t do business with, ignore it. Mark it as spam, and move on with your life.

If it looks like it is from a company you do or have done business with, contact them directly outside of the email. Talk with the sales or accounting department and see if someone has placed an order on your behalf… When you find that the answer is no…well, you know the drill by now.

The ‘’Click and collect’’ scam

Thanks to the recent pandemic, “Click and Collect” has become a common way to shop. You buy something online from a nearby retailer. You drive to their store and let them know you are there, they bring the item out to your car. Sometimes, they even put it in your trunk so you don’t have to even meet them face to face.

Nowhere in the Click and Collect workflow is there an email that says “Click here if you didn’t order this.” Treat these the same as Order Confirmation requests. If you don’t deal with the company, it’s a scam. If you deal with the company but haven’t placed an order, it’s a scam. If you are in doubt, contact the company directly, not by replying to the questionable email.

Sometimes, scammers are really REALLY good. They send you an email that looks exactly right.

Real Life Phishing Emails (Well, Screenshots)

What do good phishing emails look like? Here are a few examples of actual phishing scam emails sent to SiteGround customers.

Apart from all the red flags already covered above, the ‘from’ email address of these emails is not a valid SiteGround email. What is more, a proper SiteGround email would never mention the payment method used by you to pay for the service in question.

If you’re a SiteGround customer who comes to report such emails, SiteGround would ask you to send the whole email as an attachment, as they use it to train their own systems to block such emails (in case your email is hosted with SiteGround), so that they do not reach your inbox. In case your email is not hosted with SiteGround, you can mark it as spam in your email provider.

To learn more about how to stay safe from phishing email attacks, check out the blog post on this topic.

How Do You Stay Safe from Email Scams During the Holidays?

So how would you tell if this was a scam email? Well the easy answer is to “practice safe email”. Here are a few of the things I do before I click a link on an email, any email.

1. Check the ‘from’ address.
   We’ve already done this but so very many phishing emails come from implausible email addresses. Most scammers don’t bother to try and hide it because so few people pay attention. A recent phishing attempt sent to me purported to come from NetFlix. However, the email address was [email protected]. Yes, Yahoo has a Japan domain but they don’t send email for NetFlix from it! Not even to Japanese customers.

   A good rule of thumb is if you were not expecting an email from someone, even a family member or friend, treat it as suspicious until you know it was actually from them. If you don’t recognize the person it came from, then automatically assume it is malicious until you can prove otherwise. 

2. Check all links before clicking.
   Most email clients these days will let you hover over a link that says “Click Here” (or wherever) and see what the actual URL is. Read it VERY CAREFULLY. Pay attention to the domain name. https://goog.le is not the same as https://google.com. Read it carefully. If it looks suspicious, do not click it.

   Some email programs will show you the link in a popup when you click it and ask for verification before it actually opens a browser to that link. If your email program will do this, by all means turn this feature on. Yes, it adds an extra step before you can see that precious baby picture your friend sent you, but it allows you to make sure that you are actually going to see a baby picture and not install malware on your computer.

3. Do not automatically download attachments
   Your email program should be set to not automatically download attachments. This means that if you download something from an email, you will have to do it on purpose. If the email doesn’t seem right or fails any of the checks we’ve discussed here, don’t download anything. Even things like Microsoft Word documents which seem innocuous (click here to see the invoice for the service you didn’t order) can do malicious things if you open them. If you weren’t expecting someone to send you an email attachment, don’t open it!
4. Read The Headers
   Ok, this is for the hardcore email nerds out there but those of us who have been doing this a while can discover a lot by reading the headers that come with every email. These days email programs hide the headers from you but they are there if you want to read them. 
5. Listen to your gut
   My wife, The lovely and talented Kathy, got an email from our worship pastor one day with the subject line “I love you”. She was good friends with this man and while the subject line confused her, it also piqued her interest. She opened it only to find that there was a malicious script attached to the email. It deleted about ½ of the images we had stored on our home server before I could stop it. Thankfully, I had a backup so there was no loss, other than the hours it took to clean up the mess. Had she simply called him, opened a new email and written him at the address she had in her contacts list, or contacted him in any of a half-dozen other ways, she could have found out that it was not from him but was a scam. Instead of trusting her gut, she opened the email.