5 things to check to spot a scam email
The other day I received an email pretending to come from PayPal, saying a transaction had been made for nearly $500 and that if I didn’t reach out to their team within 24 hours, the money would be taken from my account. Normally I would be confused about an unauthorized charge like this, but this email had all the signs of a typical scam email, so a quick two-second glance was enough to tell me it was a poor attempt to scam money from the recipient and that the best thing to do was nothing.
It’s usually pretty easy to spot an email like this if you know what to look for, so I decided to put together a simple guide with a little checklist. Scammers intentionally blast out these emails to thousands of people because it’s a numbers game – most people will realize it’s not a legitimate email and ignore it, but there’s always someone who simply doesn’t know any better and will fall for it.
Scam & Phishing Emails – How they work
These types of scams are often referred to as “phishing” emails. They pretend to come from a legitimate source such as a coworker or a company you have an account with, or they arrive from a random sender with something simple like “You’ve won a $20 Starbucks gift card, click here to redeem now”. These can be sent via email or text message, and the sender’s goal is usually one of these:
- Steal money
- Gain access to sensitive data
- Get your login credentials (usually for bank accounts, PayPal etc.)
- Install malware or ransomware on your device
To give you an example of how serious these can be, in 2021 Scripps Health was targeted in a ransomware attack that crippled Scripps’ computer system for nearly a month and caused the personal information of 1.2 million patients to leak. This information included social security numbers and driver’s license numbers, so it’s safe to say the attacker’s intent was to steal personal information and probably use it for identity theft later down the road, or sell it on the dark web. Naturally, a lawsuit followed, which Scripps settled for 3.5 million dollars.
In other words, someone at Scripps most likely clicked a malicious link because they didn’t spend five seconds thinking about whether that link was legitimate. That allowed the attacker to install ransomware on their systems, eventually forcing Scripps to shut down its computer systems for a month, suffer a complete PR catastrophe and settle a lawsuit for $3.5M. I don’t know if they paid a ransom to the attacker to get their systems back open, but that’s also a possibility.
All this because someone couldn’t spot a scam.
How do you spot a scam?
Let’s look at the email I received. The five things I look out for are these:
- Sent from public domain
- Misspelled domain
- Poorly written email
- Includes links, phone numbers and a call to action
- A sense of urgency
These are usually easy to spot if you know what to look for.
Red Flag #1 – Sent from public domain
The email I received was pretending to be from PayPal, but a quick look at the sender address reveals it was sent from a random Gmail address. A little bonus red flag is the fact that the name shown as the sender does not match the name in the email address itself.
Looking at the sender’s address is the first thing you should do. Look at the part that comes after the @ sign; that is the domain. Generally speaking, only a company that owns a domain can use that domain for its email addresses. In other words, an email coming from PayPal would most likely come from an address that ends with @paypal.com. Gmail, on the other hand, is a public mail service accessible to anyone, so it’s considered a public domain. A small self-employed hairstylist might email you from a Gmail address, but a legitimate large company would never contact you from a public domain email like that.
Red Flag #2 – Misspelled domain
Sometimes scammers create domains that resemble well-known companies. They can’t access official @paypal.com emails, but they might email you from an address that ends with @paypall.com, @appple.com or @g00gle.com. By changing a few characters they’re hoping that people will quickly glance at the sender address and mistakenly assume it’s coming from a trustworthy source.
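Red flags #1 and #2 can be checked automatically from the From header alone. The script below is an added example, not code from the original post: it flags a public webmail domain, a display name that claims a brand the domain does not belong to, and a lookalike domain within two character edits of a real brand domain (after undoing digit-for-letter swaps such as g00gle). The public-domain list, the brand list and the sample header are constructed for the example.

```python
"""Automated version of red flags #1 and #2: inspect an email's From header for a
public webmail domain, a display name claiming a brand the domain does not belong
to, and a lookalike (typosquatted) domain."""
from email.utils import parseaddr

# Public mail services anyone can sign up for. Assumption: a short illustrative
# list; a real filter would use a much longer one.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Brands the recipient has accounts with and their real mail domains
# (constructed for this example).
BRAND_DOMAINS = {"paypal": "paypal.com", "apple": "apple.com", "google": "google.com"}
# Digit-for-letter swaps that make g00gle.com read like google.com.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return the list of red flags found in a From header (empty if none)."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["sender address could not be parsed"]
    domain = address.rsplit("@", 1)[1].lower()
    name = display_name.lower()
    flags = []
    # Red flag #1: a large company does not mail you from a public domain.
    if domain in PUBLIC_DOMAINS:
        flags.append(f"sent from public domain {domain}")
    for brand, real_domain in BRAND_DOMAINS.items():
        is_real = domain == real_domain or domain.endswith("." + real_domain)
        # Bonus flag from the post: display name claims a brand the domain is not.
        if brand in name and not is_real:
            flags.append(f"display name claims {brand} but domain is {domain}")
        # Red flag #2: within two edits of a real brand domain (after undoing the
        # digit swaps) means a lookalike, not the real thing.
        if not is_real and edit_distance(domain.translate(HOMOGLYPHS), real_domain) <= 2:
            flags.append(f"lookalike domain {domain} resembles {real_domain}")
    return flags

if __name__ == "__main__":
    # Constructed header modelled on the one described in the post.
    print(check_sender("PayPal <billing.desk@gmail.com>"))
```

Subdomains of a real brand domain (mail.paypal.com) are treated as legitimate, matching the post's "ends with @paypal.com" rule; an unrelated domain with a brand name in the display name is still flagged.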
Red Flag #3 – Poorly written email
Take a look at the whole email. Read it and feel out the language. Does it sound professional? In most cases, you’ll spot poorly written language that sounds weird and awkward.
The scam email I received was mostly written well, but the thing that stands out is at the bottom. It says not to reply to the email because “it will just confuse the computer that sent it”. That’s an extremely clumsy way of trying to say “Please do not reply to this message; it was automatically generated, and replies will not be read.” They also signed it with “Thank & Regards”.
Look for spelling errors and sentences that don’t sound natural. If you see those, it could be a foreign scammer who doesn’t quite know how to properly write in your language.
Red Flag #4 – Links and Call to Action
Think before you act.
For the scam to work, they need you to take action. That action can be clicking malicious links in the email, downloading attachments that contain malware or ransomware, or, like in my case, simply calling a phone number. Usually, scammers prefer to send links to automate their scams and minimize manual labor, but in my case they actually sent me a phone number, saying nearly $500 would be taken from my account unless I reached out to them. My guess is they wanted me to call, at which point they’d explain there had been a mistake and that to revert the charge they’d need access (meaning login credentials) to my PayPal account, which, if I was dumb enough to give them, they’d then use to steal money from me.
A more typical scam would be sending a malicious link that they urge you to click. They might pretend that your account has been compromised, with a “click here to reset your password” link. Or they say an unauthorized charge was made on your bank account or credit card, followed by a link you can click to “block the charge”. Or maybe you just won a free iPhone and need to redeem it within 24 hours. Or a stunningly beautiful woman is feeling lonely and urges you to click a link to her dating profile so you two can meet.
The best thing to do? Ignore it and delete the email. Don’t click any links, don’t answer the email, do nothing. If you’re not 100% sure whether the email is a scam, investigate the situation without interacting directly with the email you received. For example, if the email says they’ve noticed unauthorized login attempts at your online bank, open up your web browser, navigate to the bank’s website, and manually log in. From there you can change your password or contact customer service. When contacting customer service, never trust the contact information given to you in a suspicious email – instead look it up on your own, to make sure you end up talking with the real customer service and not someone who’s pretending to be something they’re not.
Red Flag #5 – The Sense of Urgency
This might be the most important one, and for a good reason – it works. The scammers want to give you a sense of urgency so you act before thinking. In my case, it was the $500 that was going to be charged unless I contacted them within 24 hours. It can be someone pretending to be your boss asking you to quickly check an important presentation 5 minutes before a company-wide meeting. Or you just won $10,000, but only if you click the redeem link within 5 minutes.
The psychology behind this is to make you feel like you have to act right now and skip the step of evaluating whether the email is trustworthy or not. I’m confident a lot of the people who fell for these kinds of scams looked back at their mistake, shook their heads, and said “Of course, how did I not catch that?”.
There are a lot of urgent emails in your inbox, but none of them are so urgent that you can’t spend 30 seconds scanning through them and checking whether they show any of the red flags listed above.