How do I recognise scammers?

Protecting yourself from cyber-harm

Author: Eric Allgood CMgr CAHRI MAITD

Spotting the signs of a scam, phishing or malware attempt can be difficult at times, and even the most basic and obvious ones can catch us unawares.

The problem with disasters (aside from the ACTUAL disaster itself) is that they distract us and can cause us to stop paying attention.

Scammers will:

  • Attempt to gain your trust by claiming to be from a well-known company, agency or other known contact;
  • Gain trust by using readily sourced information about you (social media, for example);
  • Suggest their own verification process, such as "go to this website", "click here" or "call this number";
  • Appeal to your emotions (fear, anxiety, etc.); and/or
  • Create a sense of urgency to try to force decisions without consideration.

Phishing/malware scams: use emails or SMS messages to get you to click a link, citing an event such as "your new invoice is ready" or "your bank account has been locked". These links either install malware or get you to answer the most common identity questions (including your bank details) so they can then either take money from your account or steal your identity.

Online shopping scams: becoming much more common with retail moving predominantly online. I happen to know this one from personal experience, and the signs were so damn obvious I kick myself every time I think about it (… ouch!). These scams use well-known brands and advertise them at ridiculous prices; you follow the link, do what you normally would in order to buy something, and then your account has been debited (normally multiple times) and you receive nothing.

Classified scams: quite common and usually involve you transferring money before you can view an item.

Business email scams: (I have received quite a number of these across the numerous associations of which I am an Executive Committee member) involve an email designed to look like it has come from someone with authority within the organisation, declaring an underpayment or the need for an urgent payment, with an invoice to follow.

What can you do to avoid these things? The answers are quite simple:

  • If you receive an email or SMS from an alleged authority (your bank, CEO, ATO, etc.), DO NOT REPLY to the message; instead, call the ATO/bank directly, or email (a new email, with the address typed in) your CEO/co-worker to confirm.
  • If you receive an SMS/email from your bank stating that your account is locked and you need to reset your password, just log on like you normally would; if your account really is locked, the legitimate site will direct you how to fix that. Alternatively, call the supposed source directly.
  • If you receive a call from someone claiming to be your bank or a Government Department, ask for a reference number and say you are busy and will call back. If they offer you their number, just say "it's OK, I already have it". Call back on the number you already have; if the call was legitimate, just explain your concern and they will understand.
  • Never click on a link.
  • Never open an attachment in an email you were not expecting; you can always call the sender and check.
  • Check the spelling of websites. I recently received an ‘infringement notice’ SMS and the link for payment referred to the DMT, a very American version of the transport department. Furthermore, there was no dot gov or dot au in the address!
  • Grammar: is the spelling and grammar up to the usual standard of the sender? If not, then no!
  • Does it seem too good to be true? Does the website for those Rolex watches misspell Rolex? Does it not have the correct website address?
  • Is there any evidence the product or service exists?

In short, if you answer yes to any of the following questions, the email you just opened may well be a scam.

  • Is the email from someone you do not know personally, or communicate with normally?
  • Is the person (known or not) asking for something unusual, issues related to an online account or password, or otherwise acting out of character?
  • Is the sender’s email address from a suspicious-sounding domain? (e.g. @micro-softsupport.com, @paypal-security.net)
  • Were you CC’ed on an email with some other people you do not know?
  • Does the subject line seem irrelevant, not make sense, or not match the content of the email?
  • Is the email a reply to a message you never sent?
  • Did the email come at an odd time, like 2:00 am?
  • Is the sender asking you to click on a link or open an attachment?
  • Does the email contain a .zip archive or an executable file?
  • When you hover over any links within the email, does the address shown differ from the one displayed in the body of the email?
  • Does the email contain a link, but no other information?
  • Is the link to a well-known website, but spelled incorrectly and somewhat suspicious-looking? (e.g. paypal.paymentsnow.com, bankofamericacom.net)
  • Is the sender stating something bad will happen if you do not click the link, or that there is extreme value in clicking the link?
  • Does the email contain poor grammar or spelling mistakes?
  • Is the sender warning you that they found inappropriate content or images of you online?
  • Is your gut or “Spidey Sense” trying to tell you something…
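Several of the questions above (suspicious-sounding sender domain, link text that hides a different address, a .zip or executable attachment, urgency language, an odd sending time) can be checked mechanically. The following Python script is an added example, not code from the article or its author: it runs those checks over a constructed sample message using only the standard library. The list of "known brands", the set of risky attachment extensions, the urgency words and the 6 am cut-off for "odd hour" are all assumptions chosen for illustration; the sample sender and link addresses are taken from the checklist above.

```python
"""Heuristic phishing checklist over a constructed sample email (added example)."""
import re
from datetime import datetime
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: brands you deal with and the real registrable domain for each.
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}
# Assumption: attachment extensions that execute or commonly carry executables.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".zip", ".iso", ".hta"}
# Assumption: words that signal the "something bad will happen" pressure.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "locked", "within 24 hours")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (sufficient for .com/.net style domains)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_brand(host: str) -> Optional[str]:
    """Name the brand a host imitates: it mentions the brand but is not its real domain."""
    squashed = host.lower().replace("-", "")  # catches micro-soft, paypal-security
    for brand, real in KNOWN_BRANDS.items():
        if brand in squashed and registrable_domain(host) != real:
            return brand
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_email(msg: dict) -> List[str]:
    """Return the checklist signs found in a message dict (sender, html, attachments, sent_at)."""
    hits = []
    sender_host = msg["sender"].rsplit("@", 1)[-1]
    brand = lookalike_brand(sender_host)
    if brand:
        hits.append(f"sender domain {sender_host} imitates {brand}")
    parser = LinkCollector()
    parser.feed(msg["html"])
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        # The "hover over the link" check: visible text that looks like a web
        # address but whose registrable domain differs from the real target.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group()) != registrable_domain(href_host):
            hits.append(f"link text '{text}' hides {href_host}")
        link_brand = lookalike_brand(href_host)
        if link_brand:
            hits.append(f"link host {href_host} imitates {link_brand}")
    for name in msg.get("attachments", []):
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            hits.append(f"risky attachment {name}")
    body_text = re.sub(r"<[^>]+>", " ", msg["html"]).lower()
    if any(word in body_text for word in URGENCY_WORDS):
        hits.append("urgency language in body")
    if msg["sent_at"].hour < 6:  # assumption: before 6 am counts as an odd time
        hits.append(f"sent at odd hour ({msg['sent_at']:%H:%M})")
    return hits


# Constructed sample message showing several signs at once.
SAMPLE = {
    "sender": "security@paypal-security.net",
    "html": ('<p>Your account has been locked. Verify immediately at '
             '<a href="http://paypal.paymentsnow.com/verify">https://www.paypal.com/</a></p>'),
    "attachments": ["invoice.zip"],
    "sent_at": datetime(2024, 3, 2, 2, 14),
}

# Constructed message with none of the signs, for comparison.
CLEAN = {
    "sender": "alerts@paypal.com",
    "html": "<p>Your monthly statement is available in your account.</p>",
    "attachments": [],
    "sent_at": datetime(2024, 3, 2, 10, 0),
}

if __name__ == "__main__":
    for hit in assess_email(SAMPLE):
        print("-", hit)
```

Running it lists six signs for the sample message (imitating sender domain, hidden link target, imitating link host, .zip attachment, urgency wording, 2 am send time) and none for the clean one. None of these checks is proof on its own; the point of the script is that the hover-and-compare test and the "does the domain merely mention the brand" test are mechanical enough that a mail filter can do them for you.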