The fact that you and everyone you know will receive spam and scam emails (and texts) for as long as they live should be added to the famous Ben Franklin quote, “… in this world nothing can be said to be certain, except death and taxes.” Death, taxes, and spam. It’s constant, ever-present, and you likely have a few hundred of them sitting in your Spam folder as you read this. The very fact that we even need to have a spam folder tells us there’s a problem.
While email providers and the best Windows antivirus solutions can often do a decent job at spotting the false missives from Nigerian princes that hit your inbox, both remain far from foolproof—so you need to know how to spot a scam email to avoid falling prey to their tactics. Here’s some advice that can help.
Always know (and verify) the sender
An email from someone you know suddenly arriving in your inbox with no warning is a red flag. Typically, when we get email from our family or friends, it’s about a topic we are actively discussing, so when there is no warning of an incoming email, tread lightly; it could be a scam. If there is a link inside a suspicious email, then it’s almost always a scam. Hackers and ne’er-do-wells can sometimes take over someone’s email account and just start spamming all of their contacts with nefarious links that seem safe, but will plant malware on your system, or worse. Luckily, this tactic is easy to counter since you can just verify if the person who you think sent the email did indeed mean to send it. A simple phone call or text will do, and if they exclaim, “What email?” then you know what to do.
It’s also important to point out that when examining these emails, don’t just look at the name of the sender, but the email address. For example, I got a spam email from “Facebook” recently, which is obviously fake, but when I clicked the drop-down for the actual address and CC’d people, I saw the details below. Even your grandma knows that is fishy. Not to mention the address Facebookmail750@gmail.com—come on spammers, try harder.
Always check links in email
As a general rule it’s safest to never click any links in emails, even if you think you know the source. As we just said, you might not actually know the source and clicking links in email is how the vast majority of people fall victim to phishing operations (see the United States Presidential election of 2016 for how disastrous this can be).
That said, if you are sure of the source, and you are confident it is not a spam or scam email, you can always check the actual link prior to clicking it. The process is quite simple. Just hover your mouse over the link in the email, and a little window will pop up in the lower corner of your browser (usually on the left side) showing you what the actual link is. For example, when I hover over this masterfully written article’s link on PCWorld.com, I can look in the lower left-hand corner to see where it will take me. You might need to enable this preview window in your browser, so if you don’t see link previews, click “View” in your browser’s controls and look for something called Status Bar or similar.
When hovering over what you think might be spam links, you’ll usually see some very strange URLs that are not typical, which usually means it’s spam, of course. You can see an example below.
Spelling mistakes are a huge red flag
Spelling mistakes, odd punctuation, and weird use of language are probably the easiest red flags to recognize. The majority of scam operations are run from countries far away, where English is not the native tongue, and hence you get stuff like this.
Sure, nobody is perfect and email can be seen as a casual way to communicate at times, so even we have typos in our emails from time to time. But if you’re reading an email thinking the person must have been drunk while typing it, mark it as Spam.
Be wary of email from big companies
You will likely never receive an email from Facebook, Apple, or Google unless you are paying them for a service, in which case it could be an invoice for iCloud, Google Storage, or similar. They usually will not email you out of the blue to let you know there’s an issue with your account. They will, however, send you an email when a foreign device logs into your account, but hopefully that’s you on a new device, and not some nefarious person. You should enable two-factor authentication on all your accounts for online services anyway, so something like this should not be possible in the first place.
That said, there are exceptions that can be safe. For example, I recently got an email from Google asking me to add a second phone number to my two-factor authentication setup, and since Google is usually smart about these things, it thoughtfully included a non-clickable link at the bottom if I wanted to copy-and-paste it myself instead of clicking an active link. That’s because, as we’ve said previously, savvy users know to be wary of clickable links. Most big companies will also write in their emails to you that they will never ask for your password over email.
One more thing to note: Typically, if you do get an email from a big company like Facebook, there will not be clickable links in the email. It’ll be just to inform you of something. However, if you are curious enough to follow up, do it outside the email itself. Open Facebook, or your Google settings, or your iPhone, and investigate the issue there instead of through the email you received.
Texts are just as dangerous as email
I’ll admit it, I have definitely been curious about a few texts I have received, which were worded like, “Your Amazon package is delayed. Check its status here.” Most of us have an Amazon package en route often enough for this type of message to be applicable, but more often than not, it’s a scam.
Text messages are much more dangerous than emails because there’s not really a way to see where the embedded link is taking you unless you preview it, but not everyone knows how to do that. Smartphones have gotten smarter by displaying a preview of what is linked in a box with an image, but of course the scammers have found ways around this, so there’s usually not a preview box. The best thing to do, in almost every case, is simply ignore the text, block the sender, and navigate directly to the website of the alleged link. If that example Amazon package was indeed delayed, you’ll find evidence of it in your orders summary on Amazon.com.
In the link above, you know it’s a scam just based on the URL alone, but what if the message is more sophisticated? What if they use your name, or say something in the message that is actually applicable to your life?
The same rules apply to texts as they do to emails—if you don’t know the sender, do not open any links. Even if you know the sender, contact them separately to verify they are the ones who sent it. Either way, your life will not deteriorate in any noticeable fashion if you simply do not click the link provided.
Stay vigilant, don’t click, stay safe
To sum things up, the best Windows antivirus tools can often spot a lot of scam emails for you, and the vast majority of phishing and malware attacks are only successful if the target clicks on a link provided. While there are “no click” malware attacks going around right now, they are expensive for a third party to purchase on the black market, so they usually target high-level government employees, journalists investigating corruption, and those types of people. Most regular people will only get scammed if they respond to a mysterious message, whether it’s via email or text. So be safe, do not click on links you get that seem fishy, no matter how curious you might be about them.