7 Pro Tips To Spot A Fake Email - Email Scam 🚩 Red Flags 🚩
Have you ever received a phishing or scammer email? How did you know it was phishing or a scam?
Email scams and phishing are so common. A lot of us think we’re really good at recognizing these thanks to obvious grammatical errors, bad spelling, insane overuse of fonts or typefaces, and generally unprofessional-looking flaws in the body text that are red flags. But scammers have gotten better at crafting very realistic-looking emails AND sending them from legitimate-looking domains.
While we still have the obvious ones that come from a .cz domain or from a gmail address, sometimes you may see one that comes from what looks like, hypothetically, google.com or youtube.com, and if both the text of the email AND the domain look legit, how can you tell whether it’s actually phishing or not?
Taking a look at that From line first is a really good way to determine email legitimacy. If I got an email that said it was from Instagram and told me to reset my password but the sender was actually joebobthehacker@gmail.com, kinda obvious that’s not Instagram, right? So many scammers could get caught if more users just checked the From line, plus it can save you a ton of time since you wouldn’t have to investigate further after seeing that red flag. Just delete / block / report as phishing, and move on.
At this point as you’re looking at your inbox, you may be wondering how all these scammers got your email address? They may have bought it from a data broker. All those sites that collect data about regular people like me and you and make that data super easy to search and find: those are data brokers. If you’ve ever googled yourself and seen your: name, home address, phone number, email addresses, marital status, occupation, random photos and more show up… it’s because of Data Brokers collecting and posting this information on their sites.
Thieves use this info to social engineer and target you with phishing and scams, and to thwart them, you can use DeleteMe.
DeleteMe will remove your personal information from websites like Spokeo, PeopleFinder, PeopleSearchNow and more - these are data brokers who sell your information to orgs like marketing firms and insurance companies.
By removing your data from these data brokers - it inherently improves your search results as well.
DeleteMe is a great way to protect your privacy and your identity. If you're concerned about your personal information being out there on the internet, or you’re sick of all the scammy emails, then you should sign up for DeleteMe today.
Use the code SNUBS at checkout - that’s S N U B S - for 20% off any of the consumer plans. or just click the link below or hit up JoinDeleteMe.com/MorseCode to sign up today and that code will automatically apply at checkout! Sign up now and safeguard your personal information today!
Huge thank you to DeleteMe for sponsoring this episode.
The unfortunate reality is that a mail server can be set up to send email from what looks like a legitimate domain but is actually a spoofed email address. In the case of email spoofing, the address does indeed spell out the legit company’s domain, so it can be even harder to tell if it’s real or not. They could also choose a domain that could theoretically be owned by the company in question but in actuality is just a sly way to scam. An example could be chase.com for Chase Bank, where the attacker registers Chase-Bank-Mail.com or chase.bankmail.com (in the second case the attacker is using the brand name as a subdomain of a domain they control). They could also use Punycode or Unicode characters: non-Latin characters used on regional keyboards in different parts of the world that look identical to our Latin characters.
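Here is an added example (not code from the video) that checks a sender domain against the brand domain you expected, covering the three tricks just described: a lookalike domain with the brand name in it, the brand name used as a subdomain of someone else’s domain, and Punycode/Unicode homoglyphs. The domain names used in it are constructed for illustration.

```python
# Added example (not from the video): flag sender domains that only *look*
# like a trusted brand domain. Only the Python standard library is used.

def decode_punycode(domain: str) -> str:
    """Turn xn-- labels back into the Unicode a mail client would display."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        # Already contains non-ASCII characters (or is malformed): return as-is
        return domain

def has_non_latin(domain: str) -> bool:
    """True if any character is outside plain ASCII, e.g. Cyrillic 'а' for 'a'."""
    return any(ord(ch) > 127 for ch in decode_punycode(domain))

def is_same_org(sender_domain: str, brand_domain: str) -> bool:
    """True only if sender_domain IS brand_domain or a real subdomain of it.
    'mail.chase.com' passes; 'chase.bankmail.com' does NOT, because its
    registrable domain is bankmail.com, not chase.com."""
    s = decode_punycode(sender_domain).lower().rstrip(".")
    b = brand_domain.lower().rstrip(".")
    return s == b or s.endswith("." + b)

def classify(sender_domain: str, brand_domain: str) -> str:
    """Human-readable verdict for the From-line domain of a suspicious email."""
    if has_non_latin(sender_domain):
        return "suspicious: non-Latin characters (possible homoglyph)"
    if is_same_org(sender_domain, brand_domain):
        return "ok: same organisation"
    # Brand name appears inside a domain the brand does not own
    if brand_domain.split(".")[0] in sender_domain.lower():
        return "suspicious: brand name inside an unrelated domain"
    return "unrelated domain"
```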
This tutorial comes with a caveat: If an attacker sends an email from their own domain, then they would pass these tests, because these tests have everything to do with email spoofing - so use this information as just one of the tests you should go through whenever determining if these are real or not. If they aren’t spoofing anything and are just hoping you don’t check the from line, then you could still fall victim to a scam. So make sure to check that domain first.
I’m using a Gmail inbox for all of these examples. When looking at the drop-down for basic info about the email, you may see a Reply-To line. If it’s from a company, this may redirect replies to a customer service inbox. But if it’s a scam, the Reply-To line may be the scammer’s email address. If it looks super fishy, it probably is. If you don’t see a Reply-To line, that probably means the sender hasn’t set up any redirect for replies.
Here’s another dead giveaway on this page of info: if the From line includes “via” at the end, that means the domain actually sending the email doesn’t match the one in the From line. You may also see a line that says “Signed-By”, and that may not match the domain in the From line either. Both can be indicators of a spoofed email. Sometimes a company uses a third-party service to send marketing emails, so those may be legitimate, but if the domain looks weird, proceed with caution.
So we have to dig deeper into the email, not just looking at the From line and the body text, but at the part called the header. Email headers include the From, To, Date and Subject, but also a ton of jargon about where the email originated and whether the sending server is authorized to send from a specific domain.
I’m going to use Gmail for my example but each email provider will give you some way of viewing the email header info - though the steps may vary. I’ll include this link below that shows you exactly how to find the header for most popular email providers.
In Gmail, click the 3 little dots next to the reply arrow and click Show Original. This page will look totally off-putting and technical, but there are only a couple of lines you really need to pay attention to. You want to look for a Received line that shows the domain name and IP address, and the Received-SPF line.
Oftentimes, a spoofed email will have a different domain associated with the Received line, and the Received-SPF line will show you either a Softfail or Fail. A legitimate email should say Pass on the Received SPF line and give you a legitimate domain and IP address on the Received line.
In some cases, the Received line will show you a similar domain, like if a company has purchased many different domains for their business, so you may want to look up the IP address to see if it’s owned by that company. To look up the whois info on a domain, you can use this site: whois.domaintools.com and type in the IP address. This will show you who owns that domain - if it looks sketchy, it probably is.
SPF in Received-SPF stands for Sender Policy Framework, and it allows domains to specify which servers are authorized to send emails on their behalf. Great example: I work with a PR company from time to time for product reviews, and they sent a product review email from a Microsoft domain instead of their usual PR company domain. Because the Microsoft domain wasn’t an authorized sender, the email failed the SPF check and ended up in my spam folder unbeknownst to me. Unfortunately that meant I missed out on a product for review, but it also shows the importance of making sure your business’s email is set up correctly.
Tangent aside, a Pass is one of the indicators you should look for in a legitimate email. The SPF result isn’t a 100% surefire way to tell, though, as I showed in my example with that PR company. A Fail or Softfail can happen even with legitimate emails, so it’s important to use this as ONE of the steps to determine if an email is legit.
If you like this video, a subscribe would mean a lot to me. I use subscriptions as an indicator that I am actively building an audience here who is interested in these topics, and it lets me know you find value in this kind of content.
Two other indicators of spoofing are the DKIM and DMARC lines. All 3 should say PASS if the email is legitimate. But again, these would say PASS if a scammer just used their own domain instead of trying to spoof a real company’s domain, so you should be checking them alongside the telltale signs I mentioned before getting into the technical header info.
DKIM tells you whether an email has been altered in transit, but only in transit. If no one altered a spoofed email in transit, it’s still a spoofed email. If you see PASS with a domain next to it, check whether that domain matches the one in the From line; if they match, that’s a good sign!
DMARC checks that the domain in the From address was tested and matches (aligns with) what the SPF and DKIM checks expected. If any of these lines says Fail or Softfail, be very cautious: either the company sending it didn’t set up their server correctly, or it’s a scam.
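To tie the header checks together, here is an added example (not code from the video) that reads the kind of headers Gmail’s Show Original displays and applies the Received-SPF, DKIM, DMARC, DKIM-domain-alignment and Reply-To checks described above. The raw message in it is constructed for this example, using reserved documentation addresses and TLDs.

```python
# Added example (not from the video): apply the header checks described above
# to a constructed "Show Original"-style message. Standard library only.
import email
import re
from email.utils import parseaddr

RAW = """\
Return-Path: <bounce@mailer.example.org>
Received: from mailer.example.org (mailer.example.org [203.0.113.10])
        by mx.example.net with ESMTPS id abc123
Received-SPF: softfail (example.net: 203.0.113.10 is not a permitted sender)
Authentication-Results: mx.example.net;
       dkim=pass header.i=@mailer.example.org;
       spf=softfail smtp.mailfrom=mailer.example.org;
       dmarc=fail (p=REJECT) header.from=instagram.example
From: Instagram <security@instagram.example>
Reply-To: support-desk@mailer.example.org
Subject: Reset your password

"""

def domain_of(addr: str) -> str:
    """Domain part of 'Name <user@domain>' (empty string if no address)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def auth_result(msg, method: str) -> str:
    """Result token ('pass', 'fail', 'softfail', ...) for spf/dkim/dmarc."""
    ar = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(rf"\b{method}=(\w+)", ar)
    if m is None and method == "spf":          # fall back to the Received-SPF line
        return msg.get("Received-SPF", "none").split()[0].lower()
    return m.group(1).lower() if m else "none"

def dkim_domain(msg) -> str:
    """Domain the DKIM signature vouches for (header.i= or header.d=)."""
    ar = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"header\.[id]=@?([\w.-]+)", ar)
    return m.group(1).lower() if m else ""

def check_headers(raw: str) -> dict:
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    f = {"from_domain": from_dom, "spf": auth_result(msg, "spf"),
         "dkim": auth_result(msg, "dkim"), "dmarc": auth_result(msg, "dmarc"),
         "dkim_aligned": dkim_domain(msg) == from_dom,   # the 'via'/'Signed-By' mismatch
         "reply_to_mismatch": reply_dom != from_dom}     # replies go somewhere else
    f["all_pass"] = all(f[k] == "pass" for k in ("spf", "dkim", "dmarc"))
    f["verdict"] = ("looks legitimate" if f["all_pass"] and f["dkim_aligned"]
                    and not f["reply_to_mismatch"] else "treat as suspicious")
    return f
```

Run `check_headers(RAW)` on the sample and it reports SPF softfail, DMARC fail, a DKIM domain that does not match the From domain and a Reply-To pointing elsewhere, so the verdict is "treat as suspicious".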
See all passes? Then you should be good to go, as long as the From and Reply-To lines look legit. Of course, proceed with caution anytime you’re using email to communicate: don’t click on links in emails, and never download attachments from emails. I’ve seen lots of my own YouTuber friends fall for email scams and get locked out of their online accounts, so it is a real concern and something you should be very aware of. Let me know if you have questions and check the links below for references and sources.
Thanks again to DeleteMe for sponsoring this video, bye y’all!