We all receive countless emails, texts and messages on WhatsApp, Facebook and others, and life is busy so we are not always alert to scams and phishing attempts designed to steal our personal information or infect our devices.
This is not a new phenomenon. When you consider that the only way to get money is to take it from other people, it is no surprise that not everyone wants to work hard for it. Indeed, cheating someone out of it is usually quicker and more lucrative than working (which is just selling your skills and time as a service in exchange for what someone thinks the results are worth paying for).
Phishing arrived in the 1990s, taking advantage of technically illiterate people, callously and unscrupulously stealing life savings. And as much as 2FA on everything is a pain, it really does give you time to stop and think.
It used to be easy to spot a phishing email. Advancements in AI have changed the game though, simply because phishing used to be poorly done in broken English, and ChatGPT et al. now give scammers the tools to do a better job on the con.
The worrying trend is that you can now create video from images and replicate voices, which is easily used to trick you into believing a loved one is in trouble. Our older generation still falls for people calling up pretending to be the bank, and most boomers would be unable to distinguish an AI image.
The other issue is automation, which enables scammers to do this at huge scale, simply playing the numbers game.
Completing the perfect storm is the growing need to do it. As the cost of living gets tighter and the economy strains, more people will do the modern equivalent of stealing bread to feed their children.
It will get even more sophisticated and harder to spot, and it will happen more. Our only defence is education: learning how the scams operate and sharing that information so it gets passed on.
It’s really time for the Government to overhaul the school education system in my opinion. Why teach primary kids algebra when they need to be taught how to use modern tools correctly? The internet is a huge part of our lives now, and understanding trusted sources of information, and what people have to gain from putting a certain spin on things, is essential to understanding motivation and questioning authenticity.
The worst part is that, in the older generations, the trust in people has gone. We have to think everything could be a scam, even your child texting you from a new number.
So What Is Phishing?
Phishing is a type of cyberattack where criminals attempt to trick individuals into revealing sensitive information, such as passwords, credit card details, or personal data. They might be trying to get your social login details.
Phishing emails often appear legitimate, masquerading as messages from trusted companies or organisations. Familiarising yourself with the tactics used in phishing attacks can help you spot them quickly.
Scamming has been around for centuries though; this is just a modern twist. Arguably the first was the Snake in the Garden of Eden, but there are plenty of examples in Ancient Greece too.
The word scam only dates from the 1960s; before that it was commonly called a con or swindle. The term conman is short for confidence man, relating to William Thompson, who in 1849 duped people out of their valuables.
The example that springs to mind is Snake Oil salesmen, who made a living from offering a magical elixir to make you feel better. And that still exists in many guises in the healthcare industry, playing on our vanity or desire to be healthy.
Common Characteristics of Phishing Emails
Emails are easier to handle than calls, as you have time to research. A phone call catches us off guard and demands constant focus, and only afterwards do we have time to process the conversation and our actions.
1. Suspicious Sender Address
Phishing emails often use deceptive or slightly altered sender addresses to look authentic. For example, an email might claim to be from a well-known brand but use a slightly altered domain name, such as “support@paypal-secure.com” instead of the legitimate “@paypal.com.” They will often use real templates to make the branding in the email content look the same.
Domains are easy to come by, unregulated, and can be instantly used to send emails. Look out for extra words, strange characters, or misspelled domains in the email address.
You may see what’s called a sub-domain. For instance, Centreparcs send legit emails from @email.centreparcs.co.uk. The dot shows it’s part of the centreparcs.co.uk domain, whereas email-centreparcs.co.uk would be a completely different domain.
The easiest solution is to always be wary: if it’s an email from PayPal or Facebook, don’t click on the links. Just go to the platform directly, as any urgent messages for you will be there waiting under notifications.
Think about what the email is trying to get you to do. If it’s saying your account is frozen, hacked or whatever, and wants you to click on a link to log in, then it’s likely an attempt to get your login details by sending that link to a page to collect them. If it’s a newsletter, then it’s unlikely a scam as it’s not asking you to do anything.
In the example below the phishers went to the trouble of a 301 redirect on their fake domain. So when I searched it, it went to the correct Bose website.
How to check the sender address
We usually see what is known as the sender name, which can be manually edited. If you click on it, it usually shows the actual email address, although please note that it is possible to spoof an email and send it from another address.
If you click “reply to”, it will show you where you are sending the response, which can be somewhere else entirely. Spoofed emails usually end up in spam folders as they do not have correct SPF records, which list the IP addresses where the legitimate emails are sent from.
Trust the spam filter; it’s right 90% of the time, so anything there needs extra due diligence.
In this instance, for bose-global.com, the domain was newly registered and was on a Cloudflare account with 25 million other websites. The sender’s name also did not appear on LinkedIn for the company, let alone for the role stated. The email was also a generic marketing.manager@bose-global.com rather than a named address, which is standard practice in big corporations.
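The sender checks above (lookalike domain versus genuine sub-domain, display name not matching the address, Reply-To going somewhere else, and the SPF verdict the receiving server records) can be run over the raw headers of a message. The script below is an added example and not code from the original post; the raw message, the hostname mailbox.example and the trusted-domain list are constructed for illustration, and paypal-secure.com is the lookalike used in the text.

```python
"""Header checks for a suspicious email (added example, not from the original post).

Constructed sample: the display name says "PayPal", the sender is on the
lookalike domain from the article, the Reply-To points somewhere else again,
and the receiving server recorded an SPF failure in Authentication-Results."""
import email
from email.utils import parseaddr

SAMPLE_HEADERS = """\
From: "PayPal Support" <support@paypal-secure.com>
Reply-To: collector@mailbox.example
To: you@example.org
Subject: Your account has been limited
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=paypal-secure.com
Date: Mon, 1 Jan 2024 09:00:00 +0000

Please log in to restore access.
"""

# Domains we actually expect mail from (constructed list for the example).
TRUSTED_DOMAINS = {"paypal.com", "centreparcs.co.uk"}


def address_domain(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def belongs_to(host, trusted):
    """True if host is the trusted domain or a real sub-domain of it:
    email.centreparcs.co.uk passes, email-centreparcs.co.uk does not."""
    host = host.lower()
    return host == trusted or host.endswith("." + trusted)


def spf_result(auth_results):
    """Pull the spf= verdict out of an Authentication-Results header."""
    for token in (auth_results or "").replace(";", " ").split():
        if token.startswith("spf="):
            return token[4:].lower()
    return "none"


def check_headers(raw):
    """Return a list of red flags found in the raw message headers."""
    msg = email.message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    flags = []

    if not any(belongs_to(from_dom, t) for t in TRUSTED_DOMAINS):
        flags.append(f"sender domain {from_dom} is not a trusted domain")
    # A display name that names a trusted brand while the domain is not that brand.
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        if brand in display_name.lower() and not belongs_to(from_dom, t):
            flags.append(f'display name "{display_name}" claims {brand} but domain is {from_dom}')
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    spf = spf_result(msg.get("Authentication-Results"))
    if spf != "pass":
        flags.append(f"SPF result is {spf}")
    return flags


if __name__ == "__main__":
    for flag in check_headers(SAMPLE_HEADERS):
        print("RED FLAG:", flag)
```

Most mail clients have a "show original" or "view source" option that gives you these raw headers. The SPF verdict is the one recorded by your own mail provider, which is why a failing message usually lands in spam before you ever see it.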
2. Generic Greetings
Authentic emails from companies where you have an account usually address you by name. Phishing emails, however, often use vague greetings like “Dear Customer” or “Hello User.” If it starts with “Hello Dear”, I usually ignore it instantly.
A bank or online shopping site you use regularly should know your name, so emails addressed generically should raise suspicion. This doesn’t mean an email using your name is instantly legit; a generic greeting is just an obvious red flag to look out for.
3. Urgent or Threatening Language
Phishers commonly try to create panic by using phrases that suggest urgency, such as “Act now!” or “Your account will be locked.” This language is intended to push you into making hasty decisions without verifying the email’s authenticity.
Phrases like “Immediate action required!” or “Your account will be suspended within 24 hours” are typical scare tactics used in phishing emails.
A common one I see is a threat to expose you for something you have done, usually related to your browsing history, with threats to share images from your webcam. But let’s be real: if they are not sending any screenshots to prove they have them, then it’s a scam.
Please note, if they are sending pictures of you to prove it and are blackmailing you legitimately, this is not phishing but blackmail. It’s serious, and I’d urge you to talk to someone trusted. Personally I’d go to the Police, but a trusted friend or family member is a good first step.
There are two key benefits to this. Sometimes explaining things to someone else means we have to put things into a logical order. That helps us to understand it better ourselves, which often enables us to work it out. So you don’t even need them to help; just explaining it helps us make sense of it. Plus the time delay reduces the emotion in your decision making.
As a parent, I recently gave my 9 year old daughter a personalised card with the note inside telling her that I’d always love and support her. And that if she was ever scared to tell me something, to bring that card to me as a reminder of a pledge to always help her in times of need regardless of situation. I know I cannot speak for all parents, but some will hopefully be more understanding than you fear.
4. Suspicious Links or Attachments
Phishing emails may contain links leading to malicious websites or have attachments designed to infect your device. These links often redirect to websites with slightly altered URLs or fake login pages to capture your personal details.
Always hover over links to check the URL, or copy and paste the link into a notepad to see where it’s really going. You can also right-click the link and use Inspect in your browser on Windows.
A phishing link might look like “www.paypall-login.com” instead of “www.paypal.com”, as the pages are hosted elsewhere, often as a contact form, so they can collect every bit of data you add.
Always avoid opening attachments from unknown senders.
5. Poor Grammar or Formatting
Legitimate companies usually proofread their emails, so poor grammar, awkward phrasing, or unusual formatting can indicate a phishing attempt.
Be wary of emails that contain odd sentence structures, spelling mistakes, or an unusual layout, as these are signs of a potentially fraudulent email.
This is the sign that is disappearing though: thanks to ChatGPT, not having English as a first language means nothing. You can just tell the AI what you want to say.
Quick Practical Tips for Identifying Phishing Emails or Scam Calls
1. Check the Sender’s Email Domain or Google the Phone Number
Hover over the sender’s name to reveal the full email address. If the domain looks odd or doesn’t match the official website’s domain, it’s likely a phishing attempt.
If it’s a call, say you want to phone the number on the website or on the back of your bank card, and ask how you can be transferred to them or a colleague. Reps should leave notes on the account, so technically anyone can deal with it.
I’ve worked on the phones in the Amex Fraud team. Data Protection means they cannot discuss your account over the phone without confirming your identity. But they will understand if you are being security conscious.
2. Verify Links Before Clicking (or don’t click them)
Hover over any links within the email to preview the URL. Legitimate links should direct you to official websites. Avoid clicking on any links that look suspicious or that you don’t recognise.
Better still, don’t click on them. Go via their website or app which you know is valid and correct.
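Hovering shows you one link at a time; when an email is full of them it helps to pull every link out of the HTML and compare the visible text with the real target, which is the check the sections on suspicious links and verifying links describe. The script below is an added example and not code from the original post. It uses only the Python standard library; the HTML body, the host secure-paypal.com.example and the trusted-domain list are constructed for illustration, and www.paypall-login.com is the lookalike from the text.

```python
"""Where do the links in an email body really go? (added example, not from the original post)"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the domains you would genuinely expect to be linked to.
TRUSTED_DOMAINS = {"paypal.com"}

# Constructed HTML body: visible text says paypal.com but the target is a
# lookalike host, then one genuine link, then a lookalike host with neutral text.
SAMPLE_HTML = """
<p>Your account is limited. <a href="https://www.paypall-login.com/signin">
www.paypal.com</a> to restore access.</p>
<p>Or read our <a href="https://www.paypal.com/help">help pages</a>.</p>
<p>Support: <a href="http://secure-paypal.com.example/verify">Verify now</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def is_trusted(host):
    """The host must be the trusted domain or a real sub-domain of it."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def mentions_brand(text):
    """True if the text names a trusted brand, e.g. 'paypal' anywhere in it."""
    return any(t.split(".")[0] in text.lower() for t in TRUSTED_DOMAINS)


def check_links(html_body):
    """Return {href: verdict} for each link found in the body."""
    parser = LinkCollector()
    parser.feed(html_body)
    verdicts = {}
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if is_trusted(host):
            verdicts[href] = "ok"
        elif mentions_brand(text) or mentions_brand(host):
            # The brand name appears in the link text or host, but the real
            # target is not the brand's domain: the classic lookalike.
            verdicts[href] = f"lookalike: mentions a trusted brand but target host is {host}"
        else:
            verdicts[href] = f"untrusted host {host}"
    return verdicts


if __name__ == "__main__":
    for href, verdict in check_links(SAMPLE_HTML).items():
        print(f"{verdict:60} {href}")
```

The verdict is only as good as the trusted list: a link that is merely "untrusted" is not proven malicious, which is why the advice to go via the website or app you already know still applies.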
3. Don’t Download Attachments and Have a Firewall
Often phishing emails carry dodgy downloads like .exe files, .zip files, or other unusual extensions. Use the email preview tool even when looking at images, Word, or Excel files.
On Windows there are free tools: Windows Security scans for malware daily, and Microsoft Defender offers real-time protection, automatically checks downloads and gives warnings. You don’t need paid options.
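A quick way to see what an email is actually carrying before touching it is to list its attachments by name and file type, catching the double-extension trick (a file called something.pdf.exe is an executable, whatever the icon suggests). The script below is an added example and not code from the original post; the sample message, the sender address and the sets of extensions treated as risky are my own constructed choices for the example.

```python
"""List and classify the attachments in a raw email (added example, not from the original post)."""
import email
from email.message import EmailMessage

# Constructed lists: executable types Windows will run on double-click, archive
# types scammers use to hide them, and Office types that can carry macros.
RISKY = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".msi", ".hta", ".lnk"}
ARCHIVE = {".zip", ".rar", ".7z", ".iso"}
MACRO = {".docm", ".xlsm", ".pptm"}


def build_sample():
    """Construct a courier-style message with three attachments and return it raw."""
    msg = EmailMessage()
    msg["From"] = "courier@delivery-notice.example"  # constructed sender
    msg["To"] = "you@example.org"
    msg["Subject"] = "Your parcel could not be delivered"
    msg.set_content("Please see the attached delivery note.")
    msg.add_attachment(b"MZ not really a pdf", maintype="application",
                       subtype="octet-stream", filename="DeliveryNote.pdf.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_string()


def classify(filename):
    """Classify an attachment by its extension(s); the last one is what runs."""
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    if not exts:
        return "no extension: treat as suspicious"
    last = exts[-1]
    if last in RISKY:
        if len(exts) > 1:
            return f"executable disguised with double extension {''.join(exts)}"
        return f"executable ({last})"
    if last in ARCHIVE:
        return f"archive ({last}): contents unknown until extracted, do not open"
    if last in MACRO:
        return f"macro-enabled Office file ({last}): preview only"
    return f"ordinary document ({last}): still preview rather than open"


def check_attachments(raw):
    """Return {filename: verdict} for every attachment in a raw message."""
    msg = email.message_from_string(raw)
    return {part.get_filename(): classify(part.get_filename())
            for part in msg.walk() if part.get_filename()}


if __name__ == "__main__":
    for name, verdict in check_attachments(build_sample()).items():
        print(f"{name:24} {verdict}")
```

Windows hides known extensions by default, so DeliveryNote.pdf.exe shows up as "DeliveryNote.pdf" in Explorer; the raw message is the one place the full name is always visible.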
4. Look for Security Indicators
Legitimate emails often contain elements that reassure the reader about security. For example, an official email from your bank states they will never ask you to confirm sensitive information online.
5. Trust Your Instincts and Your Email Spam Filters
The old adage is correct: if something sounds too good to be true, it usually is. If something feels “off,” take the time to verify the sender or message through a separate, trusted channel. Most companies provide customer service numbers you can call to confirm the legitimacy of the email.
If it’s in spam, there’s a reason.
If it’s a family member needing help, what is their usual contact method? If it feels weird, with language they wouldn’t normally use, ask questions and keep the conversation going. Don’t give information away, but ask questions only they would know the answer to. For instance, if you said “have you asked your brother” and they replied “what brother? what are you on about, gran?”, then it reinforces what they are saying a bit more.
6. Understand the Intent of the Contact
This, to me, is the biggest education piece. If someone is contacting you, there is a reason. Correctly identifying and understanding that reason is essential.
Some will be genuine. Maybe a sales call or email. And this is where it gets dangerous, as the example I had yesterday was written like a genuine business enquiry and those not switched on would have fallen for it as it was very well done.
All businesses, legit or not, will grow to understand their processes, including what works and what doesn’t, and fraudsters will adapt and improve accordingly. But the intent will always remain. They will want you to hand over your login details, or download something to your computer, and regardless of the backstory or reasoning, these need to be your triggers to stop and think about what you are doing. Any legitimate person will understand if you need to pause until you are ready.
What to Do if You Suspect a Phishing Email
- Don’t Click Any Links or Open Attachments: Avoid engaging with any elements in the email.
- Report the Email: You can forward suspicious emails to the National Cyber Security Centre at report@phishing.gov.uk; according to the NCSC, reports to this address have resulted in 196k URLs being taken down.
- Delete the Email: Once reported, delete the email to reduce the risk of accidental engagement.
- Scan for Malware: If you’ve interacted with a phishing email, downloaded something or saw any pop-ups, run a security scan on your device to detect any malicious software. Again, the free Windows Security is enough; you don’t need to pay for a premium service.
If you clicked on a link and entered your details, go and change them immediately via the correct website, found by googling it.
There is loads of good advice from the National Cyber Security Centre too.
Protecting Yourself and Your Family
Use strong passwords. I appreciate they are not easy to remember, but even the simple practice of swapping out letters for special characters helps (e.g. ! for I, or @ for A).
Where possible, keep banking passwords completely unique from other websites that you use as banking apps are the most secure, and always have 2FA added. Again, this stops fraudsters from getting access even if they have your login email and password.
This means do not use the same email and password as you do on everyday sites such as Fantasy Football, etc. Even ecommerce sites will have better security, but sign-ins just for newsletters and paywalls are easily compromised. Yes, it’s highly likely your email address and previously used passwords are on the dark web.
For banking, always have notifications turned on for any movement of money or transactions, as being alerted quickly can stop things.
Encourage your friends and family to do the same, and talk to people often. I found out my dad had changed one of my brothers’ numbers after having a conversation, all because he got a text saying “Hi Dad, this is my new number.” He just guessed which son it was (as the others usually call) and changed it. Luckily he didn’t respond to start the chain of events leading to a request to send money.
Common Scams and Phishing for 2024
- The “hey mum, I’ve lost my phone, can you transfer me money” text. Ask for a call if you doubt it, asking questions they should know the answer to.
- The postal/courier text/email, saying they tried to deliver or are holding a package as not enough postage was paid.
- Automated calls from “HMRC” advising that the police are after you.
- TV licence emails.
- Service provider emails, like Netflix or Disney+.
- iCloud scams saying it’s full, which then get your iCloud login details.
There are also a lot of emails claiming to be from Amazon Business or other big companies that are not from them directly. I wouldn’t call this phishing though; they are affiliate links which take you to the site but give the sender commission on any sales. It’s more misrepresentation than a con.
Real Case Study for Spear Phishing
I got niche spear-phished yesterday, which prompted this Public Service Announcement. Spear phishing is the deliberate targeting of a specific individual, group or organisation. In this case, they targeted me as a digital marketer. Arguably, given the high-value client approach, this could be whale phishing, which targets senior staff.
On getting the first contact from a James Martin at Bose Global, my initial due diligence was to check the sending email domain (detailed above as @bose-global.com). The obvious reason to be suspicious is that I am a boutique agency and far too small for the global brand. I actually responded advising them of this, but got the second response.
The interesting thing about the email is that it’s entirely believable, using the right language associated with the business proposal, which I assume was drafted with ChatGPT. Professional curiosity led me to check the drop box link, and the contents are all named relevantly to the email content, so it’s got a high level of attention to detail.
I can only assume something extracted would have contained malware, but it could easily have been a longer-term effort to get a money transfer or something. I wasn’t going to find out.
The only way of knowing 100% that it was phishing was the email address it was sent from, and subsequent investigation which I doubt many will do. There were other red flags, but I am wary of mentioning them too closely to keep them coming in the future.
And I am not alone. According to the UK government’s Cyber Security Breaches Survey 2024, businesses said phishing attacks were the most common cyber attack.
The First Contact
Hi,
I am James from Bose, a US-based audio brand. We are planning to expand into the United Kingdom market and are looking for support from advertising partners.
https://www.youtube.com/@Bose
I have reviewed your services and believe that your company can meet our needs. We would love to discuss strategy, budget, and the services you provide.
Please contact us via email at your convenience.
Sincerely,
James
Follow-up Email
It’s a pleasure to connect with you and discuss this exciting partnership opportunity.
I am James, the Head of Marketing for the audio brand BOSE. The audio industry is rapidly growing with streaming platforms like Spotify, Netflix, and YouTube, valued at $12.52 billion in 2023 and expected to reach $15 billion by 2024.
Since our founding, we have built a strong brand with millions of loyal customers worldwide, ranking among the Top 3 brands in the U.S. and the Top 5 globally.
With this growth trend, BOSE aims to expand its presence and increase global sales across more than 56+ countries by 2025. These are promising markets for development, and your country is among them.
After thorough consideration, we believe that your company has the experience and capability to optimize digital marketing that we need for the upcoming growth. We are reaching out to seek your support in this area.
Our current advertising budget ranges from $50,000 to $90,000 per month for the brand awareness phase and can increase to $150,000 to $270,000 during the sales growth phase across all sales platforms. You are welcome to propose budgets and bids that match your company’s capabilities and resources.
Our proposed service fee is between 12-18% of the total monthly marketing budget (+ any applicable taxes).
We are looking for a long-term collaboration to ensure effective, stable allocation for personnel and related costs across departments.
Our goal is to increase brand visibility, attract new customers in emerging markets, and drive sales through Google advertising and social network advertising. Campaigns include display ads, search, performance optimization, and shopping ads to boost retail sales of audio products on our existing platforms:
https://www.facebook.com/Bose
https://www.instagram.com/bose/
https://www.bose.com/
In addition to public data, we have prepared detailed documents gathered by the company on marketing campaign objectives, including: annual sales data, product pricing, CRM information, ROAS, ad conversion rates, cost-per-conversion, etc., so you can better understand the project during your research or planning phase:
Campaign Materials,Service Fees,Bonuses,Job Requirements (drop box zip file link):
Link Password: 8386
I believe this information will provide you with the most accurate and clear introduction to our company.
I look forward to receiving a preliminary proposed communication plan from you and your team within the next Tuesday or Wednesday, about the project and the service fee schedule for the work items your company proposes for this project so that we can move quickly to the next step.
Please CC this email to your specialist so we can discuss some further details via email.
After receiving your research, we will review and respond within 2 to 3 days.
We will also arrange a suitable meeting time to discuss and sign the cooperation contract.
If you need further information, please let me know! We are ready to meet and discuss further.
Best regards,
Conclusion
Phishing emails are a common form of cyberattack and will only get more sophisticated, so recognising them can help protect you and your data. By keeping an eye out for red flags like suspicious sender addresses, urgent language, and unusual links, you can confidently navigate your inbox and avoid falling for phishing scams.
Remember, any time spent verifying an email’s authenticity is far better than dealing with the consequences of a phishing attack.