Don’t Fall for Email Scams This Black Friday

The infrastructure that runs the Internet’s email hasn’t changed a whole lot in the past 30 years. Yes, we’ve layered a few things on top of it like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) but at its heart, the protocol remains the same. That’s the problem. Email was designed in a simpler time. A time when the Internet was a trusted resource and nobody gave a second thought to the fact that it’s easy to say fudge the headers on an email so that it looks like your boss is getting an email from the President of the United States commending you for all your excellent work. I’m not saying that has happened or that I was a part of it…but hypothetically, it is possible.

So, if email can’t be trusted, what can we do? Well first, these days email is a lot more trustworthy. It is much easier to detect emails sent from someone, but say they are from the President, thanks to things like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

Even with these new technologies though, email scams are still rampant. As we charge headlong into the holiday season, let’s stop for a moment and look at a few things you can do to make sure you don’t fall for the latest scam. (Which is not sending emails to unsuspecting bosses…)

Email Scams You Need to Be Aware Of

Let’s take a look at a few of the many ways that bad people try to do bad things to you via email. This first group of scams all fall into the category of Phishing scams. A Phishing scam is basically an email designed to fool you into thinking it is from someone it is not and convince you to click on a link embedded in the email.

The Fake ‘’Account verification’’ Requests

These can seem to come from your bank, Netflix, Twitter, or one of those sites that you don’t admit to having an account on. It doesn’t matter where they are coming from, they all have the same basic message. 

“Your account has been locked for a REASON. To unlock your account before we delete it totally, click on this link.

Here’s a hint, no trusted system out there sends these emails out randomly. If you get one and you are not currently interacting with this organization, then it is almost assuredly a phishing scam.

When in doubt, pull out the paperwork you have for this organization, find a phone number and call them. Ask if there is a problem with your account. When they say no, thank them, wish them a great day, hang up, mark the email as spam, and move on with your life.

The unexpected ‘’Billing error’’ notifications

Did you know that it is possible for bad people to figure things out about you without you telling them? It is relatively simple to find out where a website is hosted. When bad people find out information like this, they like to use it for their gain and your loss. Such is the “Billing Error” notice.  

For instance, if you are a SiteGround customer and you get an email from SiteGround notifying you that there has been a billing error and you now owe $XXXXX more, stop. Don’t click any links in the email. Instead, go to the SiteGround support page and start a chat session with one of their great support people. They can tell you if there’s an issue with your account or not. 

Here’s an example of a phishing email that requests from a SiteGround customer to update their billing details in order to be able to renew their domain:

Notice that this fake email does not contain the name of the recipient, and SiteGround original emails should include the name you’ve used for registering your account. 

Next, notice that this email has grammar and spelling mistakes. These are red flags for a scam email along with the poor formatting. 

Finally, the signature is not the one used by the SiteGround team. 

When you confirm that there is not actually a billing error, thank the nice support person, wish them a wonderful day, disconnect, mark the email as spam, and move on with your life.

The ‘’Order confirmation’’ requests

An oldie but a goodie – and one that pops up a lot these days because ecommerce has exploded – is the “Order Confirmation” email. These are most effective when they are from companies that you’ve never dealt with. They usually involve large sums of money as well. The idea here is to alarm you so much that you will obviously click the link to “Unconfirm” the order. 

If the email looks like it is from a company you don’t do business with, ignore it. Mark it as spam, and move on with your life.

If it looks like it is from a company you do or have done business with, contact them directly outside of the email. Talk with the sales or accounting department and see if someone has placed an order on your behalf… When you find that the answer is no…well, you know the drill by now.

The ‘’Click and collect’’ scam

Thanks to the recent pandemic, “Click and Collect” has become a common way to shop. You buy something online from a nearby retailer. You drive to their store and let them know you are there, they bring the item out to your car. Sometimes, they even put it in your trunk so you don’t have to even meet them face to face.

Nowhere in the Click and Collect workflow is there an email that says “Click here if you didn’t order this.” Treat these the same as Order Confirmation requests. If you don’t deal with the company, it’s a scam. If you deal with the company but haven’t placed an order, it’s a scam. If you are in doubt, contact the company directly, not by replying to the questionable email.

Sometimes, scammers are really REALLY good. They send you an email that looks exactly right.

Real Life Phishing Emails (Well, Screenshots)

What do good phishing emails look like? Here are a few examples of actual phishing scam emails sent to SiteGround customers.

Apart from all the red flags already covered above, the ‘from’ email address of these emails is not a valid SiteGround email. What is more, a proper SiteGround email would never mention the payment method used by you to pay for the service in question.

If you’re a SiteGround customer who comes to report such emails, SiteGround would ask you to send the whole email as an attachment, as they use it to train their own systems to block such emails (in case your email is hosted with SiteGround), so that they do not reach your inbox. In case your email is not hosted with SiteGround, you can mark it as spam in your email provider.

To learn more about how to stay safe from phishing email attacks, check out the blog post on this topic.

How Do You Stay Safe from Email Scams During the Holidays?

So how would you tell if this was a scam email? Well the easy answer is to “practice safe email”. Here are a few of the things I do before I click a link on an email, any email.

1. Check the ‘from’ address.
   We’ve already done this but so very many phishing emails come from implausible email addresses. Most scammers don’t bother to try and hide it because so few people pay attention. A recent phishing attempt sent to me purported to come from NetFlix. However, the email address was XXX@yahoo.jp. Yes, Yahoo has a Japan domain but they don’t send email for NetFlix from it! Not even to Japanese customers.

   A good rule of thumb is if you were not expecting an email from someone, even a family member or friend, treat it as suspicious until you know it was actually from them. If you don’t recognize the person it came from, then automatically assume it is malicious until you can prove otherwise. 

2. Check all links before clicking.
   Most email clients these days will let you hover over a link that says “Click Here” (or wherever) and see what the actual URL is. Read it VERY CAREFULLY. Pay attention to the domain name. https://goog.le is not the same as https://google.com. Read it carefully. If it looks suspicious, do not click it.

   Some email programs will show you the link in a popup when you click it and ask for verification before it actually opens a browser to that link. If your email program will do this, by all means turn this feature on. Yes, it adds an extra step before you can see that precious baby picture your friend sent you, but it allows you to make sure that you are actually going to see a baby picture and not install malware on your computer.

3. Do not automatically download attachments
   Your email program should be set to not automatically download attachments. This means that if you download something from an email, you will have to do it on purpose. If the email doesn’t seem right or fails any of the checks we’ve discussed here, don’t download anything. Even things like Microsoft Word documents which seem innocuous (click here to see the invoice for the service you didn’t order) can do malicious things if you open them. If you weren’t expecting someone to send you an email attachment, don’t open it!
4. Read The Headers
   Ok, this is for the hardcore email nerds out there but those of us who have been doing this a while can discover a lot by reading the headers that come with every email. These days email programs hide the headers from you but they are there if you want to read them. 
5. Listen to your gut
   My wife, The lovely and talented Kathy, got an email from our worship pastor one day with the subject line “I love you”. She was good friends with this man and while the subject line confused her, it also piqued her interest. She opened it only to find that there was a malicious script attached to the email. It deleted about ½ of the images we had stored on our home server before I could stop it. Thankfully, I had a backup so there was no loss, other than the hours it took to clean up the mess. Had she simply called him, opened a new email and written him at the address she had in her contacts list, or contacted him in any of a half-dozen other ways, she could have found out that it was not from him but was a scam. Instead of trusting her gut, she opened the email.

Other Black Friday Scams To Be Aware Of

Email is by far the easiest way for bad actors to get unsuspecting people to do bad things. However, there are a couple of other ways.

Links to malicious ‘’Copycat websites’’

If you get an email with a link to goog.le, it’s easy enough to spot. However, if you are doing your shopping at https://reallyLongDomainName.com and you misspell it or “fat finger” it (typo), then you might end up at a site that looks exactly like the one you were aiming for.

Bad actors look for common misspellings for profitable domains. They buy them up and put copycat sites up. These are sites that look just like the one you were looking for. They probably even have products and a shopping cart. However, make no mistake, they are scams. When you put in your personal information and credit card number, you are not going to get those purple widgets you ordered that your sister will just love. You won’t get anything but a nasty surprise when your credit card statement arrives.

This is really easy to thwart, if you pay attention.

First, after you arrive at a site, look at the address bar. Is there a little lock next to the domain name?

The little lock means that the domain you are using has a secure certificate and that it is valid. If you don’t have a little lock, or if there is a line through it, that means that either the certificate does not exist, or that it is invalid for that domain. Both of those are really big red flags that you don’t want to do any business on this site or put in any of your personal information.

A SSL certificate isn’t always enough to prove that you are on the right website. Scammers can register sitegroound.com, for example, and install a certificate on it. The certificate just provides encryption in most cases. It’s always a good idea to also double check the URL address, especially when you make payments, create accounts, fill out forms, etc.

Sites impersonating landing or login pages

The final type of website scam we’ll talk about are fake login pages. These might be part of a very good looking fake, or you might arrive at a site only to find that before you can get to the good stuff, you have to enter your login credentials. If this is an ecommerce vendor you normally do business with, or an institution you bank with, stop. Don’t do anything else. Sites like that don’t just put up a login page without letting everyone know well in advance. These are nothing more than “password collectors”. 

If you do enter your credentials into the site, they won’t work…because they are fake. But humans are stubborn. You will assume that you mis-typed something…especially if you are using a long and very secure password. So you’ll try again.

If you are like most of us, when it doesn’t work the second time, you will assume that you’ve used the wrong password and you’ll try another password, and another, and maybe even a 4th one before starting to think that something may be wrong.

Every set of credentials you entered have gone into a database and bad people will start using them to try and sign in to any site they think you may have an account on. Since you were giving them real login credentials, you’ve given away the keys to the kingdom.

Be watchful, be alert, be suspicious bordering on paranoid. Make sure before you put any information into a website, you are absolutely sure you are at the right website. Looks can be deceiving.

How to Practice Safe Internetting This Holiday Season

1. Always be suspicious of unknown or unexpected emails.
   If you don’t know the person, or even if you do know them but aren’t expecting to hear from them, be suspicious. Yes, your long lost aunt may be contacting you via email with a hotmail.com email address to tell you that she’s leaving you her entire fortune when she dies and she needs you to sign the will, but chances are really good that it might NOT be her. Verify before you take any action.
2. Don’t click a link in an email until you are absolutely sure you know where it is going and what is going to happen.
3. Don’t provide your personal information to any site unless you are positive and you know that it is the site you think it is. If you don’t think you are on the right site, close the browser immediately.
4. Whenever possible, use a Virtual Private Network (VPN) from a reputable provider.
   I won’t name my Internet provider but I will say that I do not trust them. They have been known to make it easy for bad people to watch the traffic going across their network and pull out information as they see it. These days almost all websites use encryption to make sure that’s not easily done, but it is still possible for people with enough time, money, and determination. So whenever possible, I use a VPN to encrypt my traffic even further.

   VPN software isn’t expensive these days, as a matter of fact, if you are a “computer person” you can download, configure, and run your own. I don’t recommend that as it’s easy to get it wrong, but I’ll admit to having done that in the past. These days, I use a commercial VPN that comes with my virus protection. Now, my neighbor can’t see any of my traffic because I’ve got an encrypted tunnel between my network and a server in Miami, FL, USA. (I can choose from about 50)

5. Don’t use the same password on any 2 websites
   Look, I know how hard this is. It’s difficult to come up with one secure password that you can remember, let alone the 20-30 you need to make sure every site is different. I suggest using a password manager from a reputable software company. There are a few of them out there. The one I use works on Windows, Mac, iOS, iPadOS, and Android. So, no matter where I am at, my passwords are with me. All my passwords on all major sites are long, random, and unique. If you know one of them, you can’t get into anything but that one service I use it for.

Wrap-up

Stay safe out there this holiday season. Have fun, enjoy the company of family, and if you get an email from me saying that Bill Gates is giving 1 Bitcoin to each person that forwards this email…well, you get the idea.