Scam emails are one of the Internet’s biggest problems. The web provides a venue for dispersing information across the globe to billions of people and also a venue for widespread malicious activities. It’s necessary to know what types of scam emails are out there and how to identify and report them to the appropriate authorities.
What Is a Scam Email?
Scam emails are emails intended to trick the recipient into disclosing sensitive information such as bank account numbers or unique identification numbers. The scammers then use the sensitive information for malicious operations such as monetary and identity theft.
There are many types of scam emails, and they include:
1. Phishing
This is a type of scam email in which a hacker poses as a legitimate website to steal information from a recipient. For example, the hacker may pose as your bank by sending an email that looks very similar to the genuine ones from the bank. The aim is to trick the recipient into visiting a website whose false domain name closely resembles that of the platform being impersonated (e.g., BankOfAmerica.com and Bank0fAmerica.com; note the capital “O” replaced with a zero) and into providing sensitive details.
Phishing attacks are usually sophisticated and difficult to spot if you’re caught off guard. That’s why banks and other online platforms advise that you should never provide your password or PIN to anyone.
A phishing email.
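The look-alike domain trick described above can be checked mechanically. The sketch below is an added example, not part of the original article: it folds common character substitutions and flags link hosts that collide with, or sit one edit away from, a trusted domain. The allow-list, the substitution table and the sample message body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED = {"bankofamerica.com", "google.com", "microsoft.com"}  # assumed allow-list
FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]  # illustrative subset

def skeleton(domain):
    """Fold look-alike characters so 'bank0f...' and 'bankof...' collide."""
    d = domain.lower()
    for fake, real in FOLDS:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Last two labels of the host (assumption: no multi-part suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    dom = registered_domain(host)
    if dom in TRUSTED:
        return ("trusted", dom)
    for good in sorted(TRUSTED):
        if skeleton(dom) == skeleton(good) or edit_distance(dom, good) == 1:
            return ("lookalike", good)
    return ("unknown", None)

def check_links(body):
    """Classify the host of every http(s) URL found in an email body."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return {u: classify(urlsplit(u).hostname or "") for u in urls}

# Constructed sample body, not a real message.
SAMPLE = ("Your account is locked. Verify at http://www.Bank0fAmerica.com/login "
          "or read https://www.bankofamerica.com/security and http://accounts.gooogle.com/")

if __name__ == "__main__":
    for url, verdict in check_links(SAMPLE).items():
        print(verdict, url)
```

A "lookalike" verdict is a reason to report the message, not proof of fraud; a one-character difference can also occur between unrelated legitimate domains.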
2. Spam
Spam refers to unsolicited emails that the recipient hasn't provided consent to receive. A lot of spam emails come from fraudulent actors intending to sell substandard products or products that never reach the customer after payment. Some spam emails also include malicious links that secretly install malware on the recipient's computer when clicked.
3. Business Email Compromise (BEC)
This type of scam email is targeted at enterprises. The sender pretends to be the CEO or another high-ranking officer of your organization with the intention of authorizing a money transfer to the scammer's account. A sophisticated scammer might stalk the social accounts of your organization's executives to learn how to impersonate them.
Where to Report Scam Emails
If you receive an email you suspect to be a scam, the first thing to do is avoid engaging with that email entirely. If you open it unknowingly, don't fret, but take some additional precautions:
- Avoid clicking any links in a suspicious email – they could lead to malware that’ll damage or steal information from your computer.
- Don't open any attached documents, as they are also vectors for spreading malware.
- Don’t give up any information that the sender requests from you.
Afterward, you can make a difference by reporting scam emails to the appropriate entities so that others are aware and can avoid becoming victims. You may report within your organization, to your email service provider, to a law enforcement body, or to the organization being impersonated.
Report within Your Organization
It's mainly the responsibility of your organization's IT and security team to prevent employees from receiving scam emails. However, you're not absolved of all responsibilities. You can help by reporting scam emails to the IT or security team so that they'll have a look and decide the next steps.
If your organization provides cyber awareness training, they'll likely advise you to report any suspicious emails and tell you the appropriate channels to do so within the company. You can also inquire about what information regarding the scam emails to report and the actions to take if you mistakenly engaged with a suspicious email.
A typical scam email report to your organization should include:
- A screenshot or an attached copy of the email.
- Details about the sender and the context of the email.
- Other relevant information such as time and date.
Below is an example of how to report a suspicious email to your organization. It’s a simple email making the IT staff in your organization aware of a spam email you received so that they can have a look and take action if needed. The IT staff may decide to trace the IP address of the spam email and block it from sending messages to anyone within your organization.
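The report details listed above (sender, date and time, and the IP address IT may want to trace) can be pulled from the raw message source. The following is an added example, not part of the original article; the sample message is constructed and uses documentation-only domains and IP ranges.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (documentation domains and IP ranges), not a real email.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.com with ESMTP; Tue, 05 Mar 2024 09:14:07 +0000
Received: from localhost (unknown [203.0.113.45])
\tby mx.example.net with SMTP; Tue, 05 Mar 2024 09:14:02 +0000
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: support@example.org
Subject: Password expires today
Date: Tue, 05 Mar 2024 09:14:01 +0000
Message-ID: <constructed-1@example.net>

Click the link to keep your password.
"""

def report_fields(raw):
    """Collect the details a scam-email report needs from a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    # Each relay prepends its own Received header, so the last one is the earliest hop.
    # Headers written before your own mail server handled the message can be forged.
    ips = [ip for h in msg.get_all("Received", [])
           for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(h))]
    return {
        "from": sender,
        "reply_to": reply_to,
        # A Reply-To on a different domain than From is a common warning sign.
        "reply_to_differs": bool(reply_to) and reply_to.split("@")[-1] != sender.split("@")[-1],
        "subject": str(msg["Subject"]),
        "date_utc": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "message_id": str(msg["Message-ID"]),
        "relay_ips": ips,  # newest hop first
        "earliest_ip": ips[-1] if ips else None,
    }

if __name__ == "__main__":
    for key, value in report_fields(RAW).items():
        print(f"{key}: {value}")
```

Attach the original message file to the report as well, since forwarding a message usually discards the Received headers this summary relies on.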
Report to Your Email Service Provider
Another effective measure is reporting scam emails to your email provider. Your email provider can open an investigation because of your report and block the address sending the messages – this way, other users won’t fall victim to the scam.
Most email clients provide a straightforward option to report suspicious emails. For instance, in Gmail, open the email and select the three-dot menu in the top-right corner next to the reply button. Then, click “Report spam” or “Report phishing” and Gmail’s staff will take it up from there.
Many other email clients have similar methods of reporting suspicious emails, so you shouldn’t have a problem figuring it out. It’s advisable to report scam emails because your mailbox provider has ample technological and human resources to trace their origin and implement changes where needed.
For example, if the suspicious email is from another account on the same email service, the provider can ban it. If it’s on another email provider’s domain, your provider can coordinate with that provider’s personnel to ban the account. If it’s an elaborate scheme that requires law enforcement attention, they can also take the case up.
Report to Law Enforcement & Other Authorities
You can decide to report scam emails directly to law enforcement entities so that they can take legal action. The appropriate law enforcement channel to report to depends on your jurisdiction, but the first one to consider is your local police department.
Your local police department will likely appreciate your report and take the required action where they can. However, they often have limited resources to pursue scam cases, especially those perpetrated by people outside their jurisdictions. That’s why you may also consider reporting scam emails to these global agencies, especially if you live in North America, Europe, or Australia:
- The U.S. Federal Trade Commission (FTC) has a dedicated website to report scams and fraudulent emails.
- All U.S. states have a domestic Consumer Protection Office where you can report scam emails.
- The U.S. Justice Department’s National Center for Disaster Fraud (NCDF) complaint form.
- The Canadian Anti-Fraud Centre’s reporting system.
- The European Anti-Fraud Office.
- The Australian Competition & Consumer Commission (ACCC)’s Scamwatch website.
- eConsumer.gov, a partnership between consumer protection agencies around the globe.
- The UK's National Cyber Security Centre (NCSC).
Report to Impersonated Businesses and Organizations
You can prevent considerable harm by reporting scam emails to an organization being impersonated that you’re familiar with. For example, if you receive a scam email impersonating your bank, you can quickly alert the bank so that they’ll know what’s happening. This way, the bank can send out an active warning to other customers to avoid falling victim to the impersonation. Companies often appreciate this and may even give you a freebie as a token of appreciation.
Research shows that the three most impersonated brands in phishing attacks are Microsoft, DHL and Google. Other top impersonated brands include Apple, Amazon, WhatsApp, Netflix and Facebook. These brands have billions of users worldwide, so you’re likely familiar with them. They deal with phishing attacks from thousands of malicious actors concurrently, which makes the attacks difficult to counter.
You can help by reporting any impersonation you notice directly to them. Most of these brands have dedicated pages on their websites where you can report phishing attacks or specific email addresses for receiving such reports. However, make sure that you are reporting to the brand being affected.
Example of a page for reporting phishing attempts (by Google).
Conclusion
Email scams are a major menace on the internet. According to the U.S. Federal Bureau of Investigation (FBI), business email compromise alone caused $43 billion in losses from 2016 to 2021. It’s necessary to know what types of scam emails you’ll likely encounter and the appropriate channels to report them to prevent other people from falling victim to the scam. As for an organization, it’s vital to know the effective email phishing security methods to adopt.
Email scams don’t just affect people but also innocent brands. An email service provider can blacklist a shared IP address abused by a hacker, and other brands using the same IP address will also be affected. That’s why it’s advisable for enterprises to use a dedicated IP address for their mass mailing purposes if possible. Many ESPs, e.g., UniOne, offer dedicated IP addresses that are easy to set up.