How to Avoid Scam Text and Emails





Scam email messages and text (SMS) messages are two of the most popular ways that cyber crooks deliver scams to your doorstep. This is why it is so important to know how to spot these scams before it’s too late.

Here are some of our top tips for avoiding scam texts and emails.

Don’t click on links or open attachments.

Let’s start with the most important advice. If you don’t click on any links, open any attachments (or, for that matter, reply) when you get an unexpected text or email, then there aren’t many ways left for such messages to scam you.

In fact, if you simply avoid clicking on links or attachments on any email or on any text message, you can protect yourself from many of the most prolific scams on the Internet today.

If you’re not sure if an email or text is the real deal, you can always contact the relevant entity directly. So if a message appears to have come from the IRS or HMRC, you can go to the IRS or HMRC website directly and contact them, instead of clicking a link.

Take the example below, which is a scam text in circulation claiming to come from the courier company DHL.

If you receive such a text and don’t know if it is genuine and don’t want to click the link, you can contact DHL using the information on their website to see if the text is real or trying to scam you. In the case of the message above, it’s fake and tries to trick recipients into installing spyware that is disguised as a tracking app.

Watch out for the usual social engineering tricks

Social engineering refers to what the messages actually claim: the story that scammers use to get your attention and to lure you into compromising your security. Scammers use countless iterations of the same social engineering tricks because they’re very successful.

Successful social engineering tricks are often crafted to alarm the recipient and to lure them into acting urgently. Social engineering tricks may claim (or imply) that a recipient’s action is time sensitive.

Popular social engineering tricks scammers use include –

  • The claim that your account has been disabled because of security issues or violations.
  • The claim there has been a problem with your payment or billing information that needs fixing.
  • The claim you need to confirm your personal information.
  • The claim you have a pending delivery but there is a problem you need to resolve.
  • The claim that you’ve made a purchase or payment that you don’t recognise.
  • The claim you’ve won or inherited a large amount of money or expensive prize, or are due a refund, tax rebate or tax relief.
  • The claim you need to open an attached invoice or billing document.

The text and email examples below illustrate some of these social engineering tricks, one focusing on Amazon and the other on PayPal.

Always check the web address after you click a link

If you did click a link and have landed on a website asking you to enter information (even if it’s your username and password) then stop, and check the web address first. Is it the official web address of the entity in question?

For example, if you click on a link in a message that appears to have come from PayPal, has it taken you to PayPal.com? Or is it something entirely different? Or does the URL contain the word PayPal without being PayPal.com, like www.paypal-verifiy-details.com? (In that case it’s still a scam!)

This example shows a typical spoofing (phishing) website that appears to look like the Netflix login screen. But look at the address – it doesn’t belong to Netflix, whose web address is Netflix.com. If you enter your login information on this page, it will go to cyber crooks.

Also look out for URL obfuscation tricks. This is when a scammer attempts to make a web address look real when it’s not. This can include using the entity’s name (e.g. Netflix) in the URL, or using subdomains. To make this clearer, look at the examples below, all of which would be fake.

www.Netflix-verify-details.com – this is a web domain that contains the word Netflix, but it isn’t Netflix.com
www.Netflix-com.com – again this domain contains the word Netflix, but it isn’t Netflix.com
www.Netflix.verifymydetails.com – this domain uses a subdomain (on the left side, called Netflix) but it still isn’t Netflix.com
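
The same check can be written as code. This is an added example, not part of the original article: the function name classify_link, its labels and the sample list are made up for illustration, and it assumes the registered domain is the last two parts of the address, which holds for the .com examples above.

```python
from urllib.parse import urlsplit


def classify_link(url, official_domain):
    """Compare the host a link really points at with the official domain.

    Returns 'official', 'brand-in-subdomain', 'brand-in-domain' or 'unrelated'.
    """
    official = official_domain.lower().rstrip(".")
    brand = official.split(".")[0]           # 'netflix' from 'netflix.com'

    # urlsplit() only recognises the host when a scheme or '//' is present.
    if "//" not in url:
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")

    # Genuine: the official domain itself, or a name ending in '.<official>'.
    if host == official or host.endswith("." + official):
        return "official"

    labels = host.split(".")
    # Simplification (assumption): the registered domain is the last two
    # labels. Suffixes such as .co.uk need the Public Suffix List instead.
    registered, subdomains = labels[-2:], labels[:-2]

    if any(brand in label for label in subdomains):
        return "brand-in-subdomain"          # Netflix.verifymydetails.com
    if brand in registered[0]:
        return "brand-in-domain"             # Netflix-verify-details.com
    return "unrelated"


# The fake addresses from the article, plus one genuine one for comparison.
SAMPLES = [
    ("https://www.netflix.com/login", "netflix.com"),
    ("www.Netflix-verify-details.com", "netflix.com"),
    ("www.Netflix-com.com", "netflix.com"),
    ("www.Netflix.verifymydetails.com", "netflix.com"),
    ("www.paypal-verifiy-details.com", "paypal.com"),
]

if __name__ == "__main__":
    for url, official in SAMPLES:
        print(f"{url:40} -> {classify_link(url, official)}")
```

Only the first sample comes back as official; every other address is flagged even though it contains the company’s name.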

Watch out for bad spelling, grammar and generic greetings

This might be harder for text messages, which are generally short and sweet. But for phishing scam emails, you can look out for bad spelling and grammar which you would not normally associate with official communications from reputable entities.

Also watch out for generic greetings like “dear customer” or “dear user” when a company you have an account with would normally greet you with your actual name. The above email contains both of these red flags (in a single word!)

Use good security software

Full security software solutions don’t just look for malware infections. They can also look for patterns that can detect phishing attacks. Good security software can detect phishing scams as they happen and alert you before it’s too late.

Also keep your software up-to-date and avoid using unsupported software, including (and especially) your operating system.

If it appears too good to be true, it probably is

A scammer can send an email or text that claims anything, including that you’ve won a big prize or competition. But think first. Did you enter that competition or lottery? Would a company really be offering a product for such a low price tag?

Does it appear too good to be true? Because if it does, it’s probably going to be a scam and you should proceed with caution.