What Are Email Scams?
Email scams (or email frauds), such as phishing and BEC, are deceptive cyber attacks carried out through — you guessed it — email, in order to dupe unsuspecting victims into giving up sensitive information or money.
They can take on various forms, from seemingly innocuous requests for personal details to sophisticated forms of trickery that can lead to identity theft or financial loss.
Email scams often deploy psychological manipulation, appealing to a person’s emotions, fears, or desires. For instance, they may create a sense of urgency, claiming that your account is compromised and needs immediate attention, or they might promise an amazing deal or prize in exchange for your personal information. The aim is always to trick the recipient into taking an action that benefits the scammer at the expense of the victim.
The increasing sophistication of these scams makes them harder to detect. Scammers have improved their strategies, and recently have started using generative AI tools to their advantage. This makes it difficult for even experienced users to distinguish between legitimate emails and scams. However, understanding the different types of email scams and their common characteristics can provide a first line of defense against these threats.
This article is part of a series of articles about email security.
5 Common Types of Email Scams and Real-Life Examples
The first three types listed are traditional social engineering attacks, while the last two are newer techniques that are expected to become major threats in 2024 and beyond.
1. Phishing Attacks
Phishing attacks are among the most common email scams. These attacks trick recipients into revealing sensitive information, such as passwords, credit card numbers, or social security numbers.
A typical phishing scam might involve an email that appears to come from a reputable organization, like a bank or a social media platform. The email usually contains a link to a fake website that mimics the look of the genuine site. Once on the fake site, victims are prompted to enter login details or other sensitive information, which the criminals then use for their nefarious purposes.
Real life example:
In 2023, a sophisticated phishing campaign targeted WordPress administrators. Scammers sent fake security advisories for a non-existent vulnerability (CVE-2023-45124) to trick site administrators into installing a malicious plugin. This plugin was in fact malware that could allow attackers to compromise the website.
2. Business Email Compromise (BEC)
Business Email Compromise (BEC) is another prevalent type of email scam. In a BEC scam, fraudsters impersonate a high-ranking executive or business partner in an attempt to trick an employee into transferring funds or revealing sensitive information.
These scams often involve a high degree of social engineering, where scammers study their targets and use the information gathered to make their emails seem more credible. They might, for instance, use the executive’s writing style or refer to recent company events to make the email appear genuine.
Real life examples:
In 2016, an Austrian aerospace company was duped out of €50 million ($55.8 million) by scammers pretending to be the company’s CEO. The scammers convinced an employee to transfer the funds for a bogus acquisition project, resulting in a significant financial loss for the company.
Another notable attack occurred between 2013 and 2015 when Google and Facebook were targeted. A Lithuanian cybercriminal posed as a reputable hardware vendor and sent fraudulent invoices to these companies, successfully swindling over $100 million.
3. Email Spoofing
Email spoofing involves the creation of email messages with a forged sender address. The purpose is to make the recipient believe the email came from someone or somewhere other than the actual source.
Spoofing can be used in conjunction with other types of scams, like phishing or BEC scams, to make the fraudulent email seem more credible. For example, a scammer may spoof an email to appear as if it’s from a trusted institution, like a bank, to trick the recipient into providing their login credentials.
Real life example:
A recent high-profile example was the takeover of the Bloomberg Crypto X (Twitter) account. Attackers used a phishing attack to compromise the account, then leveraged it to spread misinformation about cryptocurrencies and steal Discord credentials.
4. Quishing
Quishing is a newer form of phishing that exploits QR codes. In these scams, attackers embed malicious links in QR codes, which, when scanned, lead victims to fraudulent websites. These websites often mimic legitimate services, prompting users to enter sensitive information like login credentials or financial data.
The convenience and growing popularity of QR codes, especially for contactless transactions, have made quishing an attractive method for cybercriminals. Users should be cautious when scanning QR codes, especially those received from unknown or unsolicited sources, as they could be gateways to deceptive sites designed to steal personal information.
Real life example:
In 2023, a U.S. energy company was targeted by over 1,000 malicious emails, around 29% of which contained QR codes. The campaign used Bing redirect URLs and sometimes abused other services, such as Salesforce applications and Cloudflare’s Web3 services, as intermediate hops. The QR codes were embedded in a PNG image or PDF attachment, so the malicious URL never appeared as text in the email body and slipped past filters that only inspect links.
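The Bing redirect URLs mentioned above illustrate a general point: the URL a QR code decodes to is often only the first hop, and the real destination is hidden in a query parameter. The following is an added example, not code from the original article or from any vendor it mentions, that statically peels common redirect wrappers off a decoded QR URL so the final host can be checked before anyone visits it. It runs offline on a constructed sample; the list of redirect parameter names and the assumption that Bing click-tracking links carry their target as "a1" followed by base64url are mine, not something the article states.

```python
"""Peel redirect wrappers off a URL decoded from a QR code, without touching the network.

Added example, not code from the original article. The sample QR payload is
constructed here; the redirect parameter names and the Bing /ck/a encoding
("a1" followed by base64url of the target) are assumptions based on commonly
observed link formats.
"""
from base64 import urlsafe_b64decode, urlsafe_b64encode
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Query parameters that open redirectors commonly use to carry the destination.
REDIRECT_PARAMS = ("u", "url", "redirect", "redirect_url", "target", "dest", "r")
WEB = ("http://", "https://")


def decode_bing_target(value):
    """Assumption: Bing click-tracking links encode the target as 'a1' + base64url."""
    if not value.startswith("a1"):
        return None
    payload = value[2:]
    payload += "=" * (-len(payload) % 4)          # restore stripped padding
    try:
        decoded = urlsafe_b64decode(payload).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith(WEB) else None


def next_hop(url):
    """Return the URL a redirector would forward to, or None if this is a final URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    for key in REDIRECT_PARAMS:
        for value in params.get(key, []):
            candidate = unquote(value)
            if candidate.startswith(WEB):
                return candidate
            if parts.netloc.lower() in ("bing.com", "www.bing.com") and parts.path.startswith("/ck/"):
                decoded = decode_bing_target(candidate)
                if decoded:
                    return decoded
    return None


def unwrap_redirects(url, max_hops=5):
    """Follow static redirect wrappers and return the full chain, first to last."""
    chain = [url]
    while len(chain) <= max_hops:
        hop = next_hop(chain[-1])
        if hop is None or hop in chain:        # final URL, or a loop
            break
        chain.append(hop)
    return chain


def final_host(url):
    """Host of the last hop: the thing to compare against allow/block lists."""
    return urlsplit(unwrap_redirects(url)[-1]).netloc.lower()


# Constructed sample: a credential-harvesting page wrapped in a Bing redirect,
# itself wrapped in a generic open redirector, as a QR code might carry it.
TARGET = "https://login-verify-example.net/reset?acct=1234"
_bing = ("https://www.bing.com/ck/a?!&&p=deadbeef&u=a1"
         + urlsafe_b64encode(TARGET.encode()).decode().rstrip("=") + "&ntb=1")
SAMPLE_QR_URL = "https://redirector.example/go?url=" + quote(_bing, safe="")

if __name__ == "__main__":
    for i, hop in enumerate(unwrap_redirects(SAMPLE_QR_URL)):
        print(f"hop {i}: {hop}")
    print("final host:", final_host(SAMPLE_QR_URL))
```

In production the input string would come from a QR decoder run over the attached PNG or PDF; a chain that ends on a host unrelated to the purported sender is a strong signal, and any hop through a redirector the organization does not use is worth a closer look.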
5. Use of Generative AI in Email Attacks
The rise of deepfakes and large language models (LLMs) has introduced a new dimension to email scams. Deepfakes, which are hyper-realistic fake videos or audio recordings, are now being used in phishing attacks to impersonate trusted individuals or officials. This technology can create convincing messages that seem to come from legitimate sources, thereby increasing the likelihood of victims trusting and acting on fraudulent requests.
Large language models (LLMs), like GPT-4, are also being leveraged by cybercriminals. These models generate fluent, contextually relevant text, making phishing emails and BEC attacks more convincing and harder to detect. Scammers use them to craft personalized emails that mimic the tone and style of legitimate correspondence, and to do so at scale, with none of the spelling and grammar slips that used to give mass phishing away.
Real life attack trends:
According to Zscaler’s 2023 ThreatLabz Phishing Report, phishing attacks grew 47.2% in 2022 compared to the previous year. The education sector was the most targeted industry, with attacks up 576%. The report attributes much of the rise to AI tools like ChatGPT, which lower the effort needed to launch targeted campaigns.
Tal Zamir, CTO, Perception Point
Tal Zamir is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works.
TIPS FROM THE EXPERTS
- Deploy machine learning-driven anomaly detection on email traffic. Use machine learning algorithms that can learn the normal email communication patterns within your organization and flag deviations that could indicate a compromised account or external attacker impersonating an internal contact.
- Establish a dedicated internal verification process for financial transactions. Create a robust, multi-step internal process for verifying any financial transaction requests received via email. This should include voice verification with the requesting party, especially for transactions over a certain threshold.
- Enhance MFA with contextual and risk-based authentication. Implement adaptive MFA that adjusts the level of authentication required based on the context of the login attempt (e.g., geolocation, device type, user behavior). This reduces the chances of an attacker successfully breaching accounts using stolen credentials.
- Utilize a sandbox environment for email attachments and links. Automatically route all email attachments and links through a sandbox environment that analyzes them for malicious behavior before delivering them to the recipient. This can prevent zero-day threats from reaching end-users.
- Conduct simulations focused on email attacks. Regularly run exercises that simulate advanced phishing or BEC attacks on your organization. This not only tests your defenses but also educates your team on recognizing and responding to real-world threats.
Recognizing Email Scams: The Red Flags
Here are the main things to watch out for to avoid falling for an email scam.
Suspicious Sender Addresses
Often, the first red flag of an email scam is a suspicious sender address. Scammers may use email addresses that look similar to those of legitimate companies, but with slight variations or misspellings.
For example, a scammer may register a domain that differs from the legitimate one by a single swapped, added or missing character, or that replaces a letter with a look-alike digit. These minor alterations are a telltale sign of an email scam. Always inspect the actual address, not just the display name: the display name is set freely by the sender and can show a perfectly legitimate-looking name or address in front of an unrelated mailbox.
Furthermore, be wary of email addresses that use a combination of random letters and numbers, as legitimate businesses usually don’t use such addresses.
Also, check if the email is addressed to you personally. Scammers often use generic salutations like “Dear Customer” because they send out mass emails.
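To put the checks above into practice at the mail gateway or in a triage script, here is an added example (not code from the original article) that flags look-alike sender domains, trusted names buried inside a longer domain, display-name spoofing and random-looking mailbox names. The trusted-domain list, the homoglyph table and the sample headers are constructed for illustration, and the "last two labels" rule for the registrable domain is a simplification.

```python
"""Flag lookalike and spoofed sender addresses in a From: header.

Added example, not code from the original article. The trusted-domain
list, the homoglyph table and the sample headers are constructed for
illustration; the two-label "registrable domain" rule is a simplification
(production code should consult the Public Suffix List).
"""
import re
from email.utils import parseaddr

# Constructed: domains whose mail this organisation expects to receive.
TRUSTED_DOMAINS = ("example.com", "examplebank.com")

# Character swaps scammers use to imitate letters; multi-character ones first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(domain):
    """Undo common look-alike substitutions so examp1e.com -> example.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Simplification: treat the last two labels as the registrable domain."""
    return ".".join(domain.lower().split(".")[-2:])


def assess_sender(from_header):
    """Return a list of red flags for a From: header (empty list = none found)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable From address"]
    local, domain = addr.lower().rsplit("@", 1)
    reg = registrable(domain)
    reasons = []

    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize(reg) == trusted:
                reasons.append(f"homoglyph lookalike of {trusted}")
            elif edit_distance(reg, trusted) <= 1:
                reasons.append(f"one character away from {trusted}")
            elif trusted in domain:
                # e.g. example.com.secure-login.net: trusted name used as a subdomain
                reasons.append(f"embeds trusted domain {trusted} in {domain}")

        # Display-name spoofing: the visible name shows a trusted address,
        # but the real sender address is somewhere else entirely.
        shown = re.search(r"[\w.+-]+@([\w.-]+)", name)
        if shown and registrable(shown.group(1)) in TRUSTED_DOMAINS:
            reasons.append(f"display name shows {shown.group(0)} but sender is {addr}")

    # Long runs of mixed letters and digits are typical of throwaway accounts.
    if re.fullmatch(r"[a-z0-9]{10,}", local) and re.search(r"\d", local) and re.search(r"[a-z]", local):
        reasons.append(f"random-looking local part {local!r}")
    return reasons


# Constructed sample headers for illustration.
SAMPLE_HEADERS = [
    "Alerts <alerts@example.com>",
    "Security Team <security@examp1e.com>",
    "Example Support <support@exarnple.com>",
    "Alerts <alerts@examplle.com>",
    "Billing <no-reply@example.com.secure-login.net>",
    '"support@example.com" <x7k9q2m4v8b1@mail-relay.net>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        flags = assess_sender(header)
        print(f"{header!r}: {flags or 'no red flags'}")
```

Only the last four headers are flagged; the first is a genuine address and the exact-match branch deliberately does nothing for it, so the remaining checks (DMARC results, reputation) decide. Note that a sender address that looks right is still not proof of anything unless the message also passes authentication, which is what the DMARC section below is about.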
Urgent or Threatening Language
Another common characteristic of email scams is the use of urgent or threatening language.
Scammers often create a sense of urgency, inciting fear or excitement to push you into acting quickly without giving much thought. Phrases like “Your account will be closed” or “Immediate action required” should raise an alarm.
Also, emails that offer too-good-to-be-true offers or deals could be scams. Always approach emails with caution, and investigate the details carefully by going directly to the relevant company’s website, while avoiding clicking on links or opening attachments in the email itself.
Requests for Personal or Financial Information
Legitimate companies do not ask for sensitive information like a password, credit card number, or social security number via email. If an email asks you to provide or verify such information, it is almost certainly a scam.
In general, any email that asks you to click on a link to update account information, verify a password, or confirm credit card details should be treated with suspicion and reported to your IT department.
Unusual Attachments or Links
Email scams often include attachments or links that contain malware or lead to phishing sites. These attachments or links may be disguised as invoices, documents, or other seemingly harmless files. However, once opened or clicked, they can install harmful software on a computer or lead to a malicious site where the user’s information can be stolen. Users must be cautious when opening attachments or clicking links in emails.
Inconsistencies in Email Content
It’s important to pay attention to the content of the email itself. Are there spelling or grammar errors? Does the tone or style of the email seem off? Do the logos or other images look distorted or low quality? These can all be signs of a scam. Legitimate businesses and organizations typically have high standards for their communications, so these types of errors and inconsistencies can be a warning that something isn’t right. The reverse does not hold, however: fluent, error-free text is no guarantee of legitimacy, especially now that scammers use generative AI to write their lures.
Protecting Against and Avoiding Email Scams
Here are some proactive steps individuals and organizations can take to prevent falling victim to these scams.
Verify Suspicious Emails
When users receive an email that seems suspicious, they should not interact with it. Instead, verify its legitimacy by contacting the sender or company directly through an official website or a trusted phone number. Do not use any contact information provided in the suspicious email itself, since it will lead back to the scammer.
It is also important never to reply to suspicious emails, as this confirms to the scammer that the email address is active, which can lead to more scam attempts in the future.
Use DMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that lets a domain owner declare how receiving mail servers should treat messages that claim to come from the domain but fail authentication, and receive reports about such messages. Implementing DMARC helps keep your domain from being spoofed in phishing attacks and email scams.
DMARC builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). A message passes DMARC when at least one of the two passes and the domain it authenticated aligns with the domain in the visible From header; otherwise the receiver applies the policy published in the domain’s DMARC record (none, quarantine or reject). A policy of p=none only monitors, so to actually stop spoofing of your domain you need to move to quarantine or reject once the reports show that all legitimate mail streams are authenticating correctly.
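The alignment rule is the part of DMARC people most often get wrong, so here is an added worked example (not from the original article) that evaluates the verdict for one message given the published record, the From domain and the SPF and DKIM results. Everything in it is constructed: the record, the domains and the results. The organizational domain is approximated as the last two labels, and the pct= tag is ignored.

```python
"""Evaluate a DMARC verdict for one message, offline.

Added example, not code from the original article. The record, domains
and authentication results below are constructed; treating the last two
labels as the organizational domain is a simplification (real receivers
use the Public Suffix List), and the pct= tag is ignored.
"""


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Simplification: organizational domain = last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(record, record_domain, from_domain,
                  spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for a message.

    record_domain is where the record was published (the From organizational
    domain); spf_domain is the envelope sender (MAIL FROM) domain that SPF
    checked; dkim_domain is the d= of a verified DKIM signature.
    """
    if record is None:
        return "none", "none"            # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_pass = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_pass = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_pass or dkim_pass:
        return "pass", "none"
    # A subdomain in From: uses sp= if present, otherwise the main p=.
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = tags.get("sp") if is_subdomain and "sp" in tags else tags.get("p", "none")
    return "fail", policy


# Constructed record for example.com.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    cases = {
        "legit, SPF via bounce subdomain": ("example.com", "pass", "bounce.example.com", "none", None),
        "spoofed From, attacker's own SPF/DKIM": ("example.com", "pass", "attacker.net", "pass", "attacker.net"),
        "subdomain From, DKIM not strictly aligned": ("news.example.com", "fail", "news.example.com", "pass", "example.com"),
    }
    for label, args in cases.items():
        print(f"{label}: {dmarc_verdict(RECORD, 'example.com', *args)}")
```

The second case is the one DMARC exists for: the attacker’s mail passes SPF and DKIM for the attacker’s own domain, but neither aligns with the example.com in the From header, so the receiver rejects it. The third case shows why adkim=s needs care: a newsletter signed with the parent domain’s key fails strict alignment and is quarantined, which is exactly the sort of legitimate stream the aggregate reports (rua=) are meant to surface before you tighten the policy.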
Use Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is a security measure that requires users to provide two or more verification factors to gain access to a resource such as an email account. MFA adds an extra layer of protection to an email account, making it much harder for scammers to gain access even if they have a user’s password.
Most email service providers offer MFA. Individual users should enable it; companies should implement it and enforce its use by employees. Where possible, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, since one-time codes and push approvals can themselves be captured or coaxed out of a user by a well-made phishing page.
Provide Security Awareness Training
One of the most important ways to protect against email scams is to educate and train employees regularly. Everyone who uses email should be educated about the risks of email scams and how to avoid them.
Security awareness training should be provided on a regular basis to ensure that everyone is up to date with the latest threats and best practices. This can help build a culture of cybersecurity, where everyone takes responsibility for protecting against email scams.
Leverage AI-powered Email Security Solutions
Email security solutions that leverage AI technology can help detect and stop AI-powered social engineering attacks. By using Transformer-based models, similar to the ones that power large language models like GPT, it is possible to identify characteristics that suggest an email was generated by AI, and identify whether it might have malicious intent.
It’s not enough just to detect AI-generated content, because many legitimate emails are now written with the help of generative AI tools, or use templates with recurring phrases that resemble LLM output.
Advanced email security tools combine AI detection with traditional social engineering signals, such as sender reputation and authentication results (SPF, DKIM, DMARC), to reduce false positives and identify emails that are both generated by AI and highly likely to come from a malicious source.
Learn more in our article: An AI for an AI: LLM-Based Detection of GPT-Generated BEC Attacks
Preventing AI-Based Social Engineering Attacks with Perception Point
Perception Point’s approach to combating GenAI social engineering attacks involves an advanced AI-enhanced threat prevention solution that utilizes Transformers — AI models adept at understanding the semantic context of text.
This method is effective due to its ability to recognize and analyze patterns characteristic of Large Language Model (LLM)-generated content.
The process works as follows:
- Pattern identification: The system groups emails with similar semantic content, allowing it to pinpoint specific patterns indicative of LLM-generated text. This model was initially trained on a vast array of malicious emails and continues to evolve with exposure to new attacks.
- Probability scoring and analysis: When an email is processed, the model evaluates its content, identifying the likelihood of the email being LLM-generated and its potential for malicious intent. It also provides a detailed textual analysis to identify the nature of the threat.
- Minimizing false positives: To address the challenge of false positives, Perception Point’s model integrates insights from the previous steps with additional data, such as sender reputation and authentication protocols, to accurately determine if the content is AI-generated and whether it is malicious, spam, or legitimate.
By implementing this innovative AI technology in their multi-layered detection platform, Perception Point provides a robust defense against GenAI-generated email threats. This approach leverages the identifiable patterns in LLM-generated content, advanced image recognition, anti-evasion algorithms, and patented dynamic engines.
Perception Point can be used to proactively neutralize these evolving threats, preventing them from reaching the inboxes of end-users and causing damage.