How to avoid spam scams and phishing emails

My dad used to love fishing when he was a youngster. Sometimes I worry that he wouldn't realise that fishing is no longer such an innocent activity, at least not when you are casting a line on the internet.

Phishing – where naughty people attempt to gain everything from your password to your credit card details – is a constant threat. You might think that you, and those you know, aren't stupid enough to fall for a fake email. But can you be sure? And can you be sure that your parents wouldn't respond to what looks like a legitimate email from HMRC about the tax they are owed?

Here's our guide to avoiding spam, scams and phishing emails. Get your parents to read it and keep them safe online – it's scary out there.

1) Do you know the person who sent the email?

Is the email from someone you know? That doesn't necessarily mean it is safe. The IDG Tech Media team recently received an email from one of our colleagues. The email included that person's usual signature, and an attachment with a note saying that it was something we should read.

Given that we would frequently share documents this way, a couple of us were caught out, clicking on the attachment. And then, because it seemed to want to open in Google Docs, we entered our Google address and password…

Big mistake – that's how our colleague was originally caught out. The attached document was irrelevant and that was probably what tipped us off that the email account in question had been compromised.

By entering our email address and password we handed the phisher access to our email account. Your email won't necessarily be abused straight away, but it is compromised until you go and change your password, pretty sharpish. Which is what we did.

2) Do you really know the person who sent the email?

Apparently my good friend John has invited me to play at Ruby Palace casino. That was very nice of him, but I don't actually have a friend called John.

Would you fall for such an email if you did have a friend called John? These types of emails use common first names based on the assumption that everyone will know someone who has that name.

3) Is the email from an organisation that you are a customer of?

The vast majority of phishing emails I see are from banks and services that I have nothing to do with. This is a big clue that the email is not from that organisation. If you bank with Lloyds and receive an email from Barclays, I guarantee that it is a phishing email.

Take this email from 'the Halifax'. The fact that I don't bank with the Halifax is quite a good indicator that there is no "irregular online banking activities on my Halifax account".

Even if you don't bank with the Halifax there are a few clues that this is not a legitimate email. The biggest giveaway is that the email is scattered with grammatical errors. And Halifax seems to have lost its capitalisation in a couple of places. (We'll come back to grammar and spelling later.)

Another clue is that the email asks you to download a form to verify your account. We have no doubt that in order to view the form we would have to enter our banking login and password. And if you are on a PC there might even be malware attached.

Ask yourself, why would they send a document for me to download rather than ask me to go to my bank's website?

It is equally possible that the email will include a plea to click on a link to verify your details. That link will take you to something that looks like the website of the organisation in question, but it will not be the real site. Foolish people will enter their login details and grant the malicious party access to their bank account. You don't want to do that.

Rule of thumb: if you get an email from your bank or any other organisation, never click on the URL in the email. Always access the website by typing in the URL that you would normally use.

If there is a URL in the email, hover over it with your mouse and you will see the actual URL that the email wants to direct you to. Is it your bank? We bet it isn't. Don't click by accident while you are doing this!

4) Is the email from HM Revenue & Customs?

HMRC does not email people to tell them that they are due a tax rebate, so don't fall for this.

5) Is the email making shocking claims that you can verify some other way?

This is also a common scam on Facebook. You'll see a shocking story claiming that a particular shampoo causes horrendous blisters, or that EastEnders has been axed. The link is sure to take you to a dangerous website. Before you let your curiosity get the better of you, just search for the story in Google. Chances are that a story will appear showing the claims to be false.

6) Is the email full of spelling and grammatical errors?

We've all heard about the comedy emails from Nigerian princes who are hoping that you can look after some money for them. All you have to do is give someone your bank details. Or pay a few thousand pounds to help the money on its way. Surely nobody is stupid enough to fall for that.

Turns out that some people have fallen for these sorts of scams; why else would they exist? It is apparently the case that the more poorly worded the scam email, the more likely the responses are to be useful to the scammer. Basically only idiots will reply, and those are the only people that the scammer will spend time trying to extract money from.

If the email was well worded and appeared to be legitimate then the number of responses would increase, but that's not necessarily what the scammer is looking for. They want to spend time only on the leads that are likely to pay up, not on those of us who are likely to see through the scam at some point in the process. Just don't be one of that 0.000001% who are gullible enough.

7) Is the email referring to you by name?

Another clue as to the legitimacy of the email is the way they address you. If they call you 'Dear' or 'Beloved', don't fall for it. Any company that you do business with will have your details on file so they have no reason to refer to you as 'Customer' or 'Client'. (Actually make that "costumer" – brilliant misspelling in the email below!)

For example, the "Verify your Apple ID" email below clearly isn't really from Apple.

You should still beware of an email even if it does address you by name. Perhaps the scammer has been able to glean information about you by other means.

It is likely that your bank has come up with a way to prove that an email is from them. For example, Santander includes an image chosen by you in every email they send. If that image isn't there you can be confident that the email is not from them.

Note: the email may refer to you by name simply because the email address they are using starts with your name. For this reason we get quite a few random emails addressing us as "hello news" or "good day reviews", because they are targeting some of the group email addresses we use here.

8) Who sent the email?

Another clue is the email address of the person who sent the email. As you will see from this email claiming to be from Apple, if you look at the actual email address it is not from Apple at all. The email comes from the onmicrosoft domain. Apparently Microsoft's not being too careful about who it lets onto its domain-hosting servers.

It's pretty easy to change the name associated with your email address to fool someone into thinking that the email is from someone else. To change your name in Outlook, for example, just go to Preferences > Accounts and change your Full Name in the field.

You won't always be able to see at a glance the real email address of the person who emailed you. To see what the email address is in Outlook, for example, hover over the name until the email address shows; then you will know whether it really is from who it claims to be. (The chance that it's really from Steve Jobs is pretty slim anyway.)
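The two checks above, the hover-over-the-link test from section 3 and the real-address-behind-the-display-name test from this section, can be done by a short script rather than by eye. The example below is added for this guide and is not code from the original article or from any email client. It uses Python's standard `email` and `html.parser` libraries, and the sample message it scans is constructed for the example (the domains in it are placeholders, not real senders). It also goes one step beyond the article by checking whether a Reply-To header would send your answer to a different domain than the one in From, which is the same trick applied to replies.

```python
"""Flag sender and link mismatches in a raw email message.

Added example, not part of the original article. Reads an RFC 822 message
with the standard `email` library and reports (a) a From display name whose
brand does not appear in the actual address, (b) a Reply-To on a different
domain, and (c) links whose visible text shows one domain while the href
(the 'hover' target) goes to another.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical domains): the display name says Apple, the
# address is elsewhere, and the link text shows an apple.com URL while the
# href points somewhere else entirely.
SAMPLE_EMAIL = """\
From: "Apple Support" <alerts@example-mailer.invalid>
Reply-To: verify@another-domain.invalid
To: customer@example.com
Subject: Verify your Apple ID
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Costumer, your account has irregular activity.</p>
<p>Please verify at <a href="http://login.example-phish.invalid/verify">https://appleid.apple.com/</a></p>
<p><a href="https://www.apple.com/legal/">Privacy Policy</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' domain, enough for this illustration.
    A real check would consult the Public Suffix List (think co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_findings(msg):
    """Compare the From display name with the address it actually carries."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    addr_domain = addr.partition("@")[2]
    if name and addr_domain:
        brand = name.lower().split()[0]  # first word of the display name
        if brand not in addr_domain.lower():
            findings.append(f"display name '{name}' but address domain '{addr_domain}'")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.partition("@")[2] != addr_domain:
        findings.append(f"Reply-To '{reply}' goes to a different domain than From")
    return findings


def link_findings(msg):
    """Report anchors whose visible text looks like a URL on one domain while
    the href goes to a different domain (what hovering would reveal)."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkCollector()
    parser.feed(body.get_content())
    for text, href in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        target = urlparse(href).hostname
        if shown and "." in shown and target and registered_domain(shown) != registered_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")
    return findings


def analyse(raw):
    """Return every warning for one raw message; an empty list means no clue found."""
    msg = email.message_from_string(raw, policy=policy.default)
    return sender_findings(msg) + link_findings(msg)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

An empty result is not a clean bill of health: a scammer who sets up a lookalike domain and uses it consistently in From, Reply-To and every link will pass all three checks, which is why the rule of thumb about typing your bank's address yourself still applies.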

9) Is the email offering something that's too good to be true?

If you were looking for a new car would you fall for an email from a company that is offering "Used cars for sale"?

This email is clearly intended only for people in the US, which is a pretty good clue if you live in the UK. But someone based in the US, maybe even in Greenwood, Indiana, could be fooled, especially when they see the phone number and address of poor Peter Anderson. Just seeing a phone number can make an email look more trustworthy.

Never ever reply to an email like this.

10) Are you using a spam filter?

All the emails we've shown you here were nicely tucked away in our spam filter. Make sure you have a spam filter on and you may never see a spam email.

You'll note that this email about the iPhone 6, claiming to be from Apple, was caught by our spam filter, and the filter even warns us that other people have been caught out by this message. (We deliberately didn't download the images associated with the email; you'll see why if you read on.)

What NOT to do if you get a scam phishing email

Don't respond

Never ever respond to the phishing email. Not even if you want to ask to unsubscribe, and certainly not if you want to make a joke at the scammer's expense.

All your response will do is confirm that the email address is in use, and get you added to a list of people to email with scams. You've already proven to be more susceptible than most.

Don't download the images

Most modern email clients don't download the images in emails automatically. If you click to download the images in the email, they are fetched from the sender's server, so the sender will know that this is a live email address. Again, this will show that your email address is in use and you will receive even more spam.

Make sure that your email is set to not download images automatically.
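To see what "download images" would actually do, it helps to list the remote images a message references, since each one is a request to the sender's server. The script below is an added example, not code from the original article or from any mail client; it uses Python's standard `email` and `html.parser` libraries on a constructed sample message whose host names are placeholders. Images embedded in the message itself (cid: references) are skipped because fetching them contacts nobody.

```python
"""List the remote images a message would fetch if you clicked 'download images'.

Added example, not from the original article. Each http(s) <img> is a request
to the sender's server, which is how opening the images confirms the address
is live. A 1x1 image, or one carrying a per-recipient query string, is the
classic tracking beacon.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical hosts): one visible logo, one 1x1 beacon
# with a unique token in its query string, and one embedded image.
SAMPLE_EMAIL = """\
From: "Apple" <promo@example-mailer.invalid>
Subject: iPhone 6 - you have been selected
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example-mailer.invalid/logo.png" width="200" height="60">
<p>You have been selected to receive an iPhone 6.</p>
<img src="http://track.example-mailer.invalid/open?u=8f3a9c2d1e" width="1" height="1">
<img src="cid:inline-image-1">
</body></html>
"""


class ImageCollector(HTMLParser):
    """Collect (src, width, height) for every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = dict(attrs)
            self.images.append((a.get("src", ""), a.get("width"), a.get("height")))


def remote_images(raw):
    """Return one record per image that would be fetched over the network."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # plain-text only: nothing to fetch
    collector = ImageCollector()
    collector.feed(body.get_content())
    records = []
    for src, width, height in collector.images:
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid: and data: images are embedded; no server is contacted
        tiny = width in ("0", "1") and height in ("0", "1")
        records.append({
            "host": url.hostname,
            "path": url.path,
            # A tiny image or a per-recipient token in the query is the usual beacon;
            # a logo on a plain path still tells the server the address is live.
            "likely_beacon": tiny or bool(url.query),
        })
    return records


if __name__ == "__main__":
    for rec in remote_images(SAMPLE_EMAIL):
        flag = "BEACON" if rec["likely_beacon"] else "remote"
        print(f"{flag}: {rec['host']}{rec['path']}")
```

Note that the "likely_beacon" flag is a heuristic: even the innocent-looking logo confirms your address is live once it is fetched, which is why the advice is to leave image downloading off rather than to pick and choose.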

Turn off the preview

If your email client lets you view a preview of an email beside your inbox, that may make scanning through your emails quicker, but it does mean that you could end up viewing emails you don't want to open. Once it has been opened, that email has alerted the spammer that your email address is live, so expect to receive more spam.

In Outlook go to Preferences > Reading and set "Automatically download pictures from the internet" to 'Never'.

Don't click on the links

As we explained above, you can hover over the link to see what the actual URL is, and this is usually enough to prove that you are being sent to an illegitimate website. Even if it does look legitimate, never ever click on the link. If you visit a shady site it could install cookies or worse on your computer. Cookies are files that are stored on your smartphone, tablet or computer and they can track you when you are online. The scammers can use them to track your browsing habits and build up a picture of your interests.

For this reason if you have accidentally visited such a site make sure you clear your cookies (Read: how to clear cookies in Safari on a Mac).

Don't download any attachments

If there is an attachment do not download it. The attachment is likely to include a virus or other malware that will be installed on your computer. If you are using a Mac you may think you are safe from viruses, but it is still possible to pass them on to colleagues or clients who use PCs, so take no risks. Make sure you are running antivirus software so that any attachment is scanned before it is downloaded.

The five rules for staying safe online

  1. Don't click a link in an email
  2. Don't download attachments
  3. Don't click on a URL
  4. Don't enter your username and password
  5. Don't respond to the email

Obviously there are emails that are completely safe, and we're not suggesting you never respond to an email ever again. The important thing is to verify that it is from whom it says it is from, and that they know it has been sent.

Stay safe out there!