Email Security and Authentication

Surviving the Inbox Scam-pede: How to Navigate the Wacky World of Email Scams


In today’s email ecosystem, marketers and subscribers alike share a common fear: the email scam. When brands fall victim to scams, they risk losing money, their reputations, and their subscribers’ trust.

Subscribers have just as much to lose.  

Emails that promise everything from weight loss solutions to untold riches creep into mailboxes and trick unwitting consumers into exposing their personal data and losing their hard-earned dollars. 

Unfortunately, email scams are becoming more prevalent and more sophisticated by the day, aided in some cases by new technology like ChatGPT.

Especially with the holiday season fast approaching, it’s critical for marketers to ensure their email programs (and subscribers) are safe and secure.  

Scam vs. spam: An important distinction 

Before we dive into the messy (and often dangerous) world of email scams, let’s review a definition and a distinction. What exactly is an email scam, and how does it differ from the everyday spam that lands in subscriber mailboxes?  

Apart from just one letter, the difference between a spam email and a scam email is intent. After all, perfectly legitimate emails from reputable senders can be considered spam. While spam is generally just unwanted email, scams always have a malicious goal.  

Often, email scams will come in the form of a phishing attack. Phishing is a form of identity theft in which a cyber-criminal uses a seemingly authentic email from a reputable source to trick recipients into giving out sensitive, personal details like bank account or credit card information, social security numbers, or other forms of Personally Identifiable Information (PII).  

Email scams aren’t new, but scammers are becoming more intelligent and constantly leveraging new technology to make their emails seem more and more legitimate. Let’s take a look at some typical email scams, and why they’re so effective. 

The Uber survey scam 

The concept of this Uber survey phishing email is simple. The subscriber is prompted to click on the link within the email, where they’ll be directed to a website asking for personal information. This PII will ultimately be used for nefarious purposes.  

Beginning with the subject line, this scam email, claiming to be sent by Uber, a trusted company name, exhibits a common phishing trait: grammatical errors.

Spelling and grammatical errors are common tropes in scam emails. By using poor spelling or grammar, scammers are able to weed out recipients too smart to fall for the attack.

In a deliverability-related twist, the scammers use the term “UberUsers” in the subject line. While it’s common for phishing emails to use generic and misbranded greetings and subject lines, this may be an attempt to circumvent mailbox provider filtering algorithms and see the email land in the inbox. 

Source: pickr 

The 419 (or Nigerian prince) scam 

The 419 or Nigerian Prince scam is one of the oldest online fraud schemes. While the scam gets its name from the section of the Nigerian Criminal Code (419) that pertains to swindling, there are many variations of this email.

Generally speaking, each 419 scam email features a compelling backstory, a reference to a wealthy individual, and a prompt to transfer or hold money on behalf of the “prince.”

419 scams are even evolving to keep up with the times. More recent versions of this tactic may refer to Ukrainian business people seeking refuge in other countries.

Whatever the script, all 419 scams aim to gain access to personal information or bank account details.  

Though these attacks may seem like blatantly obvious scams, they’re extremely effective. 419 schemes prey on the most basic human emotions. The scammers appeal to a subscriber’s naivety, generosity, greed, or even a sense of romance to succeed.  

In addition to our baser instincts, 419 scammers rely on sheer volume to find their targets, sending hundreds of thousands of phishing emails and casting a wide net to find just a few victims. As we see with other email scams, these messages are becoming more sophisticated as more personal data becomes available online and with the aid of emerging technologies.     

While Nigerian Prince scams may not seem relevant to email marketers, stories of scammers targeting businesses and organizations are on the rise. Employees must be trained on this type of phishing attack and made aware of what to look out for in their own B2B mailboxes. Otherwise, employees risk exposing critical (and private) company data.

Source: NordVPN 

The Netflix payment declined scam 

This email claims to be sent by Netflix. It’s a classic phishing attempt that aims to access a subscriber’s credit card or bank account information. The scam is effective for several reasons, but namely because it preys upon a consumer’s sense of fear or concern for financial matters. Naturally, the subscriber is inclined to act and correct the error.  

The Netflix payment declined scam email includes several hallmarks of a traditional phishing attempt. It leverages the brand logo, claims there’s a problem with account or payment information, uses a generic greeting, unfamiliar sending domain, and creates a sense of urgency by indicating a 48-hour window for the subscriber to engage.  


Source: mailguard 


How can brands avoid email scams?

These examples make clear just how convincing phishing scams can be and how easily brands can be misrepresented.

More than ever, marketers must stay vigilant in the face of increasingly intelligent and numerous email scams.

So, how can brands ensure their messages appear legitimate and maintain subscriber trust?  

Authenticate your emails!  

Domain-based Message Authentication, Reporting and Conformance, or DMARC for short, is an email authentication protocol.

It is designed to give email domain owners the ability to protect their domain from unauthorized use. Senders should implement an enforcement DMARC policy (i.e., p=quarantine or p=reject) to prevent scammers from using your trusted domain.  

An enforcement policy means that messages failing DMARC (no SPF or DKIM pass that aligns with the From domain) will automatically be sent to the spam folder (p=quarantine) or dropped by the mailbox provider entirely (p=reject). This helps protect your subscribers from malicious emails.

Implement Brand Indicators for Message Identification (BIMI) 

BIMI is an email standard that allows brands to display their logo in supported mailboxes like Gmail, Yahoo and Apple.

In order for the logo to be displayed, senders must have their domain’s aforementioned DMARC policy at enforcement. Therefore, BIMI inherently protects your brand (and your subscribers) against the forging of legitimate email, also known as spoofing.

By adding brand impressions to every email, recipients can rest assured that the message comes from a legitimate sender.  
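To make the DMARC enforcement requirement concrete (for both the DMARC and BIMI sections above), here is an added example, not code from the original post, that parses a DMARC TXT record, reports whether it is at enforcement, and shows the disposition a mailbox provider applies to a message that fails both aligned SPF and DKIM. The sample records and the dmarc@example.com reporting address are constructed; the BIMI readiness check assumes the usual BIMI prerequisites (p=reject, or p=quarantine with pct=100, and no sp=none), which go slightly beyond what the post states.

```python
"""Parse a DMARC record and evaluate enforcement / BIMI readiness (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

VALID_POLICIES = ("none", "quarantine", "reject")

@dataclass
class DmarcPolicy:
    policy: str                      # p= tag: none | quarantine | reject
    subdomain_policy: Optional[str]  # sp= tag, if present
    pct: int                         # pct= tag, defaults to 100
    tags: Dict[str, str]             # every tag as found in the record

def parse_dmarc(record: str) -> DmarcPolicy:
    """Split 'tag=value; tag=value' into a policy object, rejecting malformed records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    sp = tags.get("sp", "").lower() or None
    return DmarcPolicy(policy, sp, int(tags.get("pct", "100")), tags)

def is_enforcing(pol: DmarcPolicy) -> bool:
    """Enforcement, as the post defines it: p=quarantine or p=reject."""
    return pol.policy in ("quarantine", "reject")

def bimi_ready(pol: DmarcPolicy) -> bool:
    """Assumed BIMI prerequisites: enforcement, full pct, no weaker subdomain policy."""
    if not is_enforcing(pol):
        return False
    if pol.policy == "quarantine" and pol.pct != 100:
        return False
    return pol.subdomain_policy != "none"

def disposition(pol: DmarcPolicy, spf_aligned: bool, dkim_aligned: bool) -> str:
    """What a receiver does with a message: DMARC passes if either aligned check passes."""
    if spf_aligned or dkim_aligned:
        return "deliver (DMARC pass)"
    return {"none": "deliver", "quarantine": "spam folder", "reject": "drop"}[pol.policy]

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"          # constructed
STRONG_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"  # constructed
```

With p=none a spoofed message that fails both checks is still delivered; only the p=reject record causes it to be dropped and qualifies the domain for a BIMI logo.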

Personalize! 

Dear Shopper! Dear Friend! Hello User! Because scammers don’t have access to subscriber PII, scam emails typically use generic greetings.

Leveraging the zero-party data subscribers have willingly provided your business, emails should be personalized and customized to include relevant subscriber information, like names and preferences.  

Maintain consistency

Maintaining consistent branding, sending frequency, tone, and footer information within your email messages helps build trust and confidence with your subscriber base. Sudden or unexpected changes to your email program may appear suspicious.  

Consistency should also apply to your Friendly-From (the display name your brand wants to be identified by, which is what the recipient sees in their email client) and your sending domain. Because scam emails often use lookalike Friendly-From names or domains, keeping these fields consistent helps trusted, legitimate emails stay recognizable.

Educate your subscribers on potential scams 

Even when brands implement strict authentication, personalize, display logos, and send using consistent tone, visuals, and language—scammers will persist.

Awareness is any organization’s best defense against email phishing scams. Brands should be educating their subscribers on scams, what pieces of information email communications will or will not ask for, scammy email elements to be wary of, and how to report potential scams.  

Most brands have a web page dedicated to scam education, but few marketers send emails dedicated to subscriber education.

Particularly if the sender has a robust affiliate program, marketing emails dedicated to scam education can help build trust, reiterate the value your brand provides, and help subscribers stay informed.  

Preparing for scammer season 

Email scams skyrocket during the holiday sales season, so securing your email program and educating employees should be part of any email marketer’s holiday season preparation.

For more expert advice to get your email program in peak shape for the holiday season, read our guide, The Email Marketer’s Peak Sales Season Prep Guide.