Spotting bogus emails

Email has its origins in US military and academic institutions of the 1970s. The network was private and its users were known and trusted, so it didn’t need to be too secure. Its creators could hardly have predicted that this simple system would survive largely unchanged into the 21st century and become an essential part of our lives.

Simplicity, openness, and the fact that it’s free are some of email’s greatest strengths, but they also leave it open to abuse. We’ve all faced the challenge of trying to tell whether a message is genuine, knowing that a bogus message could lead to identity theft, financial loss, or damage to our computer. With a little knowledge, you can protect yourself well from these threats.

Safety first

In the past, poor software design meant it was advisable to not even open suspect messages. But email software has improved, and nowadays, opening any email is generally safe.

Instead, you are at risk if you:

Check the From address

A simple email comprises a To and From address, subject and body.

It’s actually possible to spoof the From address. In other words, anyone can send a message purporting to be from any address. So, for example, a message ‘From’ support@bt.com may not really be from BT.

Note: This might sound like an unforgivable shortcoming, but consider that the postal service is no different: I can write to you, but put someone else’s address on the back of the envelope.

Thankfully, modern systems for detecting spoofing mean most scammers no longer spoof the From address, or spoof it to something that’s blatantly fake.

So, if you suspect a message is bogus, check its From address. If for example the message is about your Amazon account but the From address doesn’t end in something like @amazon.co.uk, alarm bells should ring.

Note: Unfortunately, many email apps hide the From address initially, showing just the sender name. The sender name is useless because bogus messages almost always spoof it (e.g. ‘Barclays Helpdesk’). So, ignore the sender name, and learn how to reveal the From address in your email software. Often, you do so by hovering over or clicking the sender name.

Check the destination of links

To achieve its aim, a bogus email might for example tell you that someone has hacked into your Facebook account, and have a link saying ‘click here to change your password’. You needn’t take chances with these links:

Note: In Safari you need to click View > Show Status Bar to enable this.

I have a separate guide to interpreting web addresses.

Check for bad spelling or grammar

A common sign that a message is bogus is bad spelling or grammar. In the heat of the moment it may be easy to miss, but it’s often the most obvious clue, so take your time. For example:

Note: My customers often forward me suspect messages, asking if they’re bogus. Of those that are, almost all contain simple giveaways like this.

Of course, a genuine sender may make a spelling mistake, and conversely, a scammer may write perfect English! So there’s no definitive rule here.