Identify Email Scams

This guide contains a few simple tips to help you and your organisation avoid falling victim to email scammers.

1 – Be vigilant, everyone is a target

The most important thing to remember is that we are all vulnerable to hackers or scammers, no matter how small your organisation. It only takes one scam email to succeed for the financial or operational information of you and your organisation to be at risk.

2 – Beware all suspicious emails

Phishing scams are emails that are falsified to appear as if they are from a trusted source to dupe you into divulging personal information or installing malicious software that can take control of your computer.

Commonly these emails are disguised to look like they come from large service providers (HMRC, O2, UPS, Apple, Facebook, Gmail etc.), but they can also appear to come from people you know.

Be suspicious of any message from an organisation you don’t have a service with, or that asks for your password or personal or financial information.

Always check the full address that the email has come from – if the part after the @ isn’t the company they say they are, then it is a scam. This email is purporting to be from O2, but the email address gives it away as a scam:

3 – Be sceptical to avoid becoming a victim

Foreign offers are often fake, you probably aren’t due a rebate from HMRC, and it is unlikely a long-lost relative has left you money or is stuck in a compromising position in a foreign jail.

Scammers use emotion to try to make you click first and think later, so slow down in your response to surprising emails.

Does the email look right? Check spelling and grammar, capitalisation of words, resolution of logos and whether anything specific to you has been included. Phishing emails are designed quickly and sent in bulk, so use of language and design of the email can often be a giveaway. Go with your gut; if it seems suspicious, it’s probably a scam.

4 – Be careful what you click on and hover over links

Never click on links in a suspicious or unexpected email, even if it looks like a link to a safe website. If you hover your mouse over a link (don’t click!) it will reveal the true destination URL. If it isn’t a URL you trust, don’t click. If in doubt, use Google to find the real website of the company, and provide any required information that way.

The link in this phishing email looks like it goes to, but hovering over the link reveals a completely unrelated website:

Some URLs will be very similar to the one they are mimicking, so it is important to be vigilant. The most important part of the web address is the text that comes immediately before the first / (excluding ‘http://’).

Examples of good URLs


Examples of bad URLs


This directs to, not


Again, this goes to, as it is immediately before the first slash


Some websites do have things ahead of the web address, such as blog or help, but these must be separated by a dot. A hyphen, or anything else, will lead to another website.
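The sender-address check in tip 2 and the link rule above are the same test: the domain must be the company's own, or something joined to it with a dot. The sketch below is an added example, not part of the original guide; example.com and the .test domains are constructed stand-ins, and the function names are illustrative.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit


def belongs_to(host, trusted_domain):
    """True if host is trusted_domain itself or a dot-separated subdomain of it."""
    host = host.lower().rstrip(".")
    trusted = trusted_domain.lower()
    # "help.example.com" passes; "help-example.com" and
    # "example.com.account-check.test" do not.
    return host == trusted or host.endswith("." + trusted)


def link_host(url):
    """The host a link really goes to: the text before the first '/' after the scheme."""
    return (urlsplit(url).hostname or "").lower()


def sender_domain(from_header):
    """The part after the @ in a From header, ignoring the display name."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def check_link(url, trusted_domain):
    return belongs_to(link_host(url), trusted_domain)


def check_sender(from_header, trusted_domain):
    return belongs_to(sender_domain(from_header), trusted_domain)


if __name__ == "__main__":
    # Constructed samples; "example.com" plays the genuine company.
    links = [
        "https://example.com/login",
        "https://help.example.com/reset",                # subdomain joined by a dot
        "https://help-example.com/reset",                # hyphen: a different site
        "https://example.com.account-check.test/login",  # real host ends in .test
        "http://account-check.test/example.com/login",   # name only appears after the /
    ]
    for url in links:
        verdict = "ok " if check_link(url, "example.com") else "BAD"
        print(verdict, link_host(url), "<-", url)

    senders = [
        "Example Support <billing@example.com>",
        '"Example Support" <billing@example.com.mailer.test>',
    ]
    for header in senders:
        verdict = "ok " if check_sender(header, "example.com") else "BAD"
        print(verdict, sender_domain(header), "<-", header)
```

A passing sender check only shows the address is written with the right domain; as tip 5 notes, a genuine address that has been taken over can still send scam email.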

5 – Don’t download unknown attachments

Clicking on attachments can download malicious software to seize control of your computer. Commonly scammers will encrypt your computer or whole network, locking away files and photographs until a ransom is paid.

Never click on unexpected attachments, even those sent from the actual email address of someone you know. Once hackers take control of an email address they will try to spread infection to anyone in their contact list.

6 – Use strong passwords

Every website now requires a long complicated password, and it can be tempting to take shortcuts and simply reuse passwords. Try not to do this.

A passphrase is a series of words, with or without spaces – you may find these can be easier to remember than a long string of characters. You can use free online generators to create your passphrase.

You can make stronger passphrases by adding numbers or characters in place of letters, and capitalising letters. So, “infamous argument hatter” becomes “infa&ouS argu&3nT haTT3R”.

A password management programme can be useful to help maintain strong unique passwords without having to memorise endless combinations. LastPass is one example of a free password manager.

7 – Enable two-factor authentication

For accounts with messaging functions that could easily be used to spam or infect your contacts, consider using two-factor authentication (2FA) for extra security.

2FA requires a secondary key, other than a password, to log in. You probably already use 2FA when internet banking.

The large networking sites all have slightly different names for 2FA – Facebook login approval, Twitter login verification, LinkedIn two-step verification and Google 2-step verification – and most require you to enter a code sent to your phone to prove your identity.