Email fraud

Email fraud (or email scam) is intentional deception for either personal gain or to damage another individual using email as the vehicle. Almost as soon as email became widely used, it began to be used as a means to defraud people, just as telephony and paper mail were used by previous generations.

Email fraud can take the form of a

confidence trick ("con game", "scam", etc.). Some confidence tricks tend to exploit the inherent greed and dishonesty of its victims. The prospect of a 'bargain' or 'something for nothing' can be very tempting. Email fraud, as with other "bunco schemes

", usually targets naive individuals who put their confidence in schemes to get rich quickly. These include 'too good to be true' investments or offers to sell popular items at 'impossibly low' prices.

Another form of email fraud is an

spear phishing

: 'phishing' involves sending thousands of emails claiming, for example, that an account has been compromised; 'spear phishing' typically involves a precisely crafted message to a single individual who is expecting a request to make a large payment to a legitimate payee.

Forms

Spoofing

Email sent from someone pretending to be someone else is known as spoofing. Spoofing may take place in a number of ways. Common to all of them is that the actual sender's name and the origin of the message are concealed or masked from the recipient. Many instances of email fraud use at least spoofing, and as most frauds are clearly criminal acts, criminals typically try to avoid easy traceability.

Phishing

Phishing is a type of

sensitive information to the attacker^[1]^[2] or to deploy malicious software on the victim's infrastructure such as ransomware

. Some spoof messages purport to be from an existing company, perhaps one with which the intended victim already has a business relationship. The 'bait' in this instance may appear to be a message from "the fraud department" of, for example, the victim's bank, which asks the customer to: "confirm their information"; "log in to their account"; "create a new password", or similar requests. Instead of being directed to the website they trust, they are referred to an identical looking page with a different URL. After entering their log-in details, their username and password is visible to the perpetrators. In many cases, phishing emails can appear to be benign - for example, a message prompting the receiver that they have a new friend request on a social media platform. Regardless of how innocent the message is in itself, it will always lead the victim to an imitation web page and false log-in prompt.

In a study, researchers concluded that cognitive reflection and sensation-seeking tendencies are modest but significant predictors of susceptibility to phishing.[3] Additionally, participants who were pressured to make quick email legitimacy judgments made more errors.^[3]

Bogus offers

Email solicitations to purchase goods or services may be instances of attempted fraud. The fraudulent offer typically features a popular item or service, at a drastically reduced price.

Items may be offered in advance of their actual availability. For instance, the latest video game may be offered prior to its release, but at a similar price to a normal sale. In this case, the "greed factor" is the desire to get something that nobody else has, and before everyone else can get it, rather than a reduction in price. Of course, the item is never delivered, as it was not a legitimate offer in the first place.

Such an offer may even be no more than a phishing attempt to obtain the victim's credit card information, with the intent of using the information to fraudulently obtain goods or services, paid for by the hapless victim, who may not know they were scammed until their credit card has been "used up."

Requests for help

The "request for help" type of email fraud takes this form: an email is sent requesting help in some way. However, a reward is included for this help, which acts as a "hook". The reward may be a large amount of money, a treasure, or some artifact of supposedly great value.

This type of scam has existed at least since the

mark

" (victim) that he is "allowed" to supply money, for which he should expect a generous reward when the prisoner returns. The confidence artist claims to have chosen the victim for their reputation for honesty.

Other

Business email compromise is a class of email fraud where employees with privileged access (such as to company finances) are deceived into making invalid payments or installing ransomware

Nigerian Senate

emblem is sometimes used in this scam.

Lottery scam: The intended victim is often told their name or email address was selected through a random computer ballot and sponsored by a marketing company. In order to claim their so-called winnings, the victim is asked to provide their bank account details and other personal information. The victim is asked to contact the claims agent or award department.
FBI email: Claim to be an “official order” from the FBI’s Anti-Terrorist and Monetary Crimes Division, from an alleged FBI unit in Nigeria, confirm an inheritance, or contain a lottery notification, all informing recipients they have been named the beneficiary of millions of dollars.^[4]

Hitman: An email is sent to the victim's inbox, supposedly from a hitman who has been hired by a "close friend" of the recipient to kill him or her but will call off the hit in exchange for a large sum of money. This is usually backed up with a warning that if the victim informs local police or the FBI, the "hitman" will be forced to go through with the plan. This is less an advance-fee fraud and more outright extortion, but a reward can sometimes be offered in the form of the "hitman" offering to kill the man who ordered the original hit on the victim.^[5]

Investment schemes: Emails touting investments that promise high rates of return with little or no risk. One version seeks investors to help form an offshore bank. The Fifth Third Bank brand, name, and logo have been frequently exploited in this scam. The computer security company McAfee reports that, at the beginning of September 2006, over 33% of phishing scam emails being reported to McAfee were using Fifth Third Bank's brand.^[6]
Romance scam: Usually this scam begins at an online dating site, and is quickly moved to personal email, online chat room, or social media site. Under this form, fraudsters (pretended males or females) build online relationships, and after some time, they ask for money from the victims. They claim the money is needed due to the fact they have lost their money (or their luggage was stolen), they have been beaten or otherwise harmed and they need to get out of the country to fly to the victim's country.
Dating extortion scam: After baiting an individual into intimate conversations, they are told to pay unless they want their conversations posted online and they are named a cheater. There are no reports from the FBI that indicate that the records are actually removed once payment has been made.^[7]
Online business directory: Typically offering a free subscription to a non-existent directory with hefty fees for maintenance in the fine print.
Death certificate scam: Person will get an obituary off Internet. Find out relatives related. Get their emails. Contact them with fake story of another family member near death, which of course, is only told in ambiguous language. It originates out of Ethiopia with the "makelawi" tag in the email, but it can have de (German free email tag) along with it.
Marriage agency scam: Pretending to be translation agency or
dating sites. They can use pictures of real people from other websites. Typically they are aimed at foreign men looking for brides from the former Soviet countries
. When a victim is engaged, they ask for communication expenses such as translations, voice phone calls, video calls, "agency fees". They impersonate the brides instead of providing a matchmaking service to them. The real ladies may not be aware that someone is using their identity.

Secret shopper

: The intended victim is solicited via email to work as a 'secret shopper', often after the victim's resume has been posted at a job search site. Once engaged, the victim is sent a counterfeit check along with instructions and forms for work as a secret shopper. The provided instructions typically are to make several small transactions at nearby businesses, recording their experience on an official looking form. Universally is the instruction for the victim to also create a significant wire transfer, with a request to rate the experience. The counterfeit check is cashed at the unsuspecting victim's financial institution in order to accomplish the listed tasks.

Traffic ticket spam: Fraudulent emails claiming the recipient had been issued a traffic ticket. The spam, which spoofed a nyc.gov email address, claimed to be from the New York State Police (NYSP).^[8]
Word of Mouth: This type of email spam
states that an anonymous person posted a secret about the recipient and that he needs to pay a fee in order to see the message.

Job Scams

: The victim is seeking a job and posts a resume on any internet job site. The scammer spots the resume and sends the victim an email claiming to be a legitimate job listing service, and claiming to have a client who is looking for an employee with their skills and experience. The victim is invited to click on a link to apply for the job. Clicking the link takes the victim to a job description specifically written for the skills and experience on the victim's resume, and provides a very high salary, and invites them to "click here" to apply for the job. If the victim clicks on that "apply" link, they are taken to an "application" form that asks for the normal job application information, PLUS the victim's social security number, date of birth, the name of the bank and account number where they will want their paycheck to be deposited to, a "relative" reference, etc. With this information, the scammer can open up a bank account in any on-line bank and utilize the victim's credit to buy items online and ship them to associates who are in on the scam.

PayPal scam: Fraudulent emails claiming the victim has been issued a payment to his/her account, however processing will be complete once the victim has sent the item he/she is selling to the individuals address. This scam is mostly common in selling items to individuals abroad.

Avoiding email fraud

Due to the widespread use of

web bugs in email, simply opening an email can potentially alert the sender that the address to which the email is sent is a valid address. This can also happen when the mail is 'reported' as spam

, in some cases: if the email is forwarded for inspection, and opened, the sender will be notified in the same way as if the addressee opened it.

Email fraud may be avoided by:

Not responding to suspicious emails.
Keeping one's email address as secret as possible.
Using a
spam filter
.
Noticing the several spelling errors in the body of the "official looking" email.
Ignoring unsolicited emails of all types and deleting them.
Not clicking on links.
Not opening unexpected attachments, even if they appear to be from someone the user trusts. Many email fraudsters attach viruses or malware to emails.
Ignoring offers from unknown sources. The contents of an email are not a formal or binding agreement.

Many frauds go unreported to authorities, due to feelings of shame, guilt, or embarrassment.

References

S2CID 5472217
.

S2CID 204538981
.

^
PMID 30650114
.

^ "New E-Scams & Warnings. FBI". Fbi.gov. Retrieved 2012-02-18.

^ "Hitman Bribe Scam". snopes.com. Retrieved 2012-02-18.

^ "Top 10 Phish Scams". McAfee. 2006-09-01. Retrieved 2006-09-01.

^ "Internet Crime Complaint Center's Scam Alerts". IC3.gov. 2012-10-23. Retrieved 2013-12-22.

^ "Internet Crime Complaint Center's (IC3) – Scam Alerts". ic3.gov. October 17, 2011. Retrieved October 26, 2011.

v
t
e
Information security
Related security categories

Computer security

Automotive security

Cybercrime
Cybersex trafficking

Computer fraud

Cybergeddon

Cyberterrorism

Cyberwarfare

Electromagnetic warfare

Information warfare

Internet security

Mobile security

Network security

Copy protection

Digital rights management

vectorial version
Threats

Adware

Advanced persistent threat

Arbitrary code execution

Backdoors

Hardware backdoors

Code injection

Crimeware

Cross-site scripting

Cross-site leaks

DOM clobbering

History sniffing

Cryptojacking

Botnets

Data breach

Drive-by download

Browser Helper Objects

Viruses

Data scraping

Denial-of-service attack

Eavesdropping

Email fraud

Email spoofing

Exploits

Hacktivism

Insecure direct object reference

Keystroke loggers

Logic bombs

Time bombs

Fork bombs

Zip bombs

Fraudulent dialers

Malware

Payload

Phishing
Voice

Polymorphic engine

Privilege escalation

Ransomware

Rootkits

Scareware

Shellcode

Spamming

Social engineering

Spyware

Software bugs

Trojan horses

Hardware Trojans

Remote access trojans

Vulnerability

Web shells

Wiper

Worms

SQL injection

Rogue security software

Zombie

Defenses

Application security
Secure coding

Secure by default

Secure by design
Misuse case

Computer access control
Authentication
Multi-factor authentication

Authorization

Computer security software
Antivirus software

Security-focused operating system

Data-centric security

Obfuscation (software)

Data masking

Encryption

Firewall

Intrusion detection system
Host-based intrusion detection system (HIDS)

Anomaly detection

Security information and event management (SIEM)

Mobile secure gateway

Runtime application self-protection

Site isolation

v
t
e
Types of fraud
Business-related

Billing

Cramming

Disability

Drug / Pharmaceutical

Email

Employment

Fixing

Impersonation

Intellectual property

Internet

Job

Long firm

Odometer

Phone

Health care
fertility

quackery

Racketeering

Return

Tech support

Slamming

Telemarketing

Wine

Family-related

Fertility

Marriage

Paternity

Financial-related

Advance-fee
lottery scam

Bank

Bankruptcy

Chargeback

Cheque

Credit card and carding

Forex

Insurance

Lottery

Mismarking

Mortgage

Overpayment

Securities

Shill bidding

Tax

Government-related

Benefit

Electoral

Medicare

Visa

Welfare

Other types

Affinity

Charity

Counterfeiting

Faked death

Forgery

Hoax

Impersonation

Mail and wire
honest services

Scam
Romance

Bride

Scientific

Spyware

Vomit

White-collar crime

list

Category

v
t
e
Scams and confidence tricks
Terminology

Scam

Error account

Shill

Shyster

Sucker list

Notable scams and
confidence tricks

1992 Indian stock market scam

2G spectrum case

Advance-fee scam

Art student scam

Badger game

Bait-and-switch

Black money scam

Blessing scam

Bogus escrow

Boiler room

Bride scam

Charity fraud

Clip joint

Coin-matching game

Coin rolling scams

Drop swindle

Embarrassing cheque

Exit scam

Extraterrestrial real estate

Fiddle game

Fine print

Foreclosure rescue scheme

Foreign exchange fraud

Fortune telling fraud

Gem scam

Get-rich-quick scheme

Green goods scam

Hustling

Indian coal allocation scam

IRS impersonation scam

Intellectual property scams

Kansas City Shuffle

Locksmith scam

Long firm

Miracle cars scam

Mismarking

Mock auction

Moving scam

Overpayment scam

Patent safe

Pig in a poke

Pigeon drop

Pork barrel

Pump and dump

Redemption/A4V schemes

Reloading scam

Return fraud

Salting

Shell game

Sick baby hoax

SIM swap scam

Slavery reparations scam

Spanish Prisoner

SSA impersonation scam

SSC Scam

Strip search phone call scam

Swampland in Florida

Technical support scam

Telemarketing fraud

Thai tailor scam

Thai zig zag scam

Three-card monte

Trojan horse

White van speaker scam

Work-at-home scheme

Internet scams and
countermeasures

Avalanche

Carding

Catfishing

Click fraud

Clickjacking

Cramming

Cryptocurrency scams

Cybercrime

CyberThrill

DarkMarket

Domain name scams

Email authentication

Email fraud

Internet vigilantism

Lenny anti-scam bot

Lottery scam

PayPai

Phishing

Referer spoofing

Ripoff Report

Rock Phish

Romance scam

Russian Business Network

SaferNet

Scam baiting
419eater.com

Jim Browning

Kitboga

Scammer Payback

ShadowCrew

Spoofed URL

Spoofing attack

Stock Generation

Voice phishing

Website reputation ratings

Pyramid and
Ponzi schemes

Aman Futures Group

Bernard Cornfeld

Caritas

Dona Branca

Earl Jones

Ezubao

Foundation for New Era Philanthropy

Franchise fraud

High-yield investment program (HYIP)

Investors Overseas Service

Kapa investment scam

Kubus scheme

Madoff investment scandal

Make Money Fast

Matrix scheme

MMM

Petters Group Worldwide

Pyramid schemes in Albania

Reed Slatkin

Saradha Group financial scandal

Secret Sister

Scott W. Rothstein

Stanford Financial Group

Welsh Thrasher faith scam

Lists

Con artists

Confidence tricks

Criminal enterprises, gangs and syndicates

Impostors

In the media
Film and television

Literature

Ponzi schemes

Retrieved from "https://en.wikipedia.org/w/index.php?title=Email_fraud&oldid=1188122645"

[1] S2CID 5472217
.

[2] S2CID 204538981
.

[:0-3] 
PMID 30650114
.

[4] "New E-Scams & Warnings. FBI". Fbi.gov. Retrieved 2012-02-18.

[5] "Hitman Bribe Scam". snopes.com. Retrieved 2012-02-18.

[6] "Top 10 Phish Scams". McAfee. 2006-09-01. Retrieved 2006-09-01.

[7] "Internet Crime Complaint Center's Scam Alerts". IC3.gov. 2012-10-23. Retrieved 2013-12-22.

[8] "Internet Crime Complaint Center's (IC3) – Scam Alerts". ic3.gov. October 17, 2011. Retrieved October 26, 2011.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]