Scams are getting trickier and trickier. And it looks like we’re still falling for them.
According to the latest Phishing Benchmark Global Report by Fortra’s Terranova Security, 60% of those who clicked on a malicious phishing link ended up compromising their business account passwords in the process. And over one in ten of all those tested clicked.
Though the percentage of fraudulent messages has been steadily declining over the past decade, it is still too high. Last year, nearly half (45%) of all emails sent around the world were spam, resulting in roughly 160 billion spam emails being sent and received per day. Considering that there are 4.5 billion email users globally, that amounts to around 35 spam emails per day for each of us. Sounds about right, doesn’t it (if a bit low!).
No one is immune to these nuisances, as a sample size of our Fortra SMEs will show us. We spoke with several Fortra experts and asked them about their experiences with scam emails, when they noticed them the most, and what they did when they showed up in their own inboxes.
Their insights form the basis for this blog. Let’s dive in as our experts provide their personal answers to the following questions:
While not likely to bring down the global average, their responses can help us look more closely the next time we skim an email.
When in the year are scammers most active?
Do scammers all get together and agree on a “most productive time of the year?” Maybe not. But there are definitely certain months when you'd be better off betting on a lot of malicious mail.
Survey says? Holidays.
“I’ve noticed more scammers active on Amazon Prime day, Black Friday (in the U.S.) and during ‘Back to School’ and election seasons.” —Lisa Lombardo, Software Development Manager
“Sales like Black Friday, the Christmas season, or the cold months when we all need heating usually bring more scammers out. Other highly active periods include monthly, when you receive bank statements, and during special sporting events like the Olympics, World Cup, and Euros.” —Keith Fuller, Technical Consultant
“Scammers impersonate tax authorities, or tempt people with too-good-to-be-true deals, especially during the holiday shopping season, Black Friday, back-to-school season, or sporting events like the Olympics.” —Krzysztof Sobierajski, Technical Consultant
Emergencies and Disasters
“In my personal experience, I have seen scam initiatives during festivals (like Diwali or Christmas) or during natural calamities (such as the recent floods in India).” —Raghu Bhat, Senior Support Manager
“Scammers have preyed on every opportunity from Covid-19 and natural disasters to Black Friday and Cyber Monday.” —Dario Soria, Professional Services Manager
Tell us about the kinds of scams you’ve spotted in real life.
As scams get more subtle, they can fool even the best of us. Part of the genius is being able to distinguish one in the first place. Sometimes we can — and sometimes we can’t. But with each dupe, we get a little better at distinguishing the flaws for next time.
You Won!
“I received a call stating I won a lottery during the Diwali bonanza. They asked me to pay an amount to register my details and ship the prizes to my home. They claimed I would receive a one-time password (OTP), which I would have to share with them.” —Raghu Bhat
The Professional Ploy
“When selling something on Facebook, I was scammed.” —Keith Fuller
“You often see scams targeting accounting businesses by sending fake invoices in the hope that they will be processed.” —Krzysztof Sobierajski
Speaking of professional deception, Amador Manero, a Senior Technical Support Manager at Fortra, shared his own personal account of when he found himself “one click away from being taken for a ride.” States Manero:
“Last September, I was on the phone talking with who I believed was my local gas supplier. The representative was polite and confident, but my personal details on file were eight years out of date. Assuring me that ‘It happens sometimes,’ they updated my information and sent me an SMS link to digitally sign my service contract. I told him I was uncomfortable signing over the phone like that, but he increasingly insisted that I sign the link he had sent. At this point, I knew something wasn’t right.”
The Family Card
“I was targeted by someone spoofing my sister’s email, claiming that she was stuck in Europe and needed money.” —Kelly Egnitz, Lead Technical Consultant
“My parents came close to falling for the text message from an unknown number. The scammer said something like, ‘Hi Mum! I’ve broken my phone! Can you help?’ and requested money for a new iPhone. My mum became immediately suspicious because she knows how I feel about iPhones. Luckily, they messaged me and quickly realised the whole thing had been a scam attempt before any personal details were shared.” —Dr. Steve Jeffery, Lead Solutions Engineer
The “Got Your Back”
“I have received emails from ‘Microsoft’ claiming that my license had expired. Or, from ‘Medicare’ saying that I am eligible for some special device or treatment because of some condition I supposedly have.” —Kelly Egnitz
“My family still gets targeted phone calls pretending to be a ‘computer support technician’. They often pretend to know things about your computer (it’s pretty much a safe bet to guess certain operating systems, manufacturers, etc.) and combine it with some easy-to-gather information (your name and address, etc.). Given a few truths and a couple of educated guesses, it can all sound just plausible enough — and those tiny bits of information can become the leverage they need to slowly ensnare you in their trap.” —Chris Hudson, Professional Services Principal Architect
Targeting the Elderly
“A repeated scam I have seen recently revolves around a celebrity (Dolly Parton most recently) being impersonated on social media preying on senior citizens to get them to send the scammers money for various reasons.” —Bob Erdman, Associate VP, Research & Development
“A 90-year-old friend of mine, who was a retired doctor, rang me to help her with an unusual problem. When I came by to see the problem, I noticed unusual applications installed on her PC, allowing attackers uninterrupted access to it.” —Krzysztof Sobierajski
The Stalker/Profiler
“The scams that concern me the most are those where the fraudsters have meticulously compiled detailed profiles of individuals over many years. These scammers obtained your email from a decade-old data breach and have since enriched this profile through subsequent leaks tied to the same address. With just enough effort to make their schemes appear legitimate — perhaps by referencing a family member or an employer — they significantly enhance their chances of deception.” —Chris Hudson
The Anatomy of a Social Media Scam
Bob Erdman breaks down the attack sequence of a serial social media scammer.
The scammers use a network of accounts with varying names usually ending in numeric values that can be easily increased when accounts are disabled.
They begin with getting someone to follow their fake social media account.
Then they reach out via direct message to chat up the person.
After some social engineering, they try and get a photo and address for the person for “prize delivery”, and if they can get it, their direct phone number.
Once on the hook, they will try and get the victim to go to another secure communication app that offers encrypted communications. They will send an app store link asking the victim to install it in order to facilitate the actions. This makes it harder for family/law enforcement to track.
The request to send money generally takes the form of gift cards or cash apps. When the victim buys the gift cards (so that the codes on the back can be sent and monetized), the scammers often ask them to pay in cash, which is much harder to track or dispute than a credit card charge.
If they start to see actions blocking their social media interactions, they fall back to the secure communications apps and direct text messaging. By tracking the scammers’ accounts, you will see a mix of both fake individual accounts and fake business accounts under which they are maintaining a network of fraud.
How did you know it was a scam?
Typically, there are some tell-tale signs that give them away, but with the advent of generative AI, even those red flags are getting harder to see. Without blatant grammatical errors or language barriers, the scam emails showing up in our inboxes are more believable than ever. However, sometimes a well-trained eye can still spot the difference.
“Something Was Off”
“The way the email was written was not in a style my sister would have used. Plus, if she were really in trouble and needed immediate cash, she would have called, not sent an email.” —Kelly Egnitz
“I could tell because the attacker failed to provide accurate information (like legitimate names or real locations). Also, the format of the email (typos or lack of formatting) usually is a giveaway.” —Dario Soria
“Sometimes there will be a picture of a fake call center person or ‘agent’ waiting to complete the transaction. These will always be random photos scraped from the internet that you could often recognize as a public figure.” —Bob Erdman
“The clever ones are emails with logos that look legitimate. But look closely — hover over it with the mouse and verify what the link actually is.” —Kelly Egnitz
“I Did My Own Digging”
“I remained skeptical and confirmed the from email address (or the URL provided) using virustotal.com. To be safe, I don’t respond to any unsolicited phone calls.” —Lisa Lombardo
“While I was still on the phone, I started looking for information on that phone number. I was able to find information from people affected by the scam, and when I insisted that it was not a viable option to sign a document by cell phone, he hung up on me directly.” —Amador Manero
“I asked for their official address and website info, did a search on their whereabouts, and came to know it was fake.” —Raghu Bhat
“Unfortunately, I realised it was a scam when it was too late. I had already posted the item, and the seller then told me I had to pay to get my money back.” —Keith Fuller
“Celebrities are not contacting you to send you a car.” —Bob Erdman
How Did You Handle It?
An uncomfortable feeling often accompanies the realization that you’ve been duped — or that someone has tried. During those moments, there are a few things responsible digital citizens can do to make sure that doesn’t happen to anyone else. Ideally, a few of those actions could even bring the perpetrators to justice. Here is what a few of Fortra’s experts had to say about scam follow-through.
“I Reported Them”
“We informed law enforcement and opened cases to make sure that there was an official record created.” —Bob Erdman
“I alerted my entire family to make them aware of the scam, and also reported the phone number.” —Amador Manero
“I use Google to see if a site is legitimate. If it’s not, I turn it in. I also block and report phone numbers and illegitimate Facebook requests (that I know are fake accounts).” —Kelly Egnitz
“I did not encourage the discussion and shared the caller phone numbers and other details with authorities.” —Raghu Bhat
“I ignore scams, report them when possible, and tell others to be on the lookout.” —Lisa Lombardo
“I Contacted the Banks”
“It can be hard to convince victims that they have been taken advantage of. I got involved and was able to alert family members of some victims as to what was going on and what to watch out for. We notified the fraud department at the victim’s banks to alert them of prior transactions and what to watch for that could be fraud in the future.” —Bob Erdman
“It took me some time to gather forensic evidence and report it to the authorities. I also changed the user permissions, as administrator permissions are not required for daily work and are seldom used. I then also confirmed that the scammers had not accessed my friend’s bank account.” —Krzysztof Sobierajski
“Unfortunately, blocked scammers often return with a new account and the same messaging, so continued vigilance is required.” —Bob Erdman
How Could Others Handle It?
Luckily, for the uninitiated there is still hope of spotting — and neutralizing — fraudulent emails before the ransomware message has a chance to hit the screen. You don’t need incredible powers of perception, though that might help, and there is no need to zoom in on logo pixels (though that could help, as well). As these experts explain, the way to handle a scam situation can be broken down into a few doable steps.
The More You Know
“Education and awareness are key. People who are targeted need to know that a bank will never ask you to provide a one-time code or ask to transfer money to some dodgy account.” —Krzysztof Sobierajski
“Education! NEVER click a link in a text if you are not 100% sure it is legitimate. If you don’t know who it came from, don’t click it!” —Kelly Egnitz
Stay Skeptical
“Never offer information in response to requests unless you’re the instigator of that communication. Assume that your data is already compromised. A connected world means that, even if it’s not out there today, it might be tomorrow.” —Chris Hudson
“Do not send an item until the payment has cleared in your bank account, and for expensive items, it should be a face-to-face transaction.” —Keith Fuller
“Be skeptical, don’t lose judgment with pressure tactics to act quickly, confirm using a completely different contact type, and tell your experience to others, so they can learn.” —Lisa Lombardo
“A healthy dose of paranoia with phone, email, and even in-person exchanges is often the only medicine that will be effective.” —Chris Hudson
Do Your Research
“Take down their details and search for authenticity. Scammers usually rush to complete the transaction as they do not want to give us time to identify their fakeness. Do proper research and ensure the details are genuine before proceeding with the next steps.” —Raghu Bhat
Slow Down and Look Around
“Check in on friends and family that might be susceptible to these types of fraud. Less technically savvy parents, grandparents, and minor children may be at high risk.” —Bob Erdman
“When you find yourself on a scam call, I would advise not panicking. Find someone who can help you handle the situation. Scammers usually pressure you to make a fast decision. Contacting someone else usually helps. Also, asking for a phone number to call them back is usually a nice trick.” —Dario Soria
Ultimately, you want to “report the fraud to the social media abuse contacts, relevant financial institutions, and law enforcement,” as Erdman advises. “Sometimes funds can be recovered or transactions reversed.”
Can Your Employees Do This?
Krzysztof Sobierajski explains the importance of employee security awareness training when it comes to combatting scams. He notes that “education and awareness are key as people are a weak link in the cybersecurity posture,” stating that “people should be able to do the following:”
If in doubt, verify the bank’s request independently. Do not click on a link sent by the “bank” in SMS or email. Even if it seems convenient, better safe than sorry.
Look out for red flags such as urgent requests, poor grammar, and poor spelling. Do not open “LAST WARNING” attachments.
Be wary of even opening photos from unknown people via WhatsApp. Best to ignore and block.
Do not give out personal details via social platforms to reduce the possibility of having your identity stolen.
Use a separate email address for social media. Keep one email account for regular communications with the bank and a different one for communicating with Facebook. Your social media emails can be something like “[email protected],” “[email protected],” or even a 10-min-email account like “https://10minemail(.)com.”
Erdman adds, “If it seems too good to be true, it could be a scam. Look closely at what they are asking for. Don’t ever buy gift cards and send pictures of the codes to claim a prize, legitimate companies do not work that way.”
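Two of the checks above can be automated for triage: Egnitz’s advice to hover over a link and verify where it really goes, and Sobierajski’s red flags of urgent wording. The script below is an added example written for this post, not code from Fortra or any of the experts quoted. It assumes the email body is already available as an HTML string, the urgency phrase list is an assumed starting point, and the sample message is constructed for illustration.

```python
"""Check an HTML email body for the red flags the experts describe.

Added example, not code from the Fortra post. It assumes the message
body is already available as a string; the sample email below is
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording that pressures the reader to act fast (assumed list, extend as needed).
URGENCY_PHRASES = ("last warning", "act now", "immediately",
                   "within 24 hours", "account suspended")

# Visible link text that itself looks like a URL or bare domain.
LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE)


class _EmailParser(HTMLParser):
    """Collects (href, visible text) pairs for <a> tags plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or bare domain, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host.removeprefix("www.")


def link_mismatches(links):
    """Return (shown host, actual host) pairs where the displayed address is
    not where the link really goes: the mismatch you would see by hovering.
    Any difference is reported so a person can judge it, legitimate subdomains included."""
    found = []
    for href, visible in links:
        if LOOKS_LIKE_URL.match(visible):
            shown, actual = host_of(visible), host_of(href)
            if shown != actual:
                found.append((shown, actual))
    return found


def urgency_flags(text):
    """Pressure phrases present in the message text, in list order."""
    lowered = text.lower()
    return [p for p in URGENCY_PHRASES if p in lowered]


def assess(html):
    """Summarise the red flags found in one email body."""
    parser = _EmailParser()
    parser.feed(html)
    mismatches = link_mismatches(parser.links)
    urgency = urgency_flags(" ".join(parser.text))
    return {
        "link_mismatches": mismatches,
        "urgency": urgency,
        "suspicious": bool(mismatches or urgency),
    }


# Constructed sample: a lure that shows the bank's address but links elsewhere.
SAMPLE_EMAIL = """<html><body>
<p>LAST WARNING: your account will be suspended within 24 hours.</p>
<p>Sign in at <a href="http://login.example-bank.com.verify-now.example/auth">
https://www.example-bank.com/login</a></p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
</body></html>"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the first link is reported because the text shows example-bank.com while the href goes to a look-alike host, the help link passes, and both pressure phrases are listed. The check is deliberately conservative: it reports every host difference rather than guessing which ones are legitimate, which is the same stance as the hover-and-verify advice.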
Beating Scammers at Their Own Game
What stands out about all these first-hand fraud encounters is that scams are essentially a mind game. As an industry, cybersecurity has gotten so good at creating technology that can block bad traffic, root out malware, and find malicious attachments that attackers are deciding they’re better off trying their wits against a less invested-in weapon: us.
As we continue to build our own mental databases of “scam signs to spot,” our wits will match theirs, and coupled with technology, we can be a formidable adversary ourselves to any hopeful attackers. If knowledge is power, then the more we can learn about scammers and their techniques, the better.
Build a Cybersecurity Culture
Learn how you can partner with Fortra to build a security-aware culture that helps protect your business.
Make Fortra Your Cybersecurity Ally
Our mission at Fortra is to help organizations increase security maturity while decreasing operational burden. Our vision is a stronger, simpler future for cybersecurity. Who’s with us?