Email fraud

Last updated December 04, 2023

Email fraud (or email scam) is intentional deception for either personal gain or to damage another individual using email as the vehicle. Almost as soon as email became widely used, it began to be used as a means to defraud people, just as telephony and paper mail were used by previous generations.

Email fraud can take the form of a confidence trick ("con game", "scam", etc.). Some confidence tricks tend to exploit the inherent greed and dishonesty of its victims. The prospect of a 'bargain' or 'something for nothing' can be very tempting. Email fraud, as with other "bunco schemes", usually targets naive individuals who put their confidence in schemes to get rich quickly. These include 'too good to be true' investments or offers to sell popular items at 'impossibly low' prices.

Another form of email fraud is an impersonation technique known as email spoofing: the recipient is misled by falsified origin information (From:) into making an anticipated payment into the fraudster's account rather than the correct one. The method is known as phishing or spear phishing: 'phishing' involves sending thousands of emails claiming, for example, that an account has been compromised; 'spear phishing' typically involves a precisely crafted message to a single individual who is expecting a request to make a large payment to a legitimate payee.

Forms

Spoofing

Email sent from someone pretending to be someone else is known as spoofing. Spoofing may take place in a number of ways. Common to all of them is that the actual sender's name and the origin of the message are concealed or masked from the recipient. Many instances of email fraud use at least spoofing, and as most frauds are clearly criminal acts, criminals typically try to avoid easy traceability.

Phishing

Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker^[1]^[2] or to deploy malicious software on the victim's infrastructure such as ransomware. Some spoof messages purport to be from an existing company, perhaps one with which the intended victim already has a business relationship. The 'bait' in this instance may appear to be a message from "the fraud department" of, for example, the victim's bank, which asks the customer to: "confirm their information"; "log in to their account"; "create a new password", or similar requests. Instead of being directed to the website they trust, they are referred to an identical looking page with a different URL. After entering their log-in details, their username and password is visible to the perpetrators. In many cases, phishing emails can appear to be benign - for example, a message prompting the receiver that they have a new friend request on a social media platform. Regardless of how innocent the message is in itself, it will always lead the victim to an imitation web page and false log-in prompt.

In a study, researchers concluded that cognitive reflection and sensation-seeking tendencies are modest but significant predictors of susceptibility to phishing.^[3] Additionally, participants who were pressured to make quick email legitimacy judgments made more errors.^[3]

Bogus offers

Email solicitations to purchase goods or services may be instances of attempted fraud. The fraudulent offer typically features a popular item or service, at a drastically reduced price.

Items may be offered in advance of their actual availability. For instance, the latest video game may be offered prior to its release, but at a similar price to a normal sale. In this case, the "greed factor" is the desire to get something that nobody else has, and before everyone else can get it, rather than a reduction in price. Of course, the item is never delivered, as it was not a legitimate offer in the first place.

Such an offer may even be no more than a phishing attempt to obtain the victim's credit card information, with the intent of using the information to fraudulently obtain goods or services, paid for by the hapless victim, who may not know they were scammed until their credit card has been "used up."

Requests for help

The "request for help" type of email fraud takes this form: an email is sent requesting help in some way. However, a reward is included for this help, which acts as a "hook". The reward may be a large amount of money, a treasure, or some artifact of supposedly great value.

This type of scam has existed at least since the Renaissance, known as the "Spanish Prisoner" or "Turkish Prisoner" scam. In its original form, this scheme has the con man purport to be in correspondence with a wealthy person who has been imprisoned under a false identity and is relying on the confidence artist to raise money to secure his release. The con man tells the "mark" (victim) that he is "allowed" to supply money, for which he should expect a generous reward when the prisoner returns. The confidence artist claims to have chosen the victim for their reputation for honesty.

Other

Business email compromise is a class of email fraud where employees with privileged access (such as to company finances) are deceived into making invalid payments or installing ransomware
Advance-fee scam: Among the variations on this type of scam, are the Nigerian Letter also called the 419 fraud, Nigerian scam, Nigerian bank scam, or Nigerian money offer. The Nigerian Senate emblem is sometimes used in this scam.
Lottery scam: The intended victim is often told their name or email address was selected through a random computer ballot and sponsored by a marketing company. In order to claim their so-called winnings, the victim is asked to provide their bank account details and other personal information. The victim is asked to contact the claims agent or award department.
FBI email: Claim to be an “official order” from the FBI’s Anti-Terrorist and Monetary Crimes Division, from an alleged FBI unit in Nigeria, confirm an inheritance, or contain a lottery notification, all informing recipients they have been named the beneficiary of millions of dollars.^[4]
Hitman: An email is sent to the victim's inbox, supposedly from a hitman who has been hired by a "close friend" of the recipient to kill him or her but will call off the hit in exchange for a large sum of money. This is usually backed up with a warning that if the victim informs local police or the FBI, the "hitman" will be forced to go through with the plan. This is less an advance-fee fraud and more outright extortion, but a reward can sometimes be offered in the form of the "hitman" offering to kill the man who ordered the original hit on the victim.^[5]
Investment schemes: Emails touting investments that promise high rates of return with little or no risk. One version seeks investors to help form an offshore bank. The Fifth Third Bank brand, name, and logo have been frequently exploited in this scam. The computer security company McAfee reports that, at the beginning of September 2006, over 33% of phishing scam emails being reported to McAfee were using Fifth Third Bank's brand.^[6]
Romance scam: Usually this scam begins at an online dating site, and is quickly moved to personal email, online chat room, or social media site. Under this form, fraudsters (pretended males or females) build online relationships, and after some time, they ask for money from the victims. They claim the money is needed due to the fact they have lost their money (or their luggage was stolen), they have been beaten or otherwise harmed and they need to get out of the country to fly to the victim's country.
Dating extortion scam: After baiting an individual into intimate conversations, they are told to pay unless they want their conversations posted online and they are named a cheater. There are no reports from the FBI that indicate that the records are actually removed once payment has been made.^[7]
Online business directory: Typically offering a free subscription to a non-existent directory with hefty fees for maintenance in the fine print.
Death certificate scam: Person will get an obituary off Internet. Find out relatives related. Get their emails. Contact them with fake story of another family member near death, which of course, is only told in ambiguous language. It originates out of Ethiopia with the "makelawi" tag in the email, but it can have de (German free email tag) along with it.
Marriage agency scam: Pretending to be translation agency or marriage agency, they do not actually translate emails nor connect to real brides, but fabricate emails and create fake profiles on dating sites. They can use pictures of real people from other websites. Typically they are aimed at foreign men looking for brides from the former Soviet countries. When a victim is engaged, they ask for communication expenses such as translations, voice phone calls, video calls, "agency fees". They impersonate the brides instead of providing a matchmaking service to them. The real ladies may not be aware that someone is using their identity.
Secret shopper: The intended victim is solicited via email to work as a 'secret shopper', often after the victim's resume has been posted at a job search site. Once engaged, the victim is sent a counterfeit check along with instructions and forms for work as a secret shopper. The provided instructions typically are to make several small transactions at nearby businesses, recording their experience on an official looking form. Universally is the instruction for the victim to also create a significant wire transfer, with a request to rate the experience. The counterfeit check is cashed at the unsuspecting victim's financial institution in order to accomplish the listed tasks.
Traffic ticket spam: Fraudulent emails claiming the recipient had been issued a traffic ticket. The spam, which spoofed a nyc.gov email address, claimed to be from the New York State Police (NYSP).^[8]
Word of Mouth: This type of email spam states that an anonymous person posted a secret about the recipient and that he needs to pay a fee in order to see the message.
Job Scams: The victim is seeking a job and posts a resume on any internet job site. The scammer spots the resume and sends the victim an email claiming to be a legitimate job listing service, and claiming to have a client who is looking for an employee with their skills and experience. The victim is invited to click on a link to apply for the job. Clicking the link takes the victim to a job description specifically written for the skills and experience on the victim's resume, and provides a very high salary, and invites them to "click here" to apply for the job. If the victim clicks on that "apply" link, they are taken to an "application" form that asks for the normal job application information, PLUS the victim's social security number, date of birth, the name of the bank and account number where they will want their paycheck to be deposited to, a "relative" reference, etc. With this information, the scammer can open up a bank account in any on-line bank and utilize the victim's credit to buy items online and ship them to associates who are in on the scam.
PayPal scam: Fraudulent emails claiming the victim has been issued a payment to his/her account, however processing will be complete once the victim has sent the item he/she is selling to the individuals address. This scam is mostly common in selling items to individuals abroad.

Avoiding email fraud

Due to the widespread use of web bugs in email, simply opening an email can potentially alert the sender that the address to which the email is sent is a valid address. This can also happen when the mail is 'reported' as spam, in some cases: if the email is forwarded for inspection, and opened, the sender will be notified in the same way as if the addressee opened it.

Email fraud may be avoided by:

Not responding to suspicious emails.
Keeping one's email address as secret as possible.
Using a spam filter.
Noticing the several spelling errors in the body of the "official looking" email.
Ignoring unsolicited emails of all types and deleting them.
Not clicking on links.
Not opening unexpected attachments, even if they appear to be from someone the user trusts. Many email fraudsters attach viruses or malware to emails.
Ignoring offers from unknown sources. The contents of an email are not a formal or binding agreement.

Many frauds go unreported to authorities, due to feelings of shame, guilt, or embarrassment.

Related Research Articles

<span class="mw-page-title-main">Spamming</span> Unsolicited electronic messages, especially advertisements

Spamming is the use of messaging systems to send multiple unsolicited messages (spam) to large numbers of recipients for the purpose of commercial advertising, for the purpose of non-commercial proselytizing, for any prohibited purpose, or simply repeatedly sending the same message to the same user. While the most widely recognized form of spam is email spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social spam, spam mobile apps, television advertising and file sharing spam. It is named after Spam, a luncheon meat, by way of a Monty Python sketch about a restaurant that has Spam in almost every dish in which Vikings annoyingly sing "Spam" repeatedly.

An advance-fee scam is a form of fraud and is one of the most common types of confidence tricks. The scam typically involves promising the victim a significant share of a large sum of money, in return for a small up-front payment, which the fraudster claims will be used to obtain the large sum. If a victim makes the payment, the fraudster either invents a series of further fees for the victim to pay or simply disappears.

A confidence trick is an attempt to defraud a person or group after first gaining their trust. Confidence tricks exploit victims using a combination of the victim's credulity, naïveté, compassion, vanity, confidence, irresponsibility, and greed. Researchers have defined confidence tricks as "a distinctive species of fraudulent conduct ... intending to further voluntary exchanges that are not mutually beneficial", as they "benefit con operators at the expense of their victims ".

<span class="mw-page-title-main">Phishing</span> Form of social engineering

Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information or installing malware such as ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and transverse any additional security boundaries with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of computer crime.

<span class="mw-page-title-main">Email spam</span> Unsolicited electronic advertising by e-mail

Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoidable, and repetitive. Email spam has steadily grown since the early 1990s, and by 2014 was estimated to account for around 90% of total email traffic.

A Joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early Joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against them, but they are now typically used by commercial spammers to conceal the true origin of their messages and to trick recipients into opening emails apparently coming from a trusted source.

Internet fraud is a type of cybercrime fraud or deception which makes use of the Internet and could involve hiding of information or providing incorrect information for the purpose of tricking victims out of money, property, and inheritance. Internet fraud is not considered a single, distinctive crime but covers a range of illegal and illicit actions that are committed in cyberspace. It is, however, differentiated from theft since, in this case, the victim voluntarily and knowingly provides the information, money or property to the perpetrator. It is also distinguished by the way it involves temporally and spatially separated offenders.

<span class="mw-page-title-main">Lottery scam</span> Fraud pretending to be a lottery

A lottery scam is a type of advance-fee fraud which begins with an unexpected email notification, phone call, or mailing explaining that "You have won!" a large sum of money in a lottery. The recipient of the message—the target of the scam—is usually told to keep the notice secret, "due to a mix-up in some of the names and numbers," and to contact a "claims agent." After contacting the agent, the target of the scam will be asked to pay "processing fees" or "transfer charges" so that the winnings can be distributed, but will never receive any lottery payment. Many email lottery scams use the names of legitimate lottery organizations or other legitimate corporations/companies, but this does not mean the legitimate organizations are in any way involved with the scams.

A spoofed URL involves one website masquerading as another, often leveraging vulnerabilities in web browser technology to facilitate a malicious computer attack. These attacks are particularly effective against computers that lack up-to- security patches. Alternatively, some spoofed URLs are crafted for satirical purposes.

Email spoofing is the creation of email messages with a forged sender address. The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked. Disposable email address or "masked" email is a different topic, providing a masked email address that is not the user's normal address, which is not disclosed, but forwards mail sent to it to the user's real address.

<span class="mw-page-title-main">Romance scam</span> Confidence trick using romantic intentions

A romance scam is a confidence trick involving feigning romantic intentions towards a victim, gaining the victim's affection, and then using that goodwill to get the victim to send money to the scammer under false pretenses or to commit fraud against the victim. Fraudulent acts may involve access to the victim's money, bank accounts, credit cards, passports, e-mail accounts, or national identification numbers; or forcing the victims to commit financial fraud on their behalf.

Voice phishing, or vishing, is the use of telephony to conduct phishing attacks.

Website spoofing is the act of creating a website with the intention of misleading readers that the website has been created by a different person or organization. Normally, the spoof website will adopt the design of the target website, and it sometimes has a similar URL. A more sophisticated attack results in an attacker creating a "shadow copy" of the World Wide Web by having all of the victim's traffic go through the attacker's machine, causing the attacker to obtain the victim's sensitive information.

Telemarketing fraud is fraudulent selling conducted over the telephone. The term is also used for telephone fraud not involving selling.

Internet fraud prevention is the act of stopping various types of internet fraud. Due to the many different ways of committing fraud over the Internet, such as stolen credit cards, identity theft, phishing, and chargebacks, users of the Internet, including online merchants, financial institutions and consumers who make online purchases, must make sure to avoid or minimize the risk of falling prey to such scams.

A scam letter is a document, distributed electronically or otherwise, to a recipient misrepresenting the truth with the aim of gaining an advantage in a fraudulent manner.

Mass-marketing fraud is a scheme that uses mass-communication media – including telephones, the Internet, mass mailings, television, radio, and personal contact – to contact, solicit, and obtain money, funds, or other items of value from multiple victims in one or more jurisdictions. The frauds where victims part with their money by promising cash, prizes, and services and high returns on investment are part of mass market fraud.

A SIM swap scam is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone.

An overpayment scam, also known as a refund scam, is a type of confidence trick designed to prey upon victims' good faith. In the most basic form, an overpayment scam consists of a scammer claiming, falsely, to have sent a victim an excess amount of money. The scammer then attempts to convince the victim to return the difference between the sent amount and the intended amount. This scam can take a number of forms, including check overpayment scams and online refund scams.

References

↑ Jansson, K.; von Solms, R. (2011-11-09). "Phishing for phishing awareness". Behaviour & Information Technology. 32 (6): 584–593. doi:10.1080/0144929X.2011.632650. ISSN 0144-929X. S2CID 5472217.
↑ Fatima, Rubia; Yasin, Affan; Liu, Lin; Wang, Jianmin (2019-10-11). "How persuasive is a phishing email? A phishing game for phishing awareness". Journal of Computer Security. 27 (6): 581–612. doi:10.3233/JCS-181253. S2CID 204538981.
1 2 Jones, Helen S.; Towse, John N.; Race, Nicholas; Harrison, Timothy (2019-01-16). "Email fraud: The search for psychological predictors of susceptibility". PLOS ONE. 14 (1): e0209684. doi: 10.1371/journal.pone.0209684 . ISSN 1932-6203. PMC 6334892 . PMID 30650114.
↑ "New E-Scams & Warnings. FBI". Fbi.gov. Retrieved 2012-02-18.
↑ "Hitman Bribe Scam". snopes.com. Retrieved 2012-02-18.
↑ "Top 10 Phish Scams". McAfee. 2006-09-01. Retrieved 2006-09-01.
↑ "Internet Crime Complaint Center's Scam Alerts". IC3.gov. 2012-10-23. Retrieved 2013-12-22.
↑ "Internet Crime Complaint Center's (IC3) – Scam Alerts". ic3.gov. October 17, 2011. Retrieved October 26, 2011.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Jansson, K.; von Solms, R. (2011-11-09). "Phishing for phishing awareness". Behaviour & Information Technology. 32 (6): 584–593. doi:10.1080/0144929X.2011.632650. ISSN 0144-929X. S2CID 5472217.

[2] Fatima, Rubia; Yasin, Affan; Liu, Lin; Wang, Jianmin (2019-10-11). "How persuasive is a phishing email? A phishing game for phishing awareness". Journal of Computer Security. 27 (6): 581–612. doi:10.3233/JCS-181253. S2CID 204538981.

[:0-3] 1 2 Jones, Helen S.; Towse, John N.; Race, Nicholas; Harrison, Timothy (2019-01-16). "Email fraud: The search for psychological predictors of susceptibility". PLOS ONE. 14 (1): e0209684. doi: 10.1371/journal.pone.0209684 . ISSN 1932-6203. PMC 6334892 . PMID 30650114.

[4] "New E-Scams & Warnings. FBI". Fbi.gov. Retrieved 2012-02-18.

[5] "Hitman Bribe Scam". snopes.com. Retrieved 2012-02-18.

[6] "Top 10 Phish Scams". McAfee. 2006-09-01. Retrieved 2006-09-01.

[7] "Internet Crime Complaint Center's Scam Alerts". IC3.gov. 2012-10-23. Retrieved 2013-12-22.

[8] "Internet Crime Complaint Center's (IC3) – Scam Alerts". ic3.gov. October 17, 2011. Retrieved October 26, 2011.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electronic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	vectorial version
Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking malware Botnets Data breach Drive-by download Browser helper objects Viruses Data scraping Denial of service Eavesdropping Email fraud Email spoofing Exploits Hacktivism Keyloggers Logic bombs Time bombs Fork bombs Zip bombs Fraudulent dialers Malware Payload Phishing Polymorphic engine Privilege escalation Ransomware Rootkits Bootkits Scareware Shellcode Spamming Social engineering Screen scraping Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Code obfuscation Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Security information and event management (SIEM) Mobile secure gateway Runtime application self-protection

v t e Types of fraud
Business-related	Billing Cramming Disability Drug / Pharmaceutical Email Employment Fixing Impersonation Intellectual property Internet Job Long firm Odometer Phone Health care fertility quackery Racketeering Return Tech support Slamming Telemarketing Wine
Family-related	Fertility Marriage Paternity
Financial-related	Advance-fee lottery scam Bank Bankruptcy Chargeback Cheque Credit card and carding Forex Insurance Lottery Mismarking Mortgage Overpayment Securities Shill bidding Tax
Government-related	Benefit Electoral Medicare Visa Welfare
Other types	Affinity Charity Confidence trick Counterfeiting Faked death Forgery Hoax Impersonation Mail and wire honest services Romance Bride Scientific Spyware Vomit White-collar crime
list Category

v t e Scams and confidence tricks
Terminology	Confidence trick Error account Shill Shyster Sucker list
Notable scams and confidence tricks	1992 Indian stock market scam 2G spectrum case Advance-fee scam Art student scam Badger game Bait-and-switch Black money scam Blessing scam Bogus escrow Boiler room Bride scam Charity fraud Clip joint Coin-matching game Coin rolling scams Drop swindle Embarrassing cheque Exit scam Extraterrestrial real estate Fiddle game Fine print Foreclosure rescue scheme Foreign exchange fraud Fortune telling fraud Gem scam Get-rich-quick scheme Green goods scam Hustling Indian coal allocation scam IRS impersonation scam Intellectual property scams Kansas City Shuffle Locksmith scam Long firm Miracle cars scam Mismarking Mock auction Moving scam Overpayment scam Patent safe Pig in a poke Pigeon drop Pork barrel Pump and dump Redemption/A4V schemes Reloading scam Return fraud Salting Shell game Sick baby hoax SIM swap scam Slavery reparations scam Spanish Prisoner SSA impersonation scam SSC Scam Strip search phone call scam Swampland in Florida Technical support scam Telemarketing fraud Thai tailor scam Thai zig zag scam Three-card monte Trojan horse White van speaker scam Work-at-home scheme
Internet scams and countermeasures	Avalanche Carding Catfishing Click fraud Clickjacking Cramming Cryptocurrency scams Cybercrime CyberThrill DarkMarket Domain name scams Email authentication Email fraud Internet vigilantism Lenny anti-scam bot Lottery scam PayPai Phishing Referer spoofing Ripoff Report Rock Phish Romance scam Russian Business Network SaferNet Scam baiting 419eater.com Jim Browning Kitboga Scammer Payback ShadowCrew Spoofed URL Spoofing attack Stock Generation Voice phishing Website reputation ratings Whitemail
Pyramid and Ponzi schemes	Aman Futures Group Bernard Cornfeld Caritas Dona Branca Earl Jones Ezubao Foundation for New Era Philanthropy Franchise fraud High-yield investment program (HYIP) Investors Overseas Service Kapa investment scam Kubus scheme Madoff investment scandal Make Money Fast Matrix scheme MMM Petters Group Worldwide Pyramid schemes in Albania Reed Slatkin Saradha Group financial scandal Secret Sister Scott W. Rothstein Stanford Financial Group Welsh Thrasher faith scam
Lists	Con artists Confidence tricks Criminal enterprises, gangs and syndicates Impostors In the media Film and television Literature Ponzi schemes