Tis the Season to Be Jolly -- and Wary

The Holiday season brings fond memories, excitement, buying gifts for family and friends, and scams. Lots and lots of scams. Learn some handy tips to avoid email scams.

Happy Krampas the Hacker - Art by Tom Tate, ChatGPT, and Freepik AI Image Generator

Tis the Season for Scams

The Holiday season brings fond memories, excitement, buying gifts for family and friends, and scams. Lots and lots of scams. While hackers try to work their evil all year long, it seems like there's been an uptick in scam emails flooding my inbox as Christmas and Hanukkah approach.

The Tells of a Scam

Bad actors use a variety of tactics to separate their marks from their money, identity, data, and so forth.  Common forms include phishing, spoofing, ransomware, and malware. 

Just this morning, a concerned hacker took the time to let me know my Norton Security Suite would update on December 6, 2023. For my convenience, he attached a PDF copy of the invoice. How thoughtful and considerate. Too bad sarcasm is so hard to convey in an article. 

Fortunately, the email provided several "tells" (a poker term referring to habits a player has that tell what kind of hand they have) that told me this was a hacking attempt. Check out the screenshot below and I'll go over the five main ways the erstwhile hacker gave himself away.

Hacker email showing how to tell it's a scam.
  1. The Subject Line was poorly punctuated and awkwardly worded.
  2. That is not a Norton email address.
  3. The grammar throughout was abysmal; clearly the author was not a native English speaker.
  4. More bad grammar pointing out the attachment.
  5. Half-hearted attempt at replicating the Norton logo.

This is a very poor effort as scam emails go. Perhaps it was put together by a hacker's kid in hacker class for a school project. I'd flunk him for this effort.

What's the Hacker's Goal in this Case?

It's apparent that the hacker wants me to either click on the PDF or download it and then open it. Either of these actions might lead to one of the following outcomes:

  • Installs a virus or other malware that fouls up my PC. 
  • Encrypts all my data and demands money to get it back.
  • Installs spyware to capture personal and financial information.
  • Takes me to a "payment" site where I can renew my subscription, providing them with my credit card information directly. Might as well cut out the middleman.

There are more, but you get the picture – nothing good will come of clicking or downloading that document.

Professional Hackers are Much Better at Disguising Their Scams

Scammers at work

Yep, this attempt was as plain as the nose on my face, and easy to avoid. However, professional, experienced email scammers are much better at their crime. I've received emails that have everything down pat, identical in every respect to an email from the real company. Here's a list of what they can get right:

  • Logos, addresses, contact numbers, and emails.
  • Subject Lines are logical and generally grammatically correct.
  • Sender's email looks like it came from the company.
  • Body of the email reads well.
  • A variety of links are provided for you to conveniently take whatever action the email urges.

So, how do you distinguish between a real email and a scam? Here are the steps I take and recommend to anyone wanting to protect themselves from cybercrimes.

  1. Do I do business or have an account with the sender? If not, it's a scam. No need to go any further.
  2. Read the entire email, including footers, looking for grammatical mistakes and awkwardly worded phrasing.
  3. Look closely at the suffix of the sender's email (the stuff following the @). Sometimes the scammer has added an extra letter or two in a manner the casual observer will miss.
  4. Consider if the email matches previous communications with that company.
  5. Was I expecting anything from the company?
  6. What are they asking me to do?
  7. Does it simply feel wrong?
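
Steps 1 and 3 of this checklist can be partly automated. The sketch below is an added example, not part of the original article: it compares the domain in a From line against the companies you actually deal with and flags near-miss spellings and borrowed brand names. The domain names and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed placeholder domains: companies the reader really has accounts with.
KNOWN_DOMAINS = ("mybank.example", "gamestream.example")

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # swap ca for cb
        prev = cur
    return prev[-1]

def check_sender(from_header, known=KNOWN_DOMAINS):
    """Return (verdict, matched_known_domain) for a From: header value."""
    display, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return ("unknown", None)
    for k in known:   # step 1: exact domain, or a subdomain of it
        if domain == k or domain.endswith("." + k):
            return ("known", k)
    for k in known:   # step 3: an extra or swapped letter or two
        if edit_distance(domain, k) <= 2:
            return ("lookalike", k)
    for k in known:   # brand name borrowed in the display name or domain
        brand = k.split(".")[0]
        if brand in display.lower() or brand in domain:
            return ("brand-mismatch", k)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample From lines, one per verdict.
    for sample in ("GameStream <no-reply@mail.gamestream.example>",
                   "MyBank <alerts@mybannk.example>",
                   "MyBank Billing <billing@secure-pay.example>",
                   "Deals <newsletter@randomshop.example>"):
        print(check_sender(sample), sample)
```

A `known` verdict only means the address text matches; the From line itself can be spoofed, so the remaining questions on the checklist still apply.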

Even with all this analysis, I've come down to the last question, and decided something wasn't right. So, what should you do?

When in Doubt, Log into the Company Website Directly

Never, ever click a link in any email you were not expecting to receive. For example, signing up for an account with an online service provider like Twitch or a store often results in them sending you an email to confirm your address. Legit, click away. 

You may get an email with a temporary password and be asked to log in and create a new one. If you were expecting it, go for it.

In situations where I am uncertain, I ditch the email and log into the company on my own, using my saved credentials. I can check my account to see if there are any problems and fix them right then.

I'll be Scammed for Christmas

Yes, this time of year is wonderful. As Bing Crosby sang, "I'll be Home for Christmas," which many folks get to do every year. Practice being wary and block those nasty hackers by following the suggestions in this article, and you'll be spared the version, "I'll be Spammed for Christmas." That's not festive in the least!

Remember, when in doubt, go to the website directly and DO NOT click links, attachments or anything else in the email.