How To: Detect Email Scams

There are a HUGE number of scam emails making the rounds at the moment. Some of these are targeting University of Cambridge users specifically and some are just general scams out to get your money or your personal details. However, they all have a few things in common. Knowing these commonalities – or at least being aware that there are some – can help you protect yourselves.

Signs of the Scams

They are often (though not always!) badly spelled and punctuated. Sometimes this is subtle and sometimes it’s not, but look closely and take note.

They do not address you by your full name, but instead say ‘member’ or ‘subscriber’ or ‘user’. Any bank, building society or web site [such as eBay or PayPal] will address you by name, whether that be your real full name or your registered user name. Calling you by name isn’t, in and of itself, an indication that the message is on the up and up, but it’s a good start.

Any links in the message do not go where they purport to go (e.g. a link says: http://ebay.co.uk/login.php but when you hold your mouse cursor over it, the status bar shows: http://ebay.co.uk.192.168.21.63/login.php or something similar).

The message asks you to ‘confirm your details’ or something bad will happen (e.g. your bank/email/eBay/PayPal/etc. account will be cancelled and/or deleted). No legitimate agency will ever ask you to provide personal data in an email. You should also beware of any agency asking you to log in to confirm your personal info via a web site. This is not a typical occurrence and I’ve never known any site like eBay or PayPal to do it (well, PayPal once, but that was an unusual circumstance). If anyone asks you to do it, be suspicious. I am always happy to check these emails over for you if you’re not sure of their legitimacy. Just forward it to me and I’ll have a look.

For emails that supposedly come from someone in the University, the ‘from’ or ‘reply-to’ or ‘return-path’ addresses may be from a free email service rather than an @cam.ac.uk address. This is not always the case – the most recent ‘Dear User, Your Webmail is over quota’ messages have had a ‘From’ address that says @cam.ac.uk, but the ‘SENDER’ address is a non-Cambridge address. Below is a ‘correct’ version of what you should see:

-------- Original Message --------
Return-Path: <webmaster@english.cam.ac.uk>
Received: from hostname (hostname [192.168.0.0])
    by hostname (Cyrus v2.3.14) with LMTPA;
    Mon, 11 Jan 2010 12:33:47 +0000
From: webmaster@english.cam.ac.uk

Note the return-path at the top and the from: field at the bottom? They’re the same. This is good. Unacceptable would be: return-path: <imascammer@freemailsite.org> with from: webmaster@english.cam.ac.uk. There are cases where this could be a legitimate email, but be suspicious.

For emails that claim to come from within the University and which are supposed to refer to University resources, the link inside the message does not go to a University web address (remember – hold your mouse over the link and look at the status bar to see where a link is really trying to take you! If your web browser or email client doesn’t show you a status bar by default, you can usually turn it on under the ‘View’ menu).
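The header comparison and the link check described above can be done mechanically. The following Python is an added example, not part of the original guide: ORG_DOMAIN, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

ORG_DOMAIN = "cam.ac.uk"  # assumption: domain that genuine internal mail uses


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def in_org(host, org=ORG_DOMAIN):
    """True only for the org domain itself or a real subdomain of it."""
    return host == org or host.endswith("." + org)


def header_findings(raw_message):
    """Flag Return-Path/Sender/Reply-To domains that disagree with From."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    for name in ("Return-Path", "Sender", "Reply-To"):
        dom = domain_of(msg[name])
        # Different hosts inside the same organisation are normal; anything else is not.
        if dom and dom != from_dom and not (in_org(dom) and in_org(from_dom)):
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    return findings


def link_mismatch(shown_text, href):
    """True if the link text looks like a URL but the real target host differs."""
    shown = urlsplit(shown_text.strip()).hostname
    actual = urlsplit(href.strip()).hostname
    # Compare whole hostnames: a prefix test would accept
    # 'ebay.co.uk.192.168.21.63' as if it were 'ebay.co.uk'.
    return shown is not None and shown != actual


# Constructed sample using the mismatched addresses described in the text.
SAMPLE = (
    "Return-Path: <imascammer@freemailsite.org>\n"
    "From: webmaster@english.cam.ac.uk\n"
    "Subject: Your Webmail is over quota\n\n"
    "Dear User ...\n"
)

if __name__ == "__main__":
    print(header_findings(SAMPLE))
    print(link_mismatch("http://ebay.co.uk/login.php",
                        "http://ebay.co.uk.192.168.21.63/login.php"))
```

A finding here is a reason to look more closely, not proof: mailing lists and forwarding services can legitimately rewrite the Return-Path.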

Check the time that the message was sent or received, especially if you know the person from whom it is supposed to have come. Would Dr Bloggs really be emailing you at 2AM? Even more suspiciously, would HM Revenue & Customs email you at 6AM? (Though that last is a whole other skillet of spam.)

It also helps to remember that occasionally, Cambridge users are actually targeted by scammers. It makes things seem more legit if they attach the (freely available) University Crest or put the (also freely available) University’s Old Schools address in the signature. These things do not a legitimate message make. Don’t forget that no one in the Computing Service will ever ask you for your password over email or via the phone, nor will they ever ask you to ‘confirm your details’ in order to keep your email account.

(Updated 5 Oct 2017)