One of the easiest ways to tell if an email you’ve received is genuine is by checking the email address of the sender. But what happens when the sender is someone you trust, and the email still turns out to be a scam? We’ve been looking into the ‘trusted sender’ scam.
How does the ‘trusted sender’ scam work?
A scammer first gets hold of contact details for their victims, whether through a breach of an organisation that holds a lot of customer information, by buying them on the dark web, or simply by harvesting email addresses that are freely available online, for example on a company website.
Using this list of emails, the scammer then contacts the recipients claiming to be a person the victims will trust, prompting them to click a link or download an attachment. That either lets the phisher install malware on the victim’s machine, or takes them to a webpage where they are asked to enter their personal information or bank details.
Who is the ‘trusted sender’?
The trusted sender can be any person or company that a recipient feels safe talking to. This might be a business or an organisation that they’ve had email conversations with in the past, or a person who is well known or well liked by the recipient. The ‘trusted sender’ scam is particularly effective when the victim is expecting an email from a person or organisation.
Many of the phishing scams we’ve come across fall under the umbrella of a ‘trusted sender’ scam: emails purporting to be from Royal Mail, from your boss and even from your child.
How to tell if the sender is legitimate
With phishing emails that claim to be from someone you trust, and come with a matching email address, it can be much harder to tell whether you’re looking at an email from your boss or an email from a scammer. However, there are some simple ways to check whether you’re being contacted by the real deal or an imposter.
Firstly, pick up the phone. Calling the sender is by far the easiest and most effective way of checking whether an email is legitimate. Make sure that you find the sender’s contact number yourself, rather than using any number provided in the email; remember, that could go straight to the scammer’s mobile.
You can even do this with telephone scammers: ask for a reference number for the call, hang up, and contact the organisation directly yourself. They’ll be able to confirm whether the email you’re looking at is legitimate, or whether you should send it to Junk.
Don’t click any links. Don’t click a link to a webpage, don’t click a link to the business, don’t click an image in the email, don’t click an attachment. Remember, any and all of these links could be laden with malware ready to worm its way onto your smartphone or your computer. If you want to check whether an organisation or a business really did send you that email, find your way to their website yourself.
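The two checks above, looking at who the email really comes from and where its links really go, can be done without clicking anything by reading the raw message. The script below is an added example and not part of the original article; it uses only Python’s standard library on a constructed sample message (the sender, addresses and link targets are all made up, using the reserved .test domain). It reports when the Reply-To address points somewhere other than the From address, and when a link’s visible text names one website but its actual destination is another.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the From address matches the
# trusted colleague, but replies and the main link go somewhere else entirely.
SAMPLE_EML = """\
From: "Jane Boss" <jane.boss@example-company.test>
Reply-To: jane.boss@example-company-mail.test
To: alice@example-company.test
Subject: Urgent: approve this invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Alice, please approve this today.</p>
<p><a href="http://login.example-company.test.attacker.test/approve">https://portal.example-company.test/invoices</a></p>
<p><a href="https://portal.example-company.test/help">Help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (displayed text, href) pairs from an HTML body; nothing is fetched."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_host(url):
    """Hostname of a URL, lower-cased, or '' if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def _domains(header):
    """Lower-cased domains of every address in a parsed address header (empty if absent)."""
    if header is None:
        return set()
    return {addr.domain.lower() for addr in header.addresses}


def inspect_message(raw):
    """Parse a raw message and list the sender and link details that deserve a second look."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sender check: a Reply-To on a different domain means your reply leaves the
    # organisation you think you are talking to.
    from_domains = _domains(msg["From"])
    reply_domains = _domains(msg["Reply-To"])
    if reply_domains and reply_domains != from_domains:
        findings.append(f"Reply-To domain {sorted(reply_domains)} differs from From domain {sorted(from_domains)}")

    # Link check: compare the website the reader sees with where the link really goes.
    collector = LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector.feed(body.get_content())
    for text, href in collector.links:
        shown_host = registrable_host(text) if "://" in text else ""
        real_host = registrable_host(href)
        if shown_host and shown_host != real_host:
            findings.append(f"Link shows {shown_host!r} but goes to {real_host!r}")

    return {"from": str(msg["From"]), "links": collector.links, "findings": findings}


if __name__ == "__main__":
    report = inspect_message(SAMPLE_EML)
    print("From:", report["from"])
    for text, href in report["links"]:
        print(f"  link text: {text!r:45} -> {href}")
    for finding in report["findings"]:
        print("WARNING:", finding)
```

Run it against a message saved as plain text (most email clients offer a ‘view source’ or ‘save as .eml’ option) in place of the constructed sample. It never opens a link or contacts any server, which is the point: you learn where the link leads before deciding whether to type the organisation’s address into your browser yourself.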
When you’re done, click ‘Report’
Some email clients have a ‘Report’ button for scams; you can click this to report a suspicious email to Microsoft, Google, or whoever manages your email. You can also forward these emails to the National Cyber Security Centre; find out how here. Otherwise, make sure you send it to Junk.