How do you tell if a message is a scam or not?
Unless you’ve been living under a rock, the chances are you have received plenty of scam messages over the last few years. Scam messages are often sent via SMS, email, WhatsApp and social media messaging systems. If you’ve been following my blog you know that this is hardly a new topic of discussion. In fact, most of my blog posts over the last few years have had a cyber security theme, and that’s no accident.
What we haven’t really talked about much lately is how to distinguish between a legitimate message and a scam, so let’s do that now.
Before I go on I need to give you fair warning: it is sometimes very difficult to tell the difference. Sometimes even we cyber security professionals have trouble distinguishing fake from real. I’ll talk about what to do if you are uncertain about the legitimacy of a message a bit later in this article.
It used to be that you could pick a scam message a mile away based on just a couple of metrics. Usually the message would be full of grammatical and spelling errors, and often any images included were poor quality. As time goes on, though, the content of these scam messages is continually improving, making them harder to detect. Combine this with the knowledge that many larger businesses such as banks and telcos often outsource their customer service departments to international providers where English is not the native language, and even legitimate messages can have a tinge of poor grammar and spelling.
So how do we determine the legitimacy of a suspected scam message?
Today the most useful tool we have is logical thinking and common sense. If we assume that every scam message is trying to get you to take some kind of action (hint: they aren’t) then analysing the content of the message becomes critical. What are they trying to get you to do? The obvious case is where a link is included in the message. Usually the link will take you to a legitimate LOOKING website that prompts you for a username and password, and after you provide your credentials the web page closes or shows some message designed to disarm you. More advanced scammers actually pass your credentials along to the legitimate website and attempt to sign you in. This is a kind of ‘man in the middle’ attack, and such attacks are becoming more common. See my last blog post about Pineapples for more info about an emerging type of MITM attack.
In the example above, if we ask the question “What are they trying to get us to do?” the answer is “To follow a link and hopefully extract some information from us.” The content of such messages varies quite a bit, but almost always they try to induce some kind of emotion in you. Some employ fear to get you thinking “If I don’t do what the message says I might lose access to my account.” Others use greed by claiming you are owed a refund or that someone has sent you a parcel. Of course, this all started way back with the Nigerian Prince scams… Free money, anyone?
Most of these are easy enough to spot if you just take the time to answer the question “What is this message trying to get me to do?”
Scam messages usually encourage you to take some kind of action, but that is not always the case. Take this example below, an SMS message that appears to be from Bendigo Bank.
If we apply the “What are they trying to get me to do?” test to this message then you would have to conclude that the message is legitimate. It contains no links, no phone numbers to call and no call to action other than telling you to independently find the phone number for the bank and call them.
In isolation there is no way to tell if this message is legitimate or not, so we should proceed with caution and do exactly as the message says: call the bank and ask. Most importantly, you have to go and find the phone number for the bank yourself.
Now, let’s look at a message received by the same person the following day:
This message is clearly a scam: they are trying to get you to follow a poorly disguised link. I can’t show you what it would have looked like if you did follow the link because the site has been taken down, but you can bet it would have been a good copy of the Bendigo Bank login page. But what does this second message tell us about the first one? Was that first message designed to soften you up so that when the second message arrives you are more likely to take action?
I can picture the scenario now. You receive the first message and dutifully call the bank, who no doubt tell you everything is fine but that, to be on the safe side, you should immediately change your internet banking password, which you do. The next day you receive the second message, and due to the events of the previous day you think it is legit. Without thinking too much you give the scammers your brand new internet banking password, and your money is gone.
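The “What is this message trying to get me to do?” test can be sketched in code. The Python below is an added example, not part of the original post: the organisation name, its domain, the cue words and both sample messages are constructed for illustration.

```python
import re

# Assumption: domains you found yourself for each organisation (constructed values).
KNOWN_DOMAINS = {"Example Bank": {"bank.example"}}
# Constructed cue words for the two emotions the post names.
CUES = {"fear": ("suspended", "locked", "unusual"), "greed": ("refund", "parcel", "prize")}

LINK_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
PHONE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){7,11}(?!\d)")


def on_known_domain(host, sender):
    """True only if host is the sender's domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS.get(sender, ()))


def triage(message, claimed_sender):
    """Answer 'what is this message trying to get me to do?' for one message."""
    hosts = [m.group(1) for m in LINK_RE.finditer(message)]
    off_domain = [h for h in hosts if not on_known_domain(h, claimed_sender)]
    phones = PHONE_RE.findall(message)
    text = message.lower()
    emotions = sorted(e for e, words in CUES.items() if any(w in text for w in words))
    if off_domain:
        verdict = "scam-likely"      # link leads somewhere the sender does not own
    elif hosts or phones:
        verdict = "verify"           # do not use contact details the message supplies
    else:
        verdict = "inconclusive"     # no action requested: look up the number yourself
    return {"verdict": verdict, "off_domain": off_domain, "phones": phones, "emotions": emotions}


# Constructed samples, loosely modelled on the two kinds of SMS described above.
FIRST = "Example Bank: We noticed unusual activity. Please call the number on our website."
SECOND = "Example Bank: Your account is suspended. Verify at bank.example.secure-verify.test/login"

if __name__ == "__main__":
    for sms in (FIRST, SECOND):
        print(triage(sms, "Example Bank"))
```

An “inconclusive” result is not a clean bill of health: as the two-message scenario shows, a message that asks for nothing can still be the set-up for the next one.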
Not so long ago I was speaking with a client about this and he said to me “I ignore all messages that say they are from my bank.” He then went on to say that if they really wanted to contact him they would send him a letter in the post. Personally, I think this is dangerous thinking. If you receive a message from any organisation you do business with, you should first assess its authenticity and then take appropriate action. Ignoring the message could well lead to greater problems.
So what should you do when you can’t tell if a message is a scam or not?
The first thing to do is ask your trusted I.T. partner. At Australia Wide I.T. we see far more scam messages than most, and coupled with our cyber security expertise we can probably figure out if a particular message is legitimate or not.
If there is still uncertainty you should contact the apparent sender by phone (after having found their phone number independently of the suspect message) and talk to them about it. Of course you may decide that it’s not worth the effort and ignore the message entirely. Like my customer said, they’ll probably just send you a letter anyway, right?