With all of the emphasis on phishing and social engineering scams, it might be easy to lose sight of old-fashioned swindles. While there are some cutting-edge techniques out there for tricking you into handing over private information (like login/password or payment information), there are still plenty of emails that are just advertisements for less-than-reputable companies who would like you to pay for inadequate services or buy a service that will have you saying “goodbye” to your hard-earned cash. Today, we’ll take a look at some classic spam: cold emails from shady or unvetted companies.
Spam: not necessarily phishing
The term “spam” has been around long enough in its current usage that it’s hard to remember what it meant before the internet. It references the famous sketch from Monty Python’s Flying Circus where some patrons ask what’s on a café’s menu, only to be given a very long list of various combinations of Spam. Regarding email, spam could come from anyone: a well-known (but overly aggressive) national brand, threatening scammers, or just “cold calls” from unknown small businesses and consultants.
There are plenty of tools that can be used to judge the credibility and usefulness of an email. One of our favorites is Proofpoint, which takes a global network of billions of emails and applies machine learning techniques to make the best guess of whether or not something is spam or fraudulent email. As an MSP, we see quite a bit of what does and doesn’t get caught in these filters and see the trends among our clients. With the knowledge that we gain across our client base, we can then look specifically at emails that beat the filter, as well as things that can’t get through even though they are legitimate.
There is a ton of direct marketing done via email, though. It used to be really easy to pick up the phone and start making cold calls, but today, it’s far easier to send 1000s of emails with a few clicks. With that type of accessibility, even legitimate companies may try out an email campaign on unsuspecting leads. These emails sometimes get through spam filters, and sometimes get caught in them: things like reputation and setting email security policies are important to the email deliverers—namely Microsoft and Google.
Sales email or scam?
Let’s say, for a moment, that an email makes it through your spam filter and into your inbox, and it seems to match exactly with something you were already thinking about. Launching a new website, for instance, means that you’d likely buy the domain name, then put together the project for building the website. Do you have a web developer that you work with, or are you looking for someone? Do you need some outside help with marketing the site once you’re done?
If you’ve been thinking about these questions and—magically—an email arrives letting you know about a company that specializes in exactly these very things, you may think it was exactly the right time and reply to it. How did they know you were in the market, though?
If you register a domain name without ensuring your WHOIS privacy, the information is immediately publicly available. Website developers and webhosts could simply look at who owns new domains, do a little research on email addresses at your organization, and start sending as many emails as they can to get your attention. It isn’t fate bringing you together, in other words.
Because this information isn’t private, both legitimate developers and scammers could reach you with the same message: “we’ll build a new website for you for [low cost]!” Whether or not the company is legitimate. you’ll have their attention when you re. back out, and they’ll keep throwing res. ces at you until they get a firm reason not to.
Vetting a cold email?
If you’d like to not be hounded by a web developer’s sales department or a scammer trying to trick you into buying a website that might never be built, there are plenty of resources online that should help you establish the legitimacy of a company that’s reaching out. While they are imperfect, you should be able to do some research to find out if the company is listed on Yelp or Google to find reviews and judge their legitimacy before reaching out to them. Well-established companies will ask their clients to leave a review just to establish credibility for this exact reason. There is still a possibility that a not-so-reputable company could have illegitimate reviews to inflate their rating, but those platforms do their best to eliminate that possibility.
Other platforms are far more strenuously vetted and gatekept, like Clutch.co or G2.com. There, you’ll find a great deal of technical help, but the bar for entry is much higher. If you find a company on G2, there’s probably nothing to worry about, as far as the company’s legitimacy is concerned. Look for these kinds of review sites in any other vertical to find trusted services and companies.
Beyond this, you might turn to social media posts to find some real-world opinions about a company, although that might not make sense if the company is a small outfit of web developers. It’s still worth noting that social media has its own imposter problems, and anonymous accounts on various platforms have been tied to actual companies’ marketing departments time and time again. If you see someone being too overly enthusiastic and consistently talking about how great a company or service is, it should be taken with a grain of salt.
Just say “no”
Even by doing the vetting yourself, though, you could be researching a legitimate company, but then contacting a third-party and being lured into a scam. Ultimately, the FTC says to simply treat marketing materials as if they are scams. If you don’t expect the email, you shouldn’t be opening it, let alone clicking on any links or calling back any numbers contained therein. While cold-calling techniques don’t really make someone a scammer, there are just too many things that could go wrong when dealing with an email that you’re not expecting. While researching the subject, I looked for sources that claimed that cold emails were effective; one Harvard Business Review article linked to a reputable how-to on building a business network from scratch. The article is, 8 years later, amended to include a note that the author was convicted of fraud in 2022.
Any service that you might be looking for can be found for a reasonable cost in the course of normal business. Trusting someone whose tactics don’t vary much from scammers might mean that they’re not very well established, but even by that measure, there’s likely a better option to get better results. Ultimately, the old saying doesn’t need an update: if it looks too good to be true, it probably is.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team