I regularly receive emails which are trying to steal my identity. Recently I received an email, pretending to be from the PayPal Review Team.

Here are ten red-flag rules to warn you not to click on anything:

1. They ask you to download or open an attachment. Legitimate websites never ask you to download an attachment. Downloading an attachment allows them to put their malicious software on your computer and behind your firewall.

2. They pretend to be urgent. They have to overcome your suspicion of their email with your worry that something has to be taken care of immediately

3. They feign concern about your security. Since their email may raise unconscious security concerns, they try to direct those concerns toward helping them break into your computer. It is like the scam, “Someone may have broken into the safe, let’s open it and see if everything is still secure.”

4. They pretend to be about something very important: money, legal troubles, etc. They are trying to get you into the mindset that someone has done something and you need to find out what and solve it. They leave the “what” vague because hopefully that way more recipients will fill in the details from their own life and “know” what the email is referring to.

5. They tend to target something that a large percentage of the population is involved with. Paypal, Bank of America, and Social Security are prime targets because a large percentage of the population has accounts at these organizations and will blindly click on the suggested links or download the attachment.

6. If you hover over the links, some of them are a different URL than you would have expected. Not every email reader allows you to hover over a link and view its URL, but it is a feature I find invaluable. Some of the links might be legitimate, but the one they want you to click on might be different. Some might use some shortened version of a URL such as bit.ly or tinyurl.

7. They are asking you to update or verify your information. In truth, they don’t have any of your information. If you were to be so foolish as to “update” your information, they would say, “thank you” and go and use that information on the real website to steal your identity, your cash, and besmirch your good name.

8. The subject line isn’t well thought out. Major companies have entire departments to write well crafted subject lines. Spammers just copy one of these if they are smart and sophisticated. Otherwise they make the subject a vague noun (e.g. “Account Review”) or a terrifying warning (e.g. “Your Account May Have Been HACKED!!!”).

9. They have strange grammar or formatting mistakes. Oddly enough, if they are pretending to be from an individual, having a typo makes them appear more legitimate. I wrote #5 above and ended my first sentence with a preposition. It shows I am human. Other times spammers are trying to avoid spam filter rules by misspelling key words which would have increased their spam score.  Spam pretending to be corporate email needs to look very clean and precise. You may simply notice a paragraph without the same amount of white space around it.

10. The email appears to come from a friend or family member but doesn’t sound like them. They know you are more likely to help friends and family. As a consequence, if they have put a virus on your loved one’s computer the spammer can read their entire email contacts list and send plausible emails to their friends and family. Call your friend and let them know their computer probably has a virus.

Any one of these red flags should cause you to stop and not do anything with the email.

This technique of trying to get your personal information is called “phishing.” It can also happen with unsolicited phone calls.

Legitimate businesses don’t do these practices. I say legitimate businesses, but the same is not true of government agencies. I’ve seen a plethora of government agencies sending emails demanding that I follow this link and update my address and password on their website. Spammers know this and can exactly copy one of these emails and get all of your information. So I give you an eleventh rule:

11. The email appears to come from the government. You should always beware of emails purporting to be from a government agency. In the unlikely event that they are legitimate they are still trying to steal from you.

Here is a sample email not from the government that I received recently. I have annotated the red flags that ought to alert you that this is a fraudulent phishing expedition: