A beginner's guide to detecting malicious emails

Evelyne Pintado
Cybersecurity Blog

Here is a new example of a scam. This time our analysis is based on the emails exchanged between the victim and the scammers.

We would like to draw the general public's attention to some elements that help detect malicious messages, frauds and scams.

How it all started...

As is often the case, this particular scam started on a classifieds site, in this instance a well-known platform in Switzerland. Unfortunately, a website's good reputation does not protect it from disreputable visitors, who can appear under false and constantly changing identities.

An antique sofa-bed was put up for sale. A few hours before the sale closed (a strategic moment), a "buyer" going by the name of Christa Schubiger contacted the seller with a message in broken German.

Following her request, the seller sent Christa a few photos. She answered in hesitant French.

Classic approach: Christa was interested in the furniture on offer, but she did not live in the country. Scammers often exploit the complications that international money transfers and furniture shipping involve.

It should be noted that, even though her writing style seemed unusual, Christa had not yet sent anything malicious. She even provided the seller with a link to PayPal's legitimate website so that he could open an account. The real destination of such a link can be checked by hovering over it with the mouse and comparing the address shown with the one displayed in the text.

However, and this should have been a source of concern, Christa required not only the seller's PayPal identity but also the associated email address. The seller, who had no prior experience of PayPal, provided the requested information.

Shortly afterwards, the seller received a first message, supposedly sent by PayPal, announcing that Christa had paid the required amount. This good news should have rung alarm bells for at least four reasons:

  1. The mail did not come directly from PayPal; it was forwarded by Christa, although the message was meant for the seller.
  2. The sender's email address appeared as paypal@transferintls.com. "transferintls.com" is not one of PayPal's legitimate domain names and should be distrusted. Admittedly, recognising PayPal's legitimate addresses is not always easy, since the company uses different domain extensions in different countries, and a legitimate-looking sender address can also be spoofed. In this instance, however, the scammer did not put much effort into impersonating PayPal.
  3. New element: the seller was now required to pay the shipping costs for the furniture before the transaction could be finalised.
  4. Very high shipping costs, which were not part of the original agreement, were to be deducted from the total amount of the transaction.

The scene being set, the scammers started putting pressure on the seller, who received the following mail a few hours later. Again, five elements should have raised his suspicions:

  1. The mail supposedly sent by PayPal was again forwarded by Christa.
  2. It used the same bogus address, paypal@transferintls.com.
  3. The fonts and layout looked odd in places: the line mentioning Christa Schubiger seemed to have been pasted on top of an existing text. Moreover, the seller was told that he had to pay the shipping costs himself, through a third party outside PayPal, if he wanted to receive Christa's payment.
  4. External bank details were provided.
  5. In this paragraph too, information seemed to have been added on top of an existing text (uneven fonts), and the writing style was strange, made of patched-together bits of sentences.

At this stage the pressure on the seller grew stronger and the emails more frequent. The seller was informed by "PayPal", still through Christa, that the transaction would not go ahead until he had paid CHF 850 directly to the shipping company.

However, the payment address had now changed.

Immediately afterwards, the seller received another message. This time Christa wrote in place of PayPal and sent payment instructions herself, which should have raised further questions.

The seller was surprised by these unanticipated demands and by the change in payment details. He asked for clarification but, of course, got no answer.

Two days later, not having received any payment, the scammer started to fret. He sent a new message, this time directly from "PayPal". The payment address had changed yet again.

A few hours later, as the seller still had not paid, the scammer tried explicit threats: the FBI (!) had supposedly been contacted, the seller's life was at risk, and he should pay within 24 hours, or else...

In short: it was all very creative.

To conclude the story...

Fortunately, it all ended well. Having realised in time that he was being scammed, the seller dropped the transaction. But he could have avoided a lot of unnecessary trouble and worry had he detected at least some of the elements pointed out above, which should be looked for in any online transaction and in email exchanges in general:

  1. Always check the legitimacy and syntax of the sender's email address(es).
  2. Never click on a link received by email before checking that it really leads where it claims to.
  3. Do not trust email attachments.
  4. Do not willingly provide sensitive personal information such as your full PayPal address, logins or passwords, even to people who are supposedly trustworthy.
  5. Look out for spelling, layout and syntax errors in the emails you receive. Combined with other suspicious elements, they can be very meaningful hints.
  6. Take your time reading emails, think carefully and do not give in to pressure.
  7. Be extra cautious whenever money is involved in an internet transaction.
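The first two points of this checklist, and the sender-address and forwarding red flags noted in the analysis of the fake "PayPal" notice above, can be automated. The following Python script is an added example and is not code from the original post: it parses a raw email, checks whether a sender presenting itself as a known brand actually uses that brand's domain, flags messages that arrive as forwards rather than directly, and compares the text shown for each link in the HTML body with the real target of the link. The two sample messages are constructed for this example (the real emails are not reproduced in the post), and the list of legitimate domains is an assumption that must be maintained, since PayPal uses country-specific domains.

```python
"""Header and link triage for a suspicious e-mail (added example, not from the post)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brand keyword -> registrable domains accepted for that brand.
# PayPal uses several country-specific domains; extend this list as needed.
LEGITIMATE_DOMAINS = {"paypal": {"paypal.com"}}


def registrable_domain(host):
    """Last two labels of a host name (simplification: ignores multi-label TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_sender(msg):
    """Checklist point 1: does the sender's domain match the brand it presents as?"""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.rpartition("@")
    presented = f"{name} {local}".lower()
    for brand, domains in LEGITIMATE_DOMAINS.items():
        if brand in presented and registrable_domain(domain) not in domains:
            findings.append(f"sender presents as {brand} but address domain is {domain}")
    # A provider notice forwarded by the counterparty did not come from the provider.
    if re.match(r"\s*(fw|fwd|tr|wg)\s*:", str(msg.get("Subject", "")), re.I):
        findings.append("message was forwarded, not delivered directly by the sender it names")
    return findings


def check_links(msg):
    """Checklist point 2: does each link go where its visible text says it goes?"""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for text, href in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append(f"link text shows {shown.group(1)} but points to {target}")
        elif any(b in text.lower() and target not in d for b, d in LEGITIMATE_DOMAINS.items()):
            findings.append(f"link names a brand but points to {target}")
    return findings


def triage(raw_message):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return check_sender(msg) + check_links(msg)


# Constructed sample modelled on the forwarded "payment received" notice in the post.
FORWARDED_NOTICE = """\
From: PayPal <paypal@transferintls.com>
To: seller@example.org
Subject: Fwd: Payment received from Christa Schubiger
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A payment has been placed on hold until the shipping fee is paid.</p>
<p>Log in at <a href="http://transferintls.com/confirm">https://www.paypal.com/myaccount</a>
to confirm the shipping fee.</p>
</body></html>
"""

# Constructed sample modelled on the earlier mail carrying the genuine sign-up link.
SIGNUP_MAIL = """\
From: Christa Schubiger <christa@example.net>
To: seller@example.org
Subject: Re: Antique sofa-bed
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You can open an account at <a href="https://www.paypal.com/">www.paypal.com</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("signup mail", SIGNUP_MAIL), ("forwarded notice", FORWARDED_NOTICE)):
        print(label, "->", triage(raw) or ["no red flags"])
```

Run it as a script to see the forwarded notice produce three findings (wrong sender domain, forwarded message, link text pointing elsewhere) while the sign-up mail produces none. The domain comparison is deliberately done on the registrable domain rather than the full host, so that www.paypal.com and paypal.com agree, but it is a simplification for multi-label TLDs such as .co.uk.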

Providing foolproof advice against malicious emails is difficult because they come in a great many variations. However, converging circumstantial evidence such as that listed above should make you very suspicious. Be careful at all times!

Further information

  • Take a look at this slideshow. It summarises in pictures some of the risks that can be avoided with proper precautions.
  • Why not do some field work and see if YOU can recognise malicious emails? Take our quiz!
