Signs an Email is SPAM

SPAM518675585We all get email. We all get junk email. The term that we use is SPAM email. In modern usage, we think of this as the punch line of a “Monty Python” routine. No, I will not sing the “Spam” song for you. The reality is that the term comes from an incident related to the so-called “Robert Morris” worm of 1988. Imagine a piece of Hormel canned meat thrown at the blades of a fan. What comes out the other side?

So, you get an email message. It looks odd, off or perhaps unprofessional. But we get them all the time. So now, you receive a message and it might be legitimate. How can you tell? For example, in the last 54 years, my little brother has not learned to use punctuation or capitalization. That’s how he writes. We’ll look at five telltale signs and then, as a bonus, we’ll add five more that don’t show up well in a blog.

All of the emails that we’ll talk about are actual messages I’ve received. So, let’s look at our first message:

Dear Customer,
Your parcel has arrived at August 28th. Courier was unable to deliver the 
parcel to you.
To receive your parcel, print this label and go to the nearest office.

Underneath the message, there’s a button to click that says “Get Shipment Label”.

This email appears to be from “FedEx International Economy <>” with a subject of “Shipment status ID#00830920”.

Here are five signs that the email might be SPAM:

  1. The salutation isn’t addressed to you personally. When sending personal messages, they almost always name you in the greeting: “Dear Mr. Jones,” or “Mr. Don Jones:” In this case, it is addressed to “Dear Customer.” SPAM email is generated in bulk. Hundreds of thousands of messages are sent in one campaign. Spammers will create generic messages along with generic greetings hoping to lure in the unsuspecting. Another version of this message starts “Dear USPS Customer.” The goal is to catch someone who has just sent or is expecting a parcel. This rule isn’t universally true because legitimate companies will send generically addressed messages — my health insurance company is guilty of this — and in “spear-phishing” each message may be individually addressed. For the latter, one telltale sign is that the addressee is an email address rather than a person’s name.
  2. The message isn’t written in what we would call Standard English. “Your parcel has arrived at August 28th.” Parcels arrive at your home or business. They’re “delivered on” a date and they may “arrive at” your door. If a sentence sounds clumsy, such as “Your parcel has arrived at … ,” it is probably part of a SPAM email. Besides, if the parcel “has arrived,” why are they telling you that there is a problem?
  3. There are grammatical, spelling, or punctuation errors in the email. When we speak, we converse in our “natural” language or languages. Each family of natural languages has its own “layout.” For example, in English, we usually say an adjective before a noun, such as “the red coat.” In French, this is reversed and someone might say “le portemanteaux rouge,” where “rouge” is the color and it comes after the object rather than before, as in English. To understand why the grammar may appear poor, we need to understand that there are two ways of going between languages. When someone translates between languages, not only do they use the words of the new language, but also its format. Transliteration, on the other hand, only replaces the words, but not their order. If I were to transliterate “le portemanteaux rouge” back into English, it would say “the coat red.” To see how this works, spend some time with either Google or Bing online “Translate” services, take phrases in English, change them into another language, and then change them back. Speakers in other languages also tend to use pronouns and other connecting words differently. A good example in our sample SPAM email is the sentence that begins with “Courier was unable … ” where the pronoun “The” is missing. While the grammar of the sentences in the messages may have been correct in the author’s native language, it appears wrong when transliterated to English.
  4. The email directs you to click on a link or attachment to find out more about the problem or service. Admittedly, there may be legitimate times when a message may have you click on a link, such as “to track the status of your order, click here … ” but it is highly unusual to direct you to open an attachment in the email message. In our sample email message it says, “To receive your parcel, print this label and go to the nearest office.” But wait a moment. If I were sending a package, I might need a mailing label. When I’m expecting a package, I might need a shipping receipt or tracking information from the sender … not a label. As a final note, the email tells me to go to my nearest [FedEx] office, but not what to do there? The message implies that my parcel would be waiting for me there, but it actually doesn’t say so.
  5. The wording of the email message uses implied or direct threats. In this case, if I don’t click on the link, print the label and go to my nearest office, I won’t get my parcel.

There are five more signs that a message is SPAM, but they are hard to demonstrate in a blog, so I’ll just list them for you:

  1. When you look at the “To” line of the email, there are multiple recipients to whom the message is being sent. This is either a common mistake on the part of the Spammers or simply laziness, but if the message is addressed to you because FedEx couldn’t deliver your parcel, why are other people getting the same message?
  2. The email address in the “From” line doesn’t match the name of the sender and links in the message point to odd locations. In the case of our sample message, the sender claimed to be “FedEx International Economy” but my email reader showed the actual address as “” Likewise, when I gently move the mouse over the button to print the label (we call this hovering), it shows a web link to a site, in this case a server in Estonia.
  3. The SPAM email asks you to include personal information that wouldn’t need to be included in the normal course of business. For example, the message may ask you to include a credit card number along with its expiration and security number (we call that the CVV or Customer Verification Value). Or it may ask you for your postal address or Social Security Number. Always be suspicions if an unsolicited email demands this information.
  4. The email message contains just a link or a link with a single line message such as “Hey Check this out.” Most often, when I’ve received these messages, they appear to be from someone I know. But if I carefully examine the “From” line of the message, I see that it doesn’t originate from that actual email address and someone is just spoofing a name that they hope I’ll recognize.
  5. The email simply contains “Empty” boxes. To avoid many of these pitfalls, Spammers may send messages with just images and no next. Most email readers will leave placeholders where the images should be. Then, using the email reader, you can specifically choose to download the images only if you recognize and trust the source. Spammers will send messages without any text in them — just pictures. Because the victim doesn’t see any text, they may be enticed to download the images to view the actual message. However, there are two problems. First, the images may be laced with malware such as viruses or Trojan Horse programs or other spyware. Downloading the images may download the malicious software to your PC. Second, the Spammers will track when images are downloaded from their servers and this tells the cybercriminal that your email address is valid.

Bonus advice: Finally, never click the “Remove Me” link in a suspect message. All this does is tell the Spammer that you read the message and that they have a good email. This will allow the Spammer to sell your address and will invite more SPAM. Instead, use your email reader to mark the message as SPAM or junk. Don’t forget to periodically check your junk or SPAM folders for messages that were accidentally flagged and moved there. Also, most email readers (including web-based services such as Gmail) have the ability to set up “rules” for your messages. Simply create a rule that deletes the junk mail that you never want to see again.

In Global Knowledge’s Cybersecurity Foundations class, we have an entire chapter dedicated to social engineering and SPAM email attacks. In that lesson, we go in-depth to analyze these email attacks and other tricks cybercriminals use including hacking through social networks.

With these telltale signs, we can easily spot SPAM email messages. Try your hand at another message by reviewing and applying these rules to test your skills:

Re: Your Payment Update.
Attention: Beneficiary,
The auditors have handed over your payment authorization file to Mr. George of 
the debt settlement commission in Nigeria, they have been instructed to release 
your unclaimed US$1.5million inheritance/lottery funds to you via an ATM card 
for easy delivery to you with an agreement that you shall ONLY pay the ATM card 
courier fee which must not be more than $60 as stipulated by the auditors.

You are to reconfirm your full names, residential address, age, ID and 
direct telephone numbers to Mr. J. E. George for the delivery of your 
US$1.5million ATM card to you. Send your information's to Mr. George'S EMAIL 
as stated below:

Contact person: Mr. J. E. George ( Debt Settlement Officer)
Contact Emails: ( )

Do let us know once you receive your US$1.5million payment from Mr. George for 
the Updating of our record.

Yours faithfully.
Janet Michael.
Payment Coordinator.

So, how well did you do at spotting the telltale signs that this message is SPAM?

Related Courses
Cybersecurity Foundations
Fundamentals of Information Systems Security
Social Media Security Professional (SMSP) Prep Course

In this article

Join the Conversation