The Most Convincing Email Scam I’ve Ever Received

How to stay safe as spam gets smarter

Photo by Tianyi Ma on Unsplash

I didn’t get a lot of sleep last night. I was already getting into bed just before sunrise, and as my head hit the pillow I figured one last round through my email accounts for the day would help lull my mind to sleep. The very last account I checked, after my personal and writing emails, was the address for a private music class I teach on Thursdays. Admittedly, I don’t check this email very often, as I’ve closed new enrollment for the pandemic and I don’t go out of my way to promote the class online. The inbox was mostly a string of requests and receipts for my Cox Internet, but under them, a more personal message stood out:

New Form Entry: Contact Form

“Huh, can’t believe someone found this site.”

I opened the email. It was about twenty days old and claimed to be from a photographer named Mel Roybal. Mel Roybal was very upset with me.

“Hi there! This is Melinda and I am a licensed photographer.”

This should have been the first hint something fishy was afoot, considering that most photographers don’t need licenses, but alas, I was reading this at 5 am.

“I was surprised, mildly speaking, when I found my images on your website. If you use a copyrighted image without an owner’s consent, you should know that you could be sued by the copyright owner.”

So far, not a great start. Legal trouble is one of my greatest fears and Mel had already sent my brain into overdrive.

The rest of the email was both detailed and angry. She laid out threats to file complaints with my domain provider if I didn’t respond within days and remove the images from the site.

“And if that doesn’t work, you may be pretty damn sure I am going to take it to court! And I will not bother myself to let you know of it in advance!”

She left a link to a Google Drive file containing what she said were her images. Fortunately, even in my early morning stupor, I didn’t click it. I knew what that homepage looked like, and the only images I didn’t create myself were photos of the church the class was hosted in, taken by a member of the congregation.

Though I thought it odd for a parishioner to exercise intellectual property rights this aggressively, my internal spam-meter hadn’t considered the possibility of a phishing attack. I’m used to getting scam messages through my guitar lesson request forms, but they’re generally pretty easy to spot. They’re full of broken English. They request an absurd number of lessons per week, and they sign-off with “Doald O’McRonalsen” and other hilarious approximations of English names.

Most of us have a spam-sense like this, and scammers take notice. Gone are the days where bank fraud and computer viruses spread through faux Nigerian royalty, fake love letters, and enticing workplace memos. In the modern era, it’s less common for scams to target only the elderly and the most gullible tiny fraction of society. Through social engineering, email scams are more complicated and compelling than ever; this one even came with a phone number and several paragraphs in a believable tone. Going forward, we have to readjust our lens and know what to look out for to keep our data and our hardware safe.

Read With Scrutiny, Research if Uncertain

Mel’s email had a few noticeable quirks. First was the “licensed photographer” salutation, but the one that was most noticeable when I became fully awake was her aggression and sense of urgency. Had I been a photographer trolling Google image searches for my pictures, if I spotted a small business infringing on my copyright, I would offer to sell photo licenses and ask respectfully for a takedown if they’re uninterested before threatening any kind of legal action. Lord knows life in the arts is hard, but the copyright courts are harder, more expensive, and more time-consuming. This just isn’t how small artists deal with these kinds of issues.

Reflecting on this, I almost have some respect for how well the shadowed figure behind Mel toed the line between intimidation and believability. The writer in me just has to appreciate a well-executed emotional appeal, even if it’s used for evil.

Another thing that broke the illusion was Mel’s link attachment, which supposedly provided examples of the copyrighted image. In my half-asleep state, it made some sense, but because the images that weren’t my own creations were the only photographs on the page, they weren’t necessary to include at all.

Fraudulent messages like these can be very hard to identify at first glance. One of the quickest ways to tell is to Google the text of the email. The internet’s pretty good at keeping up with all of these, and even more obscure and strange spam calls I’ve gotten are identifiable with a quick google search (All except a creepy recurring call from a prophetic Robo-preacher, what’s up with that?)

Mel also even provided a phone number with a Manhattan area code, which I called with my own number hidden later in the day out of curiosity. The number wasn’t connected to anyone, and searches for “Melinda Roybal Photography” and “Melinda Roybal NYC” returned no results. If there’s a photographer named Mel Roybal, she’s not doing a very good job promoting her work.

Don’t Trust the Authorities, and Check Links Carefully

Many of us who grew up in the early 2000s have likely at some point put our family computers in a sketchy situation through URL typos like “yuutube.com.” There’s even a name for this practice, typosquatting, and email phishers pretending to be everyone from social networks to obscure software developers take advantage of this.

A Phishing Email imitating YouTube. Notice the call to action and short time limit. Screenshot by Dan Thomas

These phishers study the sites carefully and build nearly identical versions of them. From here they can steal your password when you log in. Worse yet, some of these sites redirect to download links, which if not caught by your browser or antivirus can infect your computer, mining passwords and bank information, or even encrypting your files and selling them back to you.

Always check hyperlinks before clicking them. Look for missing dots, shortened domain endings like .cm and .co, as well as typos. This is a trap that’s easy to fall into just by not paying attention, but noticing the details can save your computer and your identity.

One of the most common ways that scammers can steal information through typosquatting is by inciting panic via utility bills. A few years ago, my dad received an automated call from the power company that they were going to cut the lights at his office at noon if their bill wasn’t paid. After canceling work, and after spending hours trying to get a human on the line to find where the mystery charges came from, online research into the call showed that it was a scam. Thankfully, my parents caught on before they betrayed their bank numbers, but these attacks can be even more convincing than regular robocalls if they set up a convincing website.

Learn a Little Social Engineering

Though about 92% of malware is shared through email phishing, you can still catch viruses and lose privacy through scams on social networks, even those with security teams and automated anti-spam algorithms. Getting into the mind of a cyber-criminal is the most reliable way to take safety precautions across all platforms.

Use Tinder regularly? You’ve probably received suspicious messages from lovesick bots trying to “verify your identity” through their link.

Facebook addict? Maybe you’ve had an article or game link you to a typosquatted Facebook clone, which you mysteriously aren’t logged in to.

Common scams on Instagram and Twitter look nearly identical, with accounts promising thousands of followers or a verification check for free by clicking their link.

Here are a few things I’ve noticed about people:

- We’re terrified of losing business or stability

- We desperately desire affection and fear rejection

- We crave social status and validation

- We run on autopilot through sites we’re familiar with

Each of these can be manipulated and flipped on its head by a cybercriminal. Mel took advantage of the first factor, as did the electricity scammer. Everyone from typosquatters to TikTok scammers will seek to profit from these human vulnerabilities. Looking for those exploitations is our base-level of security, no matter where we go online.

People like Mel have been around since the beginning of the internet, and they’ll be here until the end. As long as there is money to be made in human exploitation, that money will be made, and the more comfortable we get existing on platforms with dark sides, the more we’ll brush off their attempts. Mel’s gonna have to get a lot smarter.

Based in New Orleans. Contributing stories about culture, media, news, LGBT+ topics, and internet rabbit holes. (She/Her)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store