Avoiding Email Identity Theft

What is email identity theft? It is the stealing of personal data through the use of scam emails that lead to bogus websites that look like the real thing. Other names for this type of activity are phishing and spoofing.

How Does Email Identity Theft Happen?

Email identity theft or phishing (pronounced "fishing") is one of the biggest problems on the internet today, and has led countless people to give their personal information away to someone with malicious intentions. According to the FBI’s Internet Crime Complaint Center, individuals and businesses have lost more than $3.5 billion through various internet scams.

Here is how an email scam usually works. A spoofed email is one which appears to be sent from a reputable business, government agency, or person you know, when in fact it has originated from an entirely different source. This is done to trick you into believing that it is a legitimate email from a trusted sender. 

These emails appear to come from companies that you generally do business with, such as your bank, a social networking site, online store, or PayPal. These official-looking emails usually request your immediate attention, urging you to log in to the main site to verify or update your account information. You may also receive an email with an order and shipping confirmation (which you know nothing about). These types of emails will contain a link for you to carry out the requested action. When you click on the link, it will take you to a site that looks exactly like the official website. Unfortunately, it's a bogus site set up to steal your information.

Skilled hackers build duplicates of popular web sites in order to trick you into logging in. Once they have your password, they can log into your real account and steal your identity or your money. For example, the most popular email identity theft scam involves duplicating PayPal.

Some scammers even send you to the actual website when you click on the email link. Their link code is capable of launching a pop-up window which will harvest your account information. Once they have your account and logon information, hackers can empty your account or conduct more complex scams hiding behind your identity.

How to Spot a Phishing Scam

In order to avoid being a victim of email identity theft, you should learn about how URLs work. Links that are contained in emails are hyperlinked to website URLs. Phishing emails will show what looks like the official URL, so you should always mouse-over the link. By putting your mouse over a link, it will display the actual URL of the link at the bottom of your browser.

On some phishing emails, the moused-over link is obviously not even close to the original site. On others, it's not so obvious that it's a bogus site. Say that the URL of the official website is YourBank.com. You should check the URL at the bottom of your browser and make sure that it says https://www.YourBank.com followed by a forward slash, followed by whatever information the site requires. If it says something like YourBank.comiaj3k1.org, you can see that it is a false URL that would take you to the comiaj3k1.org website and not your bank. There are also fake sites where the URL has a couple of the letters switched, so pay attention to the spelling in the URL. 
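The checks described above can also be automated. The following Python sketch is an added example, not part of the original article: it pulls the links out of an HTML email body and flags a link whose visible text shows the trusted site while the real destination is elsewhere, a host that only starts with the trusted name, and a host with switched letters. The names `TRUSTED`, `LinkCollector`, `classify` and `check_email`, the 0.85 similarity threshold, and the sample message are all assumptions made for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = "yourbank.com"  # assumption: the article's example bank domain

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname; bare text such as 'www.x.com/a' works too."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def is_trusted(host, trusted=TRUSTED):
    # Exact host or a real subdomain; "yourbank.comiaj3k1.org" is only a prefix.
    return host == trusted or host.endswith("." + trusted)

def classify(href, text, trusted=TRUSTED):
    real, shown = host_of(href), host_of(text)
    if is_trusted(real, trusted):
        return "ok" if urlsplit(href).scheme == "https" else "not-https"
    if is_trusted(shown, trusted):
        return "text-link-mismatch"  # shows the bank, goes elsewhere
    # Simplification: compare the last two labels only (ignores .co.uk etc.)
    tail = ".".join(real.split(".")[-2:])
    if SequenceMatcher(None, tail, trusted).ratio() >= 0.85:
        return "lookalike-spelling"  # e.g. two letters switched
    return "untrusted-host"

def check_email(html, trusted=TRUSTED):
    parser = LinkCollector()
    parser.feed(html)
    return [(h, classify(h, t, trusted)) for h, t in parser.links]

# Constructed sample body (not a real message).
SAMPLE = """<a href="http://yourbank.comiaj3k1.org/login">https://www.YourBank.com/login</a>
<a href="https://www.yuorbank.com/update">Update now</a>
<a href="https://www.yourbank.com/account">My account</a>"""
```

Calling `check_email(SAMPLE)` returns one verdict per link, in the order the links appear in the message.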

If you really think the email has come from a legitimate site but are worried about clicking the link, you should go to the official website by opening a new browser and typing in the official website address. As an extra precaution, look for the lock symbol in the address bar of your browser and the "https" at the beginning of the website address. From there, you can log into your account and see if there are any updates that are needed.

Another way you might be tricked is when you receive an email from someone you actually know, asking you to click on a link in the email. If it seems unusual, it might be because their email account was hacked. In these types of situations, it's always better to call your friend or family member to see if they actually sent the email. 

Using Phishing Filters and Anti-Virus Programs

In addition to this basic knowledge of URLs, you can also install some sort of software that will keep an eye out for you. Modern browsers such as Firefox and Chrome have built-in phishing protection. This protection works from a list of reported websites. The browsers also have filters that will look for certain characteristics of the URL and alert you if it appears suspicious.

Many email and anti-virus programs also offer filtering services that will detect scam emails and put them in a special folder.  It's a good idea to see if the program you use offers this capability. If it does, you should be using it.

How to Avoid Becoming a Victim of Email Identity Theft

Here are some do's and don'ts to help you avoid becoming a victim of a phishing scam:


  • Contact the company or bank directly if you are unsure about your account. Never click the link in the email or call the number listed in the email. Instead, look up the number directly.
  • Upgrade your browser and use anti-virus software. 
  • Use your email provider's spam filters. 
  • Use two-factor authentication for your online accounts. Two-factor authentication requires both your password and another way to contact you (such as text) to verify your identity. Even if a scammer gets your password, they won't be able to verify the account because they won't have access to your phone. 
  • If you think an email is fraudulent, delete it. 
  • Review your account statements on a regular basis to ensure all charges are correct. 


  • Never click on links in suspicious emails or texts. Open a new browser and visit the website directly. 
  • Never respond to a suspicious email with your account information, social security number, or any other personal information. Legitimate companies won't ask you to confirm sensitive data in an email. 
  • Be aware of your account status so you aren't fooled into thinking your account is in jeopardy. 
  • Beware of amazing deals on merchandise. If a deal is too good to be true, it probably is and clicking on that link may put your identity and accounts at risk. 
  • Don't open attachments from questionable emails. 
  • Don’t use the same passwords for multiple accounts. 
  • Never provide your password over the phone or through an email.

Reporting a Phishing Scam

If you received a questionable email that appears to be from a company you do business with, go to the actual website and use their contact form to report the phishing email and any relevant information. Some commonly targeted companies even have a link where you can report these email identity theft attempts. You can also report phishing email messages by forwarding them to spam@uce.gov

If you have already disclosed sensitive personal information through a phishing attack, you should contact one of the three main credit bureaus to place a fraud alert on your account. The credit bureau you contact will notify the other two credit bureaus of the fraud alert. Having a fraud alert in place will make it harder for identity thieves to open accounts and loans using your information. You'll also need to notify your financial institution if your account information has been compromised.

Remaining Vigilant

The modern internet has brought us many conveniences, from social media to buying groceries online. But as with anything, some people will try to take unfair advantage of the situation. So while you are enjoying the benefits of technology, you should also keep on the lookout for attempts to steal your personal information. If you get involved in an internet identity theft scam, it can be a real pain to get sorted out.
