Phishing scams are getting tougher to pull off these days. All those damn email client and browser defences are getting in the way of hardworking phishermen and women going about their daily business. But – dear phisherpeople – you’re also not doing yourselves any favours when it comes to crafting a veneer of decency and honesty in your communications, in fact I propose that you’re missing a significant number of opportunities by neglecting some basics.

So let me share some insight, if you will, into a handful of key techniques you might employ to introduce a little professionalism into your craft. They’re not big things, but they do raise the bar a little on the measure of how foolish you need to be to fall for one of these things in the first place.

1. Get your encodóng right

You see, successful scams are about creating a cadence of credibility and when you can’t even get the encoding of your message right, it’s not a good look:

Incorrect encoding

Yes, yes, I know Obama gets his encoding wrong too, but let’s try and raise the bar a bit and lead by example, ok?

2. Exclamation points – lose them!

I know, I know, it’s all about creating urgency in the hope the poor unsuspecting victim will overlook the stupidity of your email contents but it makes you come across as, well, a little bit desperate:

Exclamation points

Tone it down a little bit, I mean you want the victim to actually like you so don’t come on too strong, ok?


A successful scam requires tender loving grooming and just going right out there and shouting at the victim is likely to get you off on the wrong foot:


Nurture the relationship, dear scammer, be gentle with your victim and don’t “startle the rabbit” with sudden loud noises.

4. Know your customer

This is Hungarian. I am Australian (the one with the kangaroos, not the mountains). It’s hard to scam someone when they don’t understand the language:


Look, I know it’s hard when you’re blatantly spamming the world to narrow down on certain ethnic groups, but consider your ROI; these messages are costing you money so try and refine your targeting a little.

5. Avoid attachments

I know how tempting it is to just attach your malicious payload to the email, after all, what’s better then getting that trojan direct into someone’s inbox:


The problem, of course, is that those bastard email client and antivirus creators are always catching onto these tricks and there’s a good chance you won’t get a foot in the door. Try and host your evil wares somewhere and lure the victim into your lair.

6. Branding – use it

I know its all “left side of the brain” stuff, but a bit of polish on the branding is important, particularly when you’re trying to rip folks off whilst masquerading as a large enterprise:

No branding

Get yourself on over to Google images, do a quick search for “Windows Live Hotmail Logo” and just rip one of those puppies off the site and drop it into the email. Simple professionalism, my friends.

7. Real companies use paragraphs

I know it’s hard when many a scammer has difficulty just spelling their own name, but producing an email which on first glance looks like you dropped both the cat and the dog on the keyboard together really puts you behind the 8-ball:

No paragraphs

Look for the opportunity in your shortcoming; perhaps head on over to some English lessons at night school or even take an online course (you can generally pay for these with stolen credit cards). Treat it as a little self-development exercise.

8. You wont go far if you’re grammar is wrong

Here’s an easy tip; real companies use tools with grammar checking. They also employ people who passed primary school and can properly advise on the appropriate delivery of advice:

Bad grammar

Here’s what you do; grab your pirated version of Microsoft Word, write your spiel up in there, hit “F7” then fix your inane grammar mistakes and badaboom – instant credibility!

9. Be consistent with your language and your encoding

As we saw earlier, encoding can be tricky but if you’re scamming in English, chances are you shouldn’t be encoding in Cyrillic:

Cyrillic encoding

Of course part of the problem is that when you disclose the default encoding of the email client you used to construct the scam, you disclose a little pointer as to where the scam likely originated from. Up until now, nobody had any reason to suspect Eastern Europe of running illegal online activity. Ever.

10. Nobody actually uses fonts that big

I know what you’re thinking – let’s stand out from the crowd, let’s make a real impact and get our message heard. Hey, that’s great for a 5 year olds birthday party invitation but remember we’re aiming for adult-level credibility here:

Large font

You can go a little bit larger on the heading than the body but I’d keep it somewhere within the realm of about 150% of the point size. There’s probably a design rule or something about this but perhaps just start with the rule of “if it looks stupid, don’t do it”.

11. Basic email formatting goes a long way

See what’s gone wrong here? You’ve gone and got your header info all mixed up with your body then it looks like the mail has HTML content but has been set to render just plain text:

Plain text with HTML body

Always format as HTML – always. Without this you’ve got no branding, no imagery and no credibility. I know it’s just a little slipup but that’s all it takes – send out a practice email first if you need to. Remember, those botnets are valuable assets and you really want to maximise the value of the work they’re doing.

12. Tread carefully around the often prickly topic of religion

Oh boy, prickly one, let me try and put this delicately; religion can be polarising:

Our Lord Jesus Christ

I know, I know, a godly scammer can be perceived as more legitimate (he’s down with The Lord – he must be ok!) but you’ve got to be very careful not to pick the wrong god (there’s that audience targeting again) lest you actually upset the recipient.

13. Line breaks
are for
new paragraphs

I get it – line breaks are complicated beasts – but this is an unnecessary faux pas on your part:

Bad line break

Try to do this; when you get to the end of a paragraph, press enter. Don’t be too eager, bide your time and wait for the right moment.

14. Don’t give the game away with dodgy domains

What you need to remember with these scams is that you need to maintain the facade of credibility all the way through:

Bad domain name

You started off well here – the sender address is pure art – but see how the link to the phishing site gives the game away by being totally unrelated to the purported sender? At the very least, try and include the name of the organisation you’re masquerading as in the URL (subdomains make this easy) or even better, register a similar domain name to theirs. If you want to be really tricky, put one of those funky Turkish characters in there which looks like a letter from the Latin alphabet but is really like a uppercase “I” with a dot on it or something. Up here for thinking.

15. Learn some basics about who’s who in the online world

Know your target. Well at least know who you think you’re trying to impersonate in order to carry out your cunning plan:

Microsoft Facebook

Now this may still get you a few bites – there are actually people out there who don’t have a Facebook account (they live in mud huts and don’t have electricity, but I digress) – but you’re going to make a whole bunch of other people let out a big “WTF” on this one. Pick your horse and back it; perhaps do one scam as Microsoft then another as Facebook?

16. Please, oh please, I implore you, don’t beg

It makes you sounds desperate and as you’d be aware from grooming people online, sounding desperate is very often a turnoff (or so I’ve been told):


Better just a “Hey, how are you? Haven’t heard from you for a bit, everything cool?”. Play it smoooooth.

Closing words

I think we’ve learned some valuable lessons here today and the great thing is that none of them are real hard for anyone with a bit of intelligence (you, dear scammer, may also be able to pick some of them up). Most of this comes down to simply taking a bit of pride in your craft – remember, grifting is an art honed over millennia and you, in your nefarious role, are responsible for bringing this heritage into the 21st century.

Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals