Beware! There are many email scams and they are always evolving. The major reasons that email is attractive to scammers are:
- it is insanely cheap to spam millions or even billions of accounts,
- it is easy to pretend to be someone else (although this is getting harder), and
- it is easy to hide your tracks by using burner or subverted email infrastructure.
How Do I Recognise a Scam?
Scams are the same online and offline. The scammer wants to take something valuable from you. Some key tells are:
- demanding money (including virtual currencies),
- creating a sense of urgency or panic,
- attempting to embarrass or blackmail you,
- asking for or using your personal information (including passwords!), and
- making promises too good to be true.
Note that sophisicated scams try to convince you they know everything about you. They use your email address. They may know a password from some other site that has been breached.
What Should I Do?
In most cases, the best thing to do is ignore the email. Your address was probably mass generated by the spammer or bought from a data leak on some other site to whom you gave your address. Don't worry. Your email address is not a secret and there is no security implication to it being public.
Don't try and reply to the scam. The sender's address is probably fake or misappropriated. If you somehow succeed, you are just guaranteeing more spam.
Thinking About Passwords
You really don't want a scammer breaking into your email account. For one, they will use your account to hurt others. Worse still, they may use information in your account against you in a targeted attack. These are not nice people.
The most effective things you can do are:
- Choose hard to guess passwords. Random and long is good.
- Only generate passwords locally. Don't trust online services that offer to this.
- Use a different password for each account. You don't want to lose everything becuase some lousy social networking site got breached.
Modern browsers can generate and remember passwords so you don't have to.