How Corporate Emails Can Fight Scammers

Email phishing scams are on the rise in the United States, causing a reported loss of 1.86 billion dollars in 2020.

Although consumer education reduces harm and police investigations help make the cost of running these scams more difficult, some simple systems can be implemented by companies that can make these scams much harder to implement.

One such system is to send time-sensitive One-Time-Passwords (OTPs) instead of links when requesting users to verify sensitive actions to their account.

This, plus improved language in the email will both reduce the effectiveness of phishing attacks over email, as well as train uses to be wary of emails that contain links.

As an added bonus, using OTPs instead of links increases the interoperability between web applications and mobile applications, and helps to keep the user inside a branded experience.

Why It Works

Sending OTPs instead of links trains the user not to click on links in emails. In doing so, users are likely to use Google or other trusted channels to connect with company websites and not click through to phishing websites that can steal their credentials.

How the Scams Work

These scams often work when a scammer emails a victim. The email looks like a legitimate email from a company or government service such as Amazon, Chase Bank, or the Social Security Administration. This email includes:

  1. Branding that resembles the company or service.
  2. A perceived threat, such as a payment or order that is being processed or an unwanted action that will be taken on the account.
  3. A remedy, such as logging in to cancel the action or provide personal information.
  4. A link that routes to a fake website resembling the company or service.

Links in the email bring the user to a web site that looks like the company or government service. The website is fraudulent and steals the sensitive information provided by the user, such as credentials or other sensitive information. The scammers can then use this information to perform any action in the account, such as making purchases, stealing money, downloading spyware, or signing up for other services using the victim’s identity. The website may even instruct the user to download spyware to continue mining the victim’s computer for sensitive information.

Scammers make these these emails and websites look like real company emails and login pages so they can weaponize the trust-building created by years of company branding.

Some Examples of Dangerous Emails

This one from Amazon contains a link that lets a user deny a login attempt and then sign in to their account.

If the user wasn’t trying to log in, they may assume someone is trying to hack their account and provide sensitive information in the process of attempting to protect their account.

Amazon Sign In Attempt

This one is from Instagram, when a user signs in from a new device.

If the user hadn’t logged in from a new device, they may click the “secure your account here” link and enter sensitive login information into a phishing website.

The only other requirement for this scam is for the scammer to create a website that resembles the corresponding company’s login page. If the user enters their login and password or other sensitive information, they may not even know that they’ve compromised their account.

How to Disarm the Scam

The trick to disarming this scam is to train users not to click on links in the email.

Depending on the type of action a company wants the user to take, they can encourage the user to:

  • Enter a One-Time-Password
  • Log In and take a specific action
  • Take no action

The email should contain instructions for logging into the website if necessary, including a text reference to the website for the user to copy or search.

Example: Enter a One-Time-Password

This type of email may be triggered by a sensitive action such as a forget password request or when signing in on a new device, or verifying the user’s account.

It should include:

  • An explanation of the attempted action
  • A time-sensitive code and how to use it
  • What happens if the user takes no action

Here is an example from LinkedIn when signing into a new device:

Email Featuring a One-Time-Password

This email should also include the text “Never share this code with anyone, ever,” to improve security.

Example Text To Discourage Sharing the OTP

Example: Log In and Take a Specific Action

This type of email may be triggered when there is a change to the user’s account or a change to features on the website.

It should include:

  • Instructions for accessing the website
  • What happens if the user takes no action.

Here is an example of such an email:

Example Email Featuring a Login Action

Example: Take No Action

This email is a variation of the Log In Email, but with a default action of no action. This type of email is sent when a user should be alerted to a change to their account that they may want to block or undo.

It should include:

  • Instructions for accessing the website
  • What happens if the user takes no action

Here’s an example of such an email:

Example Take No Action Email

Why This Works

These emails all have something in common. They don’t include a clickable link or button. Users are unable to click a phishing link.

If the user is already logged int and presented with a OTP input, the user must only copy and paste the OTP back into the website without ever leaving branded environment of the website or app. Note that mobile apps must maintain access to the OTP input as the user switches between apps.

If the user must log into the website, the user to copy and paste or search for the company if necessary.

For added measure, these emails could contain the text “Example Company will never ask you to click a link in an email,” to reinforce the idea that clicking email links are not safe.

The more companies that implement these changes, the more likely users will be trained to feel uncomfortable clicking links in their emails. As users begin to distrust links and buttons in their emails, phishing emails will become less effective as users will use trusted channels to access company websites.




Is a technology and branding nerd who can synthesize any business need into a technology solution. Fun projects have included brain imaging tech & mesh routers.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Preserving Data Privacy(Introduction)

The Unsolved Case of Ricky McCormick

{UPDATE} Leaves - Puzzle Game Hack Free Resources Generator

An outlook on data privacy

5 Ways To Improve Your Business Security

When the Cookie Crumbles

MetaDAO Makes Off With $3.2M in Rug Pull

{UPDATE} احلى العاب Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Adonis Gaitatzis

Adonis Gaitatzis

Is a technology and branding nerd who can synthesize any business need into a technology solution. Fun projects have included brain imaging tech & mesh routers.

More from Medium

What is binance smartchain?the blockchain guide.

How Banks Can Fight Scammers

Demonstration of how client-side content revisions work in scamming.

How to set up a shared masternode

KCC Academy: How to import your KCC history transactions into a spreadsheet.