I write about cybersecurity and online scams daily, so my inbox is always filled with a healthy mix of story pitches from public relations professionals, scam messages, and phishing attempts. Unfortunately, it’s not always easy to tell them apart.
Recently, I received a PR pitch about romance scammers, and I’ll admit, on first glance, it seemed like the basis for a great story. However, after I paused to read the message again, all I saw were red flags. Let’s read the email together and identify all the signs of a possible scam in progress.
The Anatomy of a Scam Email: What to Watch For
Hover over the dots on the image below to see each possible scam indicator:
Now, let’s dissect the red flags that brought my morning inbox scroll to a halt.
A Free, Generic Email Address
First, the email address is a last name + first name address from Gmail. Although I occasionally receive emails from work contacts’ free personal accounts, most PR professionals make their initial contact using an email address with a corporate domain, which immediately raises my suspicions.
Suspicious-Looking Social Media
Next, I examined the sender’s social media presence. The X account in the email hasn’t posted publicly since 2021. The last replies were in 2023, asking journalists for their email addresses. Typically, PR professionals do not include inactive social media accounts in their email signatures.
An anemic online presence alone isn’t cause for suspicion (I shut down my personal social media account a couple of years ago). Maybe the sender simply wanted to receive fewer scam calls and texts from criminals trawling the public web for potential victims. That said, my suspicions escalated when I scrolled through their Twitter profile and discovered that it had been posting spammy-looking links to Minecraft giveaways since 2016.
(Credit: X/UserVoice/PCMag)
Unlike most PR professionals, the sender (who has a very unusual name) doesn’t have an online presence beyond a single Quora answer from several years ago, a comment on a dating app support site advertising a profile unblocking app, and the aforementioned defunct Twitter profile. For privacy, I’ve redacted the name and contact information of the sender, as well as any pictures from the sender’s social media accounts. Although I’m fairly certain this is a scam email, I wouldn’t be surprised if a real person’s account had been hijacked a long time ago and turned into a zombie account, designed to collect email addresses and distribute scam links.
If you’re unfamiliar with zombie social media profiles, they show up when scammers pay hackers (or obtain breached credentials that still work) to take over abandoned social media accounts with long posting histories. Once the scammer has access to one of these accounts, they post links to scam websites or, in this case, repeatedly reach out to journalists to request their email addresses.
No Links
I’ve warned readers for years about the dangers of clicking on links in emails without hesitation, but experience has taught me that the absence of a URL in a pitch email is a significant red flag. PR professionals want journalists to have easy access to all the tools they need to highlight their clients, so it’s unlikely they wouldn’t send me a link to the website discussed in the email.
I typed the service’s name into Google, and the top result was a real website, which settled my fears, but not for long. As I clicked through the generic-looking website (which was decorated with free stock art), I couldn’t find any information about the company or the humans who created the website.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
The service’s reviews on TrustPilot also failed to instill confidence in me, as the company’s rating was classified as “Poor.” Most customers on the review site stated that the service was a scam because, despite entering photos and paying for a subscription, they received nothing in return.
A Very Lax Privacy Policy
I read the company’s privacy policy, which stated that the company will retain any photos you upload to the site indefinitely and share them with third parties “as needed.” The terms of service document and the privacy policy lack information about the company behind the website, including a consistent company name (the name of the company changes several times throughout the policy), a physical address, or any indication of the company’s country of origin or legal jurisdiction.
Missing Key Information
While the premise of the romance scam prevention pitch was intriguing, important information was left out. Take a look at the quote from the chief marketing officer (CMO)—the person’s last name is not provided, and there’s no mention of this person or any other individuals who work at the company on the website.
Recommended by Our Editors
I suspect that this email and the story pitch are generated by AI. To test my theory, I entered the following prompt into Google Gemini: “Please create an appealing pitch for a consumer tech publication article about romance scammers reusing deepfaked photos. Create supporting survey results, and offer an interview with an executive.”
Google Gemini created a link-free story pitch that requires only minor customization tweaks before it’s ready to pitch to a journalist or two. The chatbot generated entirely fake research, too, and even offered a fictional expert (with a complete name) for an interview:
(Credit: Google Gemini/PCMag)
(Credit: Google Gemini/PCMag)
My experiment does not confirm that the sender used AI to generate the email or the research. However, it shows that AI can create a message with a similar tone and structure and will fabricate research and entire people if you ask. I’m fairly certain that scammers do.
I did not call the phone number in the sender’s email signature because, although it appears to be a valid Polish phone number, the rest of the email contains enough red flags for me not to engage with the sender further.
What to Do When You Receive a Scammy-Looking Email
So, if you receive an email that lacks the hallmarks of a scam or phishing message but still triggers your mental alarms, I suggest not responding and not engaging with it. I didn’t call the phone number, reach out to the sender on another platform, or try to upload photos to the website. Instead, I marked the email as a possible scam or phishing attempt from my inbox.
This action triggers a report that is sent to my company’s IT department, and they will examine the contents of the message to determine whether it’s legitimate or not. The suspicious email will reside in my Spam folder until it is automatically deleted, along with all less sophisticated scam attempts, at the end of the week.
If you find yourself in a similar situation, report the scam immediately. If you’re unsure how, check out my article on how to report scams. In short, you should consider informing the FTC, logging a complaint with the Internet Crime Complaint Center, or contacting the Consumer Financial Protection Bureau for assistance.
About Our Expert
Kim Key
Senior Writer, Security
Experience
I review privacy tools like hardware security keys, password managers, private messaging apps and ad-blocking software. I also report on online scams and offer advice to families and individuals about staying safe on the internet. Before joining PCMag, I wrote about tech and video games for CNN, Fanbyte, Mashable, The New York Times, and TechRadar. I also worked at CNN International, where I did field producing and reporting on sports that are popular with worldwide audiences.
In addition to the below categories, I also exclusively cover adblockers, authenticator apps, hardware security keys, and private messaging apps.
This article was published by WTVG on 2025-10-10 08:00:00
View Original Post
