
They tried to scam me again. Here’s how they did it and how I figured it out.

Damn.

The scammers tried to deceive me again. And once again, their sophisticated methods surprised me, someone who sniffs out scams for a living.

I received an email claiming to be from a bank. This is the same bank that holds my mortgage, and my husband also has a credit card with the bank.

I’m not naming the bank because in reality this could happen with any bank. Let’s call it ABC Bank for now.

Legitimate notifications from this bank come to me via email, so I took a look. It was sent from “[email protected]”.

This one had a subject line that said: “Activity Alert – See details of your recent activity.”

The message, along with the bank logo, indicated that a new address had been posted on my credit report.

My address? It sent shivers down my spine.

Two years ago, someone changed my mailing address so that all my mail would be forwarded to an out-of-state address. Imagine the bounty a scammer could receive if the Postal Service provided them with my financial account statements.

We were lucky. Really, really lucky.

First, most of my statements do not come to me by mail, but rather electronically. My mailbox is therefore generally not a treasure trove for thieves. I am also registered with Informed Delivery, so I receive a daily email from the US Postal Service detailing the mail items I should expect to receive each day.

Informed Delivery told me a personal letter and gas bill were coming, so when they didn’t arrive I realized something was wrong. A visit to the post office revealed that someone, somehow, had actually asked the postal service to send my mail elsewhere.

We informed the Postal Inspection Service, who opened an investigation, and our mail was redirected to our home.

And just in time.

We received an unexpected debit card for a new bank account which was opened in my husband’s name.

Fortunately, it was delivered to us rather than to the crook. We were able to cancel everything without negative consequences on our credit.

Back to this email which said our address had been changed.

Rather than clicking on the link provided in the email – which you should never do – I logged into our mortgage account to see if there were any changes. Nothing had changed.

My husband had to call to check the credit card account. Nothing had changed there either.

Okay, so this was an attempted scam.

But what about the email address? There were no spelling errors. It was clearly “@BankABC.com”.

It turns out that hovering your mouse over an email address isn’t always enough to reveal the real sender, said David Opderbeck, a law professor and co-director of the Gibbons Institute of Law, Science & Technology at Seton Hall University.

“Internet protocols do not provide mechanisms to confirm that visible content is consistent with hidden routing information,” Opderbeck said. “For this reason, it is easy to forge a visible ‘from’ line that is not actually the domain the email originated from.”

He said cybercriminals can do this on a large scale for large batches of phishing, spear phishing and spoofed emails.

But, he added, most email programs let you view hidden metadata so you can confirm the authenticity of an email. You need to know where to look and what to do, though, which may not be feasible for everyone.
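As an added illustration of what "knowing where to look" involves (this example is not part of the original column), the Python sketch below compares the visible From domain with the Return-Path, Reply-To and Authentication-Results headers of a raw message. The sample message and every domain in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the column); all domains are placeholders.
SPOOFED = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=mailer.invalid;
 dkim=none;
 dmarc=fail header.from=bankabc.example
From: "ABC Bank Alerts" <alerts@bankabc.example>
Reply-To: support@mailer.invalid
Subject: Activity Alert - See details of your recent activity

A new address was posted on your credit report.
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    The topmost header wins; only trust one stamped by your own mail server."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def check_sender(raw):
    """Compare the visible From domain with the hidden routing headers."""
    msg = message_from_string(raw)
    visible = domain_of(msg["From"])
    findings = []
    # Exact-match comparison: stricter than DMARC's relaxed (subdomain) alignment.
    for name in ("Return-Path", "Reply-To"):
        hidden = domain_of(msg[name])
        if hidden and hidden != visible:
            findings.append(f"{name} domain {hidden} differs from From domain {visible}")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "missing")
        if result != "pass":
            findings.append(f"{method} result is {result}")
    return findings
```

Note that SPF passes in the sample because it only validates the hidden envelope sender; the DMARC failure is what shows the visible From domain was not authenticated.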

Instead, you can use additional protections provided by some email services.

Gmail, for example, offers “Improved option to scan messages before delivery.” So when Gmail detects suspicious content, “delivery of the message is slightly delayed so that Gmail can perform additional security checks on the message,” its help site says. But it’s not automatic. As a user, you will need to enable the feature.

Some email services and companies offering anti-malware and anti-spam services offer similar functions, Opderbeck said.

But nothing is foolproof and fraudsters are always looking for ways to up their game and defeat protection technologies.

That’s why the best prevention is education and vigilance, Opderbeck said.

“Understand that service providers such as banks and medical providers will not send unsolicited emails asking for personal information,” he said. “If you have any doubts about the authenticity of an email, call the alleged sender before opening it or clicking on a link.”

Good advice.

The day after writing this column, I received another email with the same bank logo.

This time it alerted me to a shortage of mortgage deposits.

The “from” address was less convincing than the first spoofed email: [email protected].

But the scary part? It showed the last four digits of our mortgage account number. It also indicated that a property tax payment had been made to my current city, and it indicated the date and amount.

It was a lot of detail. So I logged back into my online account. Interestingly, our filing history showed that a different amount had been paid to the city for several quarters, but a payment made nine months ago matched the exact amount stated in that email.

Scary, indeed.


Karin Price Mueller can be reached at [email protected]. Follow her on @KPMueller.