Spam. It’s pink and it’s oval. Spam. I buy it at the Mobil. Spam. It’s made in Chernobyl. Spam.
Ok, not that kind of spam. I quite like that kind actually, especially on a barm with a fried egg. No, I’m talking about one of the biggest scourges on the web, one that has probably been around since the dawn of the Internet itself.
According to cybersecurity company DataProt, about 122 billion spam emails are sent each day, which is about 85% of all email traffic globally. The good news is that it takes about 12,500,000 spam emails to successfully trap one person, which is about one hundredth of one percent (0.01%) of all spam sent each day. Remember, however, that 122 billion spam emails are sent every single day, so even a percentage that small would still result in a large number of cases.
You will likely have received some form of spam, at some point. Thankfully, almost all of it is caught in your email’s spam filters which are constantly learning what constitutes an unwanted email. No filter is perfect – sometimes they can be too lax and let emails slip through the net, and sometimes they can catch legitimate emails instead. Some examples of spam emails are:
- Selling products (typically medication)
- Selling services (typically escort or dating services)
- Offering large windfalls (sometimes called “419 Scams” or “Nigerian Prince scams”)
- False claims from services such as your bank, PayPal, Apple Store, or Amazon (typically “phishing” scams – designed to trick you into giving over your account information and password by pretending to be a service you use)
Spam costs businesses around $20.5 billion globally, with many of them falling for simple scams, most of which carry the same hallmarks. If these scams are all similar to one another, though, how can we stop falling for them?
Before I go on ...
At the time I am writing this, the world is still dealing with the COVID-19 pandemic. One of the side effects of this outbreak is that there has been an increase of spam emails focussing on the pandemic, offering "cures" and "tests" and all sorts of things that are blatantly fraudulent or just dangerous. Now, more than ever, watching out for spam emails is going to be important, and it is because of this that I am writing this guide. That said, this guide applies as much today as it does on any other day.
Spam emails are designed and written in a way that allows only a certain kind of person to fall through: one who doesn’t look too closely at the details or will overlook the mistakes without a second thought. While you may feel like you are stupid for falling for something so predictable, you are not. They have been written almost specifically to target you and those like you, so this is not a shortcoming on your side.
As simple as these scams may be, we need to understand the signs to look out for. Understanding the signs is the first step in combatting this global issue. So what should we look out for?
Where is it from?
Quite often, scam emails will not be sent from official addresses. Good scams will be sent from email addresses that bear a vague resemblance to official offices. For example, during tax season in the UK (self-assessments need to be submitted by 31st January each year, so it would be roughly now) emails purportedly from HM Revenue and Customs may appear from “hmcustoms.com” or “hmrcemail.site”. With the new top level domains (TLDs) that are available, having something that looks even remotely official will be much easier. If you have any doubts about their origin, a quick search on your search engine of choice will confirm whether the address is valid.
While some may purport to come from legitimate sources, these emails will be “spoofed” so they look like they come from their alleged sender, but they don’t. Spam filters are more intuitive about these emails and can better sniff them out, but some of them do make it through.
Impersonal greetings
Emails from companies that you know and know you will usually be addressed to you by name, so emails from your bank that speak to “Dear Customer” are not generally to be trusted. Exceptions would be very generalised information that requires almost no action, but if the email suggests that you need to do something, it would be addressed to you by name in line with other communications from them. For example, if your letters are addressed to Mr Hawkes, your emails probably will be as well.
Emails that start “Dear Valued Customer” or “Dear Friend” are commonly scam emails. They are often used in what are termed as “419 scams”, “Nigerian Prince scams”, or “Advanced Fee Scams”. The term “419 scam” refers to section 419 of the Nigerian penal code, which specifically talks about fraud. It is in reference to how many such emails purport to be from a Nigerian prince named His Royal Highness Frederick Malcolm Alexander McQueen von Sherbetbottom de la Frau Farbissina the Fourth. Who has as much likelihood of being a Nigerian Prince as Eddie Murphy.
Although, one of the largest spam tracking organisations – Spamhaus – places the United States as the world’s worst Spam Haven as of February 2022, and Cisco Talos Intelligence suggests that more spam emails originate from the US than any other nation, so you never know …
Poor spelling, grammar, and language
It is common in emails that purport to come from official sources that there will be a number of spelling mistakes or grammatical errors, often in an attempt to sound much more official than they are. There will be overly elaborate content, excessive use of verbose pontification (lots of big words, often misspelt or misused), and a formatting style that wouldn’t be out of place in a governmental handbook. However, these are a ruse to encourage you to trust the sender and believe the content of the email. They are quite often purposefully written with spelling mistakes to filter out the people who wouldn’t be an effective mark.
Oddly impending deadlines
You may – especially when it comes to emails about paying for services or receiving money – be informed of a deadline to submit your payment or your claim for payment. Quite often, that deadline is suspiciously imminent, sometimes even today. They come with a sense of urgency that can be difficult to ignore and that pressures you into making rasher decisions than you normally would.
A client of mine has received a few emails over the years from supposed domain registrars telling her that her domain is due for renewal to the tune of $80-something and payment is due today or else she will lose the domain. There are, however, three problems with these emails:
- Her domain is not with the provider that’s contacting her.
- Her domain costs a little over £10 per year, not $80-something.
- She often gets these emails in the summer, when her domain is due for renewal in the late autumn.
And yet, because the email claims to be from an entity that can remove her from the Internet, and they have a deadline that is immediate, she often forwards the email to me and asks what she needs to do. My response to those is always “Don’t do anything, it’s a scam.” Any legitimate requests would come from recognisable sources and give you enough time – her registrar would normally email her 90 days before a domain expires to invite her to renew.
Should they be asking for this?
It isn’t uncommon for spam emails from someone claiming to be your bank to ask for information. Usually they will claim there was an information breach and your account was compromised, but don’t worry because they stopped it like the good people they are and locked your account from the bad hacker people, and you just need to click this super convenient link right here and verify your username and password and they will unlock your account because they really are nice people, totally not scammers pretending to be your bank.
The truth is, your bank will never, ever, EVER ask for personal information from you by email. They will never ask you for your username or password, and will not ask you to verify your username or password via a link in the email, even in the event of a data breach. They will advise that you change your password through their online banking portal if there is a data breach (and will give you more information thanks to GDPR regulations), but they won’t offer a link to the page in the email since it is assumed that you will know how to access it and will go there yourself.
Speaking of links …
Where are they taking you?
If an email comes and asks for login information, it will likely be spam. But let’s assume that it hasn’t been caught and looks official. Check the links, and see where they go to. This isn’t always easy, especially when using services such as Sparkpost and Mailchimp. Link tracking services tend to forward clicks through their own servers, so it isn’t always easy to tell if they are going to the right destination.
However, services such as online banking, online shopping, or government services – which scammers would usually use to ask for account information – would direct you to a page on their domain rather than forwarding you through a third-party service, so check those links. Hover over the link in question – do not click it – and look at the status bar at the bottom of the window. If you bank with mybank.com and the URL you see is notmybankdotcom.net, then you can tell it’s not a legitimate request and can safely assume that it’s spam. If you cannot tell and you do click it, check the URL that you end up at. If it doesn’t look familiar, close the tab and mark the email as spam.
Do not do what I did ...
Don't submit a login request with a fake email and password. As fun as it may be, and it may waste their time, being on the page may well open your computer to being compromised. The longer you remain there, the more likely it will be that your computer will be compromised.
If you want to experience the fun of wasting their time without the dangers, may I humbly suggest going to YouTube and watching the Scamalot videos from James Veitch?
Check the branding
Spam emails are designed to trick the right people and one way they do that is by looking like official emails, but the templates are often designed en masse and created months in advance, which sometimes means that the emails use the wrong logos, branding, or colour scheme. It can also be that they are created quickly, so use the wrong branding altogether, mismatched colours, or have stretched logos. Emails and letters from banks and companies usually have a set branding and template, so check against other communication you’ve had from them if you can. If the branding matches, it may well be legit (as long as the other rules have been abided by).
Check the contact information
Are phone numbers accurate? Are company registration details accurate? Are head office addresses accurate? Do the contact links point to the right pages? Do the emails have the right disclaimers? Or is the footer nothing more than an image that looks distorted? It’s a thing that we ignore in legitimate emails, but the footer can hold a number of clues to an email’s legitimacy. Check them against other emails from the company and see just how true to form they are.
So what can we do to stop them?
Stopping spam emails will not happen overnight, and it isn’t always possible to do that anyway. But these simple steps can help to reduce the amount of spam you may well get:
- Be careful who you give your information to. Email addresses can often be sold to other companies, especially from unregulated mailing lists. While banks would not sell your email address, nor would trusted companies, some are not so careful with your information.
If it helps ...
One of the things I have is multiple email addresses, depending on who I give them to. Mailing lists that I rarely need to use have one email address, mailing lists that I use regularly have another. Personal utilities have a different address, business utilities have a work-specific address, and friends have another. While this may seem like a lot of addresses for one person, each address has a purpose, and if one address is misused, I can usually find where it was misused and how.
- If you need to register for an account, don’t use the same password across multiple accounts, especially when they share a common email address or username. It is recommended that you use longer, more complex passwords – at least 12 characters long, with a mixture of upper and lowercase letters, numbers and symbols. To have a separate password for each account, especially when you have dozens of accounts that you use, may seem excessive, but it is important that no account shares the same password. A useful tool here would be a password manager. Personally, I use Bitwarden, but I recommend any password manager. Also, if you can, use 2FA. I’ll post another thing about account security later.
- Think before you click. Hover over links that sound suspicious, and see where they point to. Be suspicious of any email that asks for you to confirm your ID, especially when you never asked for it (forgotten password emails aside, obviously). And if you do need to manage your account …
- Log into the site directly, not via the links you were sent. If you use the link you were sent, it may well be a phishing site that will record your username and password. Scammers know that people are more than likely to use the same email address and password for other accounts, so by collecting your username and password for one account, they can use it for other accounts such as Facebook, Apple, even online banking. This is why you should have a different password for each site you use.
- If you do click the links, do not, I repeat, do not download anything from the website. If you haven’t requested a service that requires you to download something – like a gift from a mailing list – the download will likely be malicious and will compromise your device.
- Do not reply to spam emails, not for any reason. Replying confirms that your email address is valid and will result in more spam. Again, watch the Scamalot videos if you’re wanting a giggle at scammers having their time wasted.
- If you are in doubt, check with the service directly. Call their customer service office, or log directly onto the service and use whatever support requests you can. If they confirm the email is legitimate, proceed as you would normally.
Just so you're aware ...
If the email appears to be spam, the company may ask you to forward the email to an address that they provide. It will be safe to do so, and they may take action against the scammers on your behalf, as it would be likely they'll have scammed another of their customers. This also applies to SMS messages - networks will ask that you forward spam messages to 7726, which is free across all mobile networks.
- It’s a good rule to follow anyway, but make sure your computer is up to date and has up to date antivirus protection. While this may not filter out all spam any more than your email service will, it will help to prevent most attacks and security holes that could be exploited by scammers. Downloaded files tend to be used for this, and a good antivirus package can detect most viruses, Trojan horses, and other forms of malware that can compromise your system. In addition, keeping your software and your operating system up to date can close any of the security issues the malware would likely try to exploit.
- This is less of an issue than it used to be – contrary to what some adverts claim – but it still pays to be careful while using public WiFi. In the past, people could sit on public, unsecured WiFi and sniff out internet traffic that passed through it, including usernames and passwords that were sent over it. However, as security and privacy have become more a part of the public consciousness, routers have increased their security, and public WiFi companies have increased the security of their routers. Still, you can never be too careful, so you may wish to have a look at using a VPN or Virtual Private Network. These are services that will reroute traffic through servers and will disguise your true destination to those snooping on the line or at the router.
Just to add ...
One of the most common uses of VPNs is to watch Netflix or YouTube videos that have been blocked based on local copyrights. If I am trying to watch a video on, say, YouTube that a copyright holder has determined should only be watched by US viewers, I cannot watch it in the UK. However, if I fire up my VPN and connect to a US server, any website will think I'm connecting from that server instead. That means YouTube will believe that I am connecting to it from the US and will allow me to watch the video without issue.
Now, I won’t claim that these measures will permanently remove all spam from your mailbox in perpetuity. Spam will still find you, but this will reduce how much you receive and the impact of it significantly.
Do you have any tips on how to avoid spam? What were you taught about spam that you didn’t believe? Head on down to the comments and let’s discuss.