Have you ever wondered how scammers seem to get hold of thousands of email addresses for nefarious purposes? Here’s an article that explains how.
Cybercriminals collect email addresses to use for phishing scams. In a phishing scam, you might receive an email that appears to be from a legitimate authority, a business (banks, online store, etc.), or a government agency. Usually, asking you to update or verify your personal information by replying to the email or visiting a website.
The web address might look very familiar to you but all is in an attempt to lure you to take action.
If you give them this information, they quickly use to access your funds, Success!
These phishing emails, normally classified as ‘spam’, seem to arrive in every single email account we use, no matter how careful we are. It becomes troubling because these emails frequently arrive in our inbox. Although thanks to Google and Yahoo’s spam protection technology, these spam emails do not enter our main inbox but a spam folder pending when we review them to confirm their legitimacy.
So how do these criminals, these spammers keep getting all our email addresses? And can we do anything to hide our email addresses from spammers?
Unfortunately, there’s not much you can do to prevent spammers from bombarding you with emails. There are some tips that will help protect you, but spammers will probably find your email address eventually.
Leaked Account Databases
The easiest way for spammers to collect large lists of good, active email addresses is via leaked account databases. These password leaks happen with frightening regularity. Organizations as big as Facebook, Twitter, Adobe, LinkedIn, eHarmony, Gawker, Last.fm, Yahoo!, Snapchat and Sony have all been compromised in the past few years.
These leaked databases are normally considered a security threat because they often show account names and passwords. However, they generally show email addresses, too. Spammers can download these leaked databases and add millions of email addresses to their email lists. Spammers know that the majority of these email addresses should be active, so these databases are excellent for them.
Facebook revealed a data breach in September which allowed attackers to harvest millions of phone numbers and email addresses. The company said hackers used 400,000 accounts under their control to gain the access tokens of 30 million Facebook users
This is likely the way most spammers are currently finding email addresses to spam. There’s really not much you can do to protect yourself from a spammer getting your email address in this way.
A site like Have I been pwned? can tell you if your account information might have been leaked, but these sites won’t include every leak. You can protect yourself from password leaks by not re-using the same password everywhere, but you practically have to re-use the same email address everywhere.
Clicking Links or Loading Images in Spam Emails
If you do get spam emails, you should avoid clicking links in the email. If you see an “Unsubscribe” link in an email from a legitimate company, it’s probably safe to click it. A legitimate company doesn’t want to spam you and potentially run afoul of anti-spam laws, so they’ll just remove you from their list.
On the other hand, if you see an “Unsubscribe” link (or, worse yet, a “Buy Now!” link) in a spam email that looks very unprofessional and scammy, the spammer won’t necessarily remove you from their lists. They’ll note your click and their systems will identify your email address as active. They know you’re there, and you may see larger amounts of spam after you click the link.
The same goes for loading images in spam emails. Don’t click the “Load Images” button, or the spammers will know you’ve opened the email. Even if you don’t see an image in the email, there may be a tiny one-pixel tracking bug that allows the spammer to identify you if you load it. This is why most email clients don’t automatically load images.
Scraping the Web for Plain-Text Addresses
Spammers have traditionally harvested email addresses by scraping the web — kind of like Google does — and look for email addresses mentioned on websites. For example, someone may post a comment like “Email me at email@example.com”. The spammer would then add this address to their spam lists. This is why Craigslist provides a temporary email address where you can be reached rather than including your real email address. This technique is probably less common now that spammers have such large leaked account databases to feast on.
Spammers may also try to acquire valid email addresses by looking in other places they’re publicly available, such as whois records for a domain. These records display an email address associated with the person or organization who registered the domain name.
Buying Lists of Email Addresses
Why do the work yourself when other spammers have already built up lists of email addresses for you? Unscrupulous people will sell lists of email addresses to spammers for a low price. These email addresses were often distributed on CDs in the past, and they may still be, but leaked account databases have probably taken some steam out of this marketplace. Spammers may also just trade their lists of email addresses with other spammers, ensuring more spammers will get their hands on your email address once one does.
Legitimate businesses won’t sell or buy lists of email addresses.
Spammers can also get email addresses in other ways — for example, malware could harvest address book data and send it to spammers — but the above methods are some of the most common.
There’s not a lot you can do to avoid having your email address spammed. You can avoid putting your email address on the web in plain-text form and never click a link or load an image in a spam email. But your email address will still end up out there at some point — if only because you signed up to a popular website and their account database was compromised.
Thankfully, we have better spam filters these days. If you’re using an email service with a good spam filter, you shouldn’t need to care about spam beyond clicking the occasional “Report Spam” button when a spam email makes it to your inbox.