For digital nomads, spam is a bad word. Who wants to be associated with spam? Marketers and salespeople do their best to personalize their outreach and write intentional emails. Email service providers install complex systems to prevent spam from finding its way into their users’ inboxes. But somehow, spam is alive and well. Moreover, digital spam is on the rise, and its threat may cost companies hundreds of thousands of dollars in financial losses.
But what about the spam that is actually landing in our spam folders — can it harm us by its very existence? Let’s look into the matter and answer the most pressing questions about unsolicited bulk email, aka spam:
- What exactly is email spam?
- Why do scammers send spam?
- How can spam hurt you?
- How can you protect your inbox against spam messages?
Spam definition: What does spam stand for?
Many have long associated the word “spam” with unwanted junk email, but a mere five decades ago, everyone knew it only as a respectable brand of processed meat owned by Hormel Foods. The company itself was never known for its loud advertising campaigns. The term emerged from a Monty Python skit featuring Spam as a ubiquitous food item on the restaurant menu against the backdrop of Vikings chanting “Spam! Spam! Spam!” at increasing volumes.
That image of something loud drowning out all the rest came to signify the endless influx of unsolicited commercial emails and unwanted communication sent to the email inboxes, social media DMs, and texting apps of unsuspecting users.
Common types of spam
Most people are familiar with spam messages that are legitimate advertisements sent to the wrong person. But there are more types of unsolicited email spam out there, and they can be a major inconvenience. They most often come as some kind of fraud disguised as a good cause or a solution to a tech problem. Here are a few you should be aware of.
Marketing and commercial messages
These are the least harmful types of email spam regulated by the CAN-SPAM Act. Normally businesses are required to send commercial messages only to those who voluntarily give out their email addresses. In this regard, double opt-in is the best way to ensure your recipients not only have signed up for your newsletter but also have confirmed that they want to receive future correspondence.
Although the CAN-SPAM Act has no opt-in requirement, commercial emails go through spam filters easily if an email service provider (ESP) gets a sense that this message is solicited. As a user, you protect yourself from unsolicited commercial messages by hitting the unsubscribe or report spam button.
Malware spam messages
Spammers send out spam messages with malicious links, attachments, and applications to trick users into clicking some type of malware or divulging sensitive information, like passwords. Antivirus warnings are a subgroup of malicious spam where users get a message about a “cyber threat” in their computer system and a “solution” to fix it. When unsuspecting users click on the embedded link, they give the scammer access to their computer.
When in doubt, always use legitimate software to scan for issues rather than random email links that somehow land in your inbox.
Frauds and scams
Email spam is abundant, and the frauds-and-scams group is vast. Those who have been internet users for ages must remember the Nigerian prince scam that emerged back in the 1990s. An email allegedly from a Nigerian prince would find its way into your inbox and ask for a reasonable bank processing fee to unlock big inheritance money that he would share with you once the funds became accessible. Needless to say, once you paid, he stopped responding.
Money scams now include ill or distant relatives in dire circumstances. Current-event scams get your attention by referring to hot topics, such as Covid-19, unemployment, financial relief, etc. Scammers’ only goal is to get your contact information and bank account details. Other subgroups of email scams invite users to click on a link and collect their prize from a competition they never entered.
The same recommendation stands for these types of spam messages: Don’t click on unfamiliar links or interact with unknown senders.
Email spoofing and phishing emails
In common usage, spoofing and phishing are used interchangeably as terms for spam tactics. But even though both email spoofing and phishing emails are based on misrepresentation, they are different at the core. The major difference is that phishing emails impersonate trusted sources to convince users to provide their sensitive information, whereas spoofing emails actually assume the trusted source’s identity.
Phishing is the wider concept: tricking the victim into disclosing sensitive information. What are cyber scammers after? Anything they can use to access people’s money: bank account details, credit card numbers, social security numbers, medical insurance account numbers, and corporate logins. How do they trick people into sharing sensitive information? They send phishing emails disguised as official communication, complete with brand logos and important details like the name of an actual executive. You think you got an email from your online payment processor informing you that the last payment did not go through, but in reality, it is a phishing attempt to get you to reenter your password.
Phishing emails can look as sophisticated as it gets. You click on the link in the email and see the company’s usual website, logo, and formatting. However, it’s just a masterful replica of legitimate communication. If you check the sender, you will likely see a public domain. If you examine the company’s logo and headings, you will notice odd misspellings. Email content will scream urgency. The cumulative effect of these factors prompts you to quickly hit the link, which is exactly what scammers want. Yet if you spend some time verifying their email addresses and unfamiliar links, you won’t fall prey to phishing emails.
Email spoofing is one aspect of phishing that is used mostly for identity theft. The goal is for scammers to pass themselves off as someone else and obtain whatever it is they want. For example, spammers can hijack your email account (your email address in particular) and modify the From and Reply-To fields so that it looks as if you are the one sending the spam emails. This way, they can use reputable email addresses, easily bypass your contacts’ spam filters, and end up directly in their inboxes. As a result, they get fewer bounces and improve their email deliverability and domain reputation.
How does spam work?
How come salespeople go to great lengths to get their emails into their prospects’ inboxes, whereas spammers waltz through users’ spam filters like they haven’t a care in the world?
Spammers, also known as botmasters or botlords, assemble a network of bots (a botnet) that they command and control over the HTTP or IRC protocols, using either a centralized client-server topology or a peer-to-peer (P2P) one. Bots are infected computers that botlords have gained control over through email spoofing and phishing. Spammers use botnets to run their illegal activities such as spam generation, phishing, computer system infection, and DDoS attacks.
Botmasters use bots to hunt for email login credentials through phishing, email spoofing, and other email-hacking techniques. They spot vulnerable email addresses, pull up email lists, and send out bulk email. Spammers also deliver viruses, trojans, ransomware, etc. to users’ devices and wait for an unsuspecting simpleton to open an attachment or hit a link. Those who do give cybercriminals access to their devices and sensitive data.
Why do spammers send out spam messages?
Commercial spam messages are pestering yet innocent. And though they have notoriously low conversion rates, businesses keep using them because the cost of spam messages is so low that even a fractional response from a million emails can yield a hefty profit. With that sort of cost-to-revenue ratio, no wonder spam email is still used for marketing purposes.
Opulent “Nigerian princes” likewise hook very few people. Yet scaled to millions of junk emails sent in a single stroke, they make enough money to keep scamming.
Not surprisingly, phishing and email spoofing attacks are on the rise. First, their success rate is higher than in marketing spam emails. Living in constant stress and hurry, people simply don’t take time to make sure that the sender’s email address is legitimate or that the link is familiar.
Second, due to the increased use of the internet and smart devices, phishing and spoofing campaigns will keep rising. In the 2020 Threat Report, ESET researchers showed that each quarter brought a 9% rise in malicious email detection. Of course, not every phishing attempt is successful, but more than three-quarters of companies in the U.S. report a successful phishing attack. According to the FBI’s 2020 Internet Crime Report, 37% of organizations reported 11 to 50 phishing attempts, while 12% say they were attacked over 100 times in 2019 alone.
Are spam messages dangerous?
Spam problems are real. If you inadvertently help malware infect your devices, you can lose data, waste time, and end up with financial losses.
According to Proofpoint’s 2021 State of the Phish report, successful phishing and spoofing campaigns result in data loss for 60% of companies, compromised credentials or accounts for 52% of companies, malware and ransomware infection for 29% to 47% of companies, and financial losses for 18% of businesses.
Financial losses can be spelled out as a drop in stock price (Verizon saw its stock price fall by 5% over the course of six months after a data breach), the average wire-transfer loss, remediation-associated expenses, legal fees, lost revenue, lost intellectual property, damaged reputation, etc.
What can you do to prevent spam from affecting you?
From innocuous marketing messages to deceptive phishing attacks, you can protect your email and computer systems from malicious and unsolicited intrusions. You and your employees should report spam, use two-factor authentication (2FA), learn to spot phishing and install good cybersecurity software. Let’s take a look at these steps in greater detail.
Step one is choosing a reliable ESP that carefully filters messages, letting through only the valid ones. No matter how great your ESP is, though, some spam will make it through. That’s where you start using your right to block the sender and report spam. Reporting spam is a great function of ESPs as it informs marketers and salespeople that their generalized approach isn’t working.
That is why professionals engaged in email outreach know that it is in their best interest to make the unsubscribe button more visible than the report spam option so that irritated recipients will not hit the spam button out of frustration and tank the sender’s reputation. Reporting spam is a healthy way to let your ESP know what spam is for you, and it is a loud signal to marketers to monitor their feedback loops.
The main thing to remember is to mark the message as spam without clicking any attached files or links.
Use two-factor authentication (2FA)
Use an extra layer of protection that will secure your email accounts and devices against cyberattacks. Usually, phishing campaigns cannot get past login and password if your account requires a verification code sent via text message to your phone.
When anyone tries to log into your work account from an unknown location (even if it is you working remotely), identity proof is required. This is often not only your password but also a one-time code sent to your phone. Scammers cannot access both your password and your phone, so they cannot wreak havoc on your email account.
The use of 2FA is not a silver bullet, though, as cybercriminals will inevitably find other ways to hijack users’ credentials and log into their bank accounts or corporate systems. That’s why reliable cybersecurity software is a must.
We all need to know how to spot phishing. Run a webinar and educate employees on what to look for in an email, text, or call to avoid being duped into revealing sensitive information. Cybercriminals improve their phishing methods all the time. It is human to hit a nasty link without thinking twice. However, it’s always a good idea to train yourself to inspect subject lines, senders’ names, attachments, and links before clicking Reply or Open.
Here’s a quick rundown of the most common signs that an email is more than just an innocent marketing message.
Sender’s email address — Spoofing attempts impersonate legitimate senders, like banks, state governmental organizations, the IRS, etc., and famous brands. For example, Microsoft is featured in 43% of all brand phishing attempts globally. If you get an email from Microsoft requesting your personal details, at the very least check whether the sender’s email address matches the company’s domain. Sophisticated spoofers don’t use blatantly fake accounts like [email protected]. Instead, they slightly tweak the company’s legitimate domain name to have something like [email protected] .com instead of [email protected].
Urgent subject lines — Phishing messages create a sense of urgency to plunge people into emotional turmoil. The top five subject lines for phishing attempts include urgent, request, important, payment, and attention. Many phishing attacks are based on supposed valuable prizes or cash wins. If a message sounds too good to be true, it probably is.
Lack of personal information — When you get an email from an organization you know, they will know more than just your name. Make sure there is a personal greeting with a correctly spelled name. If a phishing attempt claims that your bank account has been blocked, most people will click a link to find out more, which is exactly what phishers want. Take a step back and inspect the message more closely before proceeding.
Links — The easiest way to protect yourself from malicious links is to always check your account statements, messages, etc. from the company website, not via email links.
Attachments — Don’t open attachments if you were not expecting any in advance. Full stop. Install anti-malware software to scan all expected files before downloading them.
Grammatically incorrect language — Getting an email with grammatical errors from a serious company is always a red flag.
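The first two signs in this rundown, plus the Reply-To mismatch described in the spoofing section, can be checked automatically. The Python sketch below is an added example, not code from the original article; the trusted-domain list, the 0.8 similarity threshold, the function names, and both sample messages are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: domains the recipient actually deals with.
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.com"}
# The five subject-line words the article lists for phishing attempts.
URGENCY_WORDS = {"urgent", "request", "important", "payment", "attention"}

def domain_of(header_value):
    """Lowercased domain of an address header, or '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def imitated_domain(domain, threshold=0.8):
    """Trusted domain that `domain` resembles without matching it, else None."""
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the real domain or one of its subdomains
    for trusted in sorted(TRUSTED_DOMAINS):
        if SequenceMatcher(None, domain, trusted).ratio() >= threshold:
            return trusted
    return None

def phishing_signs(raw_message):
    """Return human-readable warning signs; an empty list means none were found."""
    msg = message_from_string(raw_message)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    signs = []
    imitated = imitated_domain(from_dom)
    if imitated:
        signs.append(f"sender domain {from_dom} resembles {imitated}")
    if reply_dom and reply_dom != from_dom:
        signs.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    words = set(re.findall(r"[a-z]+", (msg["Subject"] or "").lower()))
    hits = sorted(words & URGENCY_WORDS)
    if hits:
        signs.append("urgent subject words: " + ", ".join(hits))
    return signs

# Constructed sample messages (not real mail).
SUSPICIOUS = (
    "From: Microsoft Support <security@micros0ft.com>\n"
    "Reply-To: helpdesk@mail-collect.example\n"
    "Subject: URGENT: payment attention required\n\nVerify your account now.\n"
)
LEGITIMATE = "From: billing@microsoft.com\nSubject: Your monthly invoice\n\nAttached.\n"

if __name__ == "__main__":
    for sign in phishing_signs(SUSPICIOUS):
        print("WARNING:", sign)
```

Treat the output as a prompt for a closer look rather than a verdict: legitimate mailings sometimes set a different Reply-To, and a message with none of these signs can still be malicious.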
Install cybersecurity software
People should not be responsible for security breaches. Instead, companies should rely on AI-powered software to secure their data against scammers and phishing attacks. The better your cybersecurity software, the more protected your company. Good cybersecurity software works magic even when employees hit the link and let the malware into the corporate system.
Equipped against spam now?
Keep in mind that spam problems are more than an inbox crammed with emails from fake Nigerian princes. In recent years, we’ve seen an unprecedented influx of spam and phishing attacks with no expectation of dialing down. With companies protecting their data and ESPs intensifying their defenses, it’s getting more difficult for marketing and sales to do their jobs and run outbound campaigns. Fighting against spam filters can be exhausting. That’s why an email spam test is always helpful before starting a marketing campaign. Make sure your emails won’t be seen as spam messages – pesky and annoying. Get only solicited correspondence, and let your emails always be personalized and fun.