Some messages from friends, family and co-workers. Some offers from companies that you’ve done business with before. The miracle emails related to Dr. Oz, Rachael Ray, Oprah, diabetes, weight loss and sexual performance.
Annoying, but obviously spam.
Then there are the fake emails that attempt to sound as if they’re from companies you do business with — phishing emails — that try to lure you into clicking. If you do, you may end up downloading a virus or releasing a program that tries to steal your personal information. Or just as dangerous, you may be brought to an authentic-looking web site that asks you for your private data.
Reader Rita Allen’s email box gets more than its fair share of junk. She wrote to Bamboozled to share some recent phishing emails she received, and to ask the big question: “How do they get my email address?”
Allen knew the emails she received were fakes.
One, supposedly from her bank, referred to problems with her online statement.
It said there “has been a problem processing your statement data,” and if Allen didn’t update her information, “service may be discontinued.”
“But I neither bank online nor view my bank statement online,” Allen said. “The message began, ‘Unfortunately.’ Period. Another giveaway was this word: ‘re qu ir ements.’”
Then she received one alleging to be from her internet provider, warning that her “Email Account will be suspended… as your spam quota has become full.”
Allen knew her email account had no “spam quota.”
Next there was one from Amazon.com.
“They were thoughtfully warning me about something or other, something dire that would happen to me unless I clicked on their link,” Allen said.
Yet another told her to click so she could resolve a problem with a credit card she no longer has.
“How do they get my email address? Do they hack into these institutions?” Allen asked in an email. “I think that there are so many ways they can find me that I believe it impossible to totally prevent this.”
YOUR EMAIL ADDRESS
Allen is correct.
If you plan to be online, hackers, scammers, spammers, phishers and other ne’er-do-wells will get hold of your email address and try to trick you into clicking.
There are lots of ways these bad guys can get your email address.
One that you’ve heard a lot about lately is stolen or leaked databases. When a large company suffers a data hack, customer information gets into the hands of scammers. These lists often include email addresses, and hackers make these lists available on a black market of sorts.
Then there are plain guesses, often called “dictionary attacks.” If you use a free email address, you share your domain name — @gmail.com, @aol.com, @yahoo.com, @hotmail.com, etc. — with millions of other users. Many of these users choose simple names, such as email@example.com. Those are pretty easy for hackers to hit with random guesses, and they can do it on a large scale.
You’re also at risk with ‘bot’ attacks, short for robotic attacks, which are spawned from programs that automatically search for email addresses on web sites of all kinds. These programs look for words with “@” in the middle, since it’s a pretty good guess that any such word is an email address. (That’s why you’ll often see public email addresses with spaces or hyphens around the “@” symbol.)
When scammers collect all these email addresses, they actually put them up for sale. We’re not going to promote the web sites where these lists are available, but online security expert Brian Krebs of KrebsOnSecurity.com said email lists, if purchased in bulk, can cost merely a penny for 1,000 addresses. Krebs said that there are specific targeted lists — for people with certain interests — that cost a buyer more, or non-specific lists can be purchased for less, such as 50 million AOL addresses for $500 or 30 million Hotmail addresses for $450.
Once your email address gets on a spammer’s list, there’s little you can do to stop the fake emails from coming.
To limit the number of fake emails you receive, check with your email provider to see what “junk mail” services it provides, and then use them.
Don’t put your email out there for public consumption. If you add yours to a chat board or other communal spot online, it will be easy for the ‘bots’ to find.
Consider using two email addresses — one for your private communications that you only share with family and friends, and a second for business- or company-related emails.
If you create a new email address for your online life, make it hard for the ‘bots’ to replicate. Use combinations of letters and numbers that don’t spell any common words or phrases.**
The best protection? Never open any email or click on a link in an email unless you’re absolutely positive it’s the real thing. This can be hard because sophisticated phishers will make their emails as authentic-looking as possible, including having a seemingly real “from” email address and directing you to web sites that look like the real thing.
If you’re not sure, delete the email and phone the company directly to see if some kind of action needs to be taken on your part.
You can report spam emails to the Federal Trade Commission at firstname.lastname@example.org. The FTC also recommends you report it to your email provider, and also to the spammer’s email provider, which will want to cut off spammers’ use of its service.
** The original version of this column wrongly said to use upper and lower case letters for your email address. Upper and lower case won’t make a difference, but adding numbers will. Upper and lower case will help with passwords, though.
Have you been Bamboozled? Reach Karin Price Mueller at Bamboozled@NJAdvanceMedia.com. Follow her on Twitter @KPMueller. Find Bamboozled on Facebook. Mueller is also the founder of NJMoneyHelp.com.