Jaden Geller is giving up on his Gmail inbox. The 26-year-old security engineer in San Francisco has been battling an explosion of spam to his free email account for months, like mailing lists he never signed up for and obvious scams. He thinks the address has been compromised beyond saving.
Email spam is an old problem that many people may have forgotten about or, at least, made peace with. Thanks to improvements in automatic filters from email providers and third-party services, the early 2000s onslaught of sketchy Viagra offers and promised contest winnings was mostly kept out of sight. The spam waterfall became a leaky faucet, with just a few iffy emails showing up in our inboxes alongside a bunch of legitimate marketing emails that are, often, our own doing.
But over the course of the pandemic — particularly in the past six months — many people using free-email services have noticed a surge of unwanted scam emails slipping through the filters and landing in their inboxes. Gmail users have been most vocal about the issue, and some are so overwhelmed with spam they’re trying to figure out what they can do about it. Fortunately, the Help Desk is here to help.
What’s the problem?
More spam than usual appears to be getting through the automatic filters on some free email services, particularly Google’s 18-year-old Gmail. According to cybersecurity firm Proofpoint, there has been a 30 percent increase in the volume of spam this past year across services. The company detected 10 billion additional spam messages in December alone.
Free email services such as Google’s Gmail, Microsoft’s Outlook and Hotmail, and Yahoo have built-in tools for detecting junk mail and moving it to another location (usually a folder called “Spam” or “Junk”) where you can still see it or ignore it forever. There are paid third-party filtering options for companies that host their own email but not many for the free email services that are used by billions of people around the world. On the other side of the issue are professional criminals and marketers, constantly looking for new ways to outsmart email filters and reach their targets.
“Spam is dynamic, unpredictable, and takes many forms,” said Google’s Bjorn Grubelich, product manager for Gmail Counter-abuses. He says Google uses machine learning models to detect and filter out new threats, and that it blocks more than 99.9 percent of spam, phishing and malware from reaching Gmail users.
What does spam want from me?
The term spam encompasses a variety of annoying emails, mostly out to access your money or information (which in turn can make spammers money).
There are marketing emails that you may or may not have unwittingly opted into after buying boots online or signing up for a newsletter. Companies can also get your information from lists that they buy, signing you up for mailings without your consent. The next tier down is filled with less legitimate operations that are still trying to sell things like unapproved medications. (The pharmaceutical scams largely target the United States, where there is no nationalized health care, says Chester Wisniewski, principal research scientist at security company Sophos.)
Phishing emails are attempts to trick the recipient into handing over sensitive information, like a password or credit card number. Then there are malware emails that want you to download an attachment that will give the sender access to your computer. They aim to gather sensitive financial or personal information, or launch something like a ransomware attack.
In the past, malicious spam focused more on using techniques such as viruses. Now that computers are better at auto-updating to patch security holes, spammers are targeting people with social attacks, using techniques like impersonating real companies or people. They’re exploiting human weaknesses more than computer weaknesses.
“Because the attacks are social, I think they’re worse. There’s nothing I can put on your computer that’s going to help you not be tricked,” Wisniewski said.
What’s behind the spam surge?
Unwanted spam emails have become more profitable than they were in the past, according to Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. Attacks have become more sophisticated and personal during the pandemic, and there has been a rush of spam targeting people working from home, capitalizing on their fears by pushing fake covid treatments, masks and tests.
The vast majority of spam comes from Russia and neighboring countries, say cybersecurity experts. Groups specialize in different parts of the process, so one might just sell email lists, while another will send out an entire blast for a client, figure out ways around spam filters, or handle the money laundering.
“The attackers are getting smarter,” said Jeremy Ventura, a senior security strategist at cybersecurity company Mimecast. “Their tactics and techniques are evolving.”
Proofpoint, which has a product that filters spam messages for companies, says that over the past six months, it has noticed that spammers have been increasingly using Google services like Docs or Drive to host their attacks, surpassing Microsoft, which is also heavily used.
In response, Google’s Grubelich said: “We are deeply committed to protecting our users from phishing abuse across our services, and are continuously working on additional measures to block these types of attacks as methods evolve.” The company says it “may” scan files like Google Docs when they’re shared.
What can you do about it?
Minimizing spam isn’t easy, and getting rid of it completely is likely impossible. The best hope is that the email providers are able to adjust their filters and AI to counter the latest attacks. But here are some steps you can take.
Be security smart: The majority of your spam is likely more annoying than dangerous. Still, use a strong and unique password, and turn on two-factor authentication for your account. If you’re a Google user, do the Google Security Checkup.
Turn off auto-load for images: When spammers get any indication that their email was received (you opened the email or you clicked on a link), you are marked as even more of a target for future spam. Make sure your email settings are set to not load any images from unknown senders automatically, which makes it harder for them to use tracking pixels. There are options for this in most email apps like Apple’s Mail and web-based email like Outlook and Gmail.
Use an alias for online accounts: Every time you sign up for something online with your email address, you risk it (and other information about you) ending up with third-party marketers or being exposed in a hack or data breach. One way to keep your email address unknown is not to use it for anything other than personal correspondence or important accounts, like your bank.
You can set up a second email address that’s just for logins and purchases, and let that inbox become a dumpster of marketing emails. Another option is to use an alias. On Gmail you can create addresses that are your real address with “+Facebook” or “+Sephora” added before the “@”, to use for specific sites. At least you’ll know who leaked your email if it ends up being sold in a list.
Apple recently added a feature called Hide My Email that takes it one step further, allowing you to sign up for accounts using a unique, anonymous email address it generates for you. It’s for any Apple user accessing a site that works with Sign In With Apple. iCloud+ subscribers can generate more addresses on any site from their iOS device.
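The “+tag” alias trick described above also tells you which sign-up leaked. As an added example that is not from the article, this Python script reads a handful of constructed message headers, splits each recipient address into its base and tag, and counts how many unrelated sender domains wrote to each tag; a tag with many strangers behind it is the one that was sold or leaked.

```python
import email
from email import policy

# Constructed sample headers of messages that landed in the inbox; none of these are real mail.
SAMPLE_MESSAGES = [
    "To: jane.doe+sephora@gmail.com\nFrom: deals@example-shop.test\nSubject: 50% off\n\nbody",
    "To: jane.doe+facebook@gmail.com\nFrom: noreply@social.test\nSubject: New login\n\nbody",
    "To: jane.doe+sephora@gmail.com\nFrom: winner@lottery.test\nSubject: You won\n\nbody",
    "To: jane.doe@gmail.com\nFrom: friend@example.test\nSubject: hi\n\nbody",
    "To: Jane <jane.doe+sephora@gmail.com>\nFrom: pills@pharma.test\nSubject: Cheap meds\n\nbody",
]

def split_sub_address(addr):
    """Split 'local+tag@domain' into (local, tag, domain); tag is '' when there is none."""
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    return base, tag, domain.lower()

def tags_by_sender_count(raw_messages):
    """Map each alias tag to the number of distinct sender domains that used it.

    Many unrelated senders writing to one tag suggests that alias was leaked or sold."""
    senders = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        to_addr = msg["To"].addresses[0].addr_spec        # strips any display name
        _, tag, _ = split_sub_address(to_addr)
        from_domain = msg["From"].addresses[0].domain.lower()
        senders.setdefault(tag or "(no tag)", set()).add(from_domain)
    return {tag: len(domains) for tag, domains in senders.items()}

if __name__ == "__main__":
    for tag, count in sorted(tags_by_sender_count(SAMPLE_MESSAGES).items(), key=lambda kv: -kv[1]):
        print(f"{tag:12s} {count} distinct sender domain(s)")
```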
Don’t click unsubscribe in the email: Because some malicious spam looks identical to legitimate marketing spam, avoid clicking the “unsubscribe” link in the email unless you’re certain it’s from that company. Instead, you can let your email service unsubscribe for you.
Report spam, if you want: Flag the email as spam. Doing so won’t have an immediate impact on your life — that spammer has already moved on — but it does give your email provider more information to try to stay ahead of them.
Dust off your email detective skills: Trust no email. If it looks like it’s from someone you know personally but seems a little off, text or contact them another way to be sure. If you get any kind of alarming email from a major company saying there’s been a large charge or an update on an order you don’t recall making, be suspicious. On a computer, hover over any links to see where URLs go, and read closely to see if there are typos like “BesttBuy.com.”
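The “hover over every link” check above can be run over a whole message at once. This added Python example, which is not part of the article, pulls every link out of a constructed HTML body and flags two things the text warns about: hosts that are one or two letters away from a brand you actually deal with (like “BesttBuy.com”), and links whose visible text names a brand that the destination does not go to. The brand list and the sample HTML are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the recipient actually does business with (constructed list for this example).
KNOWN_BRANDS = ("bestbuy.com", "paypal.com")
# Constructed HTML body of a suspicious message, not a real email.
SAMPLE_HTML = """<a href="http://besttbuy.com/track">Track your order at BestBuy.com</a>
<a href="https://bestbuy.com/help">Help Center</a>
<a href="http://login.secure-paypa1.test/x">paypal.com</a>"""

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-letter lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class LinkCollector(HTMLParser):
    """Collects (href, lower-cased visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip().lower()))
            self._href = None

def suspicious_links(html_body, known_brands=KNOWN_BRANDS):
    """Return (href, reason) for lookalike hosts and text/destination mismatches."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        base = ".".join(host.split(".")[-2:])  # registrable part, e.g. besttbuy.com
        for brand in known_brands:
            if 0 < edit_distance(base, brand) <= 2:
                findings.append((href, f"host {host} looks like {brand}"))
            elif base != brand and brand in text:
                findings.append((href, f"text says {brand} but link goes to {host}"))
    return findings
```

Running `suspicious_links(SAMPLE_HTML)` flags the misspelled BestBuy host and the link whose text says “paypal.com” but points elsewhere, and leaves the genuine bestbuy.com link alone.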
See how compromised your email is: Plug your email address into haveibeenpwned.com and see how many breaches it has appeared in. (The site is trusted by the security experts we spoke to.) Consider using a password manager, which can alert you when different passwords appear in hacks and breaches, or even if they’re just easily guessable or overused.
The nuclear option, start from scratch: If your email address is in a scammer’s database and on every e-commerce company’s mailing list, you could start fresh with a new address just for personal or work communication. If you use that old address for online accounts, don’t delete it, or you’ll have to go through and update contact information for every single one. If you’re looking for an alternative to Gmail, you could consider Protonmail.com, Outlook.com, Zoho.com or Hey.com.