Surge in spam email since pandemic

Heather Kelly explains why your email inbox might be flooded right now.



Stuff NZ Newspapers


Jaden Geller is giving up on his Gmail inbox. The 26-yearold security engineer in San Francisco has been battling an explosion of spam to his free email account for months, such as mailing lists he never signed up for and obvious scams. He thinks the address has been compromised beyond saving. ‘‘I was better about actually deleting spam messages at first, but then it became unmanageable,’’ Geller said. ‘‘I used to archive every single message. Now that’s too much of a hassle. I’m checking my inbox less frequently, not looking at everything, and leaving it in a messy state.’’ Email spam is an old problem that many people may have forgotten about or, at least, made peace with. Thanks to improvements in automatic filters from email providers and third-party services, the early 2000s’ onslaught of sketchy Viagra offers and promised contest winnings were mostly kept out of sight. The spam waterfall became a leaky faucet, with just a few iffy emails showing up in our inboxes alongside a bunch of legitimate marketing emails that are, often, our own doing. But over the course of the pandemic – particularly in the past six months – many people using free email services have noticed a surge of unwanted scam emails slipping through the filters and landing in their inboxes. Gmail users have been most vocal about the issue, and some are so overwhelmed with spam that they’re trying to figure out what they can do about it. What’s the problem? More spam than usual appears to be getting through the automatic filters on some free email services, particularly Google’s 18-year-old Gmail. According to cybersecurity firm Proofpoint, there has been a 30 per cent increase in the volume of spam this past year across services. The company detected 10 billion additional spam messages in December alone. Free email such as Google’s Gmail, Microsoft’s Outlook and Hotmail, and Yahoo have built-in tools for detecting junkmail and moving them to another location (usually a folder called ‘‘Spam’’ or ‘‘Junk’’) where you can still see them or ignore them forever. There are paid third-party filtering options for companies that host their own email but not many for the free email services that are used by billions of people around the world. On the other side of the issue is professional criminals and marketers, constantly looking for new ways to outsmart email filters and reach their targets. ‘‘Spam is dynamic, unpredictable, and takes many forms,’’ said Google’s Bjorn Grubelich, a product manager for Gmail Counter-abuses. He says Google uses machine learningmodels to detect and filter out new threats, and that it blocks more than 99.9 per cent of spam, phishing and malware from reaching Gmail users. What does spam want from us? The term spam encompasses a variety of annoying emails, mostly out to access your money or information (which in turn can make spammers money). There are marketing emails that you may or may not have unwittingly opted into after buying boots online or signing up for a newsletter. Companies can also get your information from lists that they buy, signing you up for mailings without your consent. The next tier down is filled with less legitimate operations that are still trying to sell things like unapprovedmedications. (The pharmaceutical scams largely target the United States, where there is no nationalised healthcare, says Chester Wisniewski, principal research scientist at security company Sophos.) Phishing emails are attempts to trick the recipient into handing over sensitive information, like a password or credit card number. Then there are malware emails that want you to download an attachment that will give the sender access to your computer. They aim to gather sensitive financial or personal information, or launch something like a ransomware attack. In the past, malicious spam focused more on using techniques such as viruses. Now that computers are better at auto-updating to patch security holes, spammers are targeting people with social attacks, using techniques such as impersonating real companies or people. They’re exploiting human weaknesses more than computer weaknesses. ‘‘Because the attacks are social, I think they’re worse. There’s nothing I can put on your computer that’s going to help you not be tricked,’’ Wisniewski said. What’s behind the spam surge? Unwanted spam emails have become more profitable than they were in the past, according to Ryan Kalember, the executive vicepresident of cybersecurity strategy at Proofpoint. Attacks have become more sophisticated and personal during the pandemic, and there has been a rush of spam targeting people working from home, capitalising on their fears by pushing fake Covid treatments, masks and tests. The vast majority of spam comes from Russia and neighbouring countries, say cyber security experts. Groups specialise in different parts of the process so one might just sell email lists, while another sends out an entire blast for a client, figures out ways around spam filters, or handles the money laundering. ‘‘The attackers are getting smarter,’’ said Jeremy Ventura, a senior security strategist at cybersecurity company Mimecast. ‘‘Their tactics and techniques are evolving.’’ Proofpoint, which has a product that filters spam messages for companies, says that over the past six months, it has noticed that spammers have been increasingly using Google services such as Docs or Drive to host their attacks, surpassing Microsoft, which is also heavily used. In response, Google’s Grubelich said: ‘‘We are deeply committed to protecting our users from phishing abuse across our services and are continuously working on additional measures to block these types of attacks asmethods evolve.’’ The company says it ‘‘may’’ scan files such as Google Docs when they are shared. What can be done about it? Minimising spam isn’t easy, and getting rid of it completely is likely impossible. The best hope is that the email providers are able to adjust their filters and artificial intelligence to counter the latest attacks. But here are some steps you can take. Be security smart: The majority of your spam is probably more annoying than dangerous. Still, use a strong and unique password, and turn on two-factor authentication for your account. If you’re a Google user, do the Google Security Checkup. Turn off auto-load for images: When spammers get any indication that their email was received (you opened the email or you clicked on a link), you are marked as even more of a target for future spam. Make sure your email settings are set to not load any images from unknown senders automatically, which makes it harder for them to use tracking pixels. There are options for this in most email apps like Apple’s Mail and web-based email like Outlook and Gmail. Use an alias for online accounts: Every time you sign up for something online with your email address, you risk it (and other details about you) ending up with third-party marketers or being exposed in a data breach. One way to keep your email address unknown is not to use it for anything other than personal correspondence or important accounts, like your bank. You can set up a second email address that’s just for logins and purchases, and let that inbox become a dumpster of marketing emails. Another option is to use an alias. On Gmail you canmake emails that are your real address with ‘‘+Facebook’’ or ‘‘+Sephora’’ at the end, to use for specific sites. At least you’ll know who leaked your email if it ends up being sold in a list. Apple recently added a feature called HideMy Email that takes it one step further, allowing you to sign up for accounts using a unique, anonymous email address it generates for you. It’s for any Apple user accessing a site that workswith Sign In With Apple. iCloud+ subscribers can generate more addresses on any site from their iOS device. Don’t click unsubscribe in the email: Because some malicious spam looks identical to legitimate marketing spam, avoid clicking the ‘‘unsubscribe’’ link in the email unless you’re certain it’s from that company. Instead, you can let your email service unsubscribe for you. Report spam, if you want: Flag the email as spam. Doing so won’t have an immediate impact on your life – that spammer has already moved on – but it does give your email providermore information to try to stay ahead of them. Dust off your email detective skills: Trust no email. If it looks like it’s from someone you know personally but seems a little off, text or contact them another way to be sure. If you get any kind of alarming email from amajor company saying there’s been a large charge or an update on an order you don’t recall making, be suspicious. On a computer, hover over any links to see where URLs go, and read closely to see if there are typos like ‘‘’’. See how compromised your email is: Plug your email address into and see how many breaches it has appeared in. (The site is trusted by the security experts we spoke to.) Consider using a password manager, which can alert you when different passwords appear in hacks and breaches, or even if they’re just easily guessable or overused. The nuclear option – start from scratch: If your email address is in a scammer’s database and every e-commerce company’s mailing list, you could start fresh with a new address just for personal or work communication. If you use that old address for online accounts, don’t delete it, or you’ll have to update contact information for every single one. If you want an alternative to Gmail, you could consider,, –