How do spammers get our email addresses?
There are two main types of spam:
- Excessive marketing emails from companies we already know;
- Emails from unknown senders advertising questionable goods & services.
For the first of these it's often the case that we've given the company our email address at some point in the past. We may not remember doing so, or we may have thought we'd opted out of marketing, but at least (for reputable companies) we can still unsubscribe from these.
It's the emails from unknown senders that can be more puzzling. Almost no one would ever willingly give out their email address to receive offers of Viagra or fake university degrees, so how do spammers get hold of our email addresses?
- Website hacks: One motive criminals have for hacking companies is to get hold of customer databases, including email addresses. These can be sold on the 'dark web' for large sums of money to other unscrupulous individuals, who'll then use them to send spam or phishing emails.
- Marketing lists: When a company signs us up to marketing emails, they'll sometimes include an option for "selected third parties". This is because they can earn extra money by selling your email address on. Whilst good companies will only sell addresses to other good companies, that company may in turn sell it on again, and so on & so on. Eventually your email address will reach a less-than-reputable company who'll simply sell it to anyone who'll pay.
- Screen scraping: Another way to find email addresses is to just search the web. Many automated tools (called 'bots') exist that continuously search for email addresses. These will then be read (or 'screen scraped') and collated into a database.
Common tips to reduce spam
Some of these may sound obvious but they're worth repeating:
1. Be careful what you sign up to
Think about who you're giving your email address to. Most websites give you the option of whether you want to receive marketing emails from them or not; read the options carefully and check whether any tick boxes are opt-in or opt-out.
2. Use a throwaway email account
One popular way of avoiding spam is to create different email accounts for different things. Use your main account exclusively for friends & family, another for reputable companies (such as your bank or major retailers), and a third 'throwaway' address for all those websites you rarely deal with but which insist on having an address.
Doing this can help you keep your main email account clear of spam by controlling who knows your address.
3. Configure your junk mail settings
Almost all email providers have junk or spam filters to help spot & filter out unwanted emails. They use a range of different techniques to determine whether an email is junk or not, such as the sender, the subject line, or clues from the body of the email.
If you look in the junk email settings for your account you'll often see different levels of filtering available, ranging from "Basic" to "Aggressive", and all the way to "Exclusive" where only emails from known contacts will reach your inbox.
If you get regular spam from the same sender then look for a "Blocked Senders" option; this allows you to permanently block any emails from specific email addresses.
Have a play around and see what works best - make sure you strike the right balance between catching spam and ensuring that genuine emails are still delivered.
Should I click "Unsubscribe"?
On many marketing emails you'll see an "Unsubscribe" option at the bottom. When an email has come from a known reputable company then it should be quite safe to click this. You'll often be taken to a page asking why you want to unsubscribe and to confirm your request, and then (hopefully) you won't receive any more emails from them again.
Where this "Unsubscribe" feature can create problems though is when it's used maliciously by spammers to verify 'live' email addresses. If a user clicks the unsubscribe link in spam then the spammer knows that emails to that address are being read, making it more valuable.
- For emails from known legitimate companies, you should be able to safely click "Unsubscribe"
- For emails from unknown senders, avoid clicking "Unsubscribe" - you might only be encouraging further spam.
Advanced tricks - unique email addresses
If spam is a real problem for you, despite the tricks above, then using multiple unique email addresses might be the answer. If you use a different email address for every company then, should any of them start being used for spam, you can create an Inbox rule based on the "To" address to simply delete those emails.
And as well as blocking spam, using different email addresses becomes a really quick and effective way of helping to separate phishing emails from genuine ones. If you get a convincing-sounding email from your bank - but which wasn't sent to the email address you use for your bank - then straight away you know it's not genuine. Easy!
Here are 2 methods for doing this:
Method 1) Use an email provider that allows email address variations
Some email providers, including Gmail and Outlook.com, allow you to customise your email address. You can then have unlimited email addresses with just a single account!
To make use of this feature simply add a + sign followed by anything you want, just to the left of the @ symbol in your email address. You don't need to configure any email settings to begin using this - just start giving these email addresses out and they'll work!
With this trick you can filter any emails received based on the To address. So if your email address was firstname.lastname@example.org or email@example.com, you could use:
- firstname.lastname@example.org - for work emails
- email@example.com - for your Facebook account
- firstname.lastname@example.org - for your bank account with HSBC
- email@example.com - for all family emails
Whilst this method is easy, it does reveal your actual email address to spammers who could simply remove the '+' element if they wanted.
A trickier-to-set-up - but much more robust - method is to buy your own domain name and set up a "Catch All" rule for all emails sent to it, as we describe next.
Method 2) Get a catch-all domain name
A further (but advanced) trick is to purchase your own web address and set it up to forward everything to your actual email account, giving you an unlimited number of email addresses.
You might for example choose to use firstname.lastname@example.org as your main email address for friends and family, whilst giving out email@example.com whenever you need a throwaway address. You could also use different addresses for each company you deal with, such as:
- firstname.lastname@example.org - for your account with Amazon
- email@example.com - for your account with Citibank
- firstname.lastname@example.org - for your account with the Herald Sun newspaper
If you're interested in this technique you'll need a technically knowledgeable friend to buy a domain and set it up. But once done it just works without any further input needed!
Note that one downside to consider is that any replies you send will come from your actual email account (revealing your real email address) and not the address used in the original email. This can be overcome if it's an issue but it can take a lot of configuration to do so.
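The "To"-address rule and the phishing check described above, for both Method 1 and Method 2, written out as an added example (it is not part of the original article). The mailbox, catch-all domain, alias names and sender domains are all constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed setup: one '+'-capable mailbox and one catch-all domain.
PLUS_MAILBOX = "jo.user@example.org"
CATCH_ALL_DOMAIN = "mail.example.net"
# Alias tag -> sender domains expected to use it (constructed values).
EXPECTED = {"bank": {"bank.example"}, "shop": {"shop.example"}}
BURNED = {"forum"}  # aliases already known to receive spam


def alias_tag(recipient):
    """Return the per-company tag in a recipient address, or None."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain == CATCH_ALL_DOMAIN:
        return local  # Method 2: the whole local part is the tag
    base_local, _, base_domain = PLUS_MAILBOX.partition("@")
    if domain == base_domain and local.startswith(base_local + "+"):
        return local[len(base_local) + 1:]  # Method 1: text after '+'
    return None


def classify(raw):
    """Classify one raw message by comparing its From domain and To alias."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    to_addrs = getaddresses(msg.get_all("To", []))
    tags = {alias_tag(addr) for _, addr in to_addrs} - {None}
    if tags & BURNED:
        return "delete"
    claimed = next((t for t, d in EXPECTED.items() if sender in d), None)
    if claimed and claimed not in tags:
        return "phishing-suspect"  # "bank" mail not sent to the bank alias
    if any(t in EXPECTED and sender not in EXPECTED[t] for t in tags):
        return "alias-leaked"  # someone else now has this company's alias
    return "inbox"


def sample(frm, to):
    """Build a minimal constructed message for the demo."""
    return f"From: {frm}\nTo: {to}\nSubject: test\n\nbody\n"


if __name__ == "__main__":
    for frm, to in [
        ("alerts@bank.example", "jo.user+bank@example.org"),
        ('"Your Bank" <alerts@bank.example>', "jo.user@example.org"),
        ("deals@spam.example", "forum@mail.example.net"),
        ("promo@other.example", "shop@mail.example.net"),
    ]:
        print(to, "->", classify(sample(frm, to)))
```

The "From" header is easy to forge, which is why the check compares it against the alias the message was addressed to. Messages sent via Bcc will not show your alias in "To", so a real rule should match on whichever recipient field your provider's filters expose for the delivery address.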