Yes, the volume of junk email is down — dramatically. Symantec, which makes Norton antivirus software, estimates that spam peaked in July 2010 with an average 225 billion messages sent each day, compared with less than 50 billion a year later.
Some of the credit goes to law enforcement and corporate cyber-cops for busting major criminal networks that were sending the stuff out through "botnets," home or business computers that have been stealthily linked to forward spam.
In April, the FBI helped seize control of one botnet, called Coreflood, and scrubbed 19,000 computers infected with its spam-sending software. And in the same month, Microsoft managed to dismantle the infamous Rustock botnet, which once distributed nearly half of all spam.
But there's another reason for the drop: The crooks are narrowing their targets.
Rather than sending out masses and masses of generic, one-size-fits-all messages and hoping to hear back from just a tiny fraction of recipients, they are shifting to lower-volume but more personalized attacks. Their emails are addressed to you alone and appear to come from people you know.
The new tactic is called "spearphishing." And its personal touch pays off.
Between June 2010 and June 2011, according to a report by the network company Cisco (pdf), money that spearphishers squeezed out of victims quadrupled from $50 million to $200 million. During the same period, money made from traditional spam dropped from $1 billion to $500 million.
Scammers realize that these days you're likely to ignore a "Dear Friend" request asking for your bank account number. But when the same request comes in an email purportedly from your bank — and addresses you by name — the odds greatly increase that you'll give the sender the hoped-for response.
The same applies to a "Dear Mr. [your name here]" letter asking for your credit card number because of an alleged problem with a recent purchase and noting details of that transaction. It's much more credible than one that's addressed "Dear Customer" and that contains no personal details.
How do spearphishers get your particulars? Sometimes, the info is collected on social networks such as Facebook or Twitter, which, in addition to revealing your friends and family, could include posts about that new camera you purchased at the mall last weekend. Or maybe your employer's website lists your name and those of coworkers.
Other personal information can come from data breaches — the hacking of big institutional computers — and from the cyber-crime black market that has a wealth of information about you and companies with which you do business.
Five ways to avoid spearphishing
- Always maintain a healthy dose of suspicion about email that names you, just as you should with generic come-ons. This is rule number one for preventing the "friendly fraud" of spearphishing scams.
- Keep in mind that banks, government agencies and legitimate businesses don't send emails demanding that you update personal information or provide financial account or Social Security numbers.
- If an email appears to come from a friend and suggests you click on a link, a quick phone call to that friend makes for easy verification.
- Be less social on social networks. Don't easily accept new "friends" or readily post potentially exploitable details of your life or those of your family and friends.
- Watch for "scammer grammar." Spam has changed, but tone and style haven't. Spearphishers often operate from overseas and aren't native speakers of English, so look for frequent misspellings and word misuse, the giveaways of old-line spam.
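The five tips above can be turned into a simple automated check on an incoming message. The script below is an added example, not part of the original article: it parses one raw email and reports which of the article's warning signs it shows, namely a display name that claims to be an institution while the sending domain is something else, a request for account or Social Security numbers, artificial urgency, links that do not lead to the institution's own domain, and common misspellings. The allowlist of institution domains, the phrase lists and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist (an assumption for this example): the only domain an
# institution named in a sender's display name is expected to send from.
EXPECTED_SENDER_DOMAINS = {
    "example bank": "examplebank.example",
}

# Constructed phrase lists reflecting the article's tips: demands for account
# or Social Security numbers, artificial urgency, and "scammer grammar".
SENSITIVE_REQUESTS = [
    r"social security number", r"account number", r"credit card number",
    r"password", r"\bpin\b",
]
URGENCY_PHRASES = [r"within \d+ hours", r"suspended", r"immediately", r"action required"]
COMMON_MISSPELLINGS = ["verfy", "recieve", "acount", "informaton"]


def check_email(raw: str) -> list[str]:
    """Return the spearphishing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if msg.is_multipart():
        body = "\n".join(
            p.get_payload(decode=True).decode("utf-8", "replace")
            for p in msg.walk() if p.get_content_type() == "text/plain"
        )
    else:
        body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    indicators = []

    # Which institution, if any, does the display name claim to be?
    claimed = next((i for i in EXPECTED_SENDER_DOMAINS if i in display_name.lower()), None)
    expected = EXPECTED_SENDER_DOMAINS.get(claimed)

    # The message claims to be your bank but is not sent from the bank's domain.
    if claimed and sender_domain != expected:
        indicators.append("sender-domain-mismatch")

    # Legitimate businesses do not ask for these details by email.
    if any(re.search(p, text) for p in SENSITIVE_REQUESTS):
        indicators.append("requests-sensitive-data")

    # Pressure to act now is a classic lure.
    if any(re.search(p, text) for p in URGENCY_PHRASES):
        indicators.append("urgency")

    # A link from "your bank" that leads somewhere other than the bank's domain.
    if claimed:
        for url in re.findall(r"https?://[^\s<>\"]+", body):
            host = (urlparse(url).hostname or "").lower()
            if host != expected and not host.endswith("." + expected):
                indicators.append("off-domain-link")
                break

    # "Scammer grammar": misspellings typical of old-line spam.
    if any(re.search(rf"\b{w}\b", text) for w in COMMON_MISSPELLINGS):
        indicators.append("scammer-grammar")

    return indicators


# Constructed lure: personalised, claims to be the bank, sent from a look-alike domain.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-secure.example>
To: Pat Customer <pat@example.org>
Subject: Action required: confirm your account number

Dear Pat,

We noticed a problem with your recent purchase of a camera.
Please verfy your Social Security number and account number
at http://examplebank-verfy.example/verify within 24 hours or your
account will be suspended.
"""

# Constructed legitimate notice from the same institution for comparison.
BENIGN_EMAIL = """\
From: "Example Bank" <statements@examplebank.example>
To: Pat Customer <pat@example.org>
Subject: Your monthly statement is available

Your statement is ready. Log in at https://examplebank.example/statements to view it.
"""

if __name__ == "__main__":
    print("lure:  ", check_email(SAMPLE_EMAIL))
    print("benign:", check_email(BENIGN_EMAIL))
```

The checks are heuristics in the spirit of the article's advice, not a spam filter: a message that trips none of them can still be fraudulent, which is why the first tip, a healthy dose of suspicion, still applies.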
Sid Kirchheimer is the author of Scam-Proof Your Life, published by AARP Books/Sterling.