With an estimated 400 billion messages every day, spam makes up the majority of internet email traffic. But because today's spam filters are so effective—blocking more than 99 percent of junk messages—few actually make it to your in-box.
So cybercriminals are changing tactics to steal your money and identity. Rather than blasting out tens of millions of identical pleas from Nigerian kings and sellers of cut-rate Viagra, they're moving to smaller batches of better crafted come-ons that claim to be from companies and people you know and trust. I'm talking about your bank, insurance company and medical provider—and people like your boss, family members and longtime friends.
How it works
Known as "artisanal" spam, these emails go to only a few thousand recipients, which gives them a leg up in making it to your in-box. "The more emails sent by a particular party, the better chance they are blocked by spam filters," explains John Wilson of cybersecurity firm Agari. "With artisanal spam there are fewer targets, but the likelihood of any one victim falling for it is much greater."
That's because recipients are carefully courted with personalized traps. Often the information comes from data breaches—hacks into corporate computer systems to steal customer lists. "People who went to a certain medical clinic, for instance, may get a bill with their names, account numbers and dates of treatment," Wilson says. "And that money goes to criminals' accounts."
In another variation, crooks use special software to collect personal details from LinkedIn and other social networking sites. Or they send you malware-infected links in emails that seem to come from Facebook friends. "Once you click that link," Wilson says, "every keystroke typed is sent to the criminal—including when you go to your online accounts and enter your name and password."
Corporate email systems are also targets. Employees may get messages claiming to be from HR telling them to update their login credentials, which gives crooks access to company databases. The FBI estimates that companies have lost at least $2.3 billion through scam emails sent to employees—allegedly from the CEO—with instructions to pay fake vendors.
Here's how to protect yourself
Don't be fooled by the name displayed as the sender. Inspect the address that the message came from—a long series of letters or words after ".com" suggests it was sent by a spammer.
Be suspicious of links. When legitimate companies offer to remedy problems or ask to update information, the email typically doesn't include links; instead the companies direct you to their website.
Verify. If you get an email with a link along with a message from a friend saying "check this out," call to find out if they really sent it.
Parse the credit card number. Emails pretending to be from credit card companies often cite the beginning numbers of an account; legitimate messages are more likely to cite the last few numbers. Reason: Like phone numbers, many credit cards start with the same digits.
Sid Kirchheimer is the author of Scam-Proof Your Life, published by AARP Books/Sterling.