Date: 2022-01-24

During the pandemic, many people using free email services have noticed a wave of unwanted scam messages.

Spam is an old, well-known problem that many people have perhaps forgotten about or at least made peace with. Thanks to improvements in automatic filters from email providers and third-party services, the massive onslaught of poorly formatted Viagra offers and contest prizes from the early 2000s has been kept out of sight. The flood of spam has turned into a minor leak, with only a few dubious emails appearing in our inboxes alongside a bunch of legitimate marketing emails that are often our own fault.

But during the pandemic—particularly in the last six months—many people using free email services have noticed a wave of unwanted scam emails going through filters and into their inboxes. Gmail users are the most vocal about the problem, and some are so overwhelmed by it that they’re trying to figure out what they can do about it. Fortunately, the Help Desk is here to help.

What is the problem?

More spam than usual seems to be getting through the automatic filters of some free email services, most notably Gmail, which Google began offering 18 years ago. According to cybersecurity firm Proofpoint, there was a 30% increase in spam volume in 2021 across all services. The company detected 10 billion more spam messages in December alone.

Free email services like Google’s Gmail, Microsoft’s Outlook and Hotmail, and Yahoo have built-in tools to detect junk email and move messages to another location (usually a folder called “Spam” or “Junk”) where you can still check them or ignore them forever. There are paid filter options for companies that host their own email, but not many for the free email services that are used by billions of people around the world. On the other side of the problem are professional criminals and marketers, constantly looking for new ways to evade email filters and reach their targets.

“Spam is dynamic, unpredictable and takes many forms,” said Bjorn Grubelich, Google’s product manager for curbing abuse in Gmail. He said the company uses machine learning models to detect and filter new threats and that this prevents more than 99.9% of spam messages, phishing attempts and types of malware from reaching Gmail users.

What is spam targeting?

The term spam encompasses a variety of annoying emails, most of which aim to gain access to your money or data (which in turn can generate money for the sender).

There are marketing emails that you may or may not have unintentionally chosen to receive after making an online purchase or subscribing to a newsletter. Companies can also get your email address from lists they buy, putting you on a broadcast list without your consent. After that, the next level is littered with less legitimate activities that are still trying to sell you things like unapproved drugs. (Pharmaceutical scams are primarily targeted at the United States, where there is no public national healthcare system, says Chester Wisniewski, principal researcher at security firm Sophos.)

Phishing emails are intended to trick the user into revealing sensitive data such as passwords or credit card numbers. Then there are the malware emails, which ask you to download an attachment that will give the sender access to your computer. They aim to collect sensitive personal or financial data, or carry out something like a ransomware attack.

In the past, malicious spam focused more on using techniques such as viruses. Now that computers are better at automatically updating to fix security flaws, those who send spam messages are turning to attacks that depend on human interaction, using techniques such as impersonating real companies or people. They target human weaknesses more than computer weaknesses.

“As the attacks are with interactions, I think they are worse. There’s nothing I can put on your computer to help you not get scammed,” said Wisniewski.

What’s Behind the Spam Wave?

Unwanted spam emails are now more profitable than they were in the past, according to Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy. Attacks have become more sophisticated and personal during the pandemic, and there has been an abundance of spam messages targeting people who work from home, capitalizing on their fears by promoting fake Covid-19 treatments, masks and tests.

The vast majority of spam comes from Russia and neighboring countries, cybersecurity experts say. The groups specialize in different tasks in the process, so that one can just sell mailing lists, while another will send a large number of messages to a customer, figure out ways to bypass spam filters, or be responsible for money laundering.

“Criminals are getting smarter,” said Jeremy Ventura, senior security strategist at cybersecurity firm Mimecast. “Their tactics and techniques are evolving.”

According to Proofpoint, which has a product that filters spam messages for companies, in the last six months those who send spam messages have increasingly used Google services, such as Docs or Drive, to host their attacks, surpassing Microsoft, whose services are also heavily used.

In response, Grubelich, Product Manager at Google, said: “We are deeply committed to protecting our users from phishing attempts on our services and are continually working on additional measures to prevent these types of attacks as methods evolve.” The company says it “can” scan files like Google Docs when they are shared.

What can you do about it?

Reducing spam isn’t easy, and getting rid of it completely may be impossible. The best hope is that email providers will be able to adjust their filters and artificial intelligence to combat the latest attacks. However, here are some steps you can take.

Be smart about your security: most of your spam is probably more annoying than dangerous. Even so, use a strong, unique password and enable two-factor authentication for your account. If you are a Google user, do the security verification offered by the company.

Disable automatic image loading: when those who send spam receive any sign that the email they sent was received (you opened the email or clicked on a link), you are identified as an even more interesting target for receiving spam in the future. Make sure your email settings are set to not automatically load images from unknown senders, which makes it difficult for them to use tracking pixels. There are options for this in most email apps like Apple’s Apple Mail and in web-based email services like Outlook and Gmail.

Use a pseudonym for online accounts: every time you sign up for something on the internet with your email, you run the risk of it (and other information about you) ending up in the hands of third-party marketers or being exposed in a hacker attack or data breach. One way to keep your email address little known is to only use it for your personal correspondence or important accounts like your bank.

You can create another email just for logins and purchases and let that inbox become a trash can for marketing emails. Another option is to use a pseudonym. In Gmail you can create addresses that are your real address with “+Facebook” or “+Sephora” added after your username, to use on specific websites. At least you’ll know who leaked your email if it ends up being sold around.

Apple recently started offering a feature called “Hide my email” that goes a step further and lets you create unique, anonymous, randomly generated emails. It is available to any Apple user who visits a website that supports the “Sign in with Apple” option. iCloud+ subscribers can create more emails on any website with their iOS devices.
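The leak-tracing idea above can be automated. This added example (not from the original article) reads the "+tag" from each message's To header and reports tags that received mail from a domain other than the site the tag was given to. The EXPECTED map, the sample messages and all .example domains are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: you maintain this map of alias tag -> domains that site mails from.
EXPECTED = {"facebook": {"facebookmail.example"}, "sephora": {"sephora.example"}}

# Constructed sample messages (headers only matter here).
SAMPLES = [
    "From: Sephora <news@mail.sephora.example>\nTo: jane.doe+sephora@mail.example\n\nSale!",
    'From: "Prize Dept" <win@lucky-draw.example>\nTo: jane.doe+Sephora@mail.example\n\nYou won',
    "From: pharmacy@pills.example\nTo: jane.doe@mail.example\n\nCheap meds",
    "From: offers@cheap-loans.example\nTo: <jane.doe+facebook@mail.example>\n\nLoan",
]

def alias_tag(address):
    """Return the lowercased text after '+' in the local part, or None."""
    local = address.rpartition("@")[0]
    _base, plus, tag = local.partition("+")
    return tag.lower() if plus and tag else None

def leaked_aliases(raw_messages, expected):
    """Map each alias tag to the unexpected sender domains that wrote to it."""
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        tag = alias_tag(parseaddr(msg.get("To", ""))[1])
        if tag is None:
            continue  # sent to the bare address: no attribution possible
        # The visible From header is unauthenticated, so a match proves nothing;
        # a mismatch still shows the alias has reached someone else.
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        allowed = expected.get(tag, set())
        if not any(domain == d or domain.endswith("." + d) for d in allowed):
            leaks.setdefault(tag, set()).add(domain)
    return leaks
```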

Do not click “cancel your subscription” in the email: as some malicious spam looks identical to real marketing messages, avoid clicking the “unsubscribe” link in the email unless you are sure the message was sent by a particular company. Instead, you can click “unsubscribe”, which is usually next to the sender address, and let your email service do it for you.

If you want, report spam: Identify the email as spam. Doing so won’t have an immediate impact on your life – that person who sent the email is already eyeing their next target – but it will give your email provider more information to try to get rid of them.

Activate the distrustometer: Do not trust any emails. If it looks like it was sent by someone you know personally, but it’s a little weird, send a cell phone text message or contact them some other way to be sure. If you get some sort of troubling email from a big company saying there’s a charge or an update on an order you don’t remember placing, be suspicious. On a computer, hover over the links to see where the URLs lead and read carefully to check for typos.

Check how compromised your email is: enter your email address at haveibeenpwned.com and see how many leaks it showed up in. (According to the security experts we spoke with, the site is trustworthy.) Consider using a password manager, which can alert you when different passwords show up in hacker attacks and data breaches, or even if they are easily guessed or overused.

A more drastic option, start from scratch: If your email is already in scammers’ databases and in the widely sold email lists of e-commerce companies, you can start from scratch with a new email address for personal or professional communication. If you use the old email for online accounts, don’t delete it or you will have to update the contact information for each one. If you’re looking for an alternative to Gmail, consider Protonmail.com, Outlook.com, Zoho.com, or Hey.com.

Translation by Romina Cacia