Let’s take a look at some common methods that spammers use to obtain email addresses — and how to protect yourself from junk mail.
Many web services and mobile apps require an email address for signing up. When you create an account, your email goes into a list. Companies know how to send mass emails — they use this list for notifications and marketing materials. Then data breaches happen, and entire contact lists, along with other personal data, end up for sale. Finally, spammers use these lists to send malicious emails.
Even large corporations suffer from security breaches that may affect millions of people. For example, Ticketmaster recently confirmed “unauthorized activity”. The consequences of such breaches are way worse than receiving a bunch of annoying emails — if you’ve ever used Ticketmaster, hackers have your payment information as well.
No one can prevent such breaches, and the only way to protect yourself from them is to never sign up anywhere or use a temporary email service — and that’s not always possible. However, if you suddenly started receiving spam emails, checking if it’s because of a data breach can be useful. For example, you can change your password in a certain service or start treating incoming messages more prudently.
There are many websites and apps that check if your personal data has been compromised. Have I Been Pwned? is one of the most popular. It works like a search engine — just enter your email address and the service will look for a match in its database of exposed data. If your address was found in a breach, you’ll get a message along with the list of incidents.
Data breaches are not the only source of spam mail. Spammers also use publicly available information that users expose themselves on social media and forums. For example, if you wrote something like “Contact me at [email protected]” or made your address visible to other users on a job search website, online activities like these make you a target for email harvesting.
Even if you absolutely need to publish your email address online, you still can prevent self-exposure and loads of spam in your inbox. Here are some ways to do this:
Sometimes spam emails have an unsubscribe link — like this one:
Clicking on this usually barely noticeable link won’t lead you to less spam — if anything, you’ll get more spam in return. Spammers use fake unsubscribe links to verify that your email account is active. It’s often done as part of dictionary attacks — spammers basically guess which addresses might exist and send emails as a ping. By clicking an unsubscribe link in a spam email, you’re basically saying “Hey, this address is real and I’m using it actively, please send me more emails!” This information will be passed on, and you’ll get spam bombed. Such links may also lead to compromised websites used for phishing or for installing dangerous software on your device.
Long story short, clicking on unsubscribe links in spam emails or responding to them is dangerous. That’s why if you come across a suspicious email, just delete it from your inbox. You can also flag such emails as spam if the filter didn’t catch them — this will protect you from receiving more emails from the same address.
In December 2023, spam emails accounted for 46% of total email traffic — and most of it is malicious: phishing, malware, or ransomware. Junk mail is not only annoying — interacting with these emails results in financial losses and identity theft.
We’ve picked the 10 most popular email fraud schemes you can find in your inbox. Some of them are old, others are relatively recent.
These fake emails claiming to be from Apple ask you to verify your account because it was put on hold for various reasons. But it’s a phishing attempt. If you click the link, you will be redirected to a fake Apple website that will steal your account information.
In this case, the generic greeting is what gives the scam away. Legit emails from businesses always start with your name or the moniker you used for the account.
This phishing scheme has been quite popular for a long time. I remember getting dozens of those in my spam folder pretty well, both in English and in my native language (poorly translated via Google, obviously). The general gist is the following: someone claims that you either inherited a lot of money or you’re entitled to the money from an unknown beneficiary fund. Then, they’ll ask you for personal data — but not for sending you the money. Yet another “too good to be true” scheme, classic.
It’s another type of phishing scam. These spam emails claim that your payment was declined, and you need to update the billing information — otherwise, your account will be disabled. But once you click the link in the email, you’ll be redirected to a phishing website.
Here’s a textbook example of this type of spam email — it looks pretty legit, by the way, we’re impressed! The only giveaways are the slightly odd phrasing and maybe one lowercase letter after a full stop.
In this phishing scheme, spammers convince you that your account was suspended or limited for security-related reasons. To reactivate your account, you need to log in again using the link from the email. Then, like in other similar scams, spammers will steal your money or identity.
Scammers who use this scheme can impersonate various services — here’s an example of a fake Amazon email:
You can tell it’s not a legitimate email because of the email address — a legit email from Amazon would be sent from the @amazon.com domain. The email design is also a giveaway: Amazon emails are not entirely plain-text and contain the company logo and buttons instead of hyperlinks.
This is a less popular phishing scam but it’s still good to know about — even tech-savvy users can fall for it. The scammers adopting this scheme send you emails pretending to be your boss or the CEO of your company, asking you to buy one or several gift cards for different purposes. Then, they’ll ask you for codes, PINs, and other data that will let them use the cards. The scammers may promise that they’ll pay you back — but they obviously won’t.
Here’s a relatively fresh example I found on Reddit:
One of the recent phishing schemes that gained popularity in 2023 is emails impersonating McAfee — yes, the antivirus. These usually imitate transactional emails that notify you about a purchase or a subscription renewal, except you’ve never ordered anything. These emails contain a helpline number or a hyperlink to cancel the alleged transaction… And this is how scammers lure you into giving away your credit card information.
This phishing scheme involves sending fake government emails that promise you a tax return. The link in the email redirects you to a website that seems to be legitimate but steals your personal and financial information.
Fake tax refund emails can look like this:
If you received a tax refund email like this, take a look at the email address first. For example, this email pretends to be from the IRS, which is a legitimate government agency in the United States. However, the real IRS domain is @irs.gov — so what is this “irs-support” domain? You guessed it, a scam.
Fake emails from the HR department are part of a relatively new phishing scheme that became a trend in 2023. The scheme involves sending notifications that appear to come from HR departments — to sound more convincing, scammers may use LinkedIn to find out where you’re currently working. In these emails, the fake HR will often ask you to update or verify your employee data and give you a link where you can do so. However, this is a phishing link. Even worse, since you’ll probably use your work email and password for “verification”, such emails also threaten the organization, not just individuals.
Here’s a great example I found on PCRisk, a cybersecurity resource updating users on recent threats, including current email scams.
This email scam is one of the oldest, and it’s still relevant in 2024. It usually involves a scammer describing certain incriminating activities they claim to have seen and recorded you doing, and asking you for money (usually bitcoin) in exchange for keeping the videos secret. To sound more legit and frightening, scammers may include your personal information, such as your real social media accounts.
This year, a new “leitmotif” in sextortion emails appeared — scammers started mentioning Pegasus, the military software for iOS and Android mostly used for spying on independent journalists and opposition activists. The baseline plot is still the same though, just with an extra detail that the scammer obtained the incriminating media via Pegasus. Here’s an example:
Although Pegasus is not an urban legend and such emails can be downright terrifying, here’s something to remember — you’re not that big of a target to get your phone infected by military spyware. And if you are, let’s say, an activist, and you actually got infected, the people who did it would be more interested in your message history than in watching you touch yourself. They wouldn’t notify you about the infection, either.
This phishing scheme emerged during the COVID-19 pandemic and remains relevant to this day. Spammers send fake emails from delivery services like FedEx or UPS — like the one below:
Of course, you shouldn’t click the link to “update” your address — you’ll become a victim of phishing.
Here’s another variation of the scam — instead of a “failed delivery” notification, you may receive an almost legit email that looks like this:
We didn’t cover all the possible email fraud schemes — we listed the 10 most common spam and phishing emails. But what if you received an email that doesn’t fall under any of these categories?
Modern email apps have spam filters. For example, Gmail uses a neural net system that learns to separate junk mail from regular emails. But even AI is not infallible. Sometimes Gmail mistakes social media notifications or just emails with links and attachments for spam — and vice versa. That’s why we give you these key features of junk mail to look for.
Pay attention to any unfamiliar addresses in your inbox. But just because you don’t recognize an address doesn’t mean the email is spam. Here’s the list of red flags in email addresses:
But some spammers learned how to plausibly imitate corporate emails — or, even worse, use legit addresses of different organizations to send spam.
That’s a relatively new trick spammers use. I started noticing the first instances of such spam in early 2023, and, by May 2024, most of my spam folder content looks like this:
Here’s how it works: spammers sign up for newsletters or submit requests at legit business helpdesks, and put a phishing link and a message (usually about winning a lottery) in the name or message field. Spammers also use your email address as the contact info. So it looks like you received a regular transactional email or a newsletter issue from a real organization — except you’ve never subscribed to this service or requested help at this helpdesk.
In 2023, the method was so effective that these emails didn’t even end up in spam — they showed up in the primary inbox. Now the filters have adapted to the method, and such emails do end up in spam. However, if they don’t, pay attention to transactional or marketing messages from brands you’ve never interacted with: chances are, these are spam.
This feature is related to the previous one. Quite often, those spammers sending emails via other companies’ newsletters and support systems use random companies that don’t even reside in your country. For example, they may use Japanese businesses while targeting English-speaking victims.
Spam filters in Gmail are actually trained to catch messages in mixed languages or in languages you don’t usually communicate in. However, if one of these slipped into your primary inbox, think about this: if the company was actually talking to you, would it use a language you can’t understand without Google Translate?
But okay, let’s say none of the above describes the email in question — what about the content itself? One reason to get suspicious is a request for personal information.
Many businesses deal with personal data such as credit card information. For example, this is an email from Benchmark about cybersecurity concerns:
An important detail here is that Benchmark doesn’t ask the client to reply with personal data. Instead, the sender asks them to fill in the necessary information on the company’s website — unlike spammers:
This example is an obvious scam and “Douglas” asks for relatively harmless data. But some spammers will ask you for credit card information or passwords. Keep in mind that, for example, bank employees will never ask you for the CVV code. That’s why any personal data request, even as innocent as the one above, is a major red flag.
Creating a sense of urgency and appealing to FOMO is a common manipulation tactic in advertising. For example, take a look at this last chance email from Barnes & Noble:
In this email, Barnes & Noble offers a personalized book selection and a 15% discount that is active for a short time period. They use urgency since the offer is limited — but not like this:
This spam email creates a sense of urgency with a vague time period instead of a precise expiration date, all caps, multiple exclamation marks, and an overuse of words like “limited” and “offer”. Such messages usually have clickbait subject lines with the same words written in all caps and with excessive punctuation. Legit companies don’t introduce clients to limited offers using such blunt techniques.
But there’s one more sketchy detail — poor grammar at the end of the email. It brings us to the next junk mail feature — bad writing.
When it comes to poor writing in spam emails, most people recall the infamous Nigerian scam. It started before the internet — people received letters from Nigerian royals or businessmen asking for help with transferring money. Later it went digital and became more inventive with its plots — for example, Nigerian princes turned into Russian entrepreneurs.
Take a look at this classic Nigerian scam email:
Nigerian scam emails were poorly written to look more convincing — their senders didn’t speak English as their first language. But other email scammers also write with typos, extra blank spaces, and odd phrasing — for different reasons:
There is a different way of tricking spam filters though, which involves sending you an email that is basically a pile of word and number vomit. This trick is called Bayesian poisoning — spammers “confuse” probability-based filters so they start labeling innocent words as spam and letting their emails right into the primary inbox.
Need I say, you shouldn’t open the attachment?
According to Campaign Monitor, personalized emails increase sales by 20%. And personalization is not only about data-driven customization of offers — it’s also about the language. Businesses include clients’ names even in formal notification emails — like this one from Amazon:
Spammers can imitate such notification emails in a pretty convincing way — except for one small detail. Compare our previous example to this fake Amazon email:
Even if fake emails imitate notifications from large companies, they have generic greetings like “Dear Customer/Client” or “Dear Sir/Madam”. But this, like the features we mentioned earlier, doesn’t have a lot to do with the email content itself. What about it?
Some spam emails will promise you a reward for clicking a link, downloading an attachment, or sending personal information. It can be a ridiculous amount of money or any other bonus from a company or even a celebrity. But the thing is, if it’s too good to be true, it’s likely a lie. For example, this email is definitely not from Mark Zuckerberg.
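To make the red flags from this section concrete, here is an added Python checker (example code, not part of the original post) that runs them over constructed sample messages: a lookalike sender domain (the “irs-support” and fake Amazon cases above), a generic greeting, a request for personal data, and pressure tactics such as urgency words, all caps and stacked exclamation marks. The brand-to-domain table and the sample emails are assumptions made for this example.

```python
import re
from email.utils import parseaddr

# Assumed brand -> real sending domain table; extend it for the brands you care about.
KNOWN_BRANDS = {"amazon": "amazon.com", "irs": "irs.gov", "apple": "apple.com"}
URGENCY_WORDS = {"limited", "offer", "urgent", "immediately", "hurry", "expires"}
GENERIC_GREETINGS = ("dear customer", "dear client", "dear sir", "dear madam", "dear user")
DATA_REQUEST = re.compile(r"\b(password|cvv|credit card|social security|ssn|pin)\b", re.I)

def sender_domain(from_header):
    """Domain of the address in a From header, e.g. 'irs-support.com'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike_brand(domain):
    """Brand whose name is used in a domain that is not that brand's real domain, else None."""
    if any(domain == d or domain.endswith("." + d) for d in KNOWN_BRANDS.values()):
        return None
    tokens = re.split(r"[^a-z0-9]+", domain)  # 'irs-support.com' -> ['irs', 'support', 'com']
    return next((b for b in KNOWN_BRANDS if b in tokens), None)

def red_flags(from_header, subject, body):
    """List the junk-mail features from the post that a message shows (empty list = none)."""
    flags = []
    domain = sender_domain(from_header)
    brand = lookalike_brand(domain)
    if brand:
        flags.append(f"sender domain {domain} imitates {brand} ({KNOWN_BRANDS[brand]})")
    if body.strip().lower().startswith(GENERIC_GREETINGS):
        flags.append("generic greeting")
    text = subject + "\n" + body
    if DATA_REQUEST.search(text):
        flags.append("asks for personal data")
    urgency = sum(w in URGENCY_WORDS for w in re.findall(r"[a-z]+", text.lower()))
    shouting = sum(w.isupper() for w in re.findall(r"[A-Za-z]{4,}", text))
    if urgency >= 2 or shouting >= 3 or "!!" in text:
        flags.append("pressure: urgency words, all caps or stacked exclamation marks")
    return flags

# Constructed sample messages (from, subject, body); not real emails.
FAKE_AMAZON = (
    "Amazon Support <security@amazon-verify.net>",
    "URGENT: Your account is on HOLD!!!",
    "Dear Customer,\nYour payment was declined. Update your credit card within 24 hours. LIMITED offer to restore access.",
)
REAL_AMAZON = (
    "Amazon.com <ship-confirm@amazon.com>",
    "Your order has shipped",
    "Hello Jane,\nYour package is on its way. Track it on our website.",
)
```

Calling `red_flags(*FAKE_AMAZON)` returns all four flags, while `red_flags(*REAL_AMAZON)` returns an empty list; a subdomain such as mail.amazon.com is treated as legitimate, and a domain like first-bank.com is not flagged for containing the letters “irs”.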
These are the most prominent features of junk mail. If you come across any of them in a new email, do the following:
Spam emails might seem funny and clumsy but they are dangerous — phishing leads to loss of money and possible identity theft. Scammers get more inventive with their schemes — that’s why it’s important to know the key features of junk mail and never interact with such emails for the sake of your safety.
Some of the common spam emails are: