What comes to mind when you think of spam? Miracle pills from Internet pharmacies, requests for money from “princes” of other countries, or perhaps the food, Spam? This article is all about spam with a lowercase “s.” While many people enjoy the food Spam, no one wants to be tricked into losing money or downloading malware because of the other kind of spam.
Spam is annoying, but it’s also a threat. While many of us might think we’re savvy enough to recognize any form of it, spammers regularly update their methods and messages to trick potential victims. The reality is that we’re all constantly under attack from cybercriminals and the proof is in your inbox.
So read on to learn what spam is, how to recognize it, and how to protect yourself against it.
Spam is any kind of unwanted, unsolicited digital communication that gets sent out in bulk. Often spam is sent via email, but it can also be distributed via text messages, phone calls, or social media.
What does spam stand for?
Spam is not an acronym for a computer threat, although some have been proposed (stupid pointless annoying malware, for instance). The inspiration for using the term “spam” to describe mass unwanted messages is a Monty Python skit in which the actors declare that everyone must eat the food Spam, whether they want it or not. Similarly, everyone with an email address must unfortunately be bothered by spam messages, whether we like it or not.
If you’re interested in the origins of spam in greater detail, see the history of spam section below.
Types of spam
Spammers use many forms of communication to bulk-send their unwanted messages. Some of these are marketing messages peddling unsolicited goods. Other types of spam messages can spread malware, trick you into divulging personal information, or scare you into thinking you need to pay to get out of trouble.
Email spam filters catch many of these types of messages, and phone carriers often warn you of a “spam risk” from unknown callers. Whether via email, text, phone, or social media, some spam messages do get through, and you want to be able to recognize them and avoid these threats. Below are several types of spam to look out for.
Phishing emails are a type of spam cybercriminals send to many people, hoping to “hook” a few people. Phishing emails trick victims into giving up sensitive information like website logins or credit card information.
Adam Kujawa, Director of Malwarebytes Labs, says of phishing emails: “Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective. That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.”
Spoofed emails mimic, or spoof, an email from a legitimate sender, and ask you to take some sort of action. Well-executed spoofs will contain familiar branding and content, often from a large well-known company such as PayPal or Apple. Common email spoofing spam messages include:
- A request for payment of an outstanding invoice
- A request to reset your password or verify your account
- Verification of purchases you didn’t make
- Request for updated billing information
Tech support scams
In a tech support scam, the spam message indicates that you have a technical problem and you should contact tech support by calling the phone number or clicking a link in the message. Like email spoofing, these types of spam often say they are from a large technology company like Microsoft or a cybersecurity company like Malwarebytes.
If you think you have a technical issue or malware on your computer, tablet, or smartphone, you should always go to the official website of the company you want to call for tech support to find the legitimate contact information. Remote tech support often involves remote access to your computer to help you, and you don’t want to accidentally give that access to a tech support scammer.
Current event scams
Hot topics in the news can be used in spam messages to get your attention. In 2020 when the world was facing the Covid-19 pandemic and there was an increase in work-from-home jobs, some scammers sent spam messages promising remote jobs that paid in Bitcoin. During the same year, another popular spam topic was related to offering financial relief for small businesses, but the scammers ultimately asked for bank account details. News headlines can be catchy, but beware of them in regards to potential spam messages.
This type of spam is likely familiar to anyone who has been using email since the 90s or 2000s. Sometimes called “Nigerian prince” emails as that was the purported message sender for many years, this type of spam promises a financial reward if you first provide a cash advance. The sender typically indicates that this cash advance is some sort of processing fee or earnest money to unlock the larger sum, but once you pay, they disappear. To make it more personal, a similar type of scam involves the sender pretending to be a family member that is in trouble and needs money, but if you pay, unfortunately the outcome is the same.
Short for “malware spam” or “malicious spam,” malspam is a spam message that delivers malware to your device. Unsuspecting readers who click on a link or open an email attachment end up with some type of malware including ransomware, Trojans, bots, info-stealers, cryptominers, spyware, and keyloggers. A common delivery method is to include malicious scripts in an attachment of a familiar type like a Word document, PDF file, or PowerPoint presentation. Once the attachment is opened, the scripts run and retrieve the malware payload.
Spam calls and spam texts
Have you ever received a robocall? That’s call spam. A text message from an unknown sender urging you to click an unknown link? That’s referred to as text message spam or “smishing,” a combination of SMS and phishing.
If you’re receiving spam calls and texts on your Android or iPhone, most major carriers give you an option to report spam. Blocking numbers is another way to combat mobile spam. In the US, you can add your phone number to the National Do Not Call Registry to try to cut down on the amount of unwanted sales calls you receive, but you should still be alert to scammers who ignore the list.
How can I stop spam?
While it may not be possible to avoid spam altogether, there are steps you can take to help protect yourself against falling for a scam or getting phished from a spam message:
Learn to spot phishing
All of us can fall victim to phishing attacks. We may be in a rush and click a malicious link without realizing. If a new type of phishing attack comes out, we may not readily recognize it. To protect yourself, learn to check for some key signs that a spam message isn’t just annoying—it’s a phishing attempt:
- Sender’s email address: If an email from a company is legitimate, the sender’s email address should match the domain for the company they claim to represent. Sometimes these are obvious, like email@example.com, but other times the changes are less noticeable, like firstname.lastname@example.org instead of paypal.com.
- Missing personal information: If you are a customer, the company should have your information and will likely address you by your first name. A missing personal greeting alone isn’t enough to spot a phishing email, but it’s one thing to look for, especially in messages that say they are from a company with whom you do business. Receiving an email that says your account has been locked or you owe money is cause to worry, and sometimes we rush to click a link in order to fix the problem. If it’s phishing, that’s exactly what the sender wants, so be careful and check if the email is generic or addressed specifically to you.
- Links: Beware of all links, including buttons in an email. If you get a message from a company with whom you have an account, it’s wise to log in to your account to see if there is a message there rather than just clicking the link in the message without verifying first. You can contact the company to ask if a suspicious message is legitimate or not. If you have any doubts about a message, don’t click any links.
- Grammatical errors: We all make them, but a company sending out legitimate messages probably won’t have a lot of punctuation errors, poor grammar, and spelling mistakes. These can be another red flag to indicate that the email could be suspect.
- Too-good-to-be-true offers: Many phishing messages pretend to be from large, well-known companies, hoping to ensnare readers who happen to do business with the company. Other phishing attempts offer something for free like cash or a desirable prize. The saying is often true that if something sounds too good to be true it probably is, and this can be a warning that a spam message is trying to get something from you, rather than give you something.
- Attachments: Unless you are expecting an email with attachments, always be wary before opening or downloading them. Using anti-malware software can help by scanning files that you download for malware.
You can read even more about phishing emails and how to spot them on the Malwarebytes Labs blog.
Email providers have gotten pretty good at filtering out spam, but when messages make it through to your inbox, you can report them. This is true for spam calls and text messages, as many carriers give you the ability to report spam as well. You can also choose to block the sender, often in the same step as reporting the message.
Reporting spam can help your email provider or phone service carrier get better at detecting spam. If legitimate emails get sent to your spam filter, you can report that they should not be marked as spam, and that also provides useful information on what should not be filtered. Another helpful step is to add senders you want to hear from to your contacts list proactively.
Use two factor-authentication (2FA)
With two-factor or multi-factor authentication, even if your username and password are compromised via a phishing attack, cybercriminals won’t be able to get around the additional authentication requirements tied to your account. Additional authentication factors include secret questions or verification codes sent to your phone via text message.
In the event that you click a bad link or download malware sent to you via spam, good cybersecurity software will recognize the malware and shut it down before it can do any damage to your system or network. With products for home and business, Malwarebytes has got you covered wherever technology takes you.
Recent news on spam
- Royal Mail scam says your parcel is waiting for delivery
- “I have full control of your device”: Sextortion scam rears its ugly head in time for 2021
- November spam roundup: Stalkers, property tips, porn, stern words and PayPal
- Coronavirus Bitcoin scam promises “millions” working from home
- SBA phishing scams: from malware to advanced social engineering
- A month of giveaway spam on Twitter
- Instagram story spam claims free Apple Watch
- Facebook spammers making things worse
History of spam
The history of spam starts in 1864, over a hundred years before the Internet, with a telegram sent en masse to a number of British politicians. In a prescient sign of things to come, the telegram was an advertisement for teeth whitening.
The first example of an unsolicited email dates back to 1978 and the precursor to the Internet—ARPANET. This proto-Internet spam was an advertisement for a new model of computer from Digital Equipment Corporation. It worked—people bought the computers.
By the 1980s, people came together on regional online communities, called bulletin boards (BBSes), run by hobbyists on their home servers. On a typical BBS, users were able to share files, post notices, and exchange messages. During heated online exchanges, users would type the word “spam” over and over again to drown each other out. This was done in reference to a Monty Python sketch from 1970 in which a husband and wife eating at a working-class café find that almost everything on the menu contains Spam. As the wife argues with the waitress over the preponderance of Spam on the menu, a chorus of Vikings drowns out the conversation with a song about Spam.
The use of the word “spam” in this context, i.e. loud annoying messaging, caught on—to the chagrin of Hormel Foods, the maker of Spam.
Over on Usenet, a precursor to the Internet that functions much like today’s Internet forums, “spam” was used to refer to excessive multiple posting across multiple forums and threads. The earliest Usenet spam included a fundamentalist religious tract, a political rant about the Armenian Genocide, and an advertisement for green card legal services.
Spam didn’t start in earnest until the rise of the Internet and instant email communication in the early 90s. Spam reached epidemic proportions with hundreds of billions of spam emails overwhelming our inboxes.
In 1999, Melissa, the first virus that spread via macro-enabled Word documents attached to emails was let loose upon the digital world. It spread by ransacking victims’ contact lists and spamming itself to everyone the victim knew. In the end, Melissa caused $80 million in damages, according to the FBI.
Without any anti-spam legislation in place, professional spammers rose to prominence, including the self-proclaimed “Spam King” Sanford Wallace. True to his nickname, Wallace was at one time the biggest sender of spam emails and social media spam on sites like Myspace and Facebook.
It wasn’t until the early 2000s that governments around the world started to get serious about regulating spam. Notably, all member countries of the European Union and the United Kingdom have laws in place that restrict spam. Likewise, in 2003 the United States put a set of laws in place cheekily called the CAN-SPAM Act (once again, Hormel just can’t get a break). These laws, in the US and abroad, place restrictions on the content, sending behavior, and unsubscribe compliance of all email.
At the same time, top email providers Microsoft and Google worked hard to improve spam filtering technology. Bill Gates famously predicted spam would disappear by 2006.
Under these laws a rogue’s gallery of spammers, including the Spam King, were arrested, prosecuted and jailed for foisting penny stocks, fake watches and questionable drugs on us. In 2016 Sanford Wallace was convicted, sentenced to 30 months in prison, and ordered to pay hundreds of thousands in restitution for sending millions of spam messages on Facebook.
And yet spam is still a thing. Sorry, Bill.
In spite of the best efforts of legislators, law enforcement and technology companies, we’re still fighting the scourge of unwanted, malicious email and other digital communication. The fact of the matter is that the business of spam requires little effort on behalf of spammers, few spammers actually go to jail, and there’s lots of money to be made.
In a joint study on spam between University of California, Berkeley, and University of California, San Diego, researchers observed a zombie botnet in action and found the operators of the botnet sent out 350 million emails over the course of a month. Out of these hundreds of millions of emails the spammers netted 28 sales. This a conversion rate of .00001 percent. That being said, if the spammers continued to send out spam at that rate, they would pull in 3.5 million dollars in the span of a year.
So what, exactly, are the types of spam that continue to fill our inboxes to the brim and what can we do about it?