OK, let’s go through this, step by step. If some of y’all understand how scams work, hopefully we can help folks avoid scams.
First: consider that ANY email address you may have provided to order food online, or to sign up to a web forum. Or for social media. Or for insurance or a bank…consider ANY of those email addresses to be compromised and available on lists that are regularly traded and purchased out there. No one specifically tried to “get” your email address. Your email address was likely on a list captured from a data breach over the last 5-15 years. Also: the longer you’ve been using an address, the more certain it is that your address is compromised.
“Compromised” here is a bit of a loaded term, too. I have three email addresses – one for work, one for personal and friends and family and REALLY important stuff, and one I use for Steam and Amazon and signing on to social media, etc. At least two of those are “compromised”, and I know that fully well…and I’m OK with it. It just means my spam folders get a little bit of a workout, and I need to be at least a little familiar with phishing scams. So let’s continue.
The first thing that a scamming operation that knows its business will do is to figure out which of the hundreds of thousands – if not millions – of addresses on a list they just bought or traded for is valid. They’ll send out shitty, obvious spam and scam emails for nonsense that are barely legible. The kind of spam we all laugh at.
Realize this: some of those are autogenerated nonsense. But a decent number of those are sent out just to check to see if the email address they’re sent to bounces the email back because the address is no longer in use. If the email is old and not valid any more, off the list it goes. If it does go through – even to a spam folder – it’s on to the next stage.
In that next stage, they step up the game, but only mildly. Now they’re going to start using an email program that will return to the scammer two things: whether an email was opened, and whether something in the email was clicked. That is why – and I cannot state this in big enough or bold enough font – NEVER OPEN AN EMAIL THAT LOOKS SUSPICIOUS WITHOUT HOVERING OVER THE EMAIL ADDRESS LISTED FROM THE SENDER TO SEE THE ACTUAL EMAIL ADDRESS.
Once you’ve opened an email from a phishing operation, they know you’re worth proceeding with, and you move on to the next stage.
In that next stage, they’re going to start hitting you up with emails from specific businesses. Banks usually, but anything will do. Now they’re pinging to see if you’ll open another email, but they’re using specific businesses to not only find out which fake business fronts you’re opening an email from, but also your location – not all businesses and banks operate in all areas of the country. And they may have another list of names, addresses, and even phone numbers and they’re trying to associate that information with a specific email if they can. They’re going to start paying attention to which emails you open.
And from there, it’s going to be a series of scammers using their most effective email addresses and their most effective scam come-ons, in increasing levels. The vast majority of folks who get baited into opening an email never get baited into a full-on scam, thankfully. But they’re the target group, and that’s how.
So. To defend yourself:
- Don’t engage. At all. They don’t care if you send an email back saying “Haha, this is a scam, you dummies.” They’re trying to find out if you’re the kind of person who opens emails from people they don’t know. Because that fits the profile of people who can be scammed. Don’t open any email that looks sus, without first hovering the email address. Block and spamify suspicious texts.
- Know your own financials. It’s free to sign up for Experian or Creditwise or similar sites. Many credit card companies offer credit monitoring for free (Capital One, for instance, operates Creditwise). You should be doing weekly/monthly checks of your credit rating if you think you’ve even been adjacent to a scam or accidentally opened an email.
- Keep your credit frozen until you need it unfrozen. It’s easy to freeze and unfreeze credit. It doesn’t affect your score. Do it.
- It’s easy to get flustered within the moment, but take some time and think through the scam email situation. For instance, stop and think about an instant oil change service in the original post. No instant oil change service place on the planet is going to let you drive off of their lot and send you an invoice via email. Not now, not ever. Like I said, it’s easy to get flustered in the moment and let your guard down. You can’t do that, though.
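Added example, not part of the original post: a small Python check that reads a saved message as plain text (nothing is rendered or fetched) and reports the real sender address behind the display name, plus the remote images and tagged links that would report an open or a click. It assumes open tracking is done with remote images, the common mechanism; the sample message, the `example.*` domains and all function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message; not taken from a real campaign.
SAMPLE = """\
From: "Example Bank Alerts" <notice@mail.example.net>
To: you@example.org
Subject: Your invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is ready. <a href="https://track.example.net/c?u=8841">View invoice</a></p>
<img src="https://track.example.net/o.gif?u=8841" width="1" height="1">
</body></html>
"""

def sender(msg):
    """Return (display_name, address): what the mail client shows vs. what hovering reveals."""
    name, addr = parseaddr(str(msg["From"]))
    return name, addr.lower()

def html_body(msg):
    """Return the HTML part as text, or an empty string if the message has none."""
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part else ""

def remote_images(html):
    """Images loaded from a remote server: fetching one tells that server the mail was opened."""
    return re.findall(r'<img\b[^>]*\bsrc=["\'](https?://[^"\']+)', html, flags=re.I)

def tagged_links(html):
    """Links carrying a query string, which can identify the recipient who clicked."""
    links = re.findall(r'<a\b[^>]*\bhref=["\'](https?://[^"\']+)', html, flags=re.I)
    return [u for u in links if "?" in u]

def report(raw):
    """Parse raw message text without rendering it, so no remote content is requested."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = sender(msg)
    html = html_body(msg)
    return {"display_name": name, "address": addr,
            "open_beacons": remote_images(html), "click_trackers": tagged_links(html)}

if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(f"{key}: {value}")
```
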