How Do Spammers Get Your Email Address?
Updated: June 30, 2019
To prevent spammers from getting their hands on your email address, we'll give you the best practices to keep in mind.
No matter what email you use, it seems that spammers somehow manage to end up in your inbox.
Spam emails are not only annoying; they can also be a threat to your online security, as many of them contain malicious links that will install malware on your computer once you click on them.
How do spammers get your email address? And what can you do to keep your email private from spammers' eyes?
There are a few tips that will help you protect against spammers to improve your online privacy and security levels. But unfortunately, there's no guarantee spammers won't find a way to get your email address.
Let's go over the ways spammers get your email address and what you can do about it.
A data breach is an incident where user databases are unintentionally exposed to the public. Leaked data can include usernames, passwords, and emails. This makes data breaches one of the main ways in which spammers get your email address.
Even big organizations such as LinkedIn, Adobe, or Yahoo! have been compromised in the past, so this poses a real threat to online security. For example, in 2008, MySpace suffered a data breach that exposed almost 360 million accounts, one of the largest breaches ever. More recently, LinkedIn had 164 million email addresses and passwords exposed by a data breach.
When a big organization is hit by a leaked database, cybercriminals get the opportunity to collect millions of email addresses they can use in their spam schemes. Not to mention that most of the leaked emails are probably active, making data breaches a gold mine for hackers.
There's not much you can do to stop spammers from finding your email through data breaches. One best practice is to manage your passwords carefully and not use the same password for multiple accounts. That way, if one of your accounts gets compromised, your other ones will remain safe.
You can check whether one of your emails has been compromised in a data breach on Have I been pwned?. Mind that this site does not cover every leak.
Let's say a cybercriminal managed to get your email address and sent you a spam email. He doesn't know yet if your email address is active or not, but he can find out if you interact with the email.
For example, you probably know that in the emails you receive from companies there's an Unsubscribe link at the end of the email so you can opt out of the mailing list and stop receiving emails from that specific sender. Legitimate companies will stop emailing you if you click on the Unsubscribe link.
In spam emails, on the other hand, the Unsubscribe link has a different role. When you click on it, the spam sender won't remove you from the list. The goal for the link is for the spammer to find out if your email address is active or not. Once you click on it, he'll know you use that email address and start sending you even more spam emails.
Another way for spammers to know whether your email address is active is through the images in the email. If the images load, the spammer knows you opened the email. That's why it's best practice not to load images automatically (most clients don't automatically load images by default) and to avoid clicking on "Load Images" if the email looks scammy and unprofessional.
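The two signals described above, remote images that load on open and links that identify the recipient, can be inspected in a saved message without rendering it. The following is an added example, not part of the original article: it audits a constructed sample message, and the hosts, the token value and the 12-character threshold are assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message (not real spam); example.invalid hosts are placeholders.
RAW = """\
From: "Prize Team" <promo@example.invalid>
To: you@example.org
Subject: You won!
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://img.example.invalid/banner.png" width="600" height="200">
<img src="https://t.example.invalid/o.gif?rid=8f3a1c9e77d24b06" width="1" height="1">
<a href="https://t.example.invalid/unsub?u=8f3a1c9e77d24b06">Unsubscribe</a>
</body></html>
"""

class RemoteRefs(HTMLParser):
    """Collect remote images and links without fetching anything."""
    def __init__(self):
        super().__init__()
        self.images, self.links = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src, href = a.get("src") or "", a.get("href") or ""
        if tag == "img" and src.startswith(("http://", "https://")):
            # A 0x0 or 1x1 image is invisible to the reader: a typical open-tracking pixel.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.images.append((src, tiny))
        elif tag == "a" and href.startswith(("http://", "https://")):
            self.links.append(href)

def has_token(url, min_len=12):
    """True if a query value is long enough to be a per-recipient ID (assumed threshold)."""
    return any(len(v) >= min_len for vs in parse_qs(urlparse(url).query).values() for v in vs)

def audit(raw):
    """Return what the message would reveal to the sender on open or click."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = RemoteRefs()
    parser.feed(body.get_content() if body else "")
    return {
        "remote_images": [u for u, _ in parser.images],
        "likely_beacons": [u for u, tiny in parser.images if tiny or has_token(u)],
        "tokenized_links": [u for u in parser.links if has_token(u)],
    }

print(audit(RAW))
```

A long token in a link does not prove the sender is malicious, since legitimate mailing lists use them too; it only shows that a click identifies your address to whoever sent the message.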
Scraping the web is a traditional way for hackers to collect information. They use programs to scan the web for email addresses. They usually look for the @ symbol since all email addresses have the firstname.lastname@example.org format.
Through this technique, spammers are able to find your email address if you made it public anywhere on the web. This includes places such as social media, comments, forums. If the place where your email is public is accessible through an internet search, scammers can find it and add you to their spam list.
Craigslist, for example, protects its users' addresses by providing a disposable email address where buyers or sellers can reach you, instead of asking you to use your real email address.
To prevent having your email address harvested through scraping, don't make your email public anywhere on the web. If you should share your email address online, avoid using the @ symbol to make it harder for scanners to spot it (myemail at client.com).
A common way in which spammers get your email address is by directly buying email lists. Because of the convenience of data breaches, this technique decreased in popularity, but it is still a thing.
One common way companies gather email addresses to further sell to spammers is through sponsoring giveaways. You might have noticed different online contests where all you have to do is provide your information (name, email address, phone) so you become a potential winner. The giveaways might be legitimate, but they use the information they collect by selling the email lists to third parties.
Spammers can also trade email lists among themselves, which means that once a spammer has got into your inbox, more might be coming.
To avoid having your email address sold to spammers, use a different email address when you enter online contests or register on websites you're not sure can be trusted.
An easy way for spammers to get your email address is by tricking you into handing it over.
Spammers set up spam sites where they ask users to provide their email addresses in return for something else. Usually, it involves winning a small prize. They might even actually hand over that prize to the winner so they can further maintain their act of being legitimate. The prize is a small price for spammers to pay in return for the huge email list database they are able to collect through this scheme.
To avoid falling victim to this kind of scheme, learn how to spot fake websites when browsing online. Always keep an eye out for spammy details such as bad grammar, misspellings, sketchy website design, and lack of details about the contest.
Also, avoid providing too much personal information when you are filling out online entry forms.
Another reason spam emails might end up in your inbox is if you have a pretty simple username.
Spammers use dedicated programs, also known as brute force programs, that generate alphabetic and numeric combinations of addresses. Most of these email addresses will be incorrect, but given that these programs can generate hundreds of thousands of combinations per hour, there will still be a notable number of active email addresses to be used for spam.
In this case, there's not much you can do. You could choose an email address that is harder to guess, but this will also make things harder for you when you share your address with friends.
What's important is for you to not open the spam email if you should receive one. The spammer has no idea if your email address is active or not, and, if you don't interact with it, the spammer will think it's inactive and stop sending you spam for nothing.
To avoid spammers getting their hands on your email address, these are the best practices:
- Don't make your email address public across the internet, including on social media platforms, in comments, forums.
- If you should share your email address online, use "at" instead of the @ symbol (emailaddress at emailclient.com).
- Don't click on "Unsubscribe" links in emails that seem sketchy.
- Don't automatically load images in emails and avoid clicking on "Load Image" if the email seems suspicious.
- Use a different email when you enter contests online as they might be collecting email addresses to further sell to spammers.
- Use different passwords for all your accounts so you protect the other accounts if one gets compromised.
We've gone over the most common ways in which spammers get your email address and the best practices to avoid having your email address harvested by spammers.
Unfortunately, there's no bulletproof way that will guarantee spammers won't get your email address. Even if you follow these practices, your email can still be on the list of a popular platform that becomes the victim of a data breach and there's nothing you can do about it.
The good news is that email clients nowadays have sophisticated spam filters, and it's a rarer occurrence that a spam email ends up in your inbox.
Lastly, keep an eye out for spam emails and don't interact with them. They are not only annoying, but they can also be dangerous to your online security as lots of phishing attacks are conducted through emails.