Wonderful Spam!

How I Learned to Stop Worrying & Live With Spam

 
— The Vikings at the Green Midget Cafe
Monty Python’s Flying Circus · 1970

Spam, Spam, Spam, Spam,
Spam, Spam, Lovely Spam!
Wonderful Spam!
 

Junk email — Spam — is detested by everyone…

except those who make their living from it.

Spam is the most common form of social engineering — attempting to trick us all into giving up enough information to access our accounts and assets, either by phishing for our login credentials, enticing us to help some cash-poor multi-millionaire, or installing malware that scoops up our passwords or extorts us with ransomware.

Spam’s ultimate goal is to get our money.
[All money not in one's personal possession as physical cash is accessible digitally with the right credentials. Even if we do not setup online banking ourselves, financial institutions use online digital systems to manage our accounts.]

I have a few simple guidelines for dealing with all of your email without worry.

But first, let’s answer that age-old question: What is Spam really made of?

Spam's main ingredients are:

• Spoofing
• Phishing
• Attachments
• Malware

SPOOFING
Spoofing is a common part of most Spam. It is simply the custom-encoding of an email message so that it appears to come from a different address than the one that actually sent it. Two types of spoofing are common:

• Business Name Spoofing — where email appears to come from a place that you already deal with, such as a specific bank or even from Apple Support.
• Contact Spoofing — where the email appears to come from one of your regular contacts. This can happen when a hacker gets access to someone’s Contacts or Address Book containing your email address. You then receive emails appearing to be from the person who listed you as a Contact. Once a spammer has someone’s Contacts, they need not hack their email account — just spoof it.

The point of Spoofing is to get us to open, read, and respond as if the Spam came from someone that we know or trust.

Some spoofing is obvious and can be trashed without further consideration, such as emails claiming to be from a bank where you don't have accounts, a foreigner who has money they are eager to share with you or sending you a purchase order, or a relative or friend who needs money immediately for their bail, emergency room treatment, car towing, or some other can't-wait-just-do-it crisis.

PHISHING
Phishing is the process of emailing vast numbers of people at once with a message intended to trick them into taking the bait — whether it's clicking a lin (URL), opening an attachment, or sending personal data in a response. It may try to lure you to a fake login page where your login credentials for an account can be captured by hackers. With phishing emails sent to millions of recipients, some percentage of them will bite, compromising their own account information. Even a really tiny percent being tricked can result in lots of loot for the hacker and a significant loss for each victim.

Spear-phishing is highly targeted phishing of a small group or just one person  — The Whale — whose credentials are especially valuable due to their high level of access to a specific data system. Spear-phishing is often carefully crafted, incorporating researched personal information to be more believable. Though more work to setup, the payoff can be access to all of the accounts in a system rather than just the account of the person who was fooled. One harpooned whale can expose all of the accounts of a business, bank, brokerage, or retirement fund, or all of a social network's user accounts. Spear-phishing often combines emails, texts, and phone calls to convince The Whale of the urgency for a quick response.

ATTACHMENTS
Attachments can be boobytrapped to run programming scripts, connect to websites, or install malware when opened. Common types of rigged attachments include: PDFs, Microsoft Word docs, and image files, though there are many others. Any type of document that can be attached to emails can be boobytrapped by a skilled hacker. Opening it triggers actions over which we have no further control, such as installing malware or running system-level scripts which give a hacker access to all of our device's content. When used with Spoofing, Spam attachments often are opened based solely sender's trusted-but-spoofed address and name recognition.

MALWARE
Malware is malicious software which can do a myriad of nasty things to your computing devices — stealing credentials from your password manager, keylogging, changing settings, connecting to rogue servers to download more malware or upload copies of your personal files and data, even erase or lock your disc as part of a ransomware attack. It's all malware — malicious code to mess with, steal, or encrypt your data to demand a ransom or get money from your online accounts. Hackers hope to run malware on your computing device if you open a boobytrapped attachment or follow links to malware sites.

Time-tested Recipies Make Spam Easy to Swallow

You would think that all of the fake stuff used in Spam would make it smell a bit whiffy, but enough people bite on phishing lures to make the work of hackers pay off. Here's how they bait their hooks…

Buttons & Links
Phishing emails often include links or buttons purporting to take you to a login page for your account. Spam links often don’t go where they say they will! Even if a visible URL spells out the full website path, that may not be the address it will go to if you click it (i.e., try this button link to ). Buttons and links are just a label that does whatever its maker wants it to do, like taking you to a fake login page or triggers an action like installing malware.
Don’t click on any stuff in suspicious emails.

Phone Numbers
Phone Numbers in emails may not have anything to do with the supposed sender. Don’t call them. If you need to phone someone in response to an email, go to your Contacts record for that person or business and use their real phone number you previously stored. Spammers might actually look forward to getting your call — letting them grab your phone number to go with your email.
Say it with me… Spam, Junk Texts & Robocalls, Oh My!

Email Addresses
Senders’ emails and addresses within the body or signature lines of an email should not be used to reply to unverified senders. Responding in any manner to Spam is likely to increase the amount of Spam you receive because any response tells the hacker that you read and respond to Spam. Also a “reply” to the spoofed account, which didn’t actually send you the email, only increasing the confusion by bringing the spoofed account owner into the middle of the exchange.
Don’t reply to Spam unless you want more Spam.

Unsubscribe Links
Unsubscribe options in Spam will not remove you from any Spam lists; using these links may make you a prime Spam target by verifying that you both open and read Spam and even click on links in the email, making your email more valuable to hackers. Or, that unsubscribe button might trigger a malware installation.
Never try to unsubscribe from Spam. You can’t.

Artificial Intelligence
A.I. has added to both the quality and danger of Spam since early 2023, when public availability of programs such as chatGPT put the power of Generative A.I. into the hands of hackers worldwide. Those who once produced awkwardly-worded emails with poorly-crafted buttons and graphics, could suddenly use A.I. to create flawlessly worded emails in English with buttons and logos matching the businesses and websites they are immitating. A.I. could even write any required code, so recipients get something which looks just like the real thing, including the phony web landing pages of spoofed sites that now match the authentic websites.
Expect A.I. to keep advancing to make Spam more convincing.

Triage All Emails

All incoming email can be quickly identified as 1 of 3 classes:

1. Obvious Spam — If it’s obviously Spam, don’t open it. Delete it immediately.
2. Suspicious Emails — those you aren’t sure whether to Open or Delete.
3. Trusted Emails — those that appear to come from trusted contacts, tempting you to open them without further caution.

Let’s consider how best to approach each.

We’ve already dealt with Obvious Spam — delete it!

But what about those Suspicious or even your Trusted emails?

Coping with a Suspicious Email

There are several precautions to take when you receive a suspicious, unsolicited, or unexpected email:

1. View only the Preview (the default list view in iPhone’s Mail app).
   On iPhones you can press down on the preview lines to get a popup-preview of more content without fully opening it.
2. If an email gets opened, don’t click links or download or open attachments.
   On iPhones you can press down on link or button to get a popup-preview of the taget content without activating it. This often revieals the URL it will go to. (Even if it looks good, don't use this link!) If the URL is invalid, the email should be treated as Spam.
3. Determine whether or not you would act on this email if it were legitimate.
   Do not try to figure out if it’s legit or not, but rather, if you assumed it was legit, would you take any action in response to it?
4. If you would act, use Safari Bookmarks or Favorites, or a website URL in Contacts or your password manager to go to the official website to log in. Don’t use buttons or links in email. When done, file or delete the email.
5. If you would not act on it even if it were legit, move or delete it immediately.

Dealing with Trusted Email

Take these steps when you receive email you assume is perfectly legit:

• The same steps listed above for Suspicious Emails — yes, exactly the same.

Consider these questions before treating any email differently than Spam:

• Did I expect to hear from this sender? Is it predictable and on schedule?
• Does it look, feel, or sound like previous communications with this sender?
• Did my Mail App match the sender's email address with one of my Contacts?
• Do I want to read it?

If you answer enough of those questions YES to still feel confident about it, then go ahead with appropriate action:

• If a trusted contact regularly sends links to news, jokes, or online meetings you attend, follow their links when you feel it’s appropriate. (You might still try long-pressing on the link to be sure it's going where you expected.)
• If Apple Inc. sends a receipt for your monthly iCloud storage payment, or for a Music or App Store purchase, file it in an appropriate mailbox (not your inbox).
• If Apple Support or your email provider surprises you with email urging you to login to your account due to recent problems, refer back to Coping with a Suspicious Email. Login to their official site from a saved bookmark or contact record to check that all is okay.
• If your bank says your monthly statement is ready and provides a button to view it, go back to Coping with a Suspicious Email. Use the bookmark you saved in Safari or Contacts to open the bank’s official login webpage to see your statement instead of trusting any email button. If you haven’t yet saved that bookmark, do a web search for the official website of the bank or business and bookmark the login page for later.

Spam-Worry-Free and Loving It

Not needing to identify Spam is liberating. I can triage all my email in seconds from just the Preview lines without needing to figure out which are Spam because that won’t affect how I respond to it.

Only two questions matter:

1. Would I act on this email if it were legit?
   If yes, take that action without using links or buttons within the email.
   If no, move on to Question 2.
2. Would I save this email if it were legit?
   If yes, file it in your appropriate mailbox.
   If no, delete it right away.

You need not decide whether or not you think an email is Spam or legitimate. It won’t matter if you don’t use any documents or links within that email should you choose to act on it.

Most emails can be deleted or filed immediately.

Either way, it’s out of your inbox, and you’re done with it.