How cybercriminals get hold of your email

Examples

Software bots that collect emails from the web

The usage of email harvesting via software bots has been one of the more common methods of email harvesting in recent years. Like less sophisticated versions of Google’s search spiders, the bots scan web sites, forums etc. automatically in search of email addresses. Once the harvest bots have collected the mail addresses of one site they move on to the next. Depending on how advanced the software is up to thousands of email addresses can be harvested per day. The keyword here is quantity over quality, which goes hand in hand with the purpose of the harvesting in the first place: spam, phishing or using the list as a commodity.

How to protect yourself:  The only way of protecting on self from this type of email harvesting is to either refrain from writing e-mail addresses in the open on the web altogether or by typing them in a way so that a computer won’t be able to understand that is an e-mail address, e.g. john.doe(at)example.com. In this case the “@” is written in letters (at) and hence a computer will not be able to understand that it’s “reading” an email address.

Your email has been a part of a insider leak

News about employees leaking or selling their companies customer data is fairly common. One of the most reascent cases that made the news involved an incident where an employee at Amazon had leaked customer email addresses to a third party. The motive for employees leaking data of course differs. In some cases, it can be for financial gain and in others out of spite. However, in many cases there is no motive at all. It simply comes down to human error. Unfortunately, the motives behind the leaking of data is only superficially relevant for the people who get their data leaked since it has the same risk of ending up in the hands of people with malice intent.

How to protect yourself: The only thing that protects the common man from getting their data leaked or sold by companies is laws and regulations, meaning that you personally really can’t do more than trust that the company you submit your personal data to keeps it safe. However, no matter how rigorous the laws are or how rigorously a company protects their customers data it is impossible to guarantee that no one employee will not, for whatever reason, leak it.

More examples

Your email has been a part of a company data breach

In contrast to a company selling or leaking your data they can also get breached, which in contrast from leaked data means that someone from outside the company finds a way to steal the data. Since customer data is big business there are many people out there who are highly motivated in infiltrating data sources and extracting the confidential information they find. Consequently, data breaches happen on an almost daily basis where a single breach can result in anything from tens of thousands of people’s personal information getting stolen to millions (this of course also goes for leaks).

How to protect yourself: All you really can do is hope that the companies with whom you share your personal information have taken appropriate IT-security measures to keep hackers at bay and that they follow protocol when it comes to your personal information. Although, even if a company does everything by the book there is still a risk that they will get hacked or make a mistake that will expose their customers data in the open for people who know where to look. Linkedin, Ebay, Adobe and Zynga are just a few examples of major and leading companies who have gotten hacked and had their user data stolen. If companies like this can get their user data stolen, we must imagine that all companies are at risk.

Social media phishing

What all phishing has in common is that it masquerades as coming from a trusted source like someone you know a well-known company etc. Phishing comes in a lot of forms where e-mail phishing is probably the most well-known. But this article is about how cyber-criminals get a hold of your email in the first place, so let us look at a type of phishing that can be used to get a hold of email addresses – social media phishing. One method to lure you into giving away your information include inbox messages on Facebook from people in your friends list - whose had their account compromised - saying e.g. “Oh my god! Is this you in this photo?” with a link attached in bottom of the message. Another phishing scam that was widely spread on Facebooks was claims – seemly coming from Facebook themselves – that you could install account extensions that would make you be able to see who has visited your personal Facebook page. In both examples the person following the link provided in the messages were linked either to fake login-pages which is used to steal your login-information or surveys to collect your personal data (including your email).

How to protect yourself: Be cautious whenever you’re asked to enter sensitive information, don’t click suspicious links and last but not least: always check if the URL looks correct if you are directed to a new login-page that claims to be from the social media platform that you are currently logged in to.