Spam, or junk, emails are often sent out in bulk from compromised computers connected to the internet.

They usually try to entice you to visit a website to buy products, e.g. pharmaceuticals or beauty products, to redirect you to sites that are set up to steal your personal data (this is called 'phishing'), or to get you to open an attachment that infects your computer or device with malicious software (malware).

Junk email is the electronic version of direct mail you get through your front door, leaflets inside magazines or flyers handed out on the street. Some of these emails will be from genuine companies offering services, but some may not be.

You always have the option of deleting emails without acting on them. They can be annoying, but unless you do something with them, they are harmless.

However, if you do click on a link or open an attachment, then you are likely to be a victim of phishing or malware.

What is phishing?

Phishing is a scam where internet fraudsters pose as reputable organisations or as someone from your own organisation or contacts list, and trick you into sharing personal or financial information with them.

What should I look out for?

You should be suspicious of any emails containing links asking you to update or verify your personal details and including statements such as:

  • “We suspect an unauthorised transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
  • “If you don’t respond within 48 hours your account will be closed.”
  • “Your account has been, or will be, suspended.”
  • “Your email account has been locked or is over its size limit.”

Phishing emails may appear to come from your bank, a company you regularly do business with, or a social networking site. They may include official-looking logos or convincing personal details which the scammers have found on your social networking pages. They might also appear to be from someone you know.

They can include links to spoofed websites where you are asked to enter personal information. They might ask you to make a phone call, where a person or an automated system waits to take your account number, personal identification number, password or other valuable personal data.

How do I avoid becoming a phishing victim?

If you get an email or pop-up message that asks for personal or financial information, do not reply to the email or click on any links.

Never email personal or financial information, as email is not secure enough. Only provide this information to an organisation through their website – and look for indicators that it is secure (like a URL beginning with https – the 's' stands for secure).

Use antivirus and anti-spyware software, as well as a firewall, and update them all regularly.

Review credit card and bank account statements as soon as you receive them to check for unauthorised charges. If your statement is late, call your credit card company or bank to confirm your billing address and account balances.

Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer’s security.

Some emails can look very convincing, with accurate replicas of real companies' style and good spelling and grammar. But you should always be wary of any unexpected request to take action, whoever it claims to be from. There are still things you can check even in very plausible-looking emails.

  • Look at the email address the email has been sent from. For example, "[email protected]". This email appears to be sent by British Airways (BA) and is in the correct format for a BA online ticket reservation, but the email address has been forged.
  • Look at links within the email. For example, links may look as if they go to a legitimate site, like britishairways.com, but they will actually take you to a hacked website, as another link has been masked within this text. It is easy to mask URLs in this way, so always hover your cursor over the address to see the true URL at the bottom of your browser window.

If you are still not certain, get in touch with the company using the contact information on their website to find out whether they really sent the email.

What is malware?

Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs.

It can take the form of executable code, scripts, active content, and other software. Malware is often disguised as, or embedded in, non-malicious files. It can perform different kinds of attacks on your computer or be used to disrupt or gain control over a computer or network.

It may be stealthy, installing trojans which can steal your personal information or spy on your activity for an extended period without your knowledge, or it may be designed to cause harm, such as ransomware designed to sabotage or to extort payment from you.

What should I look out for?

Malware delivery often follows a similar pattern to phishing, so watch out for suspicious emails and attachments, especially unexpected ones and those that end in .zip, .exe or .cab.

How do I avoid becoming a malware victim?

As malware often arrives in email similar to phishing emails, following the advice above on phishing can help protect you from malware too. In addition, you can:

  • Check the email address. Is the sender familiar to you and were you expecting an email from them?
  • Check that the subject line makes sense.
  • If the attachment is a .zip file, it should arouse suspicion. Don't open attachments that look suspicious or that you were not expecting.
  • Check whether the contents of the email are very generic. Emails that contain very short, generic text like 'Check this out!' along with a file or link are likely to be harmful.

If you do open a malware attachment, it will launch a program which will probably do something bad to your computer. It may, for instance, encrypt all of your files and demand payment from you to provide the decryption keys, so you can access your data again. This is called ransomware, and you could be greeted with a pop-up on your screen, giving you a deadline to send the payment.

What should I do if I've been a victim of phishing or malware?

It is always better to avoid becoming a victim by being vigilant and aware, but if you believe you’ve been scammed, lost money, or had your computer infected then you can report this to Action Fraud.