YOU'VE GOT SPAM
By Beth Lawton
The first email — and hint that something was seriously wrong — rolled into my email inbox at Alexandria Living Magazine at 8:49 a.m. on a Monday in January.
The email’s subject line was Re: Electric Companies HAT This Efficient Heater.
The person who sent that 8:49 a.m. email, named Teresa, had hit the ‘reply’ button on an email advertising an ultra-efficient space heater — one that electric companies supposedly HAT. (We’ll assume the sender meant “hate.”) Teresa asked us to unsubscribe her from our email list.
The problem: Teresa had never been on our email list. We had no idea who Teresa was, and we certainly had not sent anyone an email advertising a space heater.
Then, a similar email came in from a person named Manuel. Then Luis, Ida, Victor, Mike, Terry, James, Juanita. All of them had that same subject line and essentially said the same thing:
“Stop!”
“UNSUBSCRIBE!”
“**** you!”
We responded to each email individually, stating that we had not sent the offending email and we were looking into the matter.
What happened?
Anyone who has had an email address for more than a day has probably received unwanted emails, commonly referred to as “spam.”
Companies that operate according to the law only send emails to people who have opted (sometimes inadvertently) to receive those emails. Sometimes, companies buy email addresses from other companies in the hopes of increasing sales simply by increasing the volume of emails they send out — similar to how businesses buy mailing addresses to send out advertisements. This is also legal as long as the company abides by certain requirements, like promptly honoring unsubscribe requests and being honest about their identity.
But, sometimes, companies “spoof” emails, making it appear as though the emails have come from a trusted, reliable business. That’s what happened to us.
“Calling it electronic mail is not a coincidence,” said Dan Ross, an engineer at Envision Consulting, a local company that provides proactive and managed IT services across a variety of sectors. “The way it typically works is that you have a virtual envelope that contains your email, and there’s a 'to' field and a 'from' field. So, you just change the 'from' email and drop it in the mailbox.” It’s almost as easy as sending a fraudulent letter through the U.S. Postal Service. There was next to nothing we could have done to prevent this.
What shocked Ross was how brazen the heater company was in doing this. Normally, companies make concerted efforts to hide their digital tracks when sending out emails that seem to violate federal laws. In this case, Ross said, “It was like stealing your neighbor’s car and then parking it in your driveway.”
Within minutes of the unsubscribe request from Teresa, we logged into our email campaign system, looking for any evidence that someone had sent the email directly from our account. There was none. We changed our password, anyway. We also changed our email account passwords for safety.
‘Cease and desist’
Because we were able to identify the heater company that sent the email, we had options to possibly prevent this type of thing from happening again.
The link in the heater advertisement email led to a webpage offering 50 percent off the space heater. The bottom of the email showed a company address at a warehouse in Jackson, New Jersey. Further research showed the company also had a business address in nearby Union City.
We found the heater’s trademark is owned by a company that sells a variety of “cutting-edge products.” That company is based in California; it has almost universally bad reviews from customers and a failing grade from the California Better Business Bureau.
We called the company’s toll-free number. The customer-support person was unable to connect us to their legal department and said the company does not send emails.
Our next move was to send a “cease and desist” message to the email listed on the heater company’s website. We sent the same message through the “contact us” form on the website. For good measure, we threatened legal action should they fail to respond.
To their credit, we got a response from the company within an hour assuring us that our message was forwarded “to the relevant department.” (We never heard from that department.)
Meanwhile, the requests to unsubscribe and demands that we stop sending emails continued to flow into our inbox.
Reporting to the FTC
Still frustrated, we went to the Federal Trade Commission website to file a complaint there. The FTC is the federal government agency with the mission of “protecting consumers and competition by preventing anticompetitive, deceptive, and unfair business practices through law enforcement, advocacy, and education without unduly burdening legitimate business activity.”
The complaint form was easy enough to submit and took less than five minutes, but the message we got after submitting the form was a letdown. The FTC does not investigate and resolve individual complaints like ours, but rather uses the complaints to look for patterns that can lead them to uncover illegal activity.
It seemed that our complaint would only matter if a lot of other business owners made a similar complaint against the same company. To put that in perspective, the FTC reported it received more than 2.8 million consumer complaints in 2021, the most recent year for which data is available. More than 700,000 of those complaints were for “imposter scams.”
Ross suggested that the company may have made the gamble that the FTC wouldn’t bother to take any enforcement action against them. Further, many businesses probably wouldn’t have thought to report them or known how to do so.
About that ‘unsubscribe’ button…
We have no idea how many people in Alexandria or Northern Virginia received the email from the heater manufacturer, and there was no way for us to find out. Our internal email tracking system revealed that Teresa and Manuel were in Nebraska, Luis was in Pennsylvania and James was in California.
We confirmed that the “unsubscribe” link at the bottom of the email did not work.
Even if the unsubscribe link did work, clicking it can come with risks, according to computer security firm McAfee.
“While attempting to reduce the load in your inbox, you might actually increase the amount of spam you receive, and in the worst case you could be infecting your system with malware by clicking that link,” according to McAfee.
A legitimate company sending emails will honor unsubscribe requests. Doing so is required by federal law. Unfortunately, if the company is unethical, clicking the unsubscribe link will prove to them that your email address is valid and active, and the company can sell your email address to other companies at a higher price. (Replying to the email with a request to unsubscribe can have the same effect.)
Worse, clicking the unsubscribe link could lead to a website that puts a virus on your computer or phone.
Instead, security experts recommend doing one of two things: Ignore the email entirely (don’t even open it!), or block that email address from sending you messages and then delete the email.
Either way, it’s important for consumers to use an email service provider that has a strong spam filter attached.
“The way spam filters work is that they look at the ‘to’ and the ‘from’ field and they try to match the sender’s Internet Protocol (IP) address to the domain,” Ross said, to verify the legitimacy of the email.
“The problem spam filters run into is that there are legitimate reasons for spoofing. SurveyMonkey or Constant Contact — any of those mass-emailing services — they’re spoofing your domain to send mail on your behalf. The challenge is authenticating that a company is really sending this on your behalf,” he said.
Some businesses invest in stronger, customizable spam filters for their employees’ corporate email addresses, but those can be expensive and they are typically available as enterprise solutions, not for individuals.
“From a consumer point of view, you are a little bit at the mercy of the email platform you are using,” Ross said.
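The check Ross describes corresponds to the Sender Policy Framework (SPF): a domain publishes the IP ranges allowed to send its mail, including any mass-emailing service it has authorized. The following is an added example, not part of the original article, that evaluates a simplified SPF policy; the domains, IP addresses and the `SPF_RECORDS` table are constructed sample values standing in for DNS lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The domains and addresses are
# documentation-reserved sample values, not real records.
SPF_RECORDS = {
    "magazine.example": "v=spf1 ip4:192.0.2.0/28 include:bulkmail.example -all",
    "bulkmail.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate an SPF policy limited to the ip4, ip6, include and all mechanisms."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"        # the domain publishes no policy to check against
    if depth > 10:
        return "permerror"   # guard against include loops (RFC 7208 caps lookups at 10)
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mechanism = term[1:] if term[0] in RESULTS else term
        name, _, value = mechanism.partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # An include matches only when the included policy returns "pass";
            # this is how a mass-emailing service is authorized to send for you.
            matched = spf_check(sender_ip, value, records, depth + 1) == "pass"
        elif name == "all":
            matched = True   # catch-all, normally the last term
        else:
            continue         # mechanisms not handled in this example are skipped
        if matched:
            return RESULTS[qualifier]
    return "neutral"         # nothing matched and the policy has no "all" term


def classify(sender_ips, domain="magazine.example"):
    """Return the SPF result for each connecting IP claiming to send for `domain`."""
    return {ip: spf_check(ip, domain) for ip in sender_ips}


if __name__ == "__main__":
    # The domain's own server, its authorized bulk mailer, and an unrelated sender.
    for ip, result in classify(["192.0.2.5", "198.51.100.77", "203.0.113.9"]).items():
        print(ip, result)
```

SPF is evaluated against the envelope sender domain, so a receiving filter still needs DMARC to tie the result to the "from" address the reader sees.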
Why is it called ‘SPAM’?
Why is unwanted digital marketing called “spam”?
You can thank Monty Python.
The comedy troupe in 1970 released a sketch about a restaurant where every single menu option included the canned meat Spam, which the diner did not want to eat.
The first documented email spam was sent out to the users of ARPANET in 1978, about 25 years before Congress passed the CAN-SPAM Act. In that context, SPAM is part of a much longer acronym: the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $46,517, according to the FTC.
How can you tell if it’s a legitimate email?
Unfortunately, sometimes legitimate emails get trapped by spam filters and some spam emails get through the filter.
In our case, the email was from a real company selling a real product, but it could have been a scam to get customers to send money for a product that would never arrive.
There are a few ways to tell a real email from one that’s nefarious.
• Check for typos or sentences that seem like they were very poorly translated.
• Look to see if the ‘from’ name seems to match the email address the message comes from. (In our case, the ‘from’ name was the heater company but the email address had alexandrialivingmagazine.com at the end.)
• Be very careful with emails that ask for personal or company information — particularly financial information. If you receive an email asking for financial information at work, check with your human resources department before replying to the email.
Plus, ask yourself the following questions:
• Have you heard of this company before (outside of emails from them)?
• Does the company seem to have a real address? (Do not click on a link in the email, but you can open your web browser and do a search for the company to look for red flags.)
• Does the email pass the “sniff test”? If it seems like an offer that’s too good to be true, like a miracle cure or an easy way to make money fast, don’t fall for it.