There is no question about it, internet scammers are morons.
On a frequent enough basis to be noticed, I get an email from some scammer trying to get me to click a link, send them money, or send them bitcoin—or anything else that they want me to do. And 9 times out of 10, they are badly worded, trying to sound official, but really have no clue about how English grammar actually works.
And they expect "me" to fall for the scam?
I will grant you that I'm not your typical internet user. I know better. And I know the tricks of the game that your average internet user doesn't know.
But seriously, dudes, you could at least learn how to use MS Word's grammar checker. I know it's not the best, but at least it would deal with the lack of capitalizations in your emails.
While I can spot the scammer a mile away, there will be many unsuspecting people out there who will be gullible enough to fall for the scam. It may be only one in 10,000 people, but it's statistically significant enough for the scammers to keep doing it.
And a scammer's favorite playground is email. Far too many people get emails and blindly click on the links without understanding what they're clicking on.
Of course, the first question that people ask is how did the scammer get your email in the first place. Well, let me tell you exactly how they got it.
The first avenue is through login lists with your email.
Internet-based user databases are only as secure as the last hacker who tried to get into their system. No matter how sophisticated the encryption algorithms are, there will always be a hacker out there who can break into the system.
Even government systems are not 100% secure. They like to profess that they are, but that skilled hacker is just waiting to try their hands at cracking the codes. And the best hackers are often hired by the government to hack into the systems of other governments.
A sobering thought, isn't it?
So, your data is floating around in the internet just ripe for the picking. And we average internet users have a bad habit of making it even easier for the scammers and hackers to get that data by linking various systems together. And for simplicity, we often use the same email for EVERYTHING.
Seriously, folks, using the same email address for every aspect of your life is just asking for trouble. And for the sake of internet security, I highly advise against it.
You should be separating your account administration from your general communications at least.
For writers, I recommend that you have at least five separate email addresses just for your writing-related activities.
The good scammers start with social media.
To have a social media account, you have to have an email address, but on most social media sites, there is a setting that will determine whether your email address is publicly available or not.
Facebook has multiple security settings that guard your email address.
On Facebook, there's a setting that determines whether people can find you through your email. By default, new accounts have this setting turned on. And you have the obvious settings that specify if your email address is public, visible to your friends only, or private. Guess what setting I use.
Two separate settings in different parts of the system. And if you want to keep your email address private, you need to use both of them in tandem.
On LinkedIn, hundreds, if not thousands, of people can see your contact details by default.
On LinkedIn, contact details (emails AND phone numbers) are made public within your network by default. That might seem innocent until you learn what a network really is.
According to LinkedIn, a network is up to three degrees of separation from your connections.
Let's say that you have five connections. That's five people that you have befriended on the platform. Now, let's say each of those five connections has five connections of their own. And let's say each of those five connections has five connections of their own. And those five connections have five connections of their own. If you do the math, just on the number five, that's 625 people who have access to your contact details through LinkedIn.
But of course, most people don't have just five connections. Some people can have hundreds of connections. That is a lot of people who have access to your email address and phone number by default.
I had no idea that this quirk of LinkedIn existed until 2015, shortly after I had set up Black Wolf Editorial Services with its own custom domain email address. I had received a random email from someone who saw my photo on LinkedIn—and was trying to send me a "pickup" email.
When I got that first email, the first question that went through my mind was how did this complete stranger get my email address. And it wasn't just any random email address that I know has been floating around the internet for some time. It was my business email address—the one I had only just set up. The email address in question had only been in existence for about a month, and I didn't have it listed on my website. The only place it was listed was on LinkedIn, but I thought my contact details were only visible to those I chose to connect with on the platform. Nope… I was totally wrong about that.
The scammer who inadvertently brought the security issue to my attention became incredibly insistent, and I eventually had to blacklist the guy's email address, but it was an education.
It turns out that you can elect to have your contact details made private on LinkedIn, but now that I know the danger is there, I am able to make the informed decision about keeping my contact details as public on the platform. It is the ONLY social media site that I'm connected to that uses that particular email address. And every time LinkedIn insists that I also add my phone number to my profile, I tell the system to bugger off.
If I was to input my phone number, my phone number would become just as publicly visible as my business email address. I can appreciate how some people are happy with this, but I'm not. So, I continue to ignore LinkedIn's demands about my phone number. That is one detail I still want to control.
But this is the heart of the situation. If you understand what the dangers are, then you are equipped to make an informed decision on how to manage the risks.
LinkedIn and Facebook are not the only sites that make things public without you necessarily knowing it. Instagram is just as guilty.
Instagram business accounts are worse.
This one is yet another setting that I found quite by accident.
I had signed up for Instagram, because my daughter had decided that she wanted to join the platform herself. But of course, if I was signing up for Instagram account, I was going integrate it into my online platform as a writer.
Not long after I signed up for Instagram, I got these messages asking me if I wanted to change my Instagram account to a business account. The advantage of having a business account is that you can run ads. I can see how this would be advantageous in the future, so of course I said okay. Then I saw what it did.
My email address connected to my Instagram account and my phone number were suddenly public.
I was in a panic. I hunted through the system to find the settings required to turn it off. But nope, if you have a business account on Instagram, there is nothing you can do about it. Those emails and phone numbers are out there in the world.
On Facebook, you can have a separate email address listed on your business pages—different from your login email—but this is NOT the case on Instagram.
Needless to say, my Instagram account was quickly reverted back to a personal one. Who needs to run Instagram ads, anyway?
So, getting email addresses off of social media, if you know what you're looking for, is not that hard. This is how most scammers find your loving email address to send you something. But for those of us with websites, there are other strategies that the scammers employ.
The Scrapper Bots
Scrapper bots are automated programs that go through an entire website and pull out every email address listed on that site. That includes email addresses that are hidden behind contact forms.
It has gotten to the point that if you use a contact form and you haven't used reCaptcha or something similar, the email address attached to those contact forms can be quickly loaded with spam.
But that doesn't stop the scammers. As long as they can scrape your email address, you can be scammed via email.
Scammers are idiots if they think they can scam me.
Many scams that find my inbox involve an email address that a scrapper bot got from one of my websites. And here is just one of the scams that came my way.
The email said that my website had been suspended because my domain was no longer active. Because I knew that my domain was coming up for renewal, I looked at the email trying to figure out what was going on.
And I knew the moment I opened the email that it was a fraud.
There were several things that were wrong with it.
- It went to an enquiries email address. All enquiry email addresses that I have connected on any of the websites I run are for the sole purposes of enquiries. When I respond to those emails, I respond from a different email address, leaving the enquiry emails for the bots who decide they want to scrape an email address from my website.
- It went to an enquiries email address. I know this is a repeat of point 1, but you should know that ALL administration of my websites are handled through a specially chosen email address for the sole purposes of administration with service providers. I do this to protect my systems from hackers. My communications emails are publicly known. If any of those become compromised, by using "secret squirrel" emails, my websites and domains are protected.
- The email came from someone who was not my hosting provider. My domain had nothing to do with the company involved.
- The date that my domain supposedly expired was wrong. If the scammers had bothered to do their homework properly, they would've been able to work out that my domain didn't come up for renewal until August, not July.
Of course, because I'm the type of person I am, and because I write stories where the bad guy uses the internet to play havoc on his victims, I decided to do a little snooping.
A WHOIS search is your privacy friend!
There is a tool that is openly available to the public called WHOIS. Go to WHOIS.com, and enter any domain and see what comes up.
Government sites are locked down, with registration information hidden from the public, but even if the information is not available in the WHOIS search, you can still see if the domain is active or not.
For privately owned domains, if the person who owns the domain uses privacy protection, then the information retrieved in a WHOIS search will consist of when the domain was first registered, when it was last updated, when it comes up for renewal, and who the domain was registered through. Depending on a few other settings, you might also find information about whom to contact if there is an issue with the domain.
So, when I did the WHOIS search for the scammers' domain, I learnt that the domain had been registered through GoDaddy only a week prior to receiving that email.
Why on earth would I register my domain, a domain that has been in existence since 2015, with the company whose own domain was a week old?
I'm on to you, buddy.
Don't take everything that comes into your email at face value.
I suppose this is a given, but the number of people who blindly click on links is still insane. Taking some minor precautions can go a long way in protecting yourself from the scammers.