Spam, marketers, email retargeting, email spoofing

Have you ever been browsing a website and later received an email from them even though you had not provided your email address? Or maybe you added items to your cart on a website but decided not to follow through with the purchase and later received a message “did you forget to complete your purchase” or a similar notification?

Email Retargeting

One way this can happen is if the website uses an email retargeting company. These companies harvest information about users who visit a website, such as email addresses, items they may have added to their cart, links they clicked on and other actions they performed while on the website. They then use this information to target you with email messages and popups.

It is a shady practice, but it is legal and once they get your email address you will start to receive spam and marketing email messages.

Email Harvesting

Spammers also use email harvesting software to collect email addresses from websites. They use harvesting bots/harvesters to compile lists of email addresses.

Dictionary Attack

Another tactic they use is called a dictionary attack. This can be used to guess email addresses and passwords. It is normally done by a program that guesses email addresses by using variants of common names. Then the spammers will send email messages to those names using the guessed email addresses. If the email does not bounce back with an error, they assume that the address is valid and that it is an active email account.

One thing you can do to prevent your inbox from being flooded with spam is to use a separate email address for anything you do online such as shopping, signing up for newsletters and message boards or anything else that requires you to register with an email address. You can use a secondary or disposable email address in these situations. Keep your personal email as private as possible.

Similarly, they use the dictionary attack to guess passwords. Many people select their own passwords instead of using a random password generator to create a secure password, and many times the person chooses a common word or phrase as their password. This makes it much easier to guess. The hackers use a program that searches for words in the dictionary and variations of these words to try to find a user’s password. They can then use it to access the person’s accounts.

Brute Force Attack

Instead of using words from the dictionary, a brute force attack just uses a program to automatically enter random letters, numbers, and symbols to try to hack into a user’s account.

The best way to prevent your password from being hacked is to use a random password generator to create a long password of at least 8 characters that uses a combination of upper- and lower-case letters, numbers, and symbols. Never use the same password for more than one website. Choose a unique password for each site you visit.

Here are a few sites you can use to generate a password.

Passwords Generator

Norton Password Generator

You should also use a password manager on your computer, tablet, and smartphone to store and manage your usernames, passwords and website information. Many of the password managers have a built-in password generator.
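
An added example, not part of the original article: Python code that generates a password meeting the advice above from the operating system's secure random source, and flags passwords that are only a common word with symbol swaps or trailing digits, which is what a dictionary attack guesses first. The word list and function names are constructed for illustration.

```python
import math
import secrets
import string

# The four character classes the article recommends combining.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable characters

# Constructed sample word list; real guessing dictionaries are far larger.
COMMON_WORDS = {"password", "sunshine", "dragon", "welcome", "monkey"}

# Symbol-for-letter swaps that dictionary tools try automatically.
LEET = str.maketrans("@4301$5!7", "aaeoissit")


def generate_password(length=16):
    """Random password from the OS CSPRNG with every class represented."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    chars = [secrets.choice(c) for c in CLASSES]  # one per class
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)  # no fixed positions
    return "".join(chars)


def is_dictionary_based(password):
    """True if the password is a common word plus swaps or trailing digits/symbols."""
    candidate = password.lower()
    while candidate:
        if candidate.translate(LEET) in COMMON_WORDS:
            return True
        if candidate[-1] not in string.digits + string.punctuation:
            return False
        candidate = candidate[:-1]  # drop one trailing digit or symbol, retry
    return False


def brute_force_bits(length):
    """Approximate size, in bits, of the space a brute-force attack must search."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    print(generate_password(), round(brute_force_bits(16)), "bits")
    for pw in ("P@ssw0rd2024", "welcom3!!", "kT9#vLq2!xZr@8Wd"):
        print(pw, "-> dictionary-based" if is_dictionary_based(pw) else "-> not in word list")
```

The bit count treats every character as independent, so it slightly overstates the search space once one character per class is forced.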

CC vs BCC Email

Another way spammers can obtain your email address is when someone uses CC (carbon copy) instead of BCC (blind carbon copy) when addressing an email message to a group of people. When you send a message and include all of the recipients in the CC field, everyone who receives the message can view those email addresses. The email can be forwarded again and again, exposing your email address. Instead of using CC, use BCC when sending a message to a group. None of the others receiving the message will see the email addresses in the BCC field.

Selling and Leaking

Companies can leak or sell email addresses. Whether it is online or in person, when you provide your email address to a company you are at their mercy as far as privacy is concerned. They can do what they want with your information. As I stated previously, it is best to use a disposable or secondary email address when you must provide your address to a company.

Phishing

Spammers use phishing to harvest email addresses as well. There are many ways they do this: they may pose as banks, financial institutions, government agencies or companies you do business with, tricking you into providing your email address. They may also ask you to provide personal information.

Often, they try to get you to respond by creating a sense of urgency. Take the time to carefully read the message. Any email that makes you feel pressured is almost always fake.

Giveaways & Sweepstakes

Avoid entering sweepstakes and giveaways. If you do enter, use a disposable or secondary email address. There are some companies that offer legitimate giveaways and sweepstakes but often they use the information you provide when signing up to generate income for themselves by selling the email addresses they receive. Scammers buy these lists and then target you with spam and unwanted email.

Read the privacy policy before registering. If there is no privacy policy or it does not specifically state that your information will be kept private and not shared with others, don’t sign up.

Social Media

Sites like Facebook, Twitter, Instagram, TikTok, Tumblr, Snapchat, LinkedIn, and others are convenient for connecting with others, but they can also be very dangerous. These sites allow you to share information with a large audience, but you should ask yourself: just because you can share something, do you really want to?

Scammers scan these sites and harvest the information they find, and many people tend to overshare, providing too much personal information. Don’t do this. Limit what you share and adjust your privacy settings so that your accounts are as secure and as private as possible. Not only do scammers get your email address, they can also obtain a lot of other personal information from these sites that can lead to identity theft and even physical theft or harm. Be careful.

Data Breaches

Unfortunately, data breaches are becoming more and more common. Once a hacker gains access to a company’s database, they can gather not only email addresses but all kinds of other information as well, such as name, home address, phone number, Social Security number, banking and other financial information, health information, usernames, passwords and more. The information they harvest can be used for identity and financial theft and other malicious purposes. It is difficult to protect yourself in these situations.

Steps You Can Take to Protect Yourself from a Data Breach

Give companies as little information as possible.

Shred documents before throwing them in the trash.

Use secure websites.

Don’t give your Social Security number to anyone.

Don’t save your payment information on websites when you make a purchase or pay a bill.

Keep your username and password private. Use a unique password for each site you visit and change your password and security questions regularly.

Use multi-factor authentication when you have that option. Doing so allows access to a site only after you have provided two or more pieces of information such as a password, PIN number, something in your possession such as a smartphone that a code can be sent to, or something you have on you such as your fingerprint or voice.

Never use a debit card for online purchases. Instead, use a credit card, which offers more protection and less liability than a debit card and is not tied to your bank account. Most credit card companies offer protection if your card information is stolen. Consider getting a separate credit card strictly for online shopping.

Watch for scams. If you receive a notification about a data breach do not respond to an email or text. Instead call the company directly at a number you know to be true to validate that it is legitimate.

Freeze your credit with the three major credit bureaus: Equifax, TransUnion and Experian. Freezing your credit prevents a thief from opening an account in your name. You can freeze your credit online at each one of the credit bureaus, or you can call them on the phone or do it through the mail. It takes just a few minutes to do this, and it is one of the most important steps you can take to protect yourself. And be sure to monitor your credit file. Under the Fair & Accurate Credit Transaction Act, you are permitted to receive one free annual credit report from each of the credit bureaus. Go to AnnualCreditReport.com (1-877-322-8228) to request your report.

Equifax: 800-766-0008 or Equifax

Experian: 888-397-3742 or Experian

TransUnion: 888-909-8872 or TransUnion

You can also set up a fraud alert with each of the credit bureaus and for your credit card and bank account as well. And enable transaction notifications so that you receive an email alert or text message of any activity on your accounts.

Register for an account at Credit Karma and Credit Sesame.

Both are free and they allow you to monitor your credit score.

Steps To Take if You Are a Victim of Identity Theft or Involved in a Data Breach

Find out if your information was exposed. Call the company directly to confirm, and find out what type of data was stolen. You can obtain a new debit and credit card, but if your Social Security number was stolen that is a larger problem, and you would want to contact the Social Security Department right away. If your driver’s license number was stolen, you will need to contact your local Division of Motor Vehicles. The DMV may suggest you get a replacement, or they may flag your number to catch anyone trying to use it. Once you find out what data was stolen, contact each organization involved.

File a complaint with the FTC (Federal Trade Commission): 1-877-438-4338

Also file a report with your local police department. Keep a copy of all records related to the case.

Go to identitytheft.gov to report identity theft and get a recovery plan.

Identity Theft

Call your credit card company, bank, credit union and any other financial institution you do business with to make them aware of the breach. Cancel your credit card and debit card and obtain a new one. And work with them to prevent or dispute any fraudulent charges.

Change your password and security questions for any site that was involved in the breach.

File your taxes early before the thief can file a fraudulent tax return in your name. And contact the IRS to report the crime.

IRS Identity Theft Central

Watch your mail for anything that is unfamiliar, bills you do not recognize or letters allegedly coming from the IRS.

Log into your bank accounts, credit card accounts and any other financial accounts to be sure there is nothing unusual going on. Monitor all of your accounts regularly.

Many times, if you have been involved in a data breach, the company will contact you, but not always, and you may hear about it on the news or read about it.

You can check to see if your phone number or email address has been involved in a data breach by visiting the website “Have I Been Pwned”.

Have I Been Pwned

Always be on guard when it comes to email. Carefully read and consider each message before you respond. Stay alert online and don’t share personal information freely.