Do You Know the Preferred Tool of Online Criminals?

Category: Email

It's been 45 years since the first spam email was sent, and it's still the favorite tool of crooks and criminals online. A report from security group F-Secure says that spam is the most common method used to distribute malware, phishing attacks, malicious URLs, and scams. Read on to learn the tell-tale indicators of malicious emails, and the true origin of spam...

Spam: Still Number One With Crooks

You've got software to protect your computer from viruses, spyware, ransomware, and rogue websites. You're careful to keep all your software up to date. Your identity theft spider sense tingles with every suspicious phone call. But then that innocent-looking email pops into your inbox. It appears to be from your friend, your bank, or your favorite online store.

I got one recently that said “A user has just logged into your Facebook account from a Samsung S10 device. We are sending you this email to verify that it is you. Thank you, Facebook Team.” It looks very much like the actual account warnings that Facebook does send out. The subject line says “Please respond immediately.”

So you click, and you've been had. Because of the sense of urgency created by this message, one might ignore the fact that it was sent from “” (clearly not Facebook HQ) and that there were 50-odd sketchy addresses in the Reply-to header.

Spam: The Most  Common Attack Vector for Cyber-Criminals

Spam is still the most effective attack vector for hackers and online criminals, according to research from F-Secure. They reported that phishing, spam, and other email threats were the source of 51% of all attempted malware infections. Hopefully you were not in the 51% Club.

Cybercriminals capitalized on fear and confusion during the Covid-19 pandemic, and continue to use malicious email attachments containing infostealers – malware that steals passwords and other sensitive information. Facebook, Chase Bank, Microsoft, PayPal, and Bank of America were the most frequently spoofed brands. As usual, cybercriminals are taking their cue from water -- by traveling along the path of least resistance.

Here are some of my tips for staying safe from phishing attacks. First, see my article How Hackable is Your Password? to learn how to maintain strong, unique passwords for all accounts and change them regularly. Enable two-factor authentication wherever possible. See [DIGITAL LOCKDOWN] Authenticator Apps Protect Your Accounts. And keep your software and systems up to date by following my advice in Keep Your Software Updated (or else...).

F-Secure says these phishing campaigns are effective because users are already accustomed
to receiving notifications... failure of delivery emails, alerts for hitting storage limits, requests for reactivation, or package delivery notfications, and ‘update your password’ emails.

Keep in mind that spam and phishing can take the form of text messages as well as email. I wrote about bogus "account services" and package delivery scams in [SCAM ALERT] Smishing is Getting Worse (what you need to know and do).

As software vulnerabilities are closed and anti-malware suites grow more capable, spam becomes relatively more effective compared to hacking and exploitation of software vulnerabilities. Spam still is infinitely scalable, too; it costs nearly nothing to blast out millions of spam emails from a compromised machine, and spambot networks of thousands of slave machines are commonplace.

While success still depends on spewing out millions of spam emails to get a handful of “bites,” spammers are constantly refining their techniques and improving their batting averages.

Why Do People Click?

According to F-Secure, here are some clues as to what makes phishing spam successful:

  • The probability of a recipient opening an email increases 12% if the email claims to come from a known individual
  • Having a subject line free from errors improves spam’s success rate by 4.5%
  • A phishing email that explicitly states in its call to action that it is very urgent gets less traction than when the urgency is implied

Most users have finally learned not to click on email attachments sent by strangers, or any attachment that comes unexpectedly. So more phishing emails include URLs instead; people are still conditioned to click on links to see where they go, especially if the link says “click on this link...”

The link often does not lead directly to a malicious site, but to an innocuous site that redirects traffic to a malicious site. That way, the bad guy avoids detection by automated analysis software that previews links and compares them to known malicious URLs.

Here are some of the most common phishing tactics:

  • The Fake Tech Support scam: An email arrives with a warning that your computer has been compromised with malware, and directs you to click a Norton or McAfee link to scan your computer, or call a bogus Microsoft Tech Support phone number.

  • The Suspicious Activity scam: An email claiming to be from your bank says there is suspicious or unusual activity on your account. It may ask you to respond with your username and password.

  • The HR/IT scam: You get an email that appears to be from your employer's Human Resources or IT department. You may be directed to update employee information, or download an app.

  • The UPS/Fedex/USPS scam: An email or text advises you that a package cannot be delivered due to incorrect shipping information. You are urgently advised to click a link or your package will be returned or discarded.

  • The Amazon/Apple scam: A message informs you that you've ordered some expensive item from either Amazon or Apple, and asks you to login and confirm the purchase.

In every case, a careful examination of the sending address, or a phone call to verify the sender will reveal that it's unwise to continue. Never trust the phone number or email address provided in the message.

Another technique I've seen lately is a quick email asking "Sorry to bother you, do you order from Amazo n?" If you engage with this scammer, he or she will spin a tale of how they had a problem buying an Amazon gift card for a sick friend's birthday, and ask if you would kindly do so, with a promise that you'll be reimbursed. I can't imagine who would fall for that obvious scam, but apparently there really is a sucker born every minute.

A BIT OF HISTORY: I mentioned in the opening of this article that the first spam message was sent over 45 years ago. That happened in May 1978 when a marketing executive for Digital Equipment Corporation sent an unsolicited email to 397 ARPAnet addresses, with an invitation to a product demonstration. The term "spam" was not applied to unsolicited messages until April 1993, and according to Wikipedia, is thought to derive from a Monty Python comedy sketch "in which a group of Vikings sing SPAM, SPAM, SPAM... at increasing volumes." It was adopted to refer to "unsolicited commercial electronic mail sent to a large number of addresses, in what was seen as drowning out normal communication on the internet." So now you know.

F-secure includes tips for security-conscious people in its security blog. Some recent topics include ransomware, stalkerware, and account takeover. F-Secure predicts that the use of phishing tactics as a lure, using office documents as an infection vector, and the use of cloud services to host malicious content, will likely continue.

The good news is that with education and software, we have eliminated or limited many malware attack options to spam. The bad news is that spam still works. My best advice: Think twice before you click.

Your thoughts on this topic are welcome. Post your comment or question below…

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 23 Oct 2023

For Fun: Buy Bob a Snickers.

Prev Article:
Does Your IP Address Reveal Your Home Address?

The Top Twenty
Next Article:
Geekly Update - 25 Oct 2023 (robots, drones, transhumanism)

Most recent comments on "Do You Know the Preferred Tool of Online Criminals?"

Posted by:

23 Oct 2023

A really good thing is to use different throwaway addresses for banking etc.

A quick check of which of your addresses a message is sent to may immediately rule out the real entity.

Still follow all Bob's sound advice also.

Posted by:

23 Oct 2023

You wrote "think twice before you click". It would have been better "Never click".
I simply do not open any emails without first checking the address, and even from friends I know I prefer to write a fresh email rather than "reply".
I probably miss the occasional email from a genuine source, but that's too bad.

Posted by:

Bob K
23 Oct 2023

I use Thunderbird for reading my email. It does offer some security beyond what you get if you use a online access, like at

I can, without even opening an email, just selecting it, hit CTL-U, and see the complete email as it came in. That includes all the headers, source of the body, and so on. A quick romp thru that will show up things that aren't what they seem. And, learning to read the headers isn't that difficult and can really show where a message originated.

I'll second the idea of using throw-away addresses. And, by using an email client on my computer, my address book is local -- less chance of being hacked and used by bad people.

Posted by:

23 Oct 2023

Use Code words with family members; words that mean nothing to anyone, such as "picnic" (because something funny happened at a family picnic 20 yrs ago).

Picnic: Link to a Youtoob video

If you see a Link from family without a Code word, don't click on the Link; and get confirmation from family member.

Posted by:

Bob K
23 Oct 2023

I should add:

Purge email addresses from emails you forward, and use BCC where possible for distribution lists.

Make the spammers work to compile email lists to send to! The less your email address is floating around on the web, the less chance the spammers will have it to use.

Posted by:

Ronald Hudak
23 Oct 2023

Usually to enter my Accounts at Chase Bank, I just had to give my Used ID and my Password. Now Chase has added another step. They send me a Code on my smartphone. And I need to enter that Code to see my accounts. So if someone did steal my Used Id and my Password they cannot access my accounts without the code.

Posted by:

Ernest N. Wilcox Jr. (Oldster)
23 Oct 2023

I'll start by saying that I treat everything that comes from the Internet with the same degree of caution and skepticism. When I was little, my Mother taught me to not trust strangers because I could never know their intent. When I grew up, that entire concept was branded "Stranger Danger!", and I taught my children all about it too. Today, I use what my Mother taught me, and I taught my children, with regard to the Internet. Everyone you encounter on the Internet is a stranger until you can properly confirm their identity. Everything you use on the Internet is created by strangers, and is not to be trusted until you can confirm the intentions of those who created it. The safest thing to do on the Internet is to start with an attitude of Zero Trust, or what I label as Cognitive Security.

The basic rules are simple.

1. Avoid unknown websites.
2. Always check the URL in any link to make sure it matches what you read on it's label, or don't click.
3. Remember that email comes from the Internet, and should be treated with the same level of skepticism as anything else from there.

As a rule of thumb, I seldom (if ever) click links in email messages, or for that matter, on webpages. When I receive any email message, the first thing I do is look at the header to identify where it really comes from. If the purported sender does not match what I find in the header, I move the message directly to the spam folder. This usually rules out better than 99% of all the spam that seems to get through my email account provider's spam filtering system.

For the messages that pass my first test, I never click any link without checking it as noted in number 2 above. If a message purports to come from someone I know, I contact them to confirm they sent the message, and even then I check any links as noted in number 2 above before clicking. If the message purports to come from a business or any other entity I interact with (including my bank, Amazon, etc.), I never click any links in the message. Instead, I go to the purported website using my web browser, then I look for whatever the link was supposed to take me to. If I can't find whatever it was, I delete the email message, but I never click the link because I don't trust businesses any more than I do anything else on the Internet.

These are what have kept me safe on the Internet since the late 1990s when I contracted a virus on my IBM-compatible PC from downloading a file from a BBS site I connected to using a dial-up phone modem. That was a real lesson for me. After I got rid of the virus, I got an antivirus program, and checked every file I downloaded going forward. As malware has become more sophisticated, so has my anti-malware behavior to the point that i now brand it as "Cognitive Security". While I keep my computers as secure as possible by using all the tools my OS provides, and by keeping my OSs as up to date as possible, I have found that a healthy dose of skepticism is at least as important as any security software I can install on my computers. This goes for everything from the Internet, including email,

Ernie (Oldster)

Posted by:

Mark Neville
23 Oct 2023

A big mistake I made was clicking on “This email is from a mailing list, click here to be removed “

Posted by:

23 Oct 2023

If banks and other websites would stop including links in their warning emails, that would help a lot.

If everyone knew that Chase bank would NEVER include a link in their emails, then pfishers would be stopped dead. I simply cannot understand why these critical websites still send texts and emails with included links!!

They will tell you never respond to a phone call claiming to be from them, instead call the number for customer service on your credit card or account, but they still put links in their emails, so people are tempted to click thinking they MIGHT BE legit.


Posted by:

24 Oct 2023

should we click on links in this email, how can we be sure it came from ask Bob?

Posted by:

Bob K
24 Oct 2023


If you hover your cursor over the link, and see something that starts with:
you are probably OK. But if it starts with:
you might be VERY careful!

Posted by:

Ernest N. Wilcox Jr. (Oldster)
24 Oct 2023


Check the URLs associated with the links in any email message. The ones in the Bob Rankin newsletters will start with "". If it starts with anything different, it's a fraudulent scam. If nothing else, you can ALT+Click the link, then choose 'copy link' in most web browsers. It's what works in Firefox anyway.

I hope this answers your question,

Ernie (Oldster)

Posted by:

24 Oct 2023

The security steps, which I take regarding my computers, along with their operating systems, applies to my cell phone as well. I receive a lot of spam text messages from banks that I do NOT have accounts with. Also, regardless, if any text message is from a trusted source or spam, I NEVER "click" on any of the links. I will always check any sites on my computer to determine what is authentic or not. I appreciate Ernest's comments. Too many shady characters are out there in the cyber world. Thank you Bob for another informative article!

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Do You Know the Preferred Tool of Online Criminals? (Posted: 23 Oct 2023)
Copyright © 2005 - Bob Rankin - All Rights Reserved