How do spammers know who I am? And, what should I do?
March 24, 2017 3:59 PM Subscribe
Today I got spam/phishing email that claimed to be from the postal service-- nothing new.
However what was new, and scary, is that this message was to my primary email and had my correct address and my cell phone number. They missed a part of my address but had majority of it right.
The email claimed a delivery attempt had failed and I should print the attached "invoice" to go to my nearest post office to pick up the box. They seem to have forgotten to add the so-called invoice file, there was no attachment. The expected parcel delivery date: April 1. The "from" email address was gibberish.
WTH?what can/should I do?
The email claimed a delivery attempt had failed and I should print the attached "invoice" to go to my nearest post office to pick up the box. They seem to have forgotten to add the so-called invoice file, there was no attachment. The expected parcel delivery date: April 1. The "from" email address was gibberish.
WTH?what can/should I do?
Your email, address, and phone number are not confidential data. It's all over databases in whole or in part, and it's not hard to key together from several if necessary. Even if you've never bought anything delivered to your home address before, if you've ever signed up for a utility or given someone a resume that data is out in the wild forever.
Someone bought a list with your info on it. No malice or menace involved, except whatever is inherent in craven capitalism.
posted by Lyn Never at 4:31 PM on March 24, 2017 [8 favorites]
Someone bought a list with your info on it. No malice or menace involved, except whatever is inherent in craven capitalism.
posted by Lyn Never at 4:31 PM on March 24, 2017 [8 favorites]
There are a lot of "people finder" address search services online, like Spokeo and such, that use publically-available records as their database. This is information that's always been publically available, the only thing that's changed is that before the days of the internet, someone would have to drive to your town hall and sit there with a book and look everything up and copy it, but with the Internet, all they have to do is download a list of "all mailing addresses in X city" and there they go.
The services will remove your info if you ask, but some make you jump through some hoops - it's still definitely worth it; still, others pop up now and then, so you may want to do a troll through the web every couple years or so to knock back any such sites that have popped up. Here's one article about how to do that. I've done this process a couple times (once after a REALLY scary obscene phone call, and once after a really annoying incident with a socially awkward guy who saw my ad on OKCupid and thought he'd cut to the chase), and I think I just did a search for my home phone, checked out all the links where there was a hit, and if I didn't like the amount of information that was available about me, I followed up with the procedure to take the info down. Usually the most I had to was fill out an online form or something, except in one case where I had to send a fax request.
posted by EmpressCallipygos at 4:37 PM on March 24, 2017 [1 favorite]
The services will remove your info if you ask, but some make you jump through some hoops - it's still definitely worth it; still, others pop up now and then, so you may want to do a troll through the web every couple years or so to knock back any such sites that have popped up. Here's one article about how to do that. I've done this process a couple times (once after a REALLY scary obscene phone call, and once after a really annoying incident with a socially awkward guy who saw my ad on OKCupid and thought he'd cut to the chase), and I think I just did a search for my home phone, checked out all the links where there was a hit, and if I didn't like the amount of information that was available about me, I followed up with the procedure to take the info down. Usually the most I had to was fill out an online form or something, except in one case where I had to send a fax request.
posted by EmpressCallipygos at 4:37 PM on March 24, 2017 [1 favorite]
Doubt they forgot the attachment, probably a ploy to get people to reply "hey you forgot the attachment" which narrows the pool down to gullible people.
posted by acidic at 4:38 PM on March 24, 2017 [7 favorites]
posted by acidic at 4:38 PM on March 24, 2017 [7 favorites]
Anyone who has your email address in any kind of address book or contact list on a computer or phone or online account could get hacked or their device could be infected by a computer virus or a trojan horse / fake app they're tricked to install that harvests contact info in an automated fashion. (And then, the person directing that harvesting could re-sell what they collect to spammers.)
posted by XMLicious at 8:18 PM on March 24, 2017
posted by XMLicious at 8:18 PM on March 24, 2017
This information very likely comes from data miners and brokers, who gather information from a variety of sources and compile it into individual profiles, which they then sell to marketers and con artists.
Here is a PDF describing where they get some of their data and what they do with it (including predictive modeling, which they use to extrapolate further information) and I'll just warn you it's terrifying.
And for what it's worth, just yesterday, the Republicans shot down some recent changes that would have prevented YOUR ISP from selling your internet history to these people, so things are going to continue to get worse.
posted by ernielundquist at 8:12 AM on March 25, 2017 [2 favorites]
Here is a PDF describing where they get some of their data and what they do with it (including predictive modeling, which they use to extrapolate further information) and I'll just warn you it's terrifying.
And for what it's worth, just yesterday, the Republicans shot down some recent changes that would have prevented YOUR ISP from selling your internet history to these people, so things are going to continue to get worse.
posted by ernielundquist at 8:12 AM on March 25, 2017 [2 favorites]
Print it out & report it to the police & FBI.
Also grab the
email headers for the report.
posted by semaphore at 8:45 AM on March 26, 2017
Also grab the
email headers for the report.
posted by semaphore at 8:45 AM on March 26, 2017
This thread is closed to new comments.
Presumably, a spammer has acquired a database that's a bit richer than name/email pairs, and they're using as many fields as they can to make their "hello, we're the post office" scam more convincing. Maybe an organization you contribute to had its donor db swiped? Or a hotel you stayed at? A contest you entered? Name, address, email and phone number wouldn't be weird things for any business to store, and unfortunately they do get stolen/sold/hacked. I wouldn't assume that you're being spearphished. The senders probably just want to infect a bunch of computers with their "invoices" to add them to a botnet.
posted by mumkin at 4:21 PM on March 24, 2017 [3 favorites]