Last updated September 27, 2022
- Fear is a powerful motivator—and spam, which make up over 85% of all email, takes advantage of this fear to scam people or invade their privacy via cyberattacks.
- The fear created by spam can be positive or negative. It can either be FOMO (fear of missing out) on something that seems too good to be true, or it can be the fear or what might happen if we don’t take an action (like clicking a link or providing personal information). In either case, spam positions itself as the solution to a problem.
- Spam normally contains an urgent-sounding headline, a sender’s address that seems to be from a trusted authority or personal contact, and body text designed to compel the recipient into taking action before we have rationally considered what’s being asked of us.
- Using spam filters, carefully scrutinizing senders’ addresses, looking for suspicious attachments, and second-guessing anything that sounds too good (or bad) to be true can help protect you from spam designed to activate your fear response. When in doubt, do not click.
Fear is one, if not the most, powerful motivators for action. It’s a profoundly primal instinct designed to protect us from harm by searing bad experiences into our memories so that we can avoid them in the future.
Spam relies on the instinct of fear to get otherwise rational people to act irrationally. Many data engineers are actually trained on the tactics that scammers use to trick their victim into clicking on malware.
How is Spam Related to Fear?
Spam accounts for 85% of all email sent and received globally on a given day, and refers to any unsolicited and unwanted communication, usually email, that is sent out in bulk. Though most spam aims to sell unproven, ineffective, and possibly dangerous products and services to gullible consumers, a small percentage aims higher.
These spam emails, such as phishing emails or malicious links or attachments, usually utilize fear tactics to gain information related to usernames, passwords, or banking information from unsuspecting readers.
How Does Fear Make Spam Effective?
Fear makes us deeply uncomfortable and can override even our most rational instincts. Scammers and other cybercriminals know this, which is why they play on our fears to manipulate us into doing what they want.
How Spam Sparks Fear
Most of us strive to be good, so when even the most rational among us receive an email saying there was a billing error or that we owe unpaid taxes, our fear response kicks in to respond. The same thing happens when we’re told our computer is infected with malicious software, or that we are suspected of being connected to some illegal activity, and the police are on their way to arrest us unless we “click the following link.”
Even seemingly positive spam emails play on our sense of fear of missing out. After all, if we aren’t willing to help a wealthy Nigerian prince gain access to his vast fortune, he will just ask someone else for help, and we will miss out on the generous reward. This holds true for spam emails selling a “miracle cure” since missing out on a “miracle cure” motivates the fear of poor health down the road.
All of these scenarios spark fear of consequences or fear of missing out, priming us to act.
Spam Positions Itself as the Solution
Once the scammer has frightened us, they swoop in and offer a solution. Often it’s something very simple and straightforward, such as clicking a link, downloading a file, or responding to the email with personal information. After all, it’s in the scammers’ best interest to make it as easy as possible for you to hand over your money or personal information.
Once the action is complete, the reader is compromised, and the scammer has all or most of the information they need to harm the reader, either by stealing money from their accounts or using their credentials for nefarious purposes.
The Anatomy of a Spam Email
The average spam email follows a fairly predictable format. The headline is usually phrased to invoke a sense of urgency and trigger our fear response (such as “Payment Declined – Immediate Update Required” or “Re: Claim Office”, which makes it look like someone is responding to an email you sent them.) The email headline may also be worded to suggest that the reader is the one in the wrong (such as implying that a payment is past due, or that this is a final payment notice).
The Sender’s Address
The sender’s persona typically falls into one of two broad categories: They are pretending to be someone authoritative that you trust (such as an Apple employee who wants to help rectify your payment problem) or someone you know (like a co-worker who needs some information from you).
The Body of the Email
In the body of the email, the message of fear really takes root. The reader is typically told that something has gone wrong (or that a once-in-a-lifetime opportunity has presented itself) and that they need to take action to either fix the problem or reap the rewards. In the above examples, a declined payment will likely require the reader to input their “correct” or “updated” banking information so that the payment can be processed or their reward can be sent, or provide other personal information.
The scammer may even ask you to help them perpetuate the scam by having you respond to them and forward the email to your contacts. This not only gives them access to your bank account or other personal details but also makes their original email seem more legitimate to your friends or co-workers by having it come from someone they trust.
The Goal of Spam
The goal of most spam is to scare us into acting quickly by instilling a sense of urgency and triggering a fear response. This helps ensure that the reader acts before they have rationally considered the email, and asked themselves important questions such as who sent it, why they are sending it, and what risk they take in responding to the email.
How Can I Protect Myself Against Fear-Motivated Spam?
One of the easiest things you can do to help protect yourself from email spam is ensure that you have robust spam filters installed. These filters can prevent the most obvious spam from getting through to you or your employees.
Next, you should always take a close look at the sender. Is this someone you can trust?
If you aren’t absolutely sure the sender is trustworthy, then you should reach out to them via a communication channel (such as calling your friend or contacting the company’s support line directly) to verify. This is particularly true for unsolicited emails or emails that are formatted so that they appear to be a response to an email sent by you.
- Typos in the sender’s address, such as “[email protected] (Note the extra “p” in the domain name). However, DNS spoofing allows scammers to masquerade as legitimate companies, so make sure you look at the whole email address, not just the domain name.
- The form of address. Does the sender address you by name, or simply call you “customer” or “friend”?
- Embedded links with strange URLs. To assess a URL, hover over the text without clicking so that you can see the actual address. If the link appears suspicious, enter it into your browser directly instead of clicking on the embedded link. Spam emails often include spoofed links that are designed to look like they originate from reputable sources.
- Bad spelling, grammatical errors, and typos. This may indicate that the writer has a poor grasp of English, or that the text was translated using a translating app such as Google Translate.
- Suspicious attachments. If a suspicious email includes attachments, verify why they are there and what they contain when you contact the sender.
- Offers that sound too bad (or too good) to be true. Apple isn’t going to brick your iPhone over a billing error, and even if that Nigerian prince is real, he has no reason to share his vast fortune with you just because you forwarded his chain email to all your friends and family members.
Spam doesn’t look like it is going anywhere soon, so we need to take steps to safeguard ourselves and our businesses from cybercriminals. Learning to identify spam can help, and remember: when in doubt, don’t click. Contact us if you need a hand with cybersecurity.