Skip to content

You don’t want an email bomb dropped on you — really

Read “The State of Fraud 2023” report

“The State of Fraud 2023” report

Cover of the Signifyd State of Fraud 2023 report

Within minutes of waking up on a languid Sunday morning, I knew something was wrong.

My personal email inbox is a tidy, tranquil place. I process emails as they come in, have them sort themselves into categories, and am prompt about unsubscribing to things I no longer want to receive.

Why, then, did I wake up to hundreds of unread emails? Why were they in a mix of English, Chinese, Japanese, Russian and Polish? Why was I being thanked for creating accounts on websites I didn’t recognize, being congratulated for signing up for newsletters I never consented to, being promised a prompt response to inquiries I hadn’t submitted?

I fought down rising panic and bought myself a few moments to think by clearing the junk out of my inbox. There was too much to check individually; I had to just toss it all and hope it was all bathwater and no baby. More emails came in by the minute. My spam filter was managing to divert most of the flood, but the sheer volume meant that even a small fraction of uncaught emails meant hundreds of new messages in my inbox.

The unsettling nature of an email attack

I was under some kind of attack. My first thought was someone had taken issue with something I had posted online, or something I had said in a public forum, but my online presence is minimal and I post virtually nothing. I’m not an obvious target for that kind of retaliation. So, in between bouts of deleting emails, which were coming in at a rate of 10 to 12 a minute, I read a few pieces online about what was happening to me.

The answer: a “spam attack,” an “email bomb,” a “spam bomb.” It goes by a few names, but the goal is frequently to bury evidence of an unauthorized transaction through sheer, overwhelming volume. With dread, I checked my credit cards for recent transactions.

One email stood out

There it was: a charge to the Apple Store, dated for that same Sunday, for about $1,300. A charge I most certainly had not made. Someone had obtained both my credit card and my email address and used both to purchase an as-yet unidentified Apple product.

I immediately rotated through all my most important online accounts, force-logging out any logged-in devices and inspecting them for new login activity. No evidence of any incursion there; the purchase hadn’t been made with my Apple account, just my email, and I make liberal and heavy use of two-factor authentication. I hadn’t received any new authorization requests or login notifications.

Fraudulent charges mean bad news for the online merchant involved

I deleted another few dozen emails, locked my card and then called my bank to report the unauthorized charge. They disabled the card immediately, issued me a new one and opened a fraud claim on the charge. The cardholder is not liable when someone makes unauthorized use of their card; in situations like this, when it’s a card-not-present transaction, the merchant has the liability. Whatever else happened, I was protected from having to pay any of the costs associated with the unauthorized charge and with the card nuked that should be the end of any further nasty surprises.

The charge was still pending when I called, so I had some small hope that I had caught it fast enough to prevent the thief from getting away with the goods. I spent the rest of my morning on edge, deleting spam emails and undertaking the tedious process of updating the recurring subscriptions and automatic payments attached to my old card. I only used the compromised card for online purchases, and the fraudster had gotten both the card and my email address. Presumably somewhere I had shopped online had been compromised in some way, but I had no real means of determining where or how. The company itself might not even know it had happened.

Email automation might have removed some of the sting

I deleted more emails. I searched fruitlessly for some kind of automation in my email provider that would let me fight back, but their official guidance on this kind of attack was to mark everything as spam. There were 15,000 emails in my spam folder. I was still receiving 10 to 12 every minute, one or two of which snuck past the filter and into my inbox. Every minute. I cursed every website for not better protecting their sign-up forms to prevent this kind of malicious bot-powered attack. Each and every one of them had been unwittingly converted into a weapon. And I cursed whatever fraud detection system, or lack thereof, had let this transaction through.

A break in the case and a chance to cancel the Apple order

Then I saw an email that was not unwelcome. It was an order confirmation from the Apple store, and it filled me with glee. I could call and get this order canceled before the fraudster could get their hands on it. They might have ruined my day, but I could ruin theirs in turn.

Except it was not to be. The order confirmation had the order number inside, for a titanium blue iPhone 15 with 256GB of storage, and also the news that it had been a pickup order at an Apple store in my city and had already been retrieved by one John W. The merchandise was gone. The fraudster had gotten away with it.

Email spam just kept rolling in

The spam attack persisted in full force for the next three days. By the time it finally abated, I had received over 50,000 spam emails. I’m still receiving them to this day, although now it’s only one every few hours or so.

I have to admit a grudging respect for the ingenuity deployed against me and a certain bitter wonder at the constantly evolving schemes and endless ingenuity fraudsters deploy to delay detection. The tactic worked perfectly; although it did alert me that something was wrong, I learned too late to interrupt the theft. What’s more, it costs nothing to deploy a bot to sign an email up to any and every unprotected signup form it can find, or, if that’s too much of a time commitment, you can just pay someone else to do it for you for much less than the cost of an iPhone. Using my real email with my card likely made the transaction look much more credible to any fraud screening it encountered; this data too is readily available for purchase.

Robust fraud protection benefits merchants and the consumers who shop with them 

By all estimates, I came out of the ordeal just fine. I have my new card and the fraudulent charge is gone. The emails have mostly stopped. Even so, it was distressing to experience while it unfolded, and I’m still unsettled by not knowing how my data was obtained or whether it’s still vulnerable.

Ecommerce fraud hurts merchants and consumers alike

It was a reminder to me, as someone who works in fraud prevention, that this isn’t a victimless crime. We don’t just stop fraudsters from getting their hands on ill-gotten gains, or protect merchants from the double whammy of both losing merchandise and having to pay the cost of the chargeback. We also protect victims from the stress and hassle of these unauthorized charges, which is much worse if the unauthorized charge happens to go unnoticed for longer than mine did. I am left grateful for the processes and rules that protected me, and frustrated at the many vulnerabilities that remain at all points in the complex system of online commerce.

And, John W, I hope you drop that phone down a storm drain.

Photo by Getty Images

Do you want to protect your business and customers from ecommerce fraud? Let’s talk. 

Latest posts
Katherine Wood

Katherine Wood

Katherine is a Signifyd staff data scientist. She has a deep background in experimental design, statistical analysis, model selection and feature engineering. At Signifyd she has worked on some of fraud prevention’s thorniest problems including contributing to the design of a solution to prevent the rising fraud tactic of address manipulation.