A surprising old phenomenon has come back to popularity in the coronavirus pandemic: chain email. I’ve gotten two already, one asking me to add a recipe and pass it on, and one asking for an uplifting poem. People are gravitating toward these as a means of connecting, a reminder we’re thinking of each other and there for each other, even a special way to reach out to one person.
But there’s a problem with chain email, and it’s not just the annoying suggestion that you MUST respond. Chain email, like any forwards, can be a threat to your security and privacy.
Early on, participating in chain mail was a reliable way to invite spam into your inbox. So were (and are) any long forwards.
Take a look at a message like this from your inbox. How many email addresses can you count in the “CC” field, or in the text of the message as people have passed it on to each other? And what else shows up because of the “signatures” at the end of their email—phone numbers? Street addresses?
Now imagine that message posted on a public website—which they have been, with some regularity. All it takes is one person forwarding the email to a mailing list that has its archives posted on a public site. Suddenly that whole list of valid emails is available for a piece of code called a “crawler” to pick up and send back to a spammer—or someone bent on something more malicious, like phishing.
With the advent of email providers like Gmail and Yahoo filtering your spam into a separate folder, spam is less of a concern now—though not everyone has those filters set up, and every now and again something gets through. But the phishing risk is still there, and there’s another concern: revealing who knows whom.
It may seem totally normal to make your social networks public—after all, we all do it on social media. It’s easy to see who is connected to whom. But that information can be a goldmine for people who want to harm us and our communities. For example, we’ve got plenty of evidence that Russian agents have attempted to influence American elections for years through spreading social media propaganda. They went so far as to organize rallies in the US—and they mobilized people via email to do so.
Knowing who you normally talk to via your email and social media is valuable to those who want to disrupt our society, as well as to garden-variety phishers who want access to your financial accounts. They can pretend to be those people, or pretend to be you, to falsely gain others’ trust. An email address can look more “official” or “real” than a social media account.
The two chain letters I received do better on the spreading-around-addresses front than the chain letters of yesteryear. They ask people to respond using BCC instead of revealing recipients to each other using the CC field, and the instructions say to delete earlier email addresses when you pass the mail on.
But one of them said, “If you cannot do this in five days, let [someone.I.don’t.know]@gmail.com know so it will be fair to those participating.” So even though this chain didn’t encourage us all to spread addresses around willy-nilly, it still wanted us to give our addresses to one person. Do we know who that person is? No. If it’s someone relatively legitimate, congratulations, you’ve contributed to a massive marketing list they can sell products or services to in the future. If it’s someone shady, we have no idea what they could do. If you participated in this chain email, let me know if you start getting overly excited political messages later this year as we get closer to the election, or, say, messages telling you to end the quarantine early.
The email said “so it will be fair” and “seldom does anyone drop out”—and I instantly recognized these as appeals to my emotions. I’d be hurting someone if I didn’t reply! I should feel guilty. Everyone else was contributing, what was wrong with me?! I should feel that peer pressure. These are common techniques to pressure you to respond to email or social media messages you shouldn’t—keep an eye out for them.
By passing on a chain letter, you demonstrate to anyone listening that you’re susceptible to peer pressure, or to fear appeals that urge you to act immediately. That information is useful to someone who might want to try a phishing scheme on you again, trying to get something else out of you next time, like money or access to important files from your workplace.
And even though some of these chain emails don’t ask you to forward around a bunch of email addresses, that still doesn’t mean you couldn’t be tracked via those emails. One way emails can track you is the inclusion of a single pixel image—a tiny white dot smaller than the period at the end of this sentence. When those images load, they can send information back to whoever owns the site where that image is saved.
The good thing is that a number of common email apps, including Outlook, Google, and Apple Mail, can be set up to not show images. See this article for more information on how to turn off auto-loading images.
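To make the single-pixel technique concrete, here is an added example (not part of the original post) that scans a saved message for remote images that are one pixel in size or hidden by CSS. The sample message, hosts and `id` parameter are constructed, and the size and style checks are a heuristic assumption rather than a complete detector.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message; hosts and the id parameter are made up.
SAMPLE_EML = """\
From: friend@example.org
Subject: Recipe exchange!
Content-Type: text/html; charset="utf-8"

<html><body><p>Send one recipe to the person in position 1.</p>
<img src="https://example.org/banner.png" width="600" height="120">
<img src="https://tracker.example.net/o.gif?id=abc123" width="1" height="1">
<img src="https://tracker.example.net/p.gif?id=abc123" style="display:none">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def looks_like_pixel(img):
    """Heuristic: a remote image that is 0-1 px wide/high or hidden by CSS."""
    if not img.get("src", "").lower().startswith(("http://", "https://", "//")):
        return False  # cid: and data: images are embedded; nothing is fetched
    tiny = any(img.get(d, "").strip().lower().rstrip("px") in ("0", "1")
               for d in ("width", "height"))
    style = img.get("style", "").replace(" ", "").lower()
    hidden = any(s in style for s in ("display:none", "visibility:hidden",
                                      "width:1px", "height:1px"))
    return tiny or hidden

def find_tracking_pixels(raw_message):
    """Return the src URLs of likely tracking pixels in every HTML part."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = ImgCollector()
            collector.feed(part.get_content())
            hits += [i["src"] for i in collector.images if looks_like_pixel(i)]
    return hits

if __name__ == "__main__":
    print(find_tracking_pixels(SAMPLE_EML))
```

The per-recipient query string on the image URL is what lets the sender tie a load back to one mailbox, which is why blocking remote images by default defeats it.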
A number of you might be saying “ugh! Why send this via email when you can just get recipes on social media?”
As I said in Keep Calm and Log On, even social media “challenges” can have a sinister dark side. Have you ever seen something like the image here on your feed? This particular account, Good Old Days, specializes in them. Any sense of what’s wrong with this picture? (Aside from the hideous art.)
The name of your first grade teacher is a common security question, set up so you can get back into your accounts if you forget your password.
The make and model of your first car. The name of your first pet. Your high school. The town in which you were born. All of these questions come up in long threads on social media where people share, get nostalgic, tag their siblings and friends—and provide vast, harvestable lists of answers for criminals to try when they want to get into your accounts. It is really, really important not to share this information. If you have, you may want to take a moment to go over your accounts (particularly your online financial accounts) and change which security questions you chose or what the answers are. This is also a good time to set up a password manager, which can help you safely keep track of your passwords and security questions.
It’s easy to feel helpless in the face of digital threats. But there are simple things you can do to keep your accounts safe:
Use the “BCC” option rather than the “CC” option to hide the recipients of the email. Particularly if you’re broadcasting an email to a bunch of people who don’t need to have a discussion with each other. (This isn’t just safer, it’s also more polite.)
If you’re forwarding something, delete the big chunks of information about who sent it before.
Slow your roll. Recognize peer pressure or when an email or social media post frightens you, whether that’s an urgent piece of information about coronavirus or elections, or something superstitious like “people who didn’t forward this before died and you will too!!!!1 😱😱😱😱☠️” It’s particularly important not to forward these without thinking and checking whether they’re true. Here are some more tips to stop yourself from making decisions online based on stress.
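As an added illustration of the forwarding tips above (not part of the original post), this sketch audits a message before you pass it on: it lists every address and phone-like number the text would expose, then strips the forwarded header lines and masks whatever is left. The sample message is constructed, and the patterns are simple assumptions that will not catch every header or number format.

```python
import re

# Constructed sample of a forwarded chain message; every name, address and
# phone number is made up.
SAMPLE_FORWARD = """\
Passing this along, it's fun!

---------- Forwarded message ---------
From: Ana Diaz <ana@example.org>
Date: Mon, Apr 6, 2020
Subject: Fwd: Poem exchange
To: Ben Ito <ben@example.com>
Cc: cara@example.net, dev@example.org

> From: Eli Roy <eli@example.com>
> To: ana@example.org
>
> Please send one uplifting poem to the person in position 1.
> --
> Eli Roy | 555-0142 | eli@example.com
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b(?:\d{3}[-. ])?\d{3}[-. ]\d{4}\b")
# Header and separator lines that mail clients insert when forwarding or
# quoting; the optional "> " prefix covers quoted copies of those lines.
HEADER_RE = re.compile(r"^[>\s]*(From|To|Cc|Bcc|Date|Sent|Subject):", re.I)
MARKER_RE = re.compile(r"^[>\s]*-{2,}\s*(Forwarded|Original) message", re.I)

def audit(text):
    """Return the distinct email addresses and phone-like numbers in text."""
    emails = sorted({m.lower() for m in EMAIL_RE.findall(text)})
    phones = sorted(set(PHONE_RE.findall(text)))
    return emails, phones

def scrub(text):
    """Drop forwarded-header lines, then mask any address or number left."""
    kept = [ln for ln in text.splitlines()
            if not HEADER_RE.match(ln) and not MARKER_RE.match(ln)]
    body = EMAIL_RE.sub("[address removed]", "\n".join(kept))
    return PHONE_RE.sub("[number removed]", body)

if __name__ == "__main__":
    print("exposed before scrubbing:", audit(SAMPLE_FORWARD))
    print(scrub(SAMPLE_FORWARD))
```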
For more security, privacy, and digital mindfulness tips, order a copy of Keep Calm and Log On.