What if you woke up tomorrow to find hundreds of emails in your inbox—emails thanking you for signing up for newsletters, for joining forums, or for things you can’t even figure out because the emails are written in different languages? Emails that weren’t stopped by your spam filter because they’re not, technically spam—they’re legitimate confirmation emails, just for stuff you didn’t actually sign up for?
If that happens to you, pay attention: You’re being email bombed, and there’s probably a good reason why. And that reason isn’t good for you.
What is email bombing?
Also known as “subscription bombing,” email bombing is when you suddenly get a large number of emails—often hundreds—from various businesses and websites all at once. They’re all confirming things you never initiated, and all of them are addressed to your actual email.
An email bomb is created using automated scripts that locate forums, newsletters, and other sites online and enter your email address into them. Because it’s an automated process, a bad actor can have you signed up to hundreds of sites like this in a matter of minutes—and have hundreds of emails on their way to you, all at once. The sheer volume of messages in an email bomb can be dizzying—and that’s the point. Because it’s almost certainly designed to disorient you.
Why you might be email bombed
When you get an email bomb, there are three not-great possibilities as to why it’s happening to you:
-
A prank. The least worrisome reason behind an email bomb is that someone out there hates you and wants to make your life slightly more miserable by giving you an online mess to clean up. It’s the digital equivalent of signing people up for magazine subscriptions, or having unwanted pizzas delivered to their house.
-
Malicious links. Sometimes email bombs are used to trick you into clicking on malicious links buried in the “unsubscribe” portion of the text. You get a bunch of mysterious, unwanted emails from legitimate businesses or sites, so you click the “unsubscribe” without thinking too hard—and your computer is compromised.
-
Distraction. This is the most likely—and dangerous—possibility. Someone has compromised a credit card or store account and made some illicit purchases, or made some changes to your accounts they don’t want you to see. So they seek to bury those confirmations or alerts under hundreds of bullshit emails.
For example, this woman woke up to hundreds of emails in her inbox one morning—and eventually figured out that someone had used her credit card information to make a $1,300 purchase, and the email bomb was designed to obscure what had happened. Scammers hope that you’ll just mark everything as spam and delete it without paying close attention, missing important emails informing you of charges, changes to your accounts (like passwords or two-factor settings), or other scams.
Bottom line: If you’re unexpectedly deluged by an email bomb, don’t assume it’s a prank or a mistake—assume you’re under attack.
What to do about an email bombing
If you experience an email bomb, there’s not much you can do to stop it—your email has been entered into lists and databases, and the automated services that run those sites will continue to send you confirmations or newsletters until you unsubscribe. If the script used by the bad actors to sign you up keeps running with your address, this can go on for a long time. If you can’t shut down the affected email, all you can do is mark things as spam and unsubscribe from things—at the actual website, not by clicking on the link in the emails.
You should also change all your passwords and set up as many extra security features as possible, including two-factor authorizations, on as many accounts as possible. If someone is email bombing you, they may have compromised more than one aspect of your life.
You’ll also have to keep reviewing the emails as they roll in, because email bombs aren’t always set off at exactly the same time as the fraudulent charge or invasion of an account. It can be exhausting, but that’s why the tactic is used. If you give up and let critical emails slip through, you’re letting the scammers win.
Eventually, the tide of emails will subside and whoever targeted you will move on to someone else. As long as you don’t let the bomb distract you, you’ll be fine.