Tales & Trails of a Traveling Wiseguy

Something weird is happening with spam and spam filtering at work this week. The volume of spam we're receiving is way up. Whereas I used to see maybe 10 spam messages a day that got through our filters I'm now seeing 50. At the same time a lot of my colleagues are seeing their outgoing messages throttled. Messages are being queued for hours at a time or bounced back to us, undelivered.

The last time I saw a major uptick in incoming spam like this was several years ago, at a different company. And there it was the result of a willful change we'd made. Execs said, "Hmm, spam isn't too bad, deleting 10 a day is manageable, we don't need to pay to renew spam filtering." The very first day after the filtering contract expired we were inundated. Within hours employees from across the company were complaining that email was rendered unusable. And while ICs were contending with several dozen spam messages per day, some senior managers were getting multiple hundreds. Execs restored the budget for spam filtering post-haste.

The situation this week is not due to deliberate change on our side. No exec went the penny wise and pound foolish route of trying to save money on email. Instead, it's a situation that has been thrust upon us.

Google (our email provider) says that we're being throttled because their algorithms see we're the target of a huge uptick in spam. Yeah, we noticed that, too— incoming spam. Why are they treating us like it's our problem? We pay them to fix it; so the fact it's broken is their problem! And why TF are our outgoing emails, legitimate business emails sent by actual people, being throttled? It's like they're punishing us for being victims of their own failing filters.

I got a cold-call email at work today from a person who tried to make herself seem like a friend or contact so that I'd be more likely to respond. If you work in a corporate job you probably know the kind of thing. There's the classic fake "Following up on our last conversation" intro (there was no previous convo) or "More info you asked for about XYZ" (never heard of XYZ). This one tried to play to the college listed in my LinkedIn profile to come across as having something in common. It was like, "Oh, wow, you went to Cornell, too, I bet you're really looking forward to the Cherry Blossom Festival!"

This bombed as a gambit to establish rapport because I'd never heard of a cherry blossom festival at Cornell. It certainly wasn't a thing during the 4 years I was a student there, and I'm virtually certain it wasn't a thing for at least 10 years prior (it still would've been talked about as campus folklore) or 10 years since (I would've read about it in alumni newsletters they were regularly sending me). It's a fail of an attempt to seem familiar.

Now, if the same person had reached out with, "Cornell! Wow, it's almost time for Dragon Day, and I'll bet you have memories!" I might actually have responded. Even to a complete stranger I might have replied with something like, "I sure do!" and mentioned the time I participated in a Dragon Day parade as an act of civil disobedience after craven university administrators tried to declare it illegal. Or the time my friends stole a dragon— a baby dragon—and drunk, angry dragon-parents swarmed the house I was living in, demanding it back. Good times! But alas, no, this stranger's attempt at camaraderie was to cite a nonexistent cherry blossom festival.

My company has a number of internal Slack channels dedicated to security issues, including one where alerts about security threats are shared. Today two of these channels had messages from different staff members who were concerned about a text message apparently all of us in the US received from a hither-to unknown number.

I saw this message, too. It included a link it asked us to click through to manage information about our payroll. Such messages reasonable raise a bit of skepticism as asking people to confirm financial information is a common scam nowadays. Scammers pretend to be a company the victim does business with, whether that be a bank, PayPal, eBay, etc.

The key word is pretend. Not all email/text/etc. coming from your bank, PayPal, eBay, etc. is fake. Some of it is legit. How can you tell? Well, shit, it's actually not hard! For starters, look at the actual URL of the link. Does it go to the website of a company you do business with? If so, it's legit. (Be sure you see the actual link target as opposed to what the link displays as, if the medium allows those two to be different.)  If it goes anywhere else, it's not.

Today's momentarily suspicious text message was from the company that does our payroll. I recognized their name because, well, they've been delivering my paychecks for 10 months. I regularly log on to their web portal to check my paystub details, too. And the link actually went to their domain, as opposed to unheardofsite.foreigncountry/link. But that didn't stop some of my colleagues from working themselves into a lather online.

"I guess this is spacm as I did not sign up for that," wrote one.
"I believe this is a fraud attempt to hack into our personal information," another responded.
"I don't recognize this company name at all," added the first.

That's your payroll, dumbass, I wanted to respond.

Look, I get it: in 2023 there's plenty of reason to be suspicious of links in text and email. There are plenty of fraudsters out there. But you can't dismiss every link as fake and an attempt at theft— especially when it's so trivial to vet legit links from fake ones.

Oh, and maybe pay attention to who's giving you thousands of dollars every two weeks. What are you, a crooked politician?

I've been getting more spam calls lately. Well, potential spam. It's easier than ever to avoid it because the phone companies have added spam detection to their smartphone software. Now I see stuff like this when a potential spammer calls:



The thing is, while it's easier than ever to avoid spam, it's also easier than ever for spammers to... well, spam. Auto-dialer software is really cheap now, phone lists are cheap, bandwidth is cheap... basically a few scammers in a garage can stage a nationwide spam operation placing a billion calls. That's what's behind the notorious extended-car-warranty spam, authorities believe.

I get 2-3 spam calls every weekday now. The government seems powerless to stop them. What to do?

The old conventional wisdom is "Just ignore them, maybe they'll go away." Also, "Don't answer! That just proves your number is real and they'll call you more!"

The thing is, spammers are not going to just go away. It's too cheap for them to keep trying. And they're not dialing random strings of 10 digits; they're buying lists of phone numbers. "Proving" your number is real is not really a thing. (OTOH, actually falling for a scam supposedly does get you onto a hot list of known suckers the scammers sell to each other.)

So I came up with a new conventional wisdom: Answer the call. Answer it, let them start the pitch, then hang up. Maybe then their system will mark your number as already contacted and stop trying.

I did that today with two spam calls. Both were actually a live person trying to sell me something! Well, one was a charity asking for money; the other was trying to pitch me business software. I know they've been trying repeatedly because I recognize their location. I told both of them politely I would not donate/buy and asked them not to call again. Maybe now I'll get fewer spam calls per week, at least for a little while.

Update: It worked! Once I finally answered these organizations' calls they stopped trying. I went from several spam calls a week to one or none.