Today, I had an email from a website called *****. I think they are an
Indian dating agency. There was a message saying that a friend of mine (his
name was included in the message) wanted to share photos with me. There was a
box to press. I right-clicked and copied the URL, closed down my Outlook, and
opened my browser and pasted the URL into the address bar. When the website
came up, I realized it was a con and closed the browser down. Later today, I
had another email from ***** congratulating me on becoming a member with my
email address and password highlighted. My question is: In your opinion,
would they/could they have opened an account using my email address, even
though I didn’t open the email in my Outlook? Or are they hoping that I will enter
the site using those details (if only to delete the account) and that in some
way, will verify the details and put me in more trouble? Any observations
are appreciated, if you have time.
Well, I’ll put it this way: you’ve probably already opened and verified
your account with *****.
I’ll explain how that happened and what steps you should take next.
A click is a click is a click
I want to start by clearing something up.
Copying the link out of your email program, closing your email program, and then pasting the link into your browser didn’t do anything to increase your security. You might as well have clicked the link in the email, which would have done pretty close to the same thing.
It’s the link that’s the problem and the fact that you went to it at all. Where or how you do so in a case like this is pretty immaterial.
“Don’t click links that you aren’t certain about in email” really means don’t use those links at all, in any way.
How it probably worked
It is really a fairly simple thing for spammers – or social media sites or Indian dating sites or just about any site for that matter – to do. While this example is completely and totally made up, it’s not that far from what can really happen.
They start by collecting your email address. Perhaps a friend told them in order to invite you to this service. Perhaps they simply collected the email address from less legitimate sources. Perhaps they just guessed.
Then, they put that email address into a database and assigned it a number. That number’s important.
firstname.lastname@example.org = 182934
Now, they send you your invite. It’s sent to your email address: email@example.com. In that “invitation” amidst all the words about how wonderful their service or product will be a link. It could look something like this:
In reality, it could be completely hidden and even made to look completely misleading. For example, they might choose to encode it more like this:
(2CA96 is that number encoded in hexadecimal and the optout.html could be completely ignored.)
There are many ways to encode the information into a clickable URL.
What information? Well, the number that was assigned to your email address, of course.
No matter how you go to that URL, the mere fact that you’ve gone to it tells them that the email address associated with 182934 got to a real live person.
In fact, they might even assume that the act of going to that URL is confirmation that you want to join their service.
All that they need to do is look up the email address associated with that number and start spamming you.
How to prevent this
Don’t click the link.
Don’t use that URL in any way.
In particular, don’t copy/paste that URL into a browser and go to it.
Your email program had nothing to do with this. The fact that the URL was accessed – even once and regardless of how – caused the problem.
What to do next
OK, so you clicked on that URL or activated it in some other way.
Well, my guess is “unsubscribing”, even if offered, isn’t going to be of any help. Any so-called service that would subscribe you on a single click in an email that you never asked for isn’t likely to be particularly well behaved when you ask to leave.
Instead, the next time that you get email from that service, do one or more of the following:
Mark it as spam if your email service or program supports that.
Block the email address if your email program or service supports that.
Set up a rule or filter to automatically delete the email if your email program or service supports that.
Delete it and get on with your life.
In other words, there’s no reliable way to get them to stop sending. All that you can do is deal with and dispose of the email as it comes in.