“I accidentally opened a spam email”—now what?
Spam emails have always been annoying, but people are cottoning on to the fact that they can also be dangerous. Spam emails include phishing emails—emails designed to get you to reveal sensitive information. That sensitive information can then be used to target you with scams and even steal your identity.
You probably already know a lot of this, given that you’re worried about having accidentally opened a spam email. So here’s what you can (and shouldn’t) do if you’ve opened a spam email.
What to do and what to avoid once you’ve opened a spam email, in short:
- Don’t click on any links (including buttons and unsubscribe links).
- Don’t reply to the email.
- Flag the email as spam or a phishing attempt.
- Delete it if your client doesn’t do this for you.
- Report ongoing issues to the FTC.
- Change your passwords and scan your device if you clicked on something.
- Take steps to reduce the amount of spam you get from now on.
What not to do after accidentally opening a spam email
The most important thing to do when you accidentally open a spam email is actually a list of things not to do. This is because it’s extremely unlikely that merely opening a spam email will do you any harm. Rather, it’s the things we do when we’re flustered and not thinking straight that get us in trouble.
Number one on this and virtually every other list you’ll come across is don’t click or tap on any links, buttons, or other interactive elements. Yes, even—or especially—unsubscribe links. Just opening the email isn’t likely to execute any code on your device, but clicking on something might.
Even if clicking on a link “only” takes you to a phishing website, the spammer may well have set that site up to siphon off even more of your personal data than opening the email alone could reveal. And that’s not to mention the fact that some phishing sites are so well-made that almost anyone would fall for them.
Don’t interact with any attachments or QR codes
Attachments can also be extremely dangerous if you click on, download, or open them. Scammers sometimes create hyperlinked images that look just like attachment thumbnails. Clicking on these links can lead to malware being downloaded and/or executed on your device, or you might be taken to a phishing site.
QR codes are also increasingly being used by scammers and other cybercriminals to redirect users to malicious websites or get malware onto their devices. Don’t scan any QR codes you find in a spam email, and generally be cautious when scanning QR codes in any context.
Don’t reply to the email
Replying to a spam email won’t immediately lead to your device being infected with malware, but it gives the spammer much more of an opportunity to target you. If nothing else, it tells the spammer that your email is in active use and that you’re the kind of person who doesn’t know not to respond to spam emails.
Do this every time you accidentally open a spam email
Accidentally opening spam emails is something that happens to all of us from time to time. It happens less and less often the better you get at spotting spam and protecting personal information like your email address in the first place. Still, no one but the most paranoid among us is immune. Here’s what you can do the next time you open a spam email:
Flag the email as a spam email or phishing attempt
Most modern email clients (like Gmail, ProtonMail, etc.) give you the option of marking messages as either spam or phishing emails. The exact steps vary from client to client and provider to provider, but the gist is the same regardless.
Select the spam email and look for a “report spam” or “report phishing” option. Here’s the difference between spam and phishing emails: a spam email is any email that you didn’t ask to receive, whereas a phishing email is a spam email that’s designed to swindle you out of personal information, like login details, banking information, or something as seemingly innocuous as your middle initial.
Delete the email if your client doesn’t do this automatically
Almost all email clients will automatically delete messages marked as spam or phishing. Once you’ve reported an email, go back to your inbox and refresh it. If the message doesn’t disappear, select it and send it to your trash folder. Leaving spam emails lying around in your inbox only increases the chances of you opening them again down the line.
Report repeated or targeted phishing attempts to the FTC
Getting a lot of emails from a single address or a single sender using multiple addresses? Have you received spam emails that contain a worrying amount of your personal information? Report the email as spam or phishing and lodge a complaint with the Federal Trade Commission (FTC).
Do this if you clicked on something in a spam email
Clicking on a link (including buttons and unsubscribe links) in a spam email definitely raises the chances of your personal data being phished and even the chances of your device and/or accounts being compromised. Here’s what you can do to bump those chances back down:
Change your passwords
Just clicking on a link won’t immediately expose your passwords. The two ways it could do this would be if clicking the link downloaded a virus that then registered your keystrokes or if it was a phishing link that took you to a fake website designed to get you to type in login credentials, including your password.
So change any relevant passwords after clicking on a suspicious link. Use a password manager like NordPass or Bitwarden to generate and keep track of your passwords. Never use the same password for two or more accounts. Reusing passwords between accounts is one of the best ways to get hacked.
Scan your device for malware
Speaking of viruses—and trojan horses—clicking on a link or opening a malicious attachment can certainly end in your device being infected. If you use Windows or macOS, but especially Windows, run a virus scan to prevent malware from taking hold. Your options for anti-malware software on macOS are much more limited, but running a scan is still a good idea.
Linux users are in luck, with most malware simply not affecting their devices. Android and iOS devices should also be relatively resistant to malware, but installing reputable anti-malware software can’t hurt and may provide some much-needed identity theft protection.
Pull the plug (in case of emergency)
What if you click a link or attachment in a spam or phishing message and then notice your device doing strange things, like opening and closing windows or apps or slowing down and heating up? It’s best to immediately disconnect your device from the internet, to stop any malware from downloading more viruses or uploading your personal data.
The quickest way to do this is to put the device into airplane mode. Easy enough on mobile devices, including laptops, but what about desktop computers? Pull the plug: remove the ethernet cable, turn off your router (if you’re at home; don’t do this on work or public networks), or power down the computer.
Once you’ve isolated your device from the internet, use an unaffected device on another network to look into your options as far as next steps are concerned. If in doubt, take your device to a reputable shop to seek professional advice.
What you can do to reduce the risks of spam emails
This whole article has been about what you can do once you’ve opened a spam email, and maybe even faced a targeted phishing attack. What if you could stop phishing attacks and spam emails before you even have a chance to fall victim to them? Here are three things that can really make a difference:
Stop the spammers from getting your email address in the first place
Spammers can’t send you emails if they don’t know your email address. A great way to keep it, and your other personal information, away from them is to stop data brokers from spreading it around online. Data brokers have even been caught knowingly selling personal data to scammers.
Legislation like the California Consumer Privacy Act (CCPA) and EU General Data Protection Regulation (GDPR) means that, depending on where you live, you may have the legal right to demand that these data brokers leave you out of their operations. There are two ways you can leverage this right.
Figure out which data brokers are likely to hold your data. Do this by searching for your name, address, and/or phone number in a search engine of your choice (better yet, try more than one): this will leave you with a list of people search sites, a kind of data broker. Then, research data brokers known to operate in your state and industry—you won’t be able to confirm they have your information like with people search sites, but that’s fine.
Now you can either go through your list and opt out of each data broker manually—we’ve prepared detailed, step-by-step instructions to help you do this—or sign up for Incogni and let us do all this legwork and more on your behalf.
Turn off automatic image loading
You can reduce the risks associated with opening a spam email just by changing one setting in your email client. Turn “automatic image loading” off. Almost all email clients have a setting like this, but it might go by different names. This will stop your email client from automatically displaying images when you open an email. Malicious attachments and tracking pixels won’t be automatically executed by the client, keeping you significantly safer when accidentally opening spam emails.
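To see what automatic image loading would fetch, you can inspect a saved message offline. The following is an added example, not part of the original article: it parses a raw message without contacting any server, lists remote images (flagging 1x1 ones as likely tracking pixels), and lists links whose clickable content is an image, like the fake attachment thumbnails described earlier. The sample message, its example.test domains, and the function and class names are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
# Constructed sample message, not a real email; example.test is a placeholder domain.
SAMPLE_EML = """\
From: "Parcel Service" <notice@example.test>
Subject: Your invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://login.example.test/doc"><img src="cid:thumb1" alt="invoice.pdf"></a>
<img src="https://track.example.test/o.gif?id=abc123" width="1" height="1">
</body></html>
"""

class RemoteContentFinder(HTMLParser):
    """Collects remote images and image-wrapped links; never fetches anything."""
    def __init__(self):
        super().__init__()
        self.remote_images = []  # (url, looks_like_tracking_pixel)
        self.image_links = []    # hrefs of links whose clickable content is an image
        self._href = None        # href of the <a> element currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img":
            src = a.get("src") or ""
            # cid: and data: images are embedded in the message; only URLs are remote.
            if src.lower().startswith(("http://", "https://", "//")):
                tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
                self.remote_images.append((src, tiny))
            if self._href:
                self.image_links.append(self._href)

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def inspect_message(raw):
    """Return (remote_images, image_links) for every text/html part of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    finder = RemoteContentFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.remote_images, finder.image_links

if __name__ == "__main__":
    print(inspect_message(SAMPLE_EML))
```

With image loading turned off, the mail client does not request the remote images this reports, so the sender's server never sees that request.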
Maintain regular backups of your files
This piece of advice won’t make your device any safer, but it will take your stress levels down a few notches in the event of something going wrong. Make regular backups of all your important files, including documents, photos, videos, and (properly encrypted) passwords.
Having complete and current backups will make you immune to ransomware attacks, for example. If someone encrypts your files and tries to extort you, you can just ignore their demands, format your SSDs, and recover from your backups.
FAQ
Can you get hacked by opening an email?
Yes, you can get hacked by opening an email, but it’s extremely unlikely. Mercenary organizations like the NSO Group have developed cyberweapons that don’t even require a single click to infect a device. So opening an email could lead to you getting hacked, but you’d have to be a high-value target.
Can I get a virus from opening an email?
Yes, you can get a virus from opening an email but, again, it’s very, very unlikely that you ever will. To protect yourself against malicious software hidden in attachments or embedded files, go to your email client’s settings and disable “automatic image loading” (or similar).
Can I tell if my email has been hacked?
You can’t always tell if your email has been hacked. There are many potential signs, like emails getting marked as read or disappearing from your inbox or emails you didn’t write sitting in your drafts folder. But it’s also possible that a hacker could leave no obvious traces at all.
Do spam emails contain malware?
An extremely small minority of the spam emails that make it to your spam folder, let alone inbox, will contain malware. Generally, cybercriminals won’t indiscriminately spam their malware out into the void: doing so would only alert email providers, operating system developers, and users.
What if I clicked on a phishing email but did not enter details?
If you clicked on a phishing email but didn’t enter any details, you may still have revealed some valuable information to the scammer. Just opening an email can give them your IP address—from which they can get your general location and ISP details—device info, OS info, and browser/client info.