How Email Bombing Uses Spam to Hide an Attack

If you suddenly start receiving an endless stream of junk email, perhaps asking for confirmation of a subscription, you’re the victim of email bombing. The perpetrator is probably trying to hide their real goal, so here’s what to do.

What Is Email Bombing?

The term “email bombing” can also refer to flooding an email server with too many emails in an attempt to overwhelm the email server and bring it down, but that’s not the goal here—it would be challenging to bring down modern email accounts that use Google or Microsoft’s email servers, anyway. Instead of a denial-of-service (DOS) attack against the email servers you are using, the onslaught of messages is a distraction to hide the attacker’s true intentions.

Why Is This Happening to You?

An email bombing is often a distraction used to bury an important email in your inbox and hide it from you. For example, an attacker may have gained access to one of your accounts on an online shopping website like Amazon and ordered expensive products for itself. The email bombing floods your email inbox with irrelevant emails, burying the purchase and shipping confirmation emails so you won’t notice them.

If you own a domain, the attacker may be attempting to transfer it away. If an attacker gained access to your bank account or an account on another financial service, they might be trying to hide confirmation emails for financial transactions as well.

By flooding your inbox, the email bombing serves as a distraction from the real damage, burying any relevant emails about what’s going on in a mountain of useless emails. When they stop sending you wave after wave of email, it may be too late to undo the damage.

An email bombing may also be used to gain control of your email address. If you have a coveted address—something straightforward with few symbols and a real name, for instance—the entire point may be to frustrate you until you abandon the address. Once you give up the email address, the attacker can take it over and use it for their purposes.

What to Do When You Get Email Bombed

If you find yourself the victim of email bombing, the first thing to do is check and lock down your accounts. Log into any shopping accounts, like Amazon, and check for recent orders. If you see an order that you didn’t place, contact the shopping website’s customer support immediately.

You may want to take this a step further. On Amazon, it’s possible to “archive” orders and hide them from the normal order list. One Reddit user discovered an email from Amazon confirming an order for five graphics cards with a total value of $1000 buried in an onslaught of incoming email. When they went to cancel the order, they couldn’t find it. The attacker had archived the Amazon order, hoping that’d help it go undetected.

You can check for archived Amazon orders by going to Amazon’s Your Account page and clicking on “Archived Orders” under “Ordering and shopping preferences.”

While you’re checking your shopping accounts, it would be wise to remove your payment options entirely. If the perpetrator is still waiting to break into your account and order something, they won’t be able to.

After you’ve checked any site you’ve provided payment information, double-check your bank and credit card accounts and look for any unusual activity. You should also contact your financial institutions and make them aware of the situation. They may be able to lock down your account and help you find any unusual activity. If you own any domains, you should contact your domain provider and ask for help locking down the domain so it can’t be transferred away.

If you discover an attacker has gained access to one of your websites, you should change your password on that website. Make sure you use strong, unique passwords for all your important online accounts. A password manager will help. If you can manage it, you should set up two-factor authentication for every site that offers it. This will ensure attackers can’t gain access to an account—even if they somehow get that account’s password.

Now that you’ve secured your various accounts, it’s time to deal with your email. For most email providers, the first step is to contact your email provider. Unfortunately, contacting Google is incredibly tricky. Google’s contact page doesn’t seem to offer a contact method for most Google users. If you’re a paid Google One subscriber or G Suite subscriber, you can contact Google support directly. When digging through their many menus, we only found a direct method of contact when you have missing files in Google Drive.

It’s doubtful anyone from this support team can help with your problem. If you’re on Gmail without a subscription, you’re going to have to ride out the bombing. You can create filters to clean out your inbox. Try to find something common in the emails you are receiving and set a few filters to move them to spam or trash. Just to be careful not to filter out emails you do want to see in the process.

If you’re using an Outlook.com email, help is built into the website. Log into your email, then click on the Question mark in the upper right-hand corner.

Type something like “I’m getting email bombed” and click “Get help.” You’ll be given an “email us” option, then follow with that.

You won’t get immediate relief, but support will hopefully contact you to help. In the meantime, you’ll want to create rules to filter out the junk you’re receiving.

If you’re using a different email provider, try to contact them directly and set up filters. In any case, don’t delete your account or your email address. Gaining control of your email address might actually be what the attacker truly wants. Giving up your email address gives them an avenue to achieving that goal.

You Can’t Stop The Attack, But You Can Wait It Out

Ultimately, there’s nothing you can do to stop the attack yourself. If your email provider can’t or won’t help, you’ll have to endure the attack and hope it stops.

Just be aware you may be in for a long haul. While email bombings sometimes trail off after a day, they can go on as long the perpetrator wants or has the resources for. It may be a good idea to contact anyone important, make them aware of what’s going on, and provide another way to contact you. Eventually, either your attacker will get what they want or realize you’ve taken the steps to prevent them from succeeding and move on to an easier target.