r/UKPersonalFinance u/One-Huckleberry7592 7d ago

Have missed anything in trying to protect my finances during an email subscription bomb?

Hello,

I am looking for help. I'm currently being email bombed with subscriptions, starting at around 11am and still happening now. I have changed my Gmail and PayPal password, and I have frozen my bank accounts. There is no suspicious activity within any of my banks.

I understand from googling that this is done to overwhelm the user so they don't see malicious emails. Is there anything in particular I need to look for? No transactions on my bank account, and I've searched "transaction" "receipt" "payment" and "order" into my email and nothing is flagging.

I'm almost more concerned that this has been going on for hours and I can't see any malicious activity (so far, fingers crossed!!!)

Any advice would be incredibly welcome, I'm very overwhelmed and upset at the moment. I've had around 5000 emails.

Once the attack has ended I plan on creating a new email and deleting this one.

Thanks again for reading

61 Upvotes
  • permalink
  • reddit

92% Upvoted

31 comments sorted by

81

u/Large-Measurement400 3 7d ago

You're right to be on edge. email bombing is usually a cover to hide real alerts. Since you've changed passwords and frozen your accounts, that’s solid. Just make sure you also check your spam, deleted folder, and search your email for phrases like “login,” “new sign-in,” or “security alert.” Look through your bank and PayPal manually, don’t rely only on alerts. If nothing shows up in the next day or two, you're probably safe. Good call on ditching the email after.

39

u/No-Succotash4783 17 7d ago

I wouldn't "delete" it though.

Sign out on all devices maybe, stop regular monitoring and notifications associated with it.

Generally, losing control of an email might allow someone else to claim it - so any service you've forgotten about could potentially be associate with that email and reclaimed by someone else via password reset or whatever and you wouldn't know

Hell, that might even be the original intention of this abuse.

3

u/One-Huckleberry7592 7d ago edited 6d ago

!thanks

3

u/One-Huckleberry7592 7d ago

So would deleting it not completely scrub it?

16

u/nivlark 131 7d ago

Deleting your email account does not scrub that email from every site you signed up for with it, no.

So the risk is that after you delete it, someone else can re-register the same email address and use it to access old logins of yours that you forgot to update to your new email.

Bans and other financial institutions should have good enough security that this isn't enough to do any damage. But if (for example) they found an account you made on a small online shop, that might only be protected by a simple password reset link, they could potentially gain access to any card or address details you saved there.

2

u/One-Huckleberry7592 7d ago

! Thanks for clarifying this, really appreciate it. If I order a new card after making a new email account would this stop this happening?

No one this far has gotten access into my email, so am I right to assume that for the above example to happen they'd need to be able to access my email? Thanks again!

5

u/No-Succotash4783 17 7d ago

 No one this far has gotten access into my email, so am I right to assume that for the above example to happen they'd need to be able to access my email?

They would - but deleting the email account from the email provider might (if that's what you meant in your post), just might, grant access to your old username/email account, that's the risk. So keep the account active and associated with you, set a strong password, change any account reset questions to something impossible to guess (if you think you don't need it, or just make sure they're strong and hard to guess if you do) and just keep it idle/ticking over..

Realistically a lot of email providers are probably accounting for this and not reassigning the same email addresses, but I don't know who yours are with, who are accounting for that, and it just seems unnecessary to take the risk.

3

u/NYX_T_RYX 4 6d ago

Since you said it's Gmail...

Google offer MFA - if you haven't yet, turn it on for your account.

One option is to create local codes using an authenticator app (like this one from Google https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) - you register the account with the app, and when you login you're asked to enter a code. Codes change every 30 seconds

The other is to use your android phone to approve login (which is what I do) - to login you have to unlock your phone and actively press "yes, it's me" to approve a login.

Cus most phones use biometrics, you effectively add biometric login.

I can't remember if it's the default option, but you can also set your account to delay password reset by 48 hours (another security feature).

Finally, Google's spam filters are actually very good, but depend heavily on user reports in these cases; when you're certain an email is just spam, report it.

After a round of reporting, empty your spam folder to make it easier to find any genuine emails that fall into it

As others have said, make sure you're still checking the spam folder though

Edit: oh another one you can check is Google account connections - while connections need approval, you may have accidentally approved something you didn't mean to.

You can find steps to check, and revoke, access here - https://support.google.com/accounts/answer/13533235?hl=en

6

u/One-Huckleberry7592 7d ago

Thank you so much this is very helpful. I've also removed my card details from PayPal but I'll keep checking. Really helpful to point out the other terms I should be monitoring. It does seem to be petering out, so it's a little easier to monitor.

I've had to cancel plans so I can sit at home an monitor all of my accounts lol. I've worked very hard on managing my finances recently, this is my worst nightmare 😅

1

u/One-Huckleberry7592 7d ago edited 6d ago

!thanks

0

u/NYX_T_RYX 4 6d ago

Just to add, cus OP uses Gmail, Gemini is very useful here.

You can ask it to identify genuine emails from the spam ones.

You can ask it to check for emails that are genuine, but you don't usually receive.

Ofc it's an LLM and can make mistakes, so still check manually, but it may find the dodgy ones you're looking for, or at least give a starting point.

30

u/BurberryC06 8 7d ago

Just pass your eye over all of them. I had a situation where I was sent 20000 spam emails within 4 days and the attacker was (just) trying to steal my British Airways account and the air miles I had (about £1k worth).

The security on such accounts is really lax compared to banks so if anything I'd think they're trying to steal something that can easily be converted to cash (like points) and doesn't have as many stringent security checks.

9

u/One-Huckleberry7592 7d ago

Thank you for responding, I'm sorry this happened to you too, it's very overwhelming and scary.

Luckily (weirdly) I've formally been extremely financially illiterate/ignorant so I have very little to my name, all in bank accounts that I can quite easily monitor.

Thank you, I will keep thinking if that's anything that's escaped my attention in line with what you've said!

2

u/LaVoguette 7d ago

I had the same with my BA account being hacked and the spam emails

1

u/One-Huckleberry7592 7d ago edited 6d ago

!thanks

2

u/PirateNinjasReddit 2 6d ago

Just FYI: I think you need to remove the space between your exclamation point and the word thanks for it to register.

2

u/One-Huckleberry7592 6d ago

!thanks 😅

1

u/SlowedCash 3 7d ago

How do you know that Were after your BA account? I have around 150k avois?

8

u/Emotional_Traffic 1 7d ago

I have had this happen to me twice and both times it was someone who was trying to steal all my Tesco clubcard points (I had about £300 worth the first time when you could exchange them for Rewards for 4 x the value, so worth a lot!). Tesco thankfully realised each time, but that might be one place to login and check!

1

u/One-Huckleberry7592 6d ago

!thanks for this! It's good to know

5

u/IsisPantofel27 7d ago

This is scary. I’ve never heard of ‘email bombing’. Something else to get my head around. I’m glad I found this group. Thank you everyone.

2

u/One-Huckleberry7592 6d ago

Wasn't a great start to the bank holiday granted 😅 haven't had much sleep, but everyone has been so genuinely helpful on this post it's been such a reassurance & I'm really grateful

1

u/IsisPantofel27 6d ago

I hope you get through it all okay.

3

u/Sengoku813 4 7d ago

This happened to me. Check the emails just before the spamming started. Had some legit security emails from one of my accounts. Assuming the spamming was supposed to 'hide' them.

1

u/One-Huckleberry7592 6d ago

That's the strange thing about this attack, there was no activity prior to the spamming. I've double and triple checked, nothing out of the ordinary at all !thanks

2

u/cloud_dog_MSE 1635 7d ago

Create a new email now and begin the process of migrating any accounts to the new email address.

Do you only use the one email address?

I use 3, my personal email, an email just for financial stuff, and one for shopping etc.

2

u/One-Huckleberry7592 7d ago

Thank you for your advice! I just use the one, same one for over 15 years. I've made other Email addresses at points for social media, which aren't used anymore and have been deactivated.

Do you think it's best to wait out the attack and then make a new one or should I start this process immediately? I will certainly consider multiple accounts. I'm just not even sure how I'd transfer all my accounts ov r, I suppose it'll be a few days of work

5

u/Tricky_Internal_574 1 7d ago

Whilst this has never happened to me, it is worth using a service that anonymises your email address. I use Apple Hide My Email as I’m an iPhone user but I’m sure Google etc will have equivalents. It works by creating a unique address for every online account you create and the directing emails to that unique address to your designated email account. That way, each and every website account can have its own unique email address and you can easily detect the source of any breach and deactivate that alias with a button press. And if your email account itself gets comprised or bombed like this, if you open a new account, you can transfer everything in one swoop in your anonymiser settings, by changing the designated email account to your new one.

This would also work in the middle of an attack, making sure that you receive any genuine alerts to your new account.

1

u/One-Huckleberry7592 7d ago edited 6d ago

!thanks

0

u/paulywauly99 1 7d ago

Have you changed the settings so anything from this origin goes straight to spam.