From deleting 50 emails in the morning to reporting a dodgy comment on social media later that night, we may have thought we’d become accustomed to dealing with a daily torrent of spam.
That was until 2020 took spamming to a whole new level.
Spammers quickly adapted to the changing world by taking advantage of the fact that more of us were at home, on our phones, and feeling somewhat vulnerable in these uncertain times. Even though the share of spam in email traffic dropped in 2020 (globally) and spam calls also dipped, spam texts became the sought-after method for scammers, particularly toward the end of the year.
Let’s find out why.
What happened in 2020?
- Americans received over 54 billion spam calls in 2020, a 10 percent decrease from 2019. Spam calls did, however, return to pre-pandemic levels later on in the year (RoboKiller)
- Spam texts took over with Americans receiving a record-breaking 55.4 billion spam texts in 2020 alone
- The average American received 200 spam calls and 264 spam texts throughout the year
- 37 percent of all texts were spam, compared to 25 percent of all calls
- Fraudulent phone calls resulted in a median loss of $1,170, texts a median loss of $800, and emails a median loss of $400 (FTC)
- The share of email spam in global traffic dropped by over 6 percent compared to 2019, averaging 50.4 percent (SecureList)
- 10.47 percent of email spam originated from the United States, a decrease from 14.39 percent in 2019
This report analyzes the types, costs, and trends of spam throughout 2020, the methods favored by spammers, how the COVID-19 pandemic altered the spam landscape, and what the future looks like for spam.
What trends did we see in 2020?
- There were 6.7 billion fewer spam calls in 2020 than in 2019, but Americans were still subject to 54.7 billion of these calls throughout the year. And the calls that did get through were more targeted and effective with the average loss to fraud per spam call jumping from $1,000 to $1,170 year-on-year, according to the FTC
- The FTC also noted a huge drop in the number of fraudulent calls (a 44 percent decrease from 2019 to 2020) but a huge increase in the number of reports for text (145 percent increase) and email scams (104 percent increase)
- RoboKiller also noted this increased trend in spam texts. They were on a steady incline for most of the year, rising 12 percent per month (on average) from April 2020 and peaking in October (in line with the presidential elections)
- Americans received 14 billion political texts and 434 million political robocalls in 2020, with the majority (approx. 70 percent) being Republican-themed
- Even though the percentage of junk emails decreased over the year, Kaspersky believes this could be due to a transition to remote work and, therefore, an increase in legitimate email traffic
- Spam campaigns often utilized COVID-19 themes, whether it was a malicious link asking people to fill out a COVID-19 survey or a text offering a vaccine. Thanks to all of the chaos surrounding the pandemic, it was easier than ever to take advantage of unaware victims
What was the cost?
Due to the huge volume of spam, it is difficult to pinpoint an exact figure for the cost of these incidents. However, TrueCaller’s 2020 U.S. Spam & Scam Report suggests as many as 56 million Americans lost $19.7 billion to phone scams throughout the year.
TrueCaller’s study is based upon a survey of 2,024 US adults that was conducted between March 20 and 24, 2020. Due to the time at which the survey was conducted, the survey perhaps doesn’t take into account the pandemic and its consequences on spam across the US. Nevertheless, TrueCaller’s survey revealed that 22 percent of those surveyed had fallen victim to a spam call or text during the 12 months prior to the survey date. The average loss to a scam call was $351, an increase of 44 percent from 2019’s $244.
The FTC’s fraud reports also give us an insight into the effectiveness and cost of fraudulent campaigns across different platforms (please note: not all of these fraudulent scams will be spam-based).
In 2020, the FTC received:
- 384,874 reports of fraud where the contact method was a phone call, resulting in $440 million in losses with a median loss of $1,170
- 334,833 reports of fraud where the contact method was a text message, resulting in $86 million in losses with a median loss of $800
- 188,167 reports of fraud where the contact method was an email, resulting in $252 million in losses with a median loss of $400
- 135,995 reports of fraud where the contact method was a website or app, resulting in $322 million in losses with a median loss of $150
- 71,685 reports of fraud where the contact method was social media, resulting in $261 million in losses with a median loss of $204
- 36,356 reports of fraud where the contact method was mail, resulting in $48 million in losses with a median loss of $799
However, as only 56 percent of reports included the contact method, these figures are likely to be far higher. In fact, the FTC received 2.3 million fraud reports in total with losses of $3.4 billion. This was a 21 percent increase in fraud reports from 2019 (1.9m) and a 36 percent increase in losses from 2019 ($2.5bn).
Nevertheless, with the contact method figures we do have, we can see the trends in losses to each contact method.
In Q1, before many of the lockdowns started, phone calls saw the highest losses ($104m of $309m). But, in Q2, emails became more effective, accounting for 24 percent ($76m) of the $312 million lost. This is likely due to an influx of people working from home, most of whom would have been reliant on email. However, as the world began to open up again in Q3, fraudulent phone calls regained traction before dropping in place of websites and apps (which accounted for $107m of the $423m lost) in Q4.
Interesting, however, is the number of reports that resulted in a loss.
Of the reports where a contact method was reported in 2020, just 13 percent of scam calls, 14 percent of scam mailings, and 5 percent of texts resulted in a loss. Emails saw a far more significant loss with 28 percent of all reports resulting in such a loss. But it was websites/apps and social media that saw the highest losses with 68 and 65 percent of reported frauds incurring a loss across these channels. When broken down by quarter, these figures remain pretty constant. The only real difference was for emails in Q4 when the number of reports that resulted in a loss dropped from an average of 32 to just 19 percent. This is perhaps due to the world beginning to return to some kind of “normal” and awareness of COVID-19-related scams, in particular, growing.
This is reflected in the FTC’s COVID-19 report where emails account for the biggest chunk (19 percent) of scams (from January 1, 2020, to September 22, 2021, and where a contact method was noted). The data also shows that COVID-19-related scams peaked in Q2 and Q3 of 2020 (before peaking again in March 2021).
Websites/apps and texts were also favored in COVID-19 scams, accounting for 18 and 19 percent of all cases respectively, while phone calls, social media, and mail accounted for 15, 11, and 2 percent respectively. However, it was websites and apps that accounted for the highest losses–$52.51 million in total. Emails, phone calls, and social media resulted in similar losses ($41.17m, $40.23m, and $43.02m respectively) while texts saw significantly lower losses of $11.56m.
As well as the FTC’s fraud-specific details, we also have the IC3’s Internet Crime Reports, which give us an indication of the cost of certain types of cybercrimes that often have spamming at the heart of the campaigns. This includes phishing emails and spoofing which the IC3 notes as two of the key methods (along with extortion) that were used throughout 2020 to “target the most vulnerable in our society – medical workers searching for personal protective equipment, families looking for information about stimulus checks to help pay bills, and many others.”
As our State of Phishing report found, “amid the mass spam phishing emails are many cleverly crafted, targeted phishing campaigns that are incredibly successful.” In 2020, the average victim loss to a phishing email was $225 and cost Americans over $54 million.
On the other hand, spoofing, which deliberately falsifies contact information (e.g. to conduct robocalls or send mass spam emails), had a much higher return for cybercriminals. The IC3 noted losses of over $216.5 million to these campaigns with an average loss of $7,673.
How did it happen?
As we’ve seen above, the pandemic shaped the world of spam with scammers using it to their advantage. But while emails, phone calls, and websites/apps may have dominated the amount lost to fraud in 2020, scam text messages really came into their own.
As we can see from the above FTC data, emails, phone calls, and texts were all reported at similar levels in Q2, but text messages became the dominant contact method for fraud in Q3 2020, taking over from emails in particular.
RoboKiller also saw a similar trend.
RoboKiller’s figures demonstrate how spam texts overtook spam calls towards the end of the year. With more people working from home and more Americans being reluctant to answer calls from unknown numbers (Hiya notes that 94 percent of unknown calls go unanswered), texts became a more accessible, “less intrusive” way of contacting people. Text messages are also far cheaper to deploy than calls and enjoy an average open rate of over 90 percent, so it’s not hard to see why spam texts took off in 2020.
Examples of scam texts received in 2020 include messages saying that a package is waiting for the recipient and that they need to click on the link to find out more, and contact-tracing messages suggesting that the recipient had come into contact with someone who had tested positive for COVID-19 and needed to click on the link to find out more.
Plus, as we’ve already seen, texts were favored for political messaging in Q2 and Q3 of 2020, meaning it was easier for scammers to sneak in amid the flurry of messages Americans were receiving.
But it wasn’t just political messaging that spammers were relying on.
According to RoboKiller, Social Security scams were the most popular type of spam phone calls, accounting for over 14 percent in total. With many businesses shut down and huge uncertainty as to what the future held, Social Security scams played upon this desperation and vulnerability as people sought financial help.
Vehicle warranty scams were a close second, accounting for just under 13 percent of scam calls. Again, these scams preyed upon the fact that many people were looking to protect their finances and assets. This trend was also noted by the FTC’s report on imposter calls where nearly 8 percent of complaints related to warranty and protection plans. This was closely followed by calls about reducing debts (nearly 6 percent of all complaints).
The other top phone scam categories as noted by RoboKiller were:
- Religious – 11.7%
- Vacation Offer – 9.9%
- Credit Card Offer – 9.5%
- Health Insurance – 9.4%
- Loan Offer – 8.6%
- Computer Security – 6.1%
- Medical Offer – 5.4%
What about emails?
As we noted previously, Kaspersky’s SecureList found that the share of global spam traffic in 2020 was down by just over 6 percent, averaging 50.37 percent. But with the inevitable rise in the number of emails being sent in 2020 (thanks to WFH in particular), this is perhaps no surprise.
What did increase was the number of emails with malicious attachments, particularly in the first quarter of 2020. From January to February, the number of global emails that were detected to have malicious attachments by Kaspersky software jumped by 25 percent, increasing by over 3 million. From February to March, it jumped by a further 12 percent, increasing by 2 million.
The levels dropped again in April (in line with many lockdown orders commencing and software perhaps being less readily available) before steadily climbing month-by-month all the way through to October. Levels began to reduce November through to January before they rose again.
Kaspersky also delves into where the most spam originates from, with the US remaining a dominant figure here. From 2017 to 2019, the US was the highest or second-highest source of spam along with China. But this year, it dropped to third with a 10.5 percent share of spam. Russia (21.3 percent) and Germany (11 percent) took first and second place.
Targeted email campaigns that often utilize spam, e.g. phishing and spoofing, also increased, according to the IC3. In 2020, the IC3 received 241,342 reports of phishing crimes–a 110 percent increase from 2019 (114,702). It also received 28,218 reports of spoofing–a 9 percent increase from 2019 (25,789).
Examples of spam emails sent in 2020 included similar themes to the text messages mentioned above (parcels awaiting clearance/delivery and COVID-19-themed messages). Google reported that its systems detected 18 million coronavirus-related malware and phishing Gmail messages per day (globally) as well as over 240 million daily spam messages about COVID-19. But corporate emails were also favored due to the number of people working from home. Messages imitated business emails and sought to steal passwords for corporate email accounts.
Fake online meeting invitations also surged due to the WFH trend. Check Point noted a sudden increase in Zoom-related domains being registered. Of the 1,700 registered at the start of the year, 25 percent were registered in the week after the pandemic was announced, with 4 percent of these found to contain suspicious characteristics. Google Classroom (classroom.google.com) was also imitated with the likes of googloclassroom\.com and googieclassroom\.com.
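A defender-side check for the lookalike registrations described above, as an added example that is not part of the original report or its sources: it flags domains whose name contains, or is within one edit of, a protected keyword. The watchlist, the two-label registrable-domain shortcut (no Public Suffix List) and the constructed .example sample domain are assumptions made for illustration.

```python
import re

# Assumed watchlist: protected keyword -> legitimate registrable domain.
WATCHLIST = {
    "googleclassroom": "google.com",
    "zoom": "zoom.us",
}


def refang(domain: str) -> str:
    """Undo common defanging (\\. and [.]) and normalise case."""
    cleaned = domain.strip().lower().replace("\\.", ".").replace("[.]", ".")
    return cleaned.rstrip(".")


def registrable(domain: str) -> str:
    """Naive registrable domain: the last two labels (assumption, no PSL)."""
    return ".".join(domain.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_match(text: str, keyword: str) -> bool:
    """True if some substring of text is within the edit budget of keyword.

    Short keywords must match exactly; a one-edit budget on a four-letter
    word would match far too many ordinary names.
    """
    budget = 0 if len(keyword) < 6 else 1
    n = len(keyword)
    for size in range(max(1, n - budget), n + budget + 1):
        for start in range(len(text) - size + 1):
            if edit_distance(text[start:start + size], keyword) <= budget:
                return True
    return False


def classify(domain: str) -> str:
    """Return 'legitimate', 'lookalike of <owner>' or 'no match'."""
    name = refang(domain)
    if registrable(name) in WATCHLIST.values():
        return "legitimate"
    # Compare everything left of the TLD with dots and hyphens squashed out,
    # so brand names split across labels or joined by hyphens still match.
    squashed = re.sub(r"[^a-z0-9]", "", name.rsplit(".", 1)[0])
    for keyword, owner in WATCHLIST.items():
        if near_match(squashed, keyword):
            return f"lookalike of {owner}"
    return "no match"


if __name__ == "__main__":
    samples = [
        "classroom.google.com",        # legitimate name from the report
        "googloclassroom\\.com",       # imitation named in the report (defanged)
        "googieclassroom\\.com",       # imitation named in the report (defanged)
        "zoom-meeting-login.example",  # constructed sample
        "example.org",                 # constructed sample
    ]
    for sample in samples:
        print(f"{sample:32} {classify(sample)}")
```

Exact substring matching on a short keyword such as "zoom" will also hit unrelated names, so results suit a review queue for newly registered domains rather than an automatic blocklist.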
Why did it happen?
As we have seen, it was inevitable that COVID-19 would be at the heart of the majority of scams in 2020, and spamming was no exception. The pandemic caused a number of significant factors that opened the way for spammers, including working from home, the spread of misinformation/fear, monetary concerns, and a general growth in online activities.
Spammers began to impersonate officials such as the WHO and the CDC, mimicked the likes of Zoom, and exploited people who were at their most vulnerable. And thanks to the factors mentioned above, this made it easier for spam messages to get through.
For example, Malwarebytes found that 70 percent of businesses in the US moved at least 61 percent of their workforce into working-from-home positions with 33 percent moving 81-100 percent. It also found that 44 percent of companies hadn’t provided employees with specific cybersecurity training that related to working from home. Team this with the fact that many employees were under more pressure and subject to more distractions (e.g. homeschooling children) while working from home, and it’s easy to see why this left the door open for spammers.
A 2020 survey by Deloitte found that 25 percent of employees experienced an increase of fraudulent emails, spam, and phishing attempts in their corporate email after the beginning of the COVID-19 crisis. And, as our State of Phishing report found, while many workers are savvy when it comes to generic spam email campaigns, targeted, more specific emails were more likely to worm their way through, especially in the over 55 age group.
But, as we have already seen, it wasn’t just emails and calls that were providing a way in for spammers. Figures from the FTC highlight how it was texts, websites/apps, and social media that really began to take hold throughout 2020–with the latter two, in particular, creating the greatest opportunities for spammers.
While we’ve grown somewhat accustomed to spam emails over the last few years, the sudden growth in spam texts, social media messages, and websites/apps perhaps wasn’t met with the same growth in awareness. Add confusion, worry, and misinformation into the mix and this created the perfect cocktail for spammers.
For example, Facebook’s Transparency Report for 2020 highlighted a 36 percent increase in the amount of spam flagged on the platform from Q2 to Q3 of 2020, while Twitter noted a 16 percent increase in its spam reports from the second half of 2019 to the first half of 2020. But Facebook (and other platforms/channels/messaging services) aren’t able to block every spam message. As one report found, Facebook was approving adverts that purported to contain COVID-19 misinformation that the platform had said it would remove and combat. One advert is reported to have told people to “stay healthy with SMALL daily doses” of bleach.
And it is perhaps this reliance on certain platforms and services removing spam messages that played a part in the increase in the number of people being duped. How could such an advert or message come through if it weren’t legitimate?
What needs to be done?
As the spamming landscape continues to change, there is no one-size-fits-all approach to combating it. But being able to adapt quickly and remain one step ahead of spammers is essential. This includes:
- Making sure employees are trained up on cybersecurity best practices – If the 2020 pandemic taught us anything, it’s that being able to ensure employees are clued-up for all eventualities is essential. And this is incredibly important when it comes to cybersecurity. Regular training sessions and up-to-date guides and rules will help mitigate potential security risks.
- Tightening up specific legislation – The FTC’s CAN-SPAM rule is seen by some, e.g. Litmus, as being outdated. This is due to it only providing an “opt-out” option for consumers when it comes to commercial messaging. This means that those who don’t want to receive such messages have to go through the rigmarole of opting out of these messages, rather than being able to withhold their consent from the outset with an opt-in option. Enforcing such a ruling would bring the US’s legislation more in line with the likes of GDPR.
- Educating consumers – At a basic level, consumers should be encouraged to take simple measures. It should be recommended that users install anti-spam software and they should be kept up to date with the latest phishing schemes, be warned not to click on any links within emails, texts, or posts without first checking their validity, be asked to create a unique password with each account, and be advised never to hand over sensitive information online, via social media, over the phone, or through email unless they are 100% comfortable it’s a trusted person/account.
Insights and observations
The FCC has mandated all US carriers adopt STIR/SHAKEN to prevent unwanted calls. It allows the origin of a call to be traced more easily. But only the biggest carriers in the US have adopted it, so spammers are moving to smaller providers. Even after they’re eventually forced to adopt STIR/SHAKEN, gateway carriers for overseas calls are not required to participate, so whether STIR/SHAKEN will actually have a significant impact is questionable.
Everyone should assume that all of their email addresses and phone numbers are publicly available and anyone, including scammers, can target them. Creating a new email address is one of the easiest ways to rid yourself of spam, at least temporarily. Changing your phone number can work for phone spam, but you’ll need to request a fresh number and not a reused one. Alternatively, you can get an out-of-state number. Most scammers use neighborhood spoofing to appear to be calling from somewhere local, so if you have a phone number from a state where you don’t know anyone, you’ll know that any calls from that area code are most likely spam.
Spam campaigns are easy to run and lucrative, and spammers are rarely held accountable, which means spammers can target a lot of people very frequently. Only a very small fraction of recipients need to fall victim to spam in order for the spammer to see a return on investment.
As with all crimes, spamming will continue to adapt to the ever-changing world, consumer attitudes, and company weaknesses. And 2021 is already proving this.
RoboKiller estimated that spam text messages would reach unprecedented heights in 2021, with Americans alone set to receive 90 billion–a 60 percent increase from 2020. It also predicted spam calls to increase by 30 percent to 50 billion.
This is reflected in the FTC’s fraud reports for Q1 and Q2 of 2021, too. In Q1, the FTC reported huge increases in the number of fraud complaints it received–an 82 percent increase from Q4 of 2020 (rising from 171,835 to 312,084). In Q1 of 2021, nearly 232,000 of these reports noted phone calls as the contact method (a 100 percent increase from Q4 of 2020), showing a huge uptick in fraudulent phone calls. Fraudulent emails also rose significantly (44 percent).
Even though Q2 of 2021 saw a decrease in the number of reports (22 percent), fraud across all of the contact methods (bar email) remained at higher levels than any quarter of 2020. What’s more, the median losses reached new heights, too.
In Q2 of 2021:
- Fraudulent phone calls resulted in median losses of $1,400–an increase of 20 percent on 2020’s median loss of $1,170
- Texts resulted in median losses of $986–an increase of 23 percent on 2020’s median loss of $800
- Emails resulted in median losses of $850–an increase of 113 percent on 2020’s median loss of $400
- Website/apps resulted in median losses of $330–an increase of 120 percent on 2020’s median loss of $150
- Social media resulted in median losses of $350–an increase of 72 percent on 2020’s median loss of $204
- Mail resulted in median losses of $899–an increase of 13 percent on 2020’s median loss of $799
These significant increases in reports and median losses suggest that 2021 could be a record-breaking year for spam in the US. That’s why it’s imperative that individuals and organizations remain vigilant when opening messages from anyone–even if it appears to be a trusted sender. As spammers continue to utilize the pandemic with scams such as COVID-19 relief funds and unemployment insurance benefits and resort to other tried-and-tested tactics, e.g. fake parcel collection texts and Nigerian Prince schemes, consumers and businesses alike can never be too careful.
Data researcher: Charlotte Bond
- RoboKiller – https://www.robokiller.com/robocall-insights/robocall_insights_2020.pdf
- FTC – https://public.tableau.com/app/profile/federal.trade.commission/viz/FraudReports/FraudFacts
- Truecaller – https://truecaller.blog/2020/12/08/truecaller-insights-top-20-countries-affected-by-spam-calls-in-2020-2/
- Malwarebytes – https://www.malwarebytes.com/resources/files/2020/08/malwarebytes_enduringfromhome_report_final.pdf
- Secure List (Kaspersky) – https://securelist.com/spam-and-phishing-in-2020/100512/