I’m very careful with privacy and security so I was surprised I got an obvious phishing email from “American Express”. I reported the email and moved on only to get another one today. I checked haveibeenpwned and it came back clear. I have never gotten a phishing email before the other day. As for the senders, they all came from generic IT sounding email addresses. They obviously weren’t American Express.

  • MojoLobo@lemmy.jrvs.cc
    link
    fedilink
    English
    arrow-up
    41
    ·
    2 days ago

    If you have signed up on dubious websites with questionable privacy policy, many of them legally sell this data to “data brokers” who then sell it to anyone willing to pay. This happens more than you’d think, for example in 2019 it was reported California DMV makes $50 million a year selling users information. https://www.caranddriver.com/features/a32035408/dmv-selling-driver-data/

    One neat trick is to signup for services with an email like name+website@domain.com, that way if you ever get spam you’ll know where you have been compromised.

    • T156@lemmy.world
      link
      fedilink
      English
      arrow-up
      19
      ·
      2 days ago

      Information might also be leaked through data breaches. An email is not a particularly hard thing to find, or even guess.

      A spammer could easily just have a computer iterate through all possible combinations of emails and usernames, and shotgun it.

      Especially for a name like OP’s. If their email is a similar name, it wouldn’t be difficult for generate one that is also two words.

        • Optional@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          2 days ago

          A program to send to [list of firstname.lastname pulled from the census]@gmail.com or whatever is pretty easy. Also merchants sell the email lists for $ so if you’ve bought anything with that email that could be it.

    • jaybone@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      2 days ago

      I’ve used this many times before. But this is so well known I wonder, why wouldn’t spammers/scammers just remove the “+” and trailing characters before “@“?

      • xigoi@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 days ago

        True. A more reliable way to achieve this is to buy a domain and use addresses in the form websitename@your.domain.

        • jaybone@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          2 days ago

          Yeah that also usually comes up in these types of discussions. Even for technical people, that approach can be a pain to manage.