To most of us, spam emails are a time-consuming annoyance, but in some cases, they can become a serious cyber security threat. Whether it’s a phishing scam which tricks you into revealing sensitive information, or a link to download malware, none of us want to fall victim to a cyber scam.
One of the reasons we receive spam is that bots find our email addresses online. You can assume that if your email address is visible somewhere on the web, a bot will find it.
1.1. How do bots scrape websites for email addresses?
Bots are extremely common on the web. In 2021 around 40% of all internet traffic was from bots. Some of these are ‘good’ bots, such as the ones used by search engines to crawl your website, and others are known as ‘bad’ bots, which are run with malicious intent.
Bots use tools to scrape a copy of your website. This means they take a copy of anything that would be visible to a user, including the source code (an HTML copy) of the site.
Once the bot has a copy of the site content, it can scan the content for email addresses. For example, it will look for a word with an ‘@’ symbol and a ‘.’, and then add this to its database of email addresses.
1.2. What are my options to protect email addresses?
Send users to a form instead
One way to prevent bots from harvesting your email is not to have it on your website to begin with. However, you also want to make it as easy as possible for your website visitors to contact you. You can direct visitors to a contact form instead of giving them your email.
Be careful not to make your email-substitute forms too complicated with multiple fields to fill in, as this may put some people off from contacting you. You want it to mimic the ease of sending an email as far as possible, so just an email and text field is best.
There are some methods which use JavaScript (JS) to generate an email address only when a user clicks on it, so the address is not in the HTML of your site initially. This is the most powerful option, but the extra code can add bloat to the page and may affect your Core Web Vitals score or site speed.
Obfuscate without JS
You can also opt to hide email addresses in the HTML without JS, but it is not as effective. However, it may be enough to trip up simple bots.
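As an added example (not code from the original article), the Node.js script below uses one common non-JS technique, writing the address as HTML character entities, and audits markup both as a simple scan of the raw source and as a scan after entity decoding. The choice of entity encoding, the function names and the sample address are assumptions made for illustration.

```javascript
// Added example: audit your own page markup for harvestable email addresses.
// The address and HTML snippets below are constructed sample data.

// The simple pattern described above: text containing an '@' and a '.'.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Obfuscate without JS: write every character as a decimal HTML entity.
// Browsers still render the normal address and follow the mailto: link.
function encodeAsEntities(text) {
  return Array.from(text, (ch) => `&#${ch.codePointAt(0)};`).join("");
}

// Ignore out-of-range code points instead of throwing on malformed input.
const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");

// Decode numeric entities (&#64; and &#x40;) the way an HTML parser would.
function decodeNumericEntities(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => fromCode(parseInt(dec, 10)));
}

// Report which addresses a scan of the raw source finds, and which
// only appear once entities have been decoded.
function auditHtml(html) {
  const raw = new Set(html.match(EMAIL_RE) || []);
  const decoded = new Set(decodeNumericEntities(html).match(EMAIL_RE) || []);
  return {
    exposedInSource: [...raw],
    exposedAfterDecoding: [...decoded].filter((e) => !raw.has(e)),
  };
}

const address = "info@example.com"; // constructed sample address
const plainPage = `<a href="mailto:${address}">${address}</a>`;
const encoded = encodeAsEntities(address);
const obfuscatedPage = `<a href="mailto:${encoded}">${encoded}</a>`;

console.log(auditHtml(plainPage));      // address visible in the raw source
console.log(auditHtml(obfuscatedPage)); // visible only after decoding
```

An address listed under `exposedAfterDecoding` is hidden from a plain text scan of the source but not from any bot that parses the HTML first, which is why this method only trips up simple bots.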
1.3. Is this worth it?
Ultimately, ending up on some spam lists is unavoidable. Nowadays, bots are becoming increasingly sophisticated and can easily bypass security measures.
The first goal is to reduce your risk of receiving spam emails in the first place. Email obfuscation can be one barrier to this. An effective spam filter on your mail host is another.
The second goal is to avoid getting tricked when you inevitably do receive a spam email. Always check the sender's email address and do not click any links or reply unless you are confident the sender is legitimate. If you are concerned, your IT team may be able to advise if an email looks malicious.