Careful. That lovely Russian lady you got an email from may be looking for more than love.

Cybersecurity researchers say they’re seeing a big spike in romance-related spam ahead of Valentine’s Day. And the emails are being spread by the Necurs botnet, which is thought to control 6 million bots bent on circulating some of the most dangerous ransomware and banking Trojans out there. 

Botnets are networks of connected devices that criminals have infected and can control remotely, without their owners knowing about it.

While the recent emails aren’t carrying computer viruses, that doesn’t mean they aren’t a threat. The emails could lead to urgent requests for money, or extortion attempts if a married man gets caught up in an online correspondence, says John Kuhn, a senior threat researcher for X-Force, IBM Security’s research arm. 


“The spammer could also deliver malware at any point during the correspondence,” Kuhn says. 

According to X-Force, the Necurs botnet has already sent more than 230 million spam messages in two recent surges, one that took place from Jan. 16 to Jan. 18 and another that ran from Jan. 27 through Feb. 3. Even if there's no further surge, millions of the emails are continuing to flow out to potential victims. 

The vast majority of the recent Necurs spam was romance-related. And while the volume of emails may be surprising, the subject matter isn’t, experts say.  

Like other marketers, those who craft spam and phishing emails try to keep their pitches timely to make them more likely to get someone’s attention, says Stu Sjouwerman, founder and CEO of KnowBe4, a cybersecurity company that specializes in antiphishing employee training.

And, right now, that means lots of Valentine’s Day, Winter Olympics, and tax season-related spam.

In this case, the emails are written to look like they’re from Russian women living in the U.S. The writer claims to have found the reader’s profile on a social media site, such as Facebook or the Russian dating app Badoo. And, the email says, she found the reader to be “cute” or “sexy.”

The emails are sent from short-lived addresses, making them harder for spam filters to catch, but they ask the reader to respond to a different email address. The woman supposedly writing the email promises to send pictures if the reader gets in touch at that email address.
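For readers who run their own mail filtering, the mismatch described above (a throwaway sending address and a different address to write back to) can be checked mechanically. The sketch below is an added example, not code from X-Force or from the article; the function names and sample messages are constructed for illustration, and since legitimate mail also quotes other addresses, the result is one signal to weigh with others rather than a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Loose address matcher; good enough for triage, not RFC 5322 validation.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def plain_text(msg):
    """Concatenate every text/plain part of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode("utf-8", errors="replace"))
    return "\n".join(chunks)

def reply_redirect(raw):
    """Report addresses the reader is steered to that are not the sender's."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    found = {a.lower() for a in ADDR_RE.findall(plain_text(msg))}
    if reply_to:
        found.add(reply_to)  # a differing Reply-To header is the same trick
    redirects = sorted(found - {sender})
    return {"sender": sender, "redirects": redirects, "flag": bool(redirects)}

# Constructed samples; every address and domain below is made up.
SPAM = """From: Daria <x7f2k9@bulk-relay.example>
To: reader@inbox.example
Subject: Hello

I found your profile and think you are cute.
Write me at daria.photos@mailbox.example and I will send pictures.
"""

BENIGN = """From: Sam <sam@corp.example>
To: reader@inbox.example
Subject: Lunch

Noon works. Reply here or ping sam@corp.example if plans change.
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("benign", BENIGN)):
        print(name, reply_redirect(raw))
```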

The Necurs botnet has sent out millions of email messages purporting to be from Russian women, trying to draw lonely men into a variety of scams.
Photo: IBM Security

Why Botnets Work So Well

The people who own the infected computers typically don't know they've become part of a botnet.

These networks are used to spread spam faster and cheaper than a cybercriminal could do otherwise. Kuhn notes that large botnets allow spammers to send thousands—if not hundreds of thousands—of emails per infected computer over time. And, if the infected computer has a lot of bandwidth at its disposal, the number of emails sent could reach into the millions.

And when multiplied by the number of infected computers in the botnet, “the capacity for sending spam becomes astronomical,” he says.

Oftentimes, botnets spread ransomware or computer viruses designed to steal login or other personal information off victims' computers. A botnet is also what took down the DNS provider Dyn in October 2016, temporarily shutting down numerous websites including Twitter and Netflix.

Last year, X-Force says, the Necurs botnet sent millions of spam emails as part of a so-called “pump and dump” scheme, in which victims were encouraged to buy a specific penny stock.

That artificially boosted the stock’s price and allowed the botnet operators to sell off their shares and make a quick buck, leaving victims with nothing but losses.

How to Avoid Getting Scammed

So given all of that, how can you avoid falling for one of these schemes?

Here are some tips from digital security experts for protecting yourself from spam and phishing emails—whether they involve romantic advances, promises of free giveaways, or ads.

Think before you click. Common sense is your best protection when it comes to these kinds of scams.

In this case, the spammers are banking on getting replies from people feeling a little extra lonely this time of year. But, when in doubt, just delete emails from people you don’t know, ideally before you open them. You’re better off not taking the risk.

Examine links. Before you click on a link, try hovering your mouse over it. This will usually reveal the full address, which can expose signs of fraud. A “.ru” on the end, for example, means the site was created in Russia; “.br” means Brazil. Most of the email addresses included in the Necurs romance spam have originated in those countries, Vietnam, and other locations outside the United States.

And if you get an email advertising a great deal at a major retailer, open a window in your browser, search for the retailer’s web address, and compare it with the one in your email. Don't assume that a website is legitimate just because its URL starts with “https.” Criminals like to use encryption, too.

Don’t open the attachment. It may contain malware, such as ransomware that locks up your computer files, with criminals demanding a payment in order to unlock them.

Guard your financial information. Be wary of emails asking for account numbers, credit card numbers, wire transfers, and details on failed transactions. There’s no reason to share such info via message or an unsecure site.

Turn on auto updates. This goes for your computer, smartphone, and tablets. Up-to-date security software goes a long way toward stopping malware.

Kuhn says that while many spam filters will keep emails like those used in the romance scheme from ever seeing your inbox, cybercriminals are constantly innovating in hopes of circumventing them.

For instance, spam filters are programmed to filter out emails with exceptionally bad spelling and grammar, but the ones used in this scam are actually written pretty well, making it more likely that they’ll slip through.

Use security tools. Install an antivirus program on your device and keep it up to date. You can also use a website reputation rating tool, which comes in the form of a browser plug-in, to warn you if you try to go to potentially dangerous websites. Cybersecurity companies such as McAfee and Norton offer them.

But keep in mind that these tools aren’t foolproof. Don’t let your guard down just because you use them, KnowBe4's Sjouwerman says.

“If you’re counting on your spam filter and your AV program, then you have a false sense of security.”