Sourcepass Blog

Email Bombing and Fake Support Calls: How the Scam Works and What to Do

Written by Alex Davis | Oct 20, 2025

Email bombing is a common social engineering attack where criminals first overwhelm a victim’s inbox with spam and then follow up with a fake support call. Attackers use the chaos to pressure victims into installing remote access tools or revealing credentials. The result can be data theft, ransomware, fraudulent invoices, and long recovery processes. This guide shows how the scam works, how to spot it, and exactly what to do if you or your organization are targeted.

 

How the Attack Works

 

Step 1: Email Bombing to Create Chaos

Attackers trigger hundreds or thousands of emails to flood a victim’s inbox. They use techniques such as fake newsletter sign-ups, automated form submissions, or hijacked third-party lists. The inbox fills with messages that look legitimate or urgent, creating stress and distraction.

 

Step 2: A Follow-Up Fake Support Call

While the recipient is distracted, someone calls or messages pretending to be IT support. The caller claims they can stop the flood and secure the account immediately. They may spoof caller ID or appear as a familiar internal contact.

 

Step 3: Social Engineering for Access

The fake technician asks the victim to install remote access software, run commands, or provide one-time verification codes. Once the victim complies, the attacker has direct control of the device and can move laterally in the environment, steal credentials, or deploy malware.

 

Variations and Related Tactics

Attackers may send follow-up phishing emails with malicious links, request invoice payments to fraudulent accounts, or pressure victims to disable MFA protections by asking for verification codes.

 

How to Recognize the Scam

  • A sudden flood of email arriving from multiple legitimate-looking senders

  • An unsolicited call or message claiming to be IT support and offering immediate remediation

  • A sense of urgency and pressure to install software or share codes right away

  • Caller ID that seems plausible but is not verified through internal channels

  • Requests to approve remote access tools such as AnyDesk or TeamViewer, or to run administrative commands

If you feel pressured, pause. Pressure and urgency are core tactics used to short-circuit rational decision making.

 

Immediate Actions for Individuals

  1. Do not grant remote access. Politely refuse and hang up if a caller pressures you.

  2. Do not install software or run commands prompted by unsolicited contacts.

  3. Block the sender and mark the messages as junk or phishing in your mail client.

  4. Report the incident to your internal IT or security team immediately. If you do not have internal IT, contact your email provider or managed service provider.

  5. If you suspect you shared credentials or codes, change your passwords from a different device and enable multi-factor authentication if not already enabled.

  6. Document the incident: save inbound messages, record caller ID, note timestamps, and preserve any files accidentally downloaded for investigation.

 

What Your IT or Security Team Should Do

 

Contain and Triage

  • Temporarily disable affected account logins or force password resets for impacted users.

  • Apply temporary rate limits and blocking on inbound mail to the affected accounts.

  • Isolate any devices that were given remote access or show signs of compromise.

 

Investigate and Collect Evidence

  • Collect email headers and logs to trace the source of the flood.

  • Pull endpoint telemetry from EDR to identify suspicious processes or remote access client installations.

  • Check authentication logs for unusual sign-in activity and MFA approval events.
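
The mail-log and endpoint checks above can be combined into one detection, shown here as an added example that is not from the original article: flag a mailbox that receives a burst of mail from many distinct sender domains, then alert if that user launches a remote access tool soon after. The log layout, thresholds, and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them to your own mail volume.
WINDOW = timedelta(minutes=10)        # sliding window for the burst
MIN_MSGS, MIN_DOMAINS = 6, 5          # messages and distinct sender domains
FOLLOW_UP = timedelta(hours=4)        # how long after the flood to watch endpoints
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}  # tools named in the article

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample records: (time, recipient, sender) and (time, user, process).
MAIL_LOG = [(ts(f"2025-10-20 09:{m:02d}"), "pat@example.com", f"news@list{m}.example")
            for m in range(1, 9)]
MAIL_LOG += [(ts("2025-10-20 08:00"), "lee@example.com", "boss@example.com"),
             (ts("2025-10-20 09:05"), "lee@example.com", "hr@example.com")]
PROC_LOG = [(ts("2025-10-20 09:40"), "pat@example.com", "AnyDesk.exe"),
            (ts("2025-10-20 09:45"), "lee@example.com", "TeamViewer.exe"),
            (ts("2025-10-20 09:50"), "pat@example.com", "excel.exe")]

def find_floods(mail_log):
    """Return {recipient: time the flood threshold was first crossed}."""
    by_rcpt = defaultdict(list)
    for when, rcpt, sender in sorted(mail_log):
        by_rcpt[rcpt].append((when, sender.rsplit("@", 1)[-1].lower()))
    floods = {}
    for rcpt, msgs in by_rcpt.items():
        start = 0
        for end, (when, _) in enumerate(msgs):
            while when - msgs[start][0] > WINDOW:   # drop messages older than the window
                start += 1
            window = msgs[start:end + 1]
            if len(window) >= MIN_MSGS and len({d for _, d in window}) >= MIN_DOMAINS:
                floods[rcpt] = when
                break
    return floods

def correlate(floods, proc_log):
    """Remote access tool launches by a flooded user shortly after the flood."""
    hits = []
    for when, user, image in proc_log:
        onset = floods.get(user)
        if (onset and image.lower() in REMOTE_TOOLS
                and timedelta(0) <= when - onset <= FOLLOW_UP):
            hits.append((user, image, when - onset))
    return hits

if __name__ == "__main__":
    for user, image, delay in correlate(find_floods(MAIL_LOG), PROC_LOG):
        print(f"ALERT {user}: {image} started {delay} after mail flood onset")
```

Requiring many distinct sender domains keeps a single noisy mailing list from triggering the alert, and the second user's TeamViewer launch is ignored because that mailbox was never flooded.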

 

Remediate and Recover

  • Revoke active sessions and reset credentials for impacted accounts.

  • Remove unauthorized remote access software and run full endpoint scans.

  • Roll out targeted phishing simulations and user awareness reminders to reinforce policy.

 

Strengthen Defenses Post-Incident

  • Tune spam filters, implement or refine rate limiting, and block known abusive IP ranges.

  • Review and enforce remote access policy requiring prior approval and managed remote support tools only.

  • Ensure logging and alerting for anomalous MFA or account activity.

 

Preventive Measures for Organizations

 

Email Controls and Authentication

  • Implement SPF, DKIM, and DMARC to reduce spoofing and improve filtering.

  • Use mailbox rate limiting and reputation-based blocking to prevent mass email delivery to internal users.

  • Configure advanced anti-phishing tools and attachment sandboxing.

 

Identity and Access Controls

  • Enforce multi-factor authentication for all accounts, and educate staff never to share one-time codes.

  • Use privileged access management for any support or admin activities.

  • Adopt an allowlist for remote management software and enforce installations via trusted channels only.

 

Policies and Training

  • Maintain a clear policy that internal IT will never request remote access without prearranged verification.

  • Train staff to verify support requests through a secondary channel, such as a known internal phone number or a ticketing system.

  • Run regular phishing simulations and tabletop exercises that include multi-channel social engineering.

 

Reporting the Attack

If you are in the United States, you can report the attack to the Federal Trade Commission at reportfraud.ftc.gov and to the FBI Internet Crime Complaint Center at www.ic3.gov. For identity compromise, visit IdentityTheft.gov for recovery actions. Local law enforcement may also be able to assist depending on the severity.

 

Final Advice

Email bombing followed by a fake support call is a cheap and effective social engineering tactic because it relies on human stress and urgency. The best defense is preparation: enforce strong email and identity controls, maintain strict remote access policies, and train employees to verify all support requests. If you are unsure about any call or message, do not engage. Report it and let security professionals investigate.

 

FAQ

What is email bombing?
Email bombing floods a target inbox with a large volume of messages to overwhelm the user. Attackers use it to create distraction and urgency for follow-up social engineering.

Why do attackers follow email bombing with a phone call?
The phone call exploits the victim’s stress and distraction, increasing the chance the victim will follow instructions and grant remote access or reveal codes.

If I installed remote software during an attack, what should I do?
Disconnect the device from the network immediately, report to IT or security, and do not log into sensitive accounts until the device is verified clean. Expect to reset credentials and run forensic scans.

How can I verify a legitimate IT support call?
Verify through an independent channel such as your company’s official helpdesk number or ticketing portal. Do not rely on caller ID alone.

Can technical controls stop an email bomb?
Controls like SPF, DKIM, and DMARC, rate limiting, spam filtering, and reputation blocking help reduce impact. They do not replace user awareness and incident response plans.

Should I report the scam even if no data was stolen?
Yes. Reporting helps authorities track trends and can assist in recovery and mitigation measures across organizations.