Security | Operational Fraud
The Afternoon Our Inbox Lost Its Mind
(Or: When a Thousand Emails Is the Least Interesting Part of the Story)
The Attack: Subscription Bombing
A Thousand Emails and a Very Specific Kind of Panic
These weren’t spam emails. No obvious junk. No scammy subject lines. These were legitimate messages: account confirmations, vendor registrations, “please verify your email” notices. Companies from all over the world. Apparently, we were suddenly the most popular person on the internet.
Over the next two hours, close to a thousand of them hit our inbox. Confusion comes first. Then concern. Then a very specific kind of panic that sets in when you realize this isn’t random and it isn’t accidental.
From a business standpoint, the impact was immediate. The inbox became unusable. Legitimate client emails, time-sensitive requests, real operational issues — all buried under the noise. Sorting signal from junk in real time was impossible. Trying to read anything felt like looking for a specific grain of sand at the beach.
The only rational move I managed to make was describing what was happening and asking ChatGPT what this looked like. The answer came back quickly: subscription bombing.
- Someone had deliberately signed our email address up for hundreds of legitimate services that send verification emails.
- The flood wasn’t the goal. The flood was the cover. (A surprisingly elaborate form of digital misdirection.)
This tactic is often used to hide something more serious — financial fraud, account abuse, unauthorized transactions — while the victim is busy fighting the inbox fire.
The advice was straightforward: start checking accounts. In practice, that’s easier said than done. While we were changing passwords, creating filters, and cleaning up the inbox, the uneasy feeling lingered that something had already happened — and we just hadn’t found it yet.
The Reveal: The Undeliverable Box
The Damage That Wasn’t Found in the Inbox (Because We Were Too Busy Deleting Account Confirmations)
Eventually, the email storm stopped. What didn’t stop was the cleanup. Even after the main blast ended, hundreds of systems kept sending follow-ups. It was like cleaning up confetti weeks after the parade left town.
Days passed. Nothing obvious surfaced. Then, completely by accident, the phone rang. A FedEx driver in the Florida Panhandle was trying to deliver a package that had been shipped using our FedEx account. The problem was that the destination was an apartment complex — and the label didn’t include an apartment number.
She read off the recipient name and address. Nothing matched. No order. No intake. No payment. No record of this shipment anywhere in our system.
Because we’re a high-volume expedited apostille service, this didn’t immediately feel alarming. We ship documents all over Florida. Address issues happen. Our first assumption was simple: this was one of our customers. A minor detail in the grand scheme of things, but detail is where fraud lives.
Still assuming it was paperwork, I asked if it was an envelope.
She paused.
“No,” she said. “It’s a box. It weighs several pounds.”
That’s when the dots connected. What I saw in our FedEx account explained everything:
The inbox flood had done exactly what it was designed to do: delay detection long enough for real damage to occur. They bought time by making us angry at our inbox.
The Aftermath and the Discovery
Bureaucracy, Contradictions, and The World’s Most Expensive Box of Unexpected Herbs
If you think reporting fraud to FedEx is a smooth process, I can assure you it is not. What followed was weeks of bureaucratic incompetence: a dizzying tour through departments that actively contradicted each other.
- Contradictory instructions from different representatives.
- Promised callbacks that never happened.
- Case numbers that went nowhere.
Eventually, the box came back — the undeliverable shipment from the Panhandle. After weeks of chaos, we were finally going to see what had been shipped to someone else on our account.
It was vacuum-packed marijuana from California. Several pounds of it. Naturally.
FedEx didn’t care. Neither did the police. We were the ones who called law enforcement, trying to get several pounds of illegal drugs out of our office as quickly and responsibly as possible. No officer ever showed up. No one followed up. No one seemed particularly interested. After days of being stuck with an unwanted, unexpected liability, the box ultimately ended its journey in a dumpster.
Weeks later, after endless escalation, our FedEx account was finally resolved. Operations normalized. The bleeding stopped. But the lesson stuck.
The Real Takeaway
Subscription Bombing Is Not the Attack — It’s the Camouflage
Subscription bombing is almost never the end goal. It’s camouflage. Attackers usually already have something: they aren’t trying to break into your systems; they’ve already found a way in.
- Reused or leaked credentials.
- An exposed account number.
- Access to a vendor portal.
Once inside, they move fast. Shipments. Purchases. Transfers. Then the noise. By the time the victim regains situational awareness, the damage is already done.
What You Should Do If This Happens to You
If your inbox suddenly explodes with legitimate confirmation emails, don’t celebrate your popularity:
- Don’t treat it like spam. Treat it like a warning flare.
- Assume something else is happening and start looking immediately.
- Check financial, shipping, and vendor accounts first.
- Lock billing, rotate credentials, enable MFA everywhere.
- Preserve evidence before mass deletion.
- Document every call, every promise, every case number. (You will need this.)
The most dangerous part of this attack wasn’t the fraud. It was how effectively our attention was hijacked. A thousand emails is enough to knock even experienced operators off balance — and that’s exactly what this tactic relies on.