If you receive emails flagged as spam or see a warning that a message might be a phishing attempt, it’s a sign that your email provider is scanning your emails. The company may do that just to protect you from danger, but in some situations it can delve into your communications for other purposes, as well.
Google announced that it would stop scanning Gmail users’ email messages for ad targeting in 2017—but that doesn’t mean it stopped scanning them altogether. Verizon didn’t respond to requests for comment about Yahoo and AOL’s current practices, but in 2018 the Wall Street Journal reported that both email providers were scanning emails for advertising. And Microsoft scans its Outlook users’ emails for malicious content.
Email providers can scan for spam and malicious links and attachments, often looking for patterns. You may get a warning if an email you receive is similar to some that were sent in previous phishing attacks, in which attackers trick users into revealing personal information, such as passwords and credit card numbers. You may also receive an alert if an email contains a link that has been blacklisted by the provider for this type of behavior. In Gmail, this may show up as a yellow banner with black text, with a warning such as “this message could be a scam” along with some additional information and a link to report the message.
Providers also compare incoming files to known dangerous files. It would be difficult to compare every incoming file in its entirety to every known dangerous file—the amount of data involved would be far too large—so instead, providers run known harmful content, such as abusive images, through certain mathematical functions to create short, unique identifying values, called hashes. The provider then runs the same function on each incoming file and compares the resulting hash to its list of hashes from harmful files.
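The hash comparison described above can be sketched in a few lines. This is an added example, not any provider's actual code: it assumes SHA-256 as the hash function, and the message, file contents, addresses and blocklist are constructed for illustration. It also shows the limit of exact matching: a file that differs by one byte produces a different hash and is not flagged.

```python
from __future__ import annotations

import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage


def sha256_hex(data: bytes) -> str:
    """Short fixed-length identifier for a file's contents (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def build_sample_message(payload: bytes, filename: str) -> bytes:
    """Constructed sample: a message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "invoice"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def scan_message(raw: bytes, blocklist: set[str]) -> list[tuple[str, str, bool]]:
    """Return (filename, sha256, is_known_bad) for every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        # Hash the decoded bytes, not the base64 transfer encoding, so the
        # same file matches however the sending client encoded it.
        data = part.get_payload(decode=True) or b""
        digest = sha256_hex(data)
        name = part.get_filename() or "(unnamed)"
        results.append((name, digest, digest in blocklist))
    return results


# Constructed stand-ins for a known harmful file and a one-byte variant.
KNOWN_BAD = b"constructed sample standing in for a known harmful file\n"
VARIANT = KNOWN_BAD[:-1] + b"!"
BLOCKLIST = {sha256_hex(KNOWN_BAD)}

if __name__ == "__main__":
    for payload, name in ((KNOWN_BAD, "a.bin"), (VARIANT, "b.bin")):
        raw = build_sample_message(payload, name)
        for fname, digest, bad in scan_message(raw, BLOCKLIST):
            print(f"{fname} {digest[:16]}... known_bad={bad}")
```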