Attacking the inbox: IT pros seeing rise in ‘subscription-bombing’
Adversaries are hiding fraudulent invoices atop a pile o’ spam.
With today’s scam artists becoming spam artists, good luck getting to inbox zero ever again.
Jeff Sample, IT consultant and senior industry development manager for trades at construction-collaboration platform Bluebeam, said that he and his industry peers have been seeing “subscription bombing,” where bots sign a victim up for thousands of legitimate newsletters, digital services, and mailing lists, and the resulting flood of confirmation and marketing mail overwhelms the inbox.
The idea is to overwhelm your inbox so you miss legitimate invoices—and fall for fraudulent ones.
In early 2025, IT Brew reported on a subscription-spamming tactic in which adversaries blast inboxes with a flood of messages, then call the victim posing as “IT” and install malware under the guise of cleaning up the mess.
What Sample is seeing is slightly different: The spammed inbox buries legitimate emails, leaving an opening for an adversary to throw a fraudulent bill on top of the growing pile.
The move. Sample has observed this tactic over the past six months:
- Somebody’s email account gets compromised—say, a subcontractor looking for payment or the construction company making that payment.
- The adversary then spies on invoice-related conversations between the two parties.
- When it’s time to pay, the attacker subscription bombs a subcontractor, signing them up, via script, for so many (legitimate) services that any authentic discussions and invoices get bumped to the bottom of the inbox.
- Next, the adversary (using a deceptively similar email address to the legitimate subcontractor’s) sends the target construction company a fake bill, or new bank account details that route the payment to the attacker.
Hackers at work. Tactics like this are increasingly targeting the construction sector—a busy ecosystem of third parties.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
By subscribing, you accept our Terms & Privacy Policy.
According to an annual data breach breakdown from the Identity Theft Resource Center, the construction sector saw 119 total compromises in 2025—up from 105 in 2024 and 71 in 2023. Across all industries, US respondents experienced 3,322 data compromises in 2025, a 79% spike over five years.
What to do. Standard practices to prevent fraud include independent verification over a secondary trusted channel (an encrypted spend-management platform, for example, or a phone call to a contact number already on file rather than one taken from the email) and segregation of duties (the person who approves an invoice can’t process the payment, for instance).
Sample recommends companies require single sign-on and two-factor authentication so attackers can’t easily log into email and collaboration tools, and consider implementing simple processes regarding payment rules and payment changes like: “No routing change can happen through an email.”
Jeroen Hoof, an instructor at cybersecurity training resource SANS and freelance incident response lead, recommended companies create email-forwarding rules that send approved vendor communications (from known, approved email addresses) to a specific folder.
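As an added example, not code from the IT Brew article or from any of the people quoted in it, the Python below sketches the two mail-side controls that could be automated for this attack: spotting the burst of confirmation mail that the steps above produce, and the approved-vendor folder rule Hoof describes, extended to flag lookalike sender addresses (the deceptively similar address in the attack's last step) for review instead of letting them land beside the real vendor's mail. Every message, vendor name and domain is constructed for the example, and the thresholds (10 distinct sender domains within an hour, edit distance of 2 on the domain) are assumptions to tune, not values from the article.

```python
"""Triage a batch of inbound mail for two signals:
(1) a subscription-bomb burst: subscription/confirmation mail from many
    distinct sender domains inside a short window, and
(2) vendor mail that belongs in an approved-vendor folder, with lookalike
    senders flagged for review rather than routed.

All messages, vendors and domains below are constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import format_datetime, parseaddr, parsedate_to_datetime

# Allowlist of approved vendor addresses (assumption: maintained out of band,
# never updated on the strength of an email asking for a change).
APPROVED_VENDORS = {
    "billing@acme-drywall.example",
    "ap@northfield-electric.example",
}

# Subject-line hints typical of newsletter sign-ups and account confirmations.
SUBSCRIPTION_HINTS = re.compile(
    r"confirm your (subscription|email)|welcome to|verify your (account|email)|newsletter",
    re.I,
)


@dataclass
class Verdict:
    sender: str
    folder: str   # "approved-vendors", "review" or "inbox"
    reason: str


def is_subscription_mail(msg) -> bool:
    """A List-Unsubscribe header or an onboarding-style subject marks the
    message as the kind of mail a subscription bomb generates."""
    if msg.get("List-Unsubscribe"):
        return True
    return bool(SUBSCRIPTION_HINTS.search(msg.get("Subject", "")))


def detect_burst(msgs, window=timedelta(hours=1), min_domains=10):
    """Sliding window over subscription mail sorted by Date: return
    (True, n) if n >= min_domains distinct sender domains fall inside any
    single window; otherwise (False, best count seen)."""
    events = sorted(
        (parsedate_to_datetime(m["Date"]),
         parseaddr(m["From"])[1].split("@")[-1].lower())
        for m in msgs if is_subscription_mail(m)
    )
    best, lo = 0, 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        best = max(best, len({d for _, d in events[lo:hi + 1]}))
    return best >= min_domains, best


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def route(msg) -> Verdict:
    """Exact allowlist match -> vendor folder; anything that merely resembles
    an approved vendor -> review queue; everything else -> ordinary inbox."""
    sender = parseaddr(msg["From"])[1].lower()
    if sender in APPROVED_VENDORS:
        return Verdict(sender, "approved-vendors", "exact allowlist match")
    local, _, domain = sender.partition("@")
    for approved in sorted(APPROVED_VENDORS):
        a_local, _, a_domain = approved.partition("@")
        if domain == a_domain:
            return Verdict(sender, "review", f"unlisted mailbox on approved domain {a_domain}")
        if local == a_local or levenshtein(domain, a_domain) <= 2:
            return Verdict(sender, "review", f"lookalike of approved vendor {approved}")
    return Verdict(sender, "inbox", "unknown sender")


def build_message(frm: str, subject: str, when: datetime, unsubscribe: bool = False):
    """Construct a minimal RFC 5322 message for the sample batch."""
    headers = [f"From: {frm}", f"Subject: {subject}", f"Date: {format_datetime(when)}"]
    if unsubscribe:
        headers.append(f"List-Unsubscribe: <mailto:unsub@{frm.split('@')[1]}>")
    return message_from_string("\n".join(headers) + "\n\nbody\n")


def sample_batch():
    """Constructed inbox: 12 sign-up confirmations in 22 minutes, one real
    vendor invoice, and one lookalike invoice with 'updated routing'."""
    t0 = datetime(2025, 6, 2, 9, 0, tzinfo=timezone.utc)
    msgs = [build_message(f"news@site{i:02d}.example", "Please confirm your subscription",
                          t0 + timedelta(minutes=2 * i), unsubscribe=True) for i in range(12)]
    msgs.append(build_message("billing@acme-drywall.example", "Invoice 4471", t0 + timedelta(minutes=5)))
    msgs.append(build_message("billing@acme-drywal1.example", "Invoice 4471 - updated routing",
                              t0 + timedelta(minutes=30)))
    return msgs


def triage(msgs):
    burst, n = detect_burst(msgs)
    return {"burst": burst, "burst_domains": n, "verdicts": [route(m) for m in msgs]}


if __name__ == "__main__":
    result = triage(sample_batch())
    print("subscription bomb:", result["burst"], f"({result['burst_domains']} domains)")
    for v in result["verdicts"]:
        if v.folder != "inbox":
            print(f"{v.folder:17} {v.sender:32} {v.reason}")
```

In the constructed batch the twelve confirmations trip the burst detector, the genuine invoice is filed under the vendor folder, and the invoice from `acme-drywal1.example` (one character changed, same local part) goes to review, which is the point: the fraudulent "updated routing" never sits in the same folder as mail from the real vendor, however deep the rest of the inbox is buried.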
Jeremy Makowski, senior threat intelligence researcher at cybersecurity intelligence provider Rapid7 Labs, who wrote in November about why construction companies are especially vulnerable to cyberattacks, recommends credential protection and endpoint security technology that watches for infostealers, the malware that harvests the saved passwords and session tokens behind the initial account compromise.
Enterprise technologies are likely able to catch the slew of subscriptions, but small and midsize orgs that are “just as powerful and making just as much money,” Sample said, may not be ready for the growing threat.
“Subscription bomb: It’s a new one that we’re seeing on a more regular basis,” Sample added.
About the author
Billy Hurley
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.