On May 4, 2000, José Dominguez received an email with the subject “ILOVEYOU.” The message read, “kindly check the attached LOVELETTER coming from me,” and contained an attached file titled LOVE-LETTER-FOR-YOU.TXT. 

But Dominguez, then a network architect running the University of Oregon’s security group, noticed something unusual: This email had arrived at 3:17 a.m. from one of the university’s vendors.

Dominguez was far from the only person to receive this email. The vendor who had emailed him was not a lovesick insomniac proclaiming deep affection for everyone online, but rather someone who had fallen prey to the very same message. This email delivered not a love letter, but a worm that, when activated by opening the attached file, would delete the recipient’s files, self-replicate and send itself to every email contact.

The ILOVEYOU computer worm, also known as the Love Bug and Loveletter, reached over 45 million computers in 24 hours and ultimately infected 10 percent of computers connected to the internet, causing billions of dollars in damage. A quarter-century later, users and technology are smarter—but scammers are getting smarter, too.

It reached and infected computers within the British Parliament, the U.S. Congress and the U.S. Air Force, according to one analysis by Matt Bishop, a computer science professor at the University of California, Davis.

Now chief information security officer at the University of Oregon, Dominguez says he fortunately didn’t fall victim to the Loveletter because he was using a Linux system instead of Windows, which the worm exploited. “At the time, this was one of those [worms] that was very Windows-targeted,” Dominguez says, “taking advantage of a lot of the integration that Windows has in all of their products, but also some of the vulnerabilities that integration brings.” 

One Windows vulnerability the worm exploited was how the system displayed file types in email attachments. Though the email’s attached file included .txt in its title, indicating that it was a text file, this was an intentional misdirect. The attachment was actually a .vbs file, which stands for Visual Basic Script. A .vbs file contains code that, through Windows or Internet Explorer, can perform processing functions. 

In this case, those processing functions entailed corrupting existing computer files, self-replicating and propagating, or sending itself to the user’s entire email contact list. However, Loveletter recipients were unable to see the .vbs file type because, at the time, Windows systems didn’t display file extensions.

Loveletter’s creator was Onel de Guzman, then a 24-year-old student at AMA Computer College in the Philippines. In 2020, de Guzman said he deployed the computer worm to access the internet for free by stealing passwords, not anticipating the worldwide damage it would cause. This worm came in the wake of a similar attack called Melissa in March 1999, which enticed users to open an attachment that was supposedly risqué content but actually unleashed a virus that propagated to the first 50 contacts in the user’s email address book.

However, ILOVEYOU was remarkable because of its scale. “It was different because through this phishing email, it was able to reach millions of computers, causing damage worldwide,” says Hanan Hibshi, an assistant teaching professor at the Information Networking Institute at Carnegie Mellon University. Phishing is a defrauding practice in which someone tries to extract information from someone else by deceiving them with a misleading email.

More than two decades later, “email continues to be the main method of transport for malicious content,” Dominguez says. Through phishing or malware, email provides ripe grounds for scamming. Dominguez and Hibshi both say this vulnerability arises from how much users trust email.

“It's a matter of the trust that we have put on email as a platform,” Dominguez says.

People who used computers and email at the time “trusted that the system is reliable,” Hibshi says. But ILOVEYOU “was a lesson to everyone that we shouldn't trust things on the internet … and I think that was a lesson that we learned hands-on.”

Back on that spring day in 2000, Dominguez and his team had to warn the University of Oregon about the email. Today, there are safeguards against phishing scams, so individuals are less vulnerable. Spam filters remove suspicious emails from our inboxes, using tools like pattern matching to identify potentially harmful messages. 

With pattern matching, spam filters can detect common phrases and characteristics in phishing emails, automatically marking them as rubbish. It could also flag emails with large attachments or compressed files that conceal their contents. We use our human intelligence for pattern matching, too, perhaps clocking strange sequences of numbers and letters in a message that purports to be from our streaming platform or bank. 

Some scammers devise ways to circumvent these filters in evasion attacks. “With advances in machine learning, these spam filters are even getting smarter,” Hibshi says, “but also the evasion attacks are getting smarter.”

Bishop, the professor from UC Davis, recommends hovering your cursor over the link an email directs you to, which will reveal the URL destination. Make sure you recognize the entire address, and note whether the domain ends in unfamiliar letters, which could signal the website domain could be coming from a foreign country.

Despite best efforts, attacks like ILOVEYOU aren’t a thing of the past. While there are more obstacles to spreading worms and viruses, these blitzes are still out there. “All I need is for one user to make the wrong decision,” Hibshi says. “I only need, of all those millions, one person to just click on that attachment.”