Twenty years ago, if you mentioned spam and phishing in the same sentence, one would assume you were enjoying some time on the lake and a sandwich made from canned meat. In today’s IT world, those words have much more menacing meanings (although the canned meat version of Spam still brings back horrible memories).
While most of us know to quickly delete any email from a Saudi prince wishing to give us his vast inheritance, hackers and IT criminals have become much savvier and more determined in their intent to steal our identities and financial information. While these people may be evil, they are not stupid, and it's important that you and your employees are able to identify the differences between spam, phishing and spear phishing.
Spam is any sort of mass-delivered unsolicited email, usually from someone trying to get you to buy something or give them money. It usually has to do with money, although spam can also be political or a form of social engineering. Spammers don't care if there is no follow-up: extremely low click rates are expected, and sometimes the messages contain no links at all. There is usually nothing malicious in the link or in the email itself. Spammers often believe you would want to buy their services if only you were aware of them. Examples you've probably received include scams about travel, lotteries, or a guaranteed bank loan or credit card.
Phishing is a mass-delivered email from someone pretending to be someone they are not, usually trying to get you to send money, or give away your credentials or other sensitive information. Phishing emails usually come with a malicious payload or a malicious link, but they can come with links to otherwise clean websites that are pretending to be something they are not, such as a company login screen.
Spear phishing is an email sent to one specific person, tailored and targeted specifically to that person, trying to get you to send money or give away credentials or other sensitive information. Malicious payloads and links, when included, are unique, and as such are often undetectable by normal filtering measures and traditional AV. The success rate of spear phishing depends on the skill of the attacker and the amount of research they put into the attack, as well as the ability of the recipient to recognize malicious intent. CEOs and other top executives are often the targets of spear phishing because they don't always participate in the security awareness training that may be required of their employees. To reduce the risk of CEO fraud, all company personnel should undergo ongoing security awareness training.
The difference between phishing and spam is a fine line that has to do with the intent of the sender. If the sender wants you to buy their service to fix your company website, you may find that offer to be worth close to zero, but the sender does expect to provide something for your money. That's spam. However, if clicking the link takes you to a page that asks for the credentials to your website in order to "help" fix it, that's a phish.
Unfortunately we can't always know which it is until we start down that path, but hopefully we would never start down the path of something with close to zero value. Clicking a link can also provide telemetry to the sender, making you the target of future attacks: even if you didn't follow through this time, they now know you are willing to click and that there is likely a real person behind the email address.
Chi is proud to partner with the industry’s leading security providers including Barracuda, CrowdStrike, Cylance, IronScales, Mimecast and Palo Alto. Contact us today to determine which security solution is best for your organization.