As the internet has developed over the decades, spam has as well. At least a couple of times a year, we notice an uptick in reports from our clients about increases in spam email hitting user inboxes, some of those being malicious. This blog post will equip you with everything you need to know about spam, spoofing & phishing, and what you can do to protect your organization from a spam attack. 

Questions about spam, phishing, or email attacks? We’re all ears! 

Spam

Believe it or not, email spam actually gets its name from the canned meat! It originally is a reference to a Monty Python sketch in which the canned meat was annoyingly repetitive and unavoidable in any configuration (I’m not kidding! Watch the skit here). Spam has pretty much coexisted with email since the technology was created, but really picked up steam in the mid-1990s and has grown into the annoyance that it is today. 

Spam is in the eye of the beholder or more specifically, the recipient. If the sender’s “important message” is unwanted, it is spam. You can find yourself on a sender’s contact list by logging into a retailer’s website, ordering food from a restaurant, or signing up for a whitepaper. These are legitimate emails, if you no longer want them, you can (and should) click the unsubscribe link at the bottom of the message. A two week “unsubscribe diet” will have a tremendous impact on how much mail you receive.

Messages that are completely unsolicited are likely in violation of the CAN-SPAM Act. Here is a real example of a spam message that we received at Umzuzu:

Let’s dissect this example a little bit.

  • Email subject: All caps, trying to grab attention. Obvious solicitation of a service.
  • Sender: Not an actual business email, just a regular Gmail account that someone is using. 
  • Content: The usual cheap sales pitch, trying to entice you into the service they are “providing.”
  • No signature or real sign-off at the end. 

Now, spam like this is generally easy to identify. However, spam scams can get intricate pretty quickly. Let’s look at the next level of scamming, which is called spoofing

Spoofing

Texas Tech University describes spoofing as an attempt where a “bad actor impersonates another individual or organization, with the intent to gather personal or business information.” These attacks are a bit more high tech than the usual spam scam, where the bad actor is able to impersonate somebody else through a manipulation of their email header. The main vehicle that spoofers use to distribute their messages (SMTP, or Simple Mail Transfer Protocol) does not itself have any ID verification built-in. Purdue explains that “by changing certain properties of the email, such as the ‘From’, ‘Reply-To’, and ‘Return-Path’ fields that are found in the message header, malicious users can make the email appear to be from someone other than the actual sender.” Let’s take a look at what a spoofed email looks like:

The above example shows what appears to be an email from the CEO of the company. However, it feels rushed and is a pretty unusual type of email to receive from the CEO. Plus, if you regularly work with Sally on accounts, you know that she would have just texted you about this. Why is she emailing me about a vague account that’s outstanding? If we were to look at the email header, we would likely see that the email originated from a source that really isn’t Sally’s real email address. Simple spoofing attacks like this are often used to try to get you to convey some sensitive information to the bad actor, by making you believe that they are someone you know. Often, they ask for a bank routing number, your cell phone, or social security number.   

Phishing

The most sophisticated and dangerous form of spam is called phishing. Phishing is similar to spoofing, but usually much more intricate. Phishing emails tend to replicate an institution or major company of sorts, trying to get you to inadvertently leak sensitive information through convincing (but phony) web pages. Phishing is one of the most common attacks on schools and universities, but can try to mimic your bank, insurance company, or something else important. Phishing is the toughest one to identify, because the bad actors will go to lengths to make their message look as real as possible. However, they rarely are truly perfect. Let’s look at an example:

At a first glance, this seems like a decently convincing message. However, once you look at it a little longer, you’ll start to see the discrepancies. Phishing emails try to establish the following:

  • A sense of authority (Wells Fargo is the figure of authority in this example)
  • A sense of urgency (take action now or your account will be suspended!!!)
  • A call to action, usually via link you must follow (“Secure Wells Fargo Link”)
  • A sense of legitimacy (inclusion of the Wells Fargo logo, address, and other details that you might find in normal emails from them)

A more targeted phishing attack is called Spear Phishing (clever!), in which a bad actor will glean some publicly-available information about you to include in their message. They might be able to find your name, company, and other big-picture tidbits from social media to make the message feel more personal or urgent (depending on the content of the message). If you want to see more examples of what phishing may look like, Baylor University’s phishing blog has some great examples. 

How to protect yourself from email attacks

Now that we have discussed the three most prevalent types of email attacks & looked at some examples, let’s discuss what you can do to protect yourself and your organization from them. 

  • Set expectations on how users should receive messages.
    • As an administrator, it is very important that you inform your users how you, other authoritative figures, and/or vendors will normally contact users. Establish recognized channels of communication for each and let the whole organization know that if you receive something that doesn’t match this criteria, to report it. 
  • Not sure about it? Don’t interact! Report it to your admin for review.
    • If you are not expecting an email from your financial, insurance/benefits provider, or any other service you use, then approach the message with great caution. Be careful to not click on any links or interact with any attachments. If it needs to be escalated, notify the proper administrator in your Workspace or reach out to the institution through a known contact method to inquire. You can send a copy of the email’s header for further verification. 
    • If a suspicious email asks or urges you to submit sensitive information of any kind, do not engage with it & report it to the proper administrator right away. 
  • Report spam and phishing accordingly.
  • Set up 2-step verification across your organization (also known as 2SV, MFA, 2FA).
    • This is probably the most effective tool you have against bad actors in your fight on spam. What makes 2SV so effective is that a bad agent can always guess or steal your password, but they cannot replicate what you have. That is, a hacker could successfully guess your password, but they won’t receive the text verification code when Google asks for it. Only you will get that. Without the verification code, the hacker doesn’t have a way to access the account. 
    • Begin an enrollment campaign in your organization to get everybody set up with 2SV, so that everybody is protected from potential digital break-ins. 
  • Establish email verification records in your DNS.
    • To better protect your domain from being used in any email attacks, setting up your domain with SPF, DKIM, and DMARC records for all of your sending sources is the most effective way to protect your domain and ensure your emails are being delivered properly. You can check out this blog post for more information on these

If you have any questions about spam, 2SV, DNS records, or other internal security measures, drop us a line and we’ll be happy to help.