While email does make it easier for all of us to communicate both in our work and personal lives, there are two major issues with email communication: spam and phishing.
That means the average person needs to know how to spot these illegitimate emails and businesses need to know not just how to protect their employees, but how to avoid inadvertently sending spam.
In this article, you’ll learn the difference between spam and phishing, how common they are, and how to avoid each of them.
You may know spam as junk mail. But what exactly is it? Spam is unsolicited bulk email: the recipient didn’t ask for it (unsolicited) and it was sent to many people at once (bulk).
Both elements matter. Not every unsolicited email is spam (a one-off cold enquiry to a single person, for example), and not every bulk email is spam (a newsletter its recipients signed up for).
But email that is both unsolicited and bulk is almost always spam.
As well as being sent via email, spam can also be sent via SMS or instant messaging. Unsolicited sales and marketing calls (also known as nuisance calls) can also be considered spam.
Spam is generally commercial (meaning it comes from businesses), but it can also serve more nefarious purposes, such as fraud. When a message uses social engineering techniques to trick the recipient, we call it a “phishing” email.
Not sure what social engineering is? Examples will help. We’ve rounded up 6 recent, real-world examples of social engineering attacks here.
Phishing is essentially spam with a malicious goal, and it is often far more targeted than ordinary spam.
An attacker impersonates a trusted brand or person and sends a fraudulent message in an attempt to steal information or money, commit fraud, or install malware on the target’s device.
But, there are many types of phishing. Here are a few examples:
It’s important to note that a phishing attack can be delivered via several different communications channels:
Phishing attacks can also have different aims, for example:
Now, let’s take a closer look at spam and phishing.
According to 2019 research from PreciseSecurity:
However, bear in mind that — despite these statistics — people’s experience of using email is generally improving. This is because:
Phishing is the most commonly reported form of cybercrime. Let’s look at some of the best data we have covering the past few years:
While – yes – there certainly are some risks associated with receiving spam, most email providers like Gmail and Outlook have gotten pretty good at filtering these emails out. Don’t believe us? Check your spam folder!
A bigger risk – specifically to businesses – is accidentally (or negligently) sending “spam” as part of a direct-marketing campaign.
Businesses sending spam (including those who are perceived to be sending spam) run the following risks:
Phishing is one of the most damaging forms of cybercrime. But, as we’ve discussed, there are a lot of different types of phishing.
Wire transfer phishing causes direct, quantifiable losses when businesses pay fake invoices sent to them by fraudsters. The FBI’s data shows that U.S. businesses lost $1.7 billion in 2019 to wire transfer phishing via email.
Ransomware attacks are frequently delivered by email. Clicking the link in a phishing email can lead to your documents, databases and other files being encrypted. Emsisoft estimates that ransomware cost organizations $7.5 billion in 2019.
But what about the impact caused to individual companies? A single phishing attack can be devastating for a business.
The biggest known phishing scam of all time targeted tech giants Facebook and Google. This example of wire transfer phishing cost the companies around $121 million over two years.
But the indirect losses caused by phishing can be even greater. When Australian hedge fund Levitas Capital was defrauded of nearly $8.7 million in November 2020, the firm recovered 90% of the money. But the fund was forced to close after losing its biggest client as a result of the attack.
Unfortunately, Levitas Capital isn’t the only organization to have lost customers after a breach. After a breach, companies see an average of 3.9% customer churn. It makes sense, then, that “losing a customer/their trust” is the biggest consequence of a data breach according to security leaders.
So, how can businesses reduce the risk of being successfully targeted by a phishing attack?
Much of the traditional guidance on phishing focuses on staff training — helping your employees to identify phishing emails and manually delete them. The classic “telltale” signs of a phishing email are often said to be:
This might have been good advice when phishing emails were sent out in “spray and pray” bulk attacks. But now it’s unfair and unrealistic for organizations to expect their employees to spot phishing attacks, especially those using advanced impersonation techniques.
Today, effective phishing emails look like any other email. They don’t carry these “telltale signs.”
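As an added illustration (not code from the article or from Tessian), the following Python runs two constructed messages through the kind of rule-based “telltale sign” checks that awareness training usually teaches: a Reply-To that points somewhere other than the sender’s domain, urgency wording, visible link text that does not match the link’s real target, and links to raw IP addresses. Those four signs, the sample messages, the homoglyph table and the trusted-partner list are assumptions made for the example, not the article’s own list. The crude bulk phish trips every check; the polished supplier impersonation from a lookalike domain trips none of them and is only caught by a separate sender-identity check that folds digit-for-letter substitutions in the sending domain and compares it with known partners.

```python
# Added example, not code from the article or from Tessian: rule-based
# "telltale sign" checks over two constructed messages, plus a
# lookalike-domain check. The heuristics are assumptions about what
# awareness training typically teaches, not the article's own list.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("urgent", "immediately", "within 24 hours", "account will be suspended")
LINK_RE = re.compile(r'<a href="([^"]+)">([^<]+)</a>')
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample: a crude "spray and pray" phish carrying the classic signs.
CRUDE = """From: "PayPal Security" <noreply@mail-secure-login.ru>
Reply-To: recover@gmail.com
To: victim@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/html

Dear Customer, click <a href="http://198.51.100.7/login">https://www.paypal.com/signin</a> immediately.
"""

# Constructed sample: a polished supplier impersonation from a lookalike domain
# (the digit 1 stands in for the letter l). No urgency, no mismatched links.
POLISHED = """From: "Dana Ortiz" <dana.ortiz@examp1e-corp.com>
To: victim@example.com
Subject: Invoice 2024-117 for Q2 services
Content-Type: text/html

Hi, the updated invoice is attached. Our bank details changed this quarter; see <a href="https://examp1e-corp.com/invoices/117">our portal</a>. Thanks, Dana
"""


def domain_of(address):
    """Lower-cased domain part of an e-mail address header, or '' if none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url_or_host):
    """Lower-cased host of a URL; a bare host is accepted too."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    """True when visible link text is itself a URL or host name."""
    s = text.strip()
    return "." in s and " " not in s


def telltale_signs(raw):
    """Return the classic warning signs found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    signs = set()

    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        signs.add("reply-to domain differs from sender")

    if any(phrase in text for phrase in URGENCY):
        signs.add("urgency wording")

    for href, link_text in LINK_RE.findall(body):
        target = host_of(href)
        if IPV4_RE.match(target):
            signs.add("link points to a raw IP address")
        # Only compare when the visible text itself looks like a URL or host.
        if looks_like_url(link_text) and host_of(link_text) != target:
            signs.add("link text does not match its target")
    return sorted(signs)


# Folds the digit-for-letter swaps most often used in lookalike domains
# (assumed table for the example; a real check would be broader).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def fold(domain):
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def lookalike_of(domain, trusted_domains):
    """Return the trusted domain that `domain` imitates, or None if it is
    either genuine or not a recognisable lookalike."""
    for trusted in trusted_domains:
        if domain.lower() != trusted.lower() and fold(domain) == fold(trusted):
            return trusted
    return None


if __name__ == "__main__":
    partners = ["example-corp.com"]  # assumed list of known suppliers
    for label, raw in (("crude", CRUDE), ("polished", POLISHED)):
        sender = domain_of(message_from_string(raw).get("From", ""))
        print(label, telltale_signs(raw), "lookalike of:", lookalike_of(sender, partners))
```

The first message returns all four signs; the second returns none, which is the point of the paragraph above: a well-crafted impersonation offers a human reader nothing to spot. Catching it needs knowledge the recipient does not carry in their head, such as which domains the organisation actually deals with and whether this sender has written before.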
That means staff training — while important — must not be your primary defense against phishing. As the National Cyber Security Centre (NCSC) says:
Want to learn more about why phishing training alone just isn’t enough? Read our blog: Pros and Cons of Phishing Awareness Training.
The only truly reliable way to root out phishing emails is by implementing an email security solution like Tessian Defender.
Here’s how Tessian protects your people and prevents inbound threats like phishing
Importantly, solutions like Tessian Defender prevent the most advanced attacks. Specifically, those that slip past legacy solutions, Secure Email Gateways, and spam filters.