I had a very interesting conversation recently about emails, and what the difference between Spam and Phishing actually is.
One person openly stated that all messages received were treated with suspicion, which is of course the ideal approach, but that anything that was even remotely dodgy was immediately labelled as Phishing and deleted. Here’s the rub – is it one and the same?
Previously I’d argue not, as actually I see them as two very different problems, but earlier this week this conviction was challenged.
The Same but Very Different
To me, Spam is electronic junk mail. It floods my inbox offering me things I don’t want, and sending me newsletters I’ve never asked for. It’s annoying but on its own it’s harmless.
Phishing, while having the same characteristics as Spam – as in I don’t want it and didn’t ask for it – has the critical difference that its primary intention is malicious. Behind every phishing message is a criminal trying to trick me into doing something that will harm my computer or into revealing something that I shouldn’t.
A case in point is the ransomware attack suffered by Lincolnshire County Council in January. Its systems were held hostage after someone inadvertently interacted with a phishing message, downloading a previously unseen ransomware variant, which then set about encrypting PCs and servers.
While a backup will often render ransomware redundant, without it organisations are left with a moral dilemma – to pay or not to pay? Troy Gill, security manager of AppRiver believes, “Feeding the fire by paying these guys should be avoided if at all possible. If you’ve been the victim of a ransomware attack, and you’re contemplating paying, keep in mind that the only reason these thieves keep making these attacks is because people are paying them. If all of the victims stopped paying ransoms, they wouldn’t have a successful business model, whose core objective is to steal your money.”
Another view is that of Rohyt Belani, CEO of PhishMe who adds “The size of the ransom demanded isn’t the issue everyone should be preoccupied with. We should all be taking steps to equip humans – employees – with the conditioning needed to avoid falling victim to attacks that shut down entire IT systems, interfere with critical communications and extort money.”
And that’s true. For Phishing to be damaging someone has to interact with it. But is this also true for Spam?
Is Spam always innocent?
And it’s here that things start to get murky.
While I previously believed Spam to be relatively harmless – and I still hold this belief when it arrives in my inbox – what about when it carries my name and arrives in someone else’s inbox? Suddenly it’s not so innocuous any more.
Frustratingly that’s exactly what happened earlier this week. One of my colleagues alerted me to a message that she’d received that purported to be from me, but it hadn’t come from any of my email aliases. If my name was Jane Smith then it might have gone past unnoticed, but the fact is I have a very distinctive name, and so it didn’t.
Specialising in security, as we do, both of us looking at the message immediately identified it as Spam and so the message was consigned to the trashcan, but what about someone else who may not have been trained to spot the warning flags? Could they then label me as a fine purveyor of Spam? What if this were taken a step further and the message contained a malicious file or a forged link? Could this potentially harm my reputation?
Deciding to take action, I requested input from one of the trusted security experts I interact with. Unfortunately his response was far from reassuring. Jonathan French, security analyst at AppRiver confirmed, “Spoofing names is common and easy to do. There’s not much you can really do about something like that as it’s a tactic to just try to get a user interested enough to click and open the message.”
The only saving grace is that it hadn’t been sent from my actual email address. However, Jonathan suggested that this is not always the case, as scammers can also ‘spoof’ domain names. His recommendation is for organisations to “Have something in place that can help receiving servers identify spoofed messages.” While it won’t stop my name being used in vain, it could prevent someone trusting the message and clicking it blindly.
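The warning flag my colleague spotted – a familiar display name paired with an address that isn’t one of that person’s aliases – can be checked automatically. The following is an added example written for this post (not AppRiver’s or anyone else’s code); the directory of names and aliases and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def normalise_name(name: str) -> str:
    # Collapse case, punctuation and spacing so "A. Mackey-Bridge" and
    # "alex mackeybridge" compare equal; spoofers often vary these.
    return re.sub(r"[^a-z]", "", name.lower())


def build_directory(people) -> dict:
    # people: iterable of (display_name, [legitimate addresses]) pairs.
    return {normalise_name(n): {a.lower() for a in addrs} for n, addrs in people}


def check_from(raw_message: str, directory: dict) -> str:
    """Classify the From: header of one RFC 5322 message.

    'ok'                 display name is known and the address is one of its aliases
    'display-name-spoof' display name is known but the address is not an alias
    'unknown'            display name is not in the directory (no verdict)
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    key = normalise_name(display_name)
    if key not in directory:
        return "unknown"
    return "ok" if address.lower() in directory[key] else "display-name-spoof"


# Constructed directory: a distinctive name and the only addresses it sends from.
KNOWN_SENDERS = build_directory([
    ("Alex Mackeybridge", ["alex@example.com", "alex.m@example.org"]),
])

# Constructed sample messages (headers only; bodies are irrelevant here).
LEGIT = "From: Alex Mackeybridge <alex@example.com>\nSubject: Q2 report\n\nHi\n"
SPOOFED = 'From: "Alex MACKEY-BRIDGE" <promo@mail.example.net>\nSubject: Offer\n\nClick\n'
UNKNOWN = "From: Jane Smith <jane@example.net>\nSubject: Hello\n\nHi\n"

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("unknown", UNKNOWN)):
        print(label, "->", check_from(raw, KNOWN_SENDERS))
```

This only catches the borrowed-name case; a message forged from the real address needs the server-side check Jonathan recommends, which this snippet does not attempt.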
So there we have it, my name is associated with Spam. Suddenly I don’t see it as a benign nuisance, but instead as a reputation-eroding menace – and I can do nothing about it.