The Eternal Fight Against Spam

E-mail spam and malware filters are a wonder of the modern age. Youngsters entering the workplace today will never experience the horrors that were liable to greet their elder peers when they checked a busy inbox first thing in the morning. From badly written solicitations to look after a million dollars to promises that the sexual organ of your choice could be grown to superhuman proportions, there was a time that e-mail spam threatened to overwhelm and kill off the communication medium altogether.

Today, so long as you use a reputable e-mail provider and spam filter, the chances are that you’re blissfully unaware of the fact that internet security outfit Kaspersky reckons 56% of all e-mail is still spam. Almost all of it is stopped before it gets close to your inbox, thanks to the efficiency of modern filters.

What’s more, most of the headline-grabbing cybersecurity attacks of recent times – Mirai, WannaCry, NotPetya – weren’t distributed by e-mail. Instead they relied on older virus-like ways of spreading from device to device rather than conning unsuspecting mail users into opening a dodgy attachment. Phishing attacks distributed by WhatsApp rather than e-mail are the threat du jour.

New methods

Even if the threat is not so visible, it’s certainly still there, says Nick Saunders of Mimecast. The perceptions of the end user are very different to those of security firms, and Saunders reckons there was a four-fold increase in ransomware attacks distributed by e-mail last year.

And, spammers and malware determination to get through sophisticated e-mail filtering hasn’t waned either.

“The use of social engineering to target attacks is rising rapidly,” Saunders says. “Gone are the days of poorly worded e-mails; now phishing e-mails mimic the style of someone that an individual knows, so that it’s very hard for the recipient to know that there’s something wrong.”

Saunders says that he’s seeing an increase in “spear phishing” e-mails, which have been carefully designed to fool people using their personal information. These e-mails are targeting employees with access to financial services inside companies in the hope that they’ll release funds. “Whaling” – similar mails that target high net-worth individuals and C-suite members  – are on the rise too.

Worse, Saunders reckons that the increase in volume of these types of attack suggests that criminals are using machine learning and artificial intelligence to automate the process.

“Large attack organisations are incredibly well funded,” Saunders says. “Spending the money to build this capability would be worth it. They invest more and spend more time on how to stay ahead of the curve.”

Another area of growth, says Linda Misauer, head of global solutions at communications technology firm Striata, is malware delivered by e-mail attachment that uses the host PC to mine cryptocurrency. Often infected users are unaware that their CPU cycles are being used to make someone else rich.

“One of the big challenges is to keep end users up to date about what they should look for that makes an e-mail suspicious,” says Misauer. One way to address this is through subtle cues about what an e-mail should look like, she continues. Striata works with banks in South Africa, for example, to ensure that all information needed is contained in an e-mail so there are no links to click, or verifying the sender’s identity by including the last four digits of a customer’s account number.

E-mail security has to be treated just like any other, concludes Saunders. Corporates may feel that their communications are protected, but it’s wise to assume that determined attackers will get through even the best defences. A smart strategy involves layering security and making sure you have a resiliency plan that will mitigate damage from a misclicked link or restore your working environment if ransomware does get through.

Because as much as it hurts to admit it, the bad guys aren’t going away.