Spam. Even after all these years, no one has come up with a truly effective way to deal with it. There are filtering solutions, whitelisting, blacklisting, and other approaches, but somehow the spammers still find a way to get their messages across. And there seems to be no way to “fine-tune” filters so that they successfully filter out the bad stuff without either letting some bad stuff through or inadvertently filtering out the good stuff. How many times have you heard “Your email got caught in my spam filter”?

The less-than-perfect accuracy of these filters means that there is still a manual component to spam filtering. You have to manually check the spam folder for legitimate email and manually delete the spam that gets through. Added up over millions of email users, and that’s a big chunk of time wasted.

Benign and Malicious Spam

By some estimates, over 45% of all email sent today is spam. Most of it, of course, is merely annoying attempts to get you to buy something. The spam keeps coming because the cost of sending an email is vanishingly close to zero; even with a response rate that now averages 1 for every 12.5 million messages sent, the spammers can still make a profit.

This fact is not lost on cybercriminals. Whether they’re trying to fool people into installing malware, visiting dangerous websites, or supplying bank accounts credentials, cybercriminals need only a few unwary recipients in order to achieve their goals. That’s why spamming is still the leading technique for cyberattacks.

Although malicious spam represents only a tiny fraction of the total, it’s still millions of messages sent every day. And the problem is getting worse, not better; it will be cybercriminals’ tool of choice for the foreseeable future.

Protecting Yourself and Your Business

Spammers in general, and cybercriminals in particular, depend on two factors, one technical and one psychological, for the success of their spam campaigns:

• Poorly configured or nonexistent filtering
• Gullible recipients

You can deal with the first one with good technology choices. The second is more difficult, because it involves constant education, training, and testing.

Let’s look at the technology angle first.

• Use spam filtering. Yes, all spam filtering suffers from the accuracy problem described earlier. But some filtering is better than no filtering, and good filtering will eliminate most of the problem.
• Don’t rely on just one layer of filtering. You may think that the filtering built into email clients such as Microsoft Outlook is sufficient. It’s not. You need something more sophisticated that identifies and filters spam before it gets anywhere close to the user’s inbox.
• Configure it properly. Your email service provider probably offers some form of spam filtering, and it may already be turned on. If it seems like you’re still getting a high volume of spam, call their technical support to find out why. It may not be configured correctly.
• Shop around. Numerous anti-spam solutions are available. They vary widely in approach (on-site vs. cloud), capability, and price. Find the best one you can afford.
• Add anti-phishing tools. These tools also vary in their scope and sophistication. Most can warn users that a message might be a phishing attempt. Some add the ability for users to report suspected phishing to the IT team or service provider so that they can be more effectively filtered.

Dealing with the psychological aspect is more expensive, time-consuming, and inefficient, but it’s still necessary, because ultimately the last line of defense depends on there being a little voice in each user’s head that says “this email looks suspicious.”

• Training. Train your staff regularly (not just once!) to remind them to be vigilant for potential phishing attempts. Ordinary junk mail is easy to spot; it’s the phishing attempts that rely on social engineering that are more likely to get past users’ mental defenses.
• Reinforcement. Some anti-phishing tools enable administrators to send users fake phishing emails to see who is fooled into taking the “bait.” If a particular type of phishing email gets a high rate—that is, users click on the link or open the attachment, rather than reporting the email or deleting it—you have an idea of where to focus the next round of training.

As long as email remains an important business communications tool, there will be spam, and spam will remain the leading technique for cyberattacks.  Unless you can live without email, you owe it to yourself and your business to make sure you’re protected.