Finnish security company F-Secure claims that, after 40 years, spam is still essential to online criminals. It is used to spread malicious URLs, scams and malware.
This is a far cry from the first ever spam message sent by Gary Thuerk of Digital Equipment Corporation. He was trying to get people to watch a presentation for the DECSYSTEM-20.
According to Päivi Tynninen, Threat Intelligence Researcher at F-Secure: “Email spam is once again the most popular choice for sending out malware. Of the spam samples we’ve seen over spring of 2018, 46% are dating scams, 23% are emails with malicious attachments, and 31% contain links to malicious websites.
“During the past few years, it’s gained more popularity against other vectors, as systems are getting more secure against software exploits and vulnerabilities.”
People still continue to click on spam
Some organisations spend a lot of time trying to educate their users to adopt safer web browsing and email habits. Not clicking on dodgy-looking emails is something that is now being taught to children at school. Despite this, more and more people are clicking on spam emails.
Click rates rose in the latter half of 2017 from 13.4% to 14.2% according to research from MWR InfoSecurity. This might seem a low percentage but given the number of spam emails sent every day, it represents a significant threat to businesses.
Adam Sheehan, Behavioural Science Lead at MWR InfoSecurity, names three tactics that increase the chance a spam email will be opened. They are:
- The probability of a recipient opening an email increases by 12% if the email claims to come from a known individual
- Having a subject line free from errors improves spam’s success rate by 4.5%
- A phishing email that states its call to action is very urgent gets less traction than one where the urgency is implied
It is not just a known individual or an error-free subject line that attracts people. It seems that many fall for a spam email because it comes from a household name. One example is an email about a package that requires a label to be printed from an infected Word document. Users open the document, type in a password, enable macros and malware is installed on their computer. A similar approach is used with special offer coupons that have to be printed.
What does this mean?
This is 2018. After decades of spam, malware and other attacks via email, is it too much to ask that people think before they click? Apparently so. Even with all the anti-spam and email protection in place, tens of millions of spam emails get through every year.
This is a company-wide problem. As a recent report showed, the C-Suite is just as likely to click on a spam or phishing email and not report it. This shows that there is a need for better security training inside organisations. One solution is gamification of cyber security. There are a number of companies that offer solutions to train employees on how to spot a spam email. Are you using one?