Email Security Guide: Spam & Phishing Prevention

Understanding Spam in 2024

In 2024, spam continues to be defined as unwanted and unsolicited messages sent indiscriminately to large groups. Although the core definition remains consistent, the tactics employed by spammers have evolved dramatically, particularly with the rise of artificial intelligence (AI).

Spam is no longer confined to just email either, it has spread to various communication channels like social media, text messaging, and phone calls. The pervasiveness of spam across multiple channels underscores the need for vigilance and proactive measures to protect yourself from these unwanted intrusions.

Recognizing the types of spam emails that can hit your inbox can help you stay alert. Here are the three most common types of spam emails to watch out for:

• Marketing/Advertising Emails: These make up the largest portion of spam, accounting for 36% of all spam emails.
• Emails with Adult Content: This category is the second most prevalent, comprising 31.7% of all spam. These emails may contain explicit images or videos, links to adult websites, or solicitations for adult services.
• Financial Emails: The third most common type of spam, these represent 26.5% of all spam emails. This category encompasses a broad range of financially motivated spam, including:
  • Phishing emails: These attempt to trick recipients into revealing sensitive financial information, such as credit card numbers or bank account details.
  • Money scams: Examples include emails claiming a lottery win or inheritance, often requiring an upfront fee to claim the prize.
  • Fake invoices and payment notifications: These can trick recipients into making payments for non-existent goods or services, or into revealing their financial details.

Spam vs. Email Marketing: What’s the difference?

The most important difference between spam and regular marketing email is consent. Spam is unsolicited and the recipient has not given permission to receive these messages. Spam is sent to many people, regardless of whether they’ve expressed any interest in the product, service, or content being promoted. It often relies on purchased or harvested email lists obtained through data breaches, or by collecting addresses from websites and online forums.

Regular marketing email, on the other hand, is sent to people who have opted in to receive communications from a particular business or organization. This consent can be given explicitly, such as signing up for a newsletter or providing an email address during a purchase, or implicitly, such as agreeing to receive marketing emails in a website’s terms of service. Legitimate companies respect this consent and will only send emails to people who have opted in. They also typically provide a clear and easy way to unsubscribe from their mailing list if the recipient no longer wishes to receive emails from them.

While consent is the defining difference, several other factors distinguish spam from legitimate marketing emails. Spam frequently promotes products or services of dubious quality, makes unrealistic promises (like winning a lottery), or attempts to spread misinformation. Genuine marketing emails focus on providing value to the recipients, such as sharing helpful content, offering exclusive deals, or announcing new products or services. The primary intent of spam is often deceptive or malicious. The sender’s goal might be to trick recipients into revealing personal information, installing malware, or making fraudulent payments. Real marketing email, while intended to promote sales, aims to build relationships with customers and provide them with relevant and valuable information.

Another key difference is adherence to laws and regulations. The CAN-SPAM Act of 2003 sets requirements for commercial email in the United States, including truthful subject lines, clear identification of the sender, and a functioning unsubscribe mechanism. Canada’s Anti-Spam Law and the European GDPR place a strong emphasis on user consent and privacy in electronic communications.

All Scam Emails Are Spam, But Not All Spam Emails Are Scams

While the terms “spam” and “scam” are often used interchangeably, there’s a subtle but important distinction between them. As we already determined, spam email is primarily unsolicited and unwanted, often commercial in nature, and sent in bulk. While spam can be annoying and clog inboxes, it’s not always inherently malicious. Scam emails, on the other hand, are purposely deceptive and fraudulent. They are meant to trick recipients into taking actions that benefit the scammer, often resulting in financial loss, identity theft, or other harm. With the emergence of generative AI, a new dimension in spam and scams has further blurred the lines. AI allows spammers to create more personalized and convincing marketing emails, making them less obvious as unwanted solicitations. It empowers scammers to create highly sophisticated phishing and business email compromise (BEC) attacks that are difficult to distinguish from genuine communications. This evolving technology makes it crucial for users to stay vigilant, exercise caution, and employ protective measures to safeguard

Identifying Spam Emails

Most of the time spam emails are glaringly obvious, but as mentioned before, with generative AI making it more difficult to tell, you can look for these red flags to help you identify spam email in your inbox:

• Suspicious sender addresses: Spammers often use addresses that mimic legitimate companies but contain misspellings, random characters, or public email domains (like Gmail or Yahoo) instead of the company’s domain.
• Generic greetings: Legitimate businesses typically address you by name. Spammers often use generic greetings like “Dear Customer” because they send mass emails.
• Urgent or threatening language: Scammers use urgency to pressure you into acting quickly without thinking. They might warn of account closure or offer limited-time deals that are too good to be true.
• Request for personal or financial information: Legitimate companies will never ask for sensitive information like passwords, credit card numbers, or Social Insurance numbers via email.
• Unusual attachments or links: Be wary of opening attachments or clicking links, especially from unknown senders. They may contain malware or redirect you to phishing sites.
• Grammatical errors and typos: Poorly written emails can be a sign of spam, although not all spam emails contain errors.
• Offers that are too good to be true: If an offer seems unrealistic, it probably is. Be skeptical of promises of large sums of money or rewards.
• Foreign or mixed languages: Spammers might use businesses or languages unrelated to your location.

Managing Spam Email

If you identify email as spam, follow these steps to prevent future messages and help your email provider improve spam filters:

• Don’t respond or click any links. Replying or clicking confirms your address is active, inviting more spam. Unsubscribe links might also be fake, leading to phishing sites or malware downloads.
• Mark as spam. This trains your email provider’s spam filters to identify and block similar messages.
• Block the sender. This prevents future emails from that specific address.
• Report the sender. This flags the account for investigation by your email provider.

Proactive Measures to Reduce Spam

• Train your spam filter. Regularly marking spam emails as spam helps your email provider learn to filter more effectively. (For customers using Webnames.ca email, you can forward the entire email to reportspam@webnames.ca. No additional content needs to be added in the body of the email as only the attachment will be analyzed. These messages are fed directly into our spam filtering appliance for analysis and machine learning.)
• Use a third-party spam filter: Consider an additional layer of protection if your email provider’s filter isn’t catching everything.
• Unsubscribe from mailing lists. Reduce unwanted marketing emails by unsubscribing from lists you no longer wish to receive communications from.
• Hide your email address. Limit publishing your address online. Consider using contact forms on websites instead.
• Use alternative email addresses. Create separate addresses for different purposes, such as personal, work, and online shopping.
• Consider using a temporary email address. For registrations or situations where you don’t want to give your real address.
• Use email screening. Some email management apps offer a screening feature that quarantines emails from unknown senders.

Phishing Prevention Strategies

Phishing attacks use deceptive emails to steal sensitive information. Here’s how you can protect yourself:

• Verify suspicious emails. Contact the sender or company directly through official channels (not the information in the email) if you’re unsure about the email’s legitimacy.
• Be wary of requests to update account information or verify passwords via links. Legitimate companies rarely request this through email. Go directly to their website instead.
• Hover over links to check the actual URL. Don’t click links that look suspicious or don’t match the organization’s website.
• Be cautious about urgent or threatening language. Don’t let pressure tactics force you to make mistakes.
• Enable multi-factor authentication (MFA) or two-factor authentication (2FA) whenever and wherever you can. These security measures requires additional verification factors, making it harder for scammers to access your accounts.
• Implement DMARC. Domain-based message authentication, reporting and conformance (DMARC) helps protect your email domain from being used for phishing attacks. It helps prevent spammers/scammers from spoofing a company’s email domain by specifying how to handle emails that haven’t been authenticated.
• Be wary of QR codes. Quishing attacks embed malicious links in QR codes. Scan with caution, especially from unknown sources.
• Be aware of deepfakes and AI-generated content. Scammers use these to create convincing messages that appear to be from legitimate sources.

Be Aware of AI’s Capabilities in Email Scams

Generative AI refers to a type of artificial intelligence that can create new content, such as text, images, audio, and video. It is increasingly being used in email scams to create more sophisticated and convincing phishing messages. It can analyze large amounts of data to tailor emails to individual targets. This makes phishing attempts more believable, as scammers can use personal details or references that resonate with the victim.

AI models are evolving rapidly to produce text that mimic human writing styles. This allows scammers to craft messages that sound more natural and less generic, increasing the likelihood that victims will engage. Generative AI can automate the creation of vast numbers of scam emails, making it easier for scammers to reach a broader audience without significant manual effort and it allows them to adapt messages in real time based on responses or changes in detection technologies, making it more difficult for spam filters to catch them.

AI can also help identify social engineering tactics that are most effective in various contexts, allowing scammers to exploit emotional triggers more effectively. But beyond text, generative AI can create fake documents, images or even deepfake (hyper-realistic fake audio or video) audio/video, further enhancing the credibility of scams.

While generative AI can be a powerful tool for legitimate purposes, its misuse in the context of email scams poses significant challenges for individuals and organizations trying to protect themselves from fraud. Here’s how it is being used in email attacks:

• Creating convincing phishing and BEC attacks. Deepfakes and Large Language Models (LLMs) are being used to impersonate trusted individuals or officials, making phishing emails and BEC attacks more sophisticated and harder to detect. For instance, LLMs like GPT-4 can generate text that mimics the tone and style of legitimate correspondence, increasing the chances of deceiving the victims.
• Scaling personalized attacks. Generative AI allows scammers to personalize email attacks at scale. This means they can create unique and convincing messages for many potential victims, making their attacks more effective.
• Bypassing security filters. Some spammers use a technique called Bayesian poisoning to trick spam filters. They send emails with a jumble of words and numbers, confusing the filters and allowing their message to reach the inbox.

It could be considered ironic that while generative AI is being used to create more convincing email scams, the same technology can also be harnessed to detect and combat those scams. This highlights a paradox where advancements in technology lead to both innovative malicious uses and the development of countermeasures. The ongoing “arms race” between scammers and cybersecurity efforts exemplifies this irony, as each side leverages cutting-edge tools to outsmart the other.

Here are some ways that AI is being used to combat AI:

• Detecting AI-Generated Content
  • Transformer-Based Models: Advanced email security solutions that use AI models similar to those behind LLMs to analyze email content. These models can identify linguistic patterns and characteristics unique to AI-generated text, helping to flag potentially suspicious emails.
  • Semantic Content Analysis: Some security solutions group emails with similar semantic content and identify patterns indicative of LLM-generated text. By analyzing the meaning and context of this text, this method aims to detect AI-generated content even if it’s well disguised.
• Assessing Malicious Intent
  • Probability Scoring: AI models can assess the likelihood of an email being both AI-generated and malicious. Some security solutions assign a probability score based on the identified patterns and textual analysis.
  • Combining AI with Traditional Methods: It’s not enough to simply detect AI-generated content because legitimate emails also use AI tools or templates. Advanced security tools combine AI detection with traditional methods like sender reputation analysis and authentication protocols to reduce false positive.
• Analyzing Visual Content
  • Image Recognition: Some security solutions include advanced image recognition capabilities to analyze visual content within emails. This helps detect malicious QR codes used in quishing attacks or other suspicious images that might evade text-based analysis.
• Continuously Learning and Adapting
  • Dynamic Engines and Machine Learning: There are patented dynamic engines and machine learning algorithms on the market that continuously learn from new threats. These systems adapt to evolving attack techniques and improves its accuracy over time.
  • Training on Malicious Emails: The models used in the above example are initially trained on vast datasets of malicious emails and are constantly updated with new attack samples. This ongoing training ensures that the system can identify and adapt to the latest threats.
• Protecting Against Specific Threats
  • Preventing Generative AI-Based BEC Attacks: Some systems are specifically designed to combat business email compromise attacks that utilize generative AI. They analyze email content, sender behaviour, and other factors to identify and block these targeted attacks.

Best Practices for Email Security

In addition to or to re-emphasize the importance of some of the aforementioned strategies to combat escalating threats of spam and phishing, implement these best practices:

1. Recognize and Avoid Email Scams
   • Scrutinize sender addresses for inconsistencies.
   • Be wary of emails using urgent language.Verify suspicious communications through direct contact.Never send sensitive information via email.Avoid opening attachments or clicking on links from unknown senders.If you receive a suspicious attachment, use a malware scanning tool to check for malware before opening it.
   • Recognize common spam tactics like generic greetings, poor writing and grammar, promises that are too good to be true and fake unsubscribe links.
2. Implement Robust Security Measures
   • Use a reputable email provider that utilizes advanced spam filters. (Webnames email service scans for email containing malware and stops them from reaching your mailbox.)
   • Enable MFA/2FA and encryption for added security. Keep all software update to protect against vulnerabilities.
   • Educate yourself and your employees about common email scams, phishing techniques, and best practices for email security. (Contact us for more information about employee training programs.)
3. Counter AI-Powered Email Threats
   • Invest in AI-enhanced security solutions that can detect and block sophisticated attacks.
   • Stay informed about ever evolving AI technologies and tactics used in email scams.
   • Reinforce training to keep employees aware of the latest threats and prevention techniques.

By adopting these email security best practices, both individuals and organizations can significantly mitigate the risks associated with spam, phishing attacks, and other online threats. Staying vigilant, informed, and proactive is essential for maintaining a secure email environment. Prioritize your email security to protect your personal and professional information from evolving threats.

If you have questions about email security or would like to explore additional domain security products, don’t hesitate to reach out to our team. We’re here to support you in safeguarding your digital communications and enhancing your overall security. Your peace of mind is our priority.