Spam or Phishing: Why Knowing the Difference Matters
Written by Jeff on January 11, 2013
Originally this post was meant to address targeted spam and how spammers are able to find out more about you and use this information to trick you into opening their emails.
However, while researching the post, I found an article on the blog of a large email security vendor that discussed the problem of targeted spam; interestingly, the post was dated 2009.
It told the story of someone receiving an email warning that a package could not be delivered and that the attached file contained tracking information that would help her receive the package more quickly.
In 2013 we know that this is not likely a legitimate email, or at least we should, but is it spam?
Unfortunately people are often confused between spam and phishing, particularly spear phishing, because of how the two are presented to them. This creates a problem because the security concerns between the two are quite different.
How spam and phishing are different
Ferris Research estimates that spam costs businesses worldwide over 50 billion dollars, 17 billion in the United States alone. These costs are associated with lost productivity and other expenses.
Spam is annoying. It is defined as email that tries to sell you a product or a service: junk mail, much like the junk mail the post office delivers that goes straight into the trash.
Phishing, on the other hand, presents a different danger. The victim of a phishing attack could give up sensitive information like credit card numbers, personal information or even username and password combinations. Others may fall for attacks that insist they download a malicious attachment that installs a Trojan horse or keystroke logger on their computer. Others still may be enticed to click on a link that takes them to a web site loaded with malware ready to infect any visiting computer.
Now many readers may have immediately determined that phishing is much more troublesome for a business. After all, if someone is able to socially engineer a username and password from an employee then all is lost. But that is not the case. Spam is no more troublesome than phishing and phishing is no more a concern than spam. Why? Because they are different; and that is the point I am trying to get across here.
In the article that spurred this discussion, you have a major security vendor mixing up the two terms. As this mistake trickles down to network and email administrators, users also begin to confuse the two, and that leads to problems, because phishing and spam require different approaches to how attacks are reported and dealt with.
When an organization’s IT security team receives a report that someone received, and fell victim to, email spam the right response is to investigate the email and see how they can configure the anti-spam filters to prevent further messages from being delivered. Doing so successfully means they are able to save the organization money and time.
When a phishing attack is reported, the security team's response should be much different. While it is important to block future attacks, the first step needs to be containment. Did any of the email recipients click a link, download an attachment or give up information? If so, those threats need to be dealt with immediately in order to contain the spread of malware or protect the integrity and confidentiality of information. If the breach was large enough, it may need to be reported to customers, clients and government agencies.
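The two response paths above, reduced to a small triage script as an added illustration that is not part of the original post: the lure wording, the message fields and the playbook strings are my own assumptions, and the two messages are constructed samples (the first mirrors the "package could not be delivered" lure described earlier).

```python
import re
from email.message import EmailMessage

# Wording typical of phishing lures: a call to open, click, verify or confirm.
LURE = re.compile(
    r"(open the attached|click (the )?link|verify your (account|password)"
    r"|confirm your (account|identity)|account (will be )?suspended)", re.I)
# A direct request for a secret is phishing regardless of links or attachments.
CREDENTIAL_ASK = re.compile(r"(password|credit card|social security)", re.I)

def body_text(msg: EmailMessage) -> str:
    """Return the text/plain body of a message, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""

def classify(msg: EmailMessage) -> str:
    """Spam sells something; phishing wants a click, a download or a secret."""
    text = body_text(msg)
    has_attachment = any(p.get_content_disposition() == "attachment" for p in msg.walk())
    has_url = bool(re.search(r"https?://", text))
    if CREDENTIAL_ASK.search(text) or (LURE.search(text) and (has_attachment or has_url)):
        return "phishing"
    return "spam"

def triage(msg: EmailMessage, recipient_interacted: bool) -> dict:
    """Pick the first response action: filter tuning for spam, containment for phishing."""
    kind = classify(msg)
    if kind == "spam":
        action = "tune the anti-spam filter to stop further copies"
    elif recipient_interacted:  # clicked, opened the attachment or gave up information
        action = "contain: isolate the host, reset exposed credentials, assess breach notification"
    else:
        action = "block the sender and URLs, then warn other recipients"
    return {"type": kind, "first_action": action}

def package_lure() -> EmailMessage:
    """Constructed sample: the failed-delivery lure with a zip 'tracking file' attached."""
    msg = EmailMessage()
    msg["From"] = "Parcel Service <noreply@parcel.example>"
    msg["Subject"] = "Delivery failed"
    msg.set_content("We could not deliver your package. Open the attached file for tracking.")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="tracking.zip")
    return msg

def sales_pitch() -> EmailMessage:
    """Constructed sample: ordinary unsolicited advertising."""
    msg = EmailMessage()
    msg["From"] = "Deals <promo@shop.example>"
    msg["Subject"] = "50% off printer ink this week"
    msg.set_content("Visit http://shop.example/ink for this week's discounts on ink.")
    return msg
```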
Both are important to protect your users against because they disrupt the normal flow and work of your organization. Implementing a layered approach to securing your users against all email-borne threats is always the best solution, but making sure that the technology layers are easily configurable and manageable will make the difference between an illicit email slipping past the gates and its being stopped before your user ever has a chance to become a victim.