The first half of 2012 has come to an unceremonious end, and as Internet Doomsday looms like the plot from a bad Nicholas Cage movie (yes, I realize the oxymoron), it seems somewhat appropriate to fondly look back at the past few months and wonder what in the hell has happened to the state of spam. In some ways, it seems as if a divisive carving knife has cut right down the middle of the whole spam debate, the masses on one side slapping themselves on the back and congratulating each other for bringing an end to the pesky stuff; and those on the other are walking around with placards foretelling the end of the world, reminding everyone that yes, spam email volumes have gone down, but malware and targeted campaigns are on the rise.
Occasional spikes in spam mail volumes have done little to settle what seems to be a growing debate: Have we seen the end of the Golden Age of spam? Is it all downhill from here? Will we continue to see dwindling numbers? Will spam be relegated to a pesky nuisance that incites nostalgic sentences beginning with words like “y’know sonny, when I was your age, I spent thirty hours a day deleting spam emails from my inbox.”? The answer, across the board, is of course not. Sure, we’ve seen dips in email spam campaigns and recent suggestions of new growth. New delivery methods – most notably social networking sites like Facebook and Twitter, as well as vishing and m-spam campaigns – have resulted in the spam love being spread around far more than we are accustomed to, and certainly way more than five years ago, when many of the modern delivery methods didn’t exist or simply weren’t popular enough to be a target.
All this combined with spammers getting smarter and more personal in their attacks, as well as the takedown of a couple of high-profile botnets responsible for some heavy spam traffic , and it’s not at all surprising that considering only email spam is going to make it appear that spam levels are on a decline.
So now that the year is half over, how are we doing in 2012? Emailtray, a purveyor of email client software, published an interesting infographic this past week, and the numbers are worth a look. According to the study, which spans 2011-2012 and focuses on February of both years:
- 68 out of every 100 emails was spam in 2012
- 1 in every 298 emails was a phishing email in 2012
- Email spam dropped from 81% to 68% between February 2011 and February 2012
- Phishing emails dropped from 0.46% in 2011 to 0.28% in 2012
- Broken down by top 10 countries, China is getting the most spam at 74% and Japan is at the bottom of the list at 65.1%
- Not surprisingly, sex-related (43%) and pharmaceutical (30.5%) spam emails topped the list of spam email categories
- Of the 10 most popular phishing targets, PayPal topped the list followed by Facebook and TAM Filedade
The infographic ends with some nice, if not common sense, tips about recognizing spam emails and it may be worth sending to your friends and co-workers if you suspect they need a refresher at how to spot spammy nastiness.
So, if we’re to consider these numbers, little is surprising. As previously stated, new and multiple delivery methods are helping to spread the spam around, and reductions in bulk emails due to botnet takedowns can explain the reduction reported by Emailtray between 2011 and 2012. The phishing numbers can probably be treated in the same respect as spam mails, that is, they’re dropping in the email category due to the delivery method being spread around.
What is of great interest, however, is that first number. If 68 out of every 100 emails is spam, even if that number is down, then there are a few takeaways. First, we still have a lot of work to do. Even though we sometimes treat spam as a source of humor, there’s nothing funny about people losing their life savings and companies losing their valuable data and millions of dollars.
Second, we’re still seeing a significant amount of email spam, and because we now know that the scammers are using multiple methods and personalized attacks, it’s time to remind ourselves why we’re here: our users. Take a minute to review your training and vigilance policies. Is enough being done? Is it time for an in-class refresher? And take a few minutes to talk to your users. Do they have any questions? Do they know how to recognize a bogus email? Do they really understand what happens when they click a link?