When discussing email security, the terms spam and phishing are often used interchangeably. There is some reason for this: both are unwanted email messages, and the same bulk-delivery tactics can be used to send either in large quantities.
These traits, combined with the obvious fact that both are email-borne threats, make it easy to lump the two together. However, as the sophistication of email-borne attacks increases and the level of threat grows, it is important to understand the difference between the two and end the confusion.
Spam is a junk email message whose purpose is to earn money for the sender. Popular spam messages advertise for pharmaceuticals, herbal supplements, low mortgage rates, etc. The spammer often earns money one of two ways: a pay per click model or through affiliate marketing.
The pay-per-click model is ideal for the spammer because they are paid every time someone clicks on one of their links. Nothing needs to be bought and no information needs to be handed over; as long as the recipient clicks the link and the page loads, money is earned.
Affiliate marketing, on the other hand, pays out on a percentage of a sale or if the recipient joins a marketing list giving up their information as a sales lead. Spammers send thousands of emails advertising different products or services in hopes that enough people will buy.
But wait a minute, aren't these the same methods that millions of legitimate web sites use to make money? Absolutely, but the main difference is that legitimate web sites promote legitimate companies. Spammers often promote shady operations that offer no customer service and little hope of ever receiving an actual product.
Spammers may also promote legitimate companies, products and services. Often those guilty of this bought an email list and thought it was a great way to get the word out. They later find their sending addresses on every DNS-based block list (DNSBL) known to man and soon realize that this was not a good marketing technique.
Phishing is the practice of luring a recipient into doing one of three things:
- Clicking on a link that takes the recipient to a malicious web page that will infect their computer with malware
- Downloading malware that is sent as a file attachment with the email message
- Being tricked into divulging confidential or sensitive information
The malware that infects the victim's computer is usually one that captures username and password combinations, steals financial information, or opens a backdoor so that the attacker can access the machine again, possibly turning it into a zombie in a botnet that the attacker controls.
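The first two lures in the list above are mechanical and can be checked for in the message itself: an anchor whose visible text names one host while its real href goes to another, and an attachment whose true extension is executable. The following script is an added example, not code from the original article; it uses only the Python standard library, and the sample message, the bank name and the `.invalid` domains are constructed here for illustration. Wording that asks for credentials (the third lure) is deliberately not scored, because keyword matching on it is trivially evaded.

```python
"""Flag two phishing lures in an email: display-text/href host mismatch in
links, and executable attachments.  Sample message is constructed inline."""

from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions commonly used to deliver malware as an attachment (assumption:
# a practitioner would tune this list for their environment).
DANGEROUS_EXTS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                  ".jar", ".docm", ".xlsm"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []    # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url_or_text):
    """Lowercase hostname of a URL or of a bare 'host/path' string.
    Not public-suffix aware on purpose: a lookalike subdomain such as
    bank.invalid.attacker.invalid must NOT compare equal to bank.invalid."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def link_mismatches(html):
    """Anchors whose visible text looks like a host/URL but whose real href
    points at a different host."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        shown, actual = registrable_host(text), registrable_host(href)
        if "." in shown and shown != actual:   # only when the text is URL-like
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def dangerous_attachments(msg):
    """Attachment filenames whose LAST extension is dangerous, so that a
    double extension like 'statement.pdf.exe' is caught."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in DANGEROUS_EXTS:
            names.append(name)
    return names


def analyze(raw_bytes):
    """Parse a raw RFC 5322 message and report both lure types."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part else ""
    return {"link_mismatches": link_mismatches(html),
            "dangerous_attachments": dangerous_attachments(msg)}


def build_sample():
    """Constructed lure: visible link text names the bank, the real href
    does not, and the attachment is an .exe hiding behind '.pdf'."""
    msg = EmailMessage()
    msg["From"] = "Security Team <security@example-bank.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(
        '<p>We detected a new login. Please verify at '
        '<a href="http://example-bank.invalid.account-check.invalid/verify">'
        'https://www.example-bank.invalid/login</a>.</p>'
        '<p>Or read the attached statement. '
        '<a href="https://www.example-bank.invalid/help">Help</a></p>',
        subtype="html")
    msg.add_attachment(b"MZ\x90\x00 not really a program", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze(build_sample()))
```

Run it as a script to see the two findings on the constructed message; in practice you would feed `analyze()` the raw bytes of messages pulled from a quarantine or mail log. The host comparison is intentionally strict (no public-suffix normalization), since the whole trick in the first lure is a subdomain that merely contains the brand name.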
Whatever the method used to phish a victim, the results can be devastating to the victim’s personal life or the organization that they work for.
Spam is annoying, and it does cost money for people who fall for it. Many times people who buy something advertised in a spam message find that the product is worthless or never even shows up. But the significant costs add up for businesses. Millions are lost every year in productivity as users are forced to deal with spam, and in resource allocation as storage space and bandwidth are consumed by unwanted email.
Phishing is much more problematic. It has been reported that 91% of advanced persistent threat (APT) intrusions involved phishing. Somewhere along the line, someone fell for a phishing email and gave up enough information, or ran enough malware, to allow the attackers access.
Phishing relies on two different delivery methods. The first is the same bulk approach as traditional spam: thousands of emails are sent to arbitrary inboxes in the hope that someone takes the bait. These are dangerous, but they are more frequently aimed at consumers.
Businesses are more susceptible to the second method, the spear phish. Spear phishing involves more reconnaissance on the attacker's part. They may study a particular organization and identify who holds a certain level of management or a particular role. From there, they craft a targeted email and send it to everyone they have identified, in the hope that one or more of them is tricked into giving up the goods.
Either threat, spam or phish, represents a serious problem that needs to be addressed by individuals and businesses alike.