Do You Know What to Do When You Get Spammed?

Just a day after we recognized the 35th anniversary of the first mass marketing email, which Gary Thuerk sent to about 400 users of ARPANET, news spread that the Commtouch Internet Threats Trend Report for the first quarter of 2013 had been released. It claimed that, around the world, an average of 97.4 billion spam emails were sent each day. That is quite a bit of junk mail.

Now any organization with a good anti-spam solution in place (notice I said good) will see a great deal of these messages filtered out, because its technological controls will spot these illicit messages and send them directly to the spam folder.

But what about those messages that make it through? Criminal organizations, and individuals, who send spam are constantly working to circumvent these technical controls so that their messages make it into their victims’ inboxes.

In addition to your technical controls, your organization should be teaching your users the basics about spam and phishing. Organizations that are serious about supplementing their anti-spam solution with a human element should make sure that their users know the following:

Why malicious emails are so dangerous

Most users aren’t quite clear as to the problems caused by spam and phishing attacks. They don’t know that by clicking on that link they could be going to a web site that infects their computer with malware. They don’t know that most Advanced Persistent Threats use email as the way to establish a foothold in the organization’s network. Most aren’t even aware of what an Advanced Persistent Threat is, despite the term being thrown about in the wake of recent attacks. Without first understanding how dangerous these threats can be, users may not take the rest of their education seriously.

How to spot a malicious email

Whether the email is a marketing email that is more annoying than dangerous or a spear phishing email that is loaded with malicious attachments or links, users need to know how to spot the common characteristics used by these threats. Teaching them to spot a malicious email, or any security threat for that matter, gives the rest of your education program, and your security program, a solid foundation from which to work.

What to do with a malicious email

Different organizations have different policies for dealing with spam and phishing emails. Some instruct their employees not to interact with a suspicious email, but instead to simply delete it. Others may have the employee identify the email as such so that the anti-spam filter can analyze it to learn its patterns. Others may have employees forward the email to an address in the organization’s IT security department. Whatever course of action your organization takes, make sure that people know what it is.

Who to tell if they fell victim to an attack

Most users are embarrassed if they realize that they have fallen for a phishing scam, especially at work. Whether they fear ridicule from their manager or simply fear for their job, when these problems go unreported the attackers gain a foothold in the organization’s network and get time to identify confidential assets that they can compromise. When users feel safe reporting that they have fallen for a suspicious email, and know how to report it, IT security gets time to deal with the breach and possibly mitigate any resulting losses. It also helps the organization’s reputation with the public when it is disclosed that yes, there was a breach, but it was immediately contained and no data or resources were stolen.

Technical controls used to secure email have improved greatly over the years, and some offerings are even geared towards the management capabilities of the small to medium sized enterprise, abandoning the old "one size, and one price, fits all" mentality. But there needs to be an additional layer that supports the anti-spam filter, and that layer is the employees themselves.

Written by Jeff


  1. Adelai · May 16, 2013

    All these things should be spread not only to the people handling emails and IT stuff in the office or at home. It is the kind of information that should be provided to anybody who cares about his or her personal safety – or his/her business’ security. It is an accepted fact that emails are used by millions of people all over the world, so there should be no exceptions. Knowing the what, why, how and who of spamming will not eliminate these malicious emails per se, but it will greatly help control the actions and their consequences to the victims.

  2. Georgie · May 16, 2013

    The first time I received spam, I certainly didn’t know what to do. So I ended up opening them and sharing some of them to my friends. You can definitely call me a spam promoter. But I guess you cannot fault me especially since around that time there’s not enough information around as even IT experts were figuring out what spam is.

  3. Angie · May 20, 2013

    Definitely, when I first started using the computer and e-mail, I had no idea how to deal with spam, though I think I was smart enough not to open a lot of them. With websites such as these, I became more empowered, and over the last few months, I received less spam.

  4. Fred · May 29, 2013

    Don’t worry, Angie, you’re definitely not alone. When I started using PCs and e-mails sometime in 1999, I had no idea as well, although it wasn’t really my habit since to open mails that came from people I didn’t know. I always assumed they were wrongly sent. Back then, there were already people begging for money, but I didn’t have the resources yet, so I didn’t act on them, which is definitely a good thing.
