Spam filters are bad at detecting spam, according to research from email management company Mimecast.
Mimecast’s third quarterly Email Security Risk Assessment, which inspected 45 million emails that passed spam filters, found that 24% of emails that reach users’ inboxes were “unsafe.” Many contained malicious attachments, links, or social engineering tactics.
Of the emails that Mimecast deemed unsafe:
- 8,682 contained dangerous file types that are rarely sent via email for legitimate purposes, such as .jsp (Java Server Pages), .exe (executables), and .src (source) files.
- 2,281 contained malware attachments, of which 1,778 were known malware types and 503 were unknown. The report states that “known malware […] can generally be caught in a true belts-and-suspenders approach by commonly deployed endpoint-based anti-virus technologies,” but “unknown malware will generally not be blocked by commonly used endpoint anti-virus technology.”
- 9,677 contained social engineering tactics. These emails typically impersonate a trusted party in order to prompt the recipient into doing something they shouldn’t, as in business email compromise (BEC) attacks, W-2 scams, and tech support fraud.
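The first finding above rests on a simple observation: some file types almost never have a legitimate reason to arrive by email. The following added example (not Mimecast's code, and not from the report) shows how a mail gateway or mailbox rule can parse an inbound message and flag attachments whose final extension is one of the types the report names; the extension list, the sample message and the addresses are constructed for illustration.

```python
"""Flag inbound mail attachments whose file type is rarely legitimate.

Added example, not Mimecast's own code. The extension list mirrors the
report's examples (.jsp, .exe, .src); a production gateway would use a
broader, organisation-specific policy.
"""
import email
from email import policy
from email.message import EmailMessage

# File types the report singles out as rarely sent for legitimate purposes.
DANGEROUS_EXTENSIONS = {".jsp", ".exe", ".src"}


def attachment_names(raw: bytes) -> list[str]:
    """Return the filenames of all attachments in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def flag_dangerous(raw: bytes) -> list[str]:
    """Return attachment names whose final extension is in the denylist.

    Only the last suffix matters: 'Invoice.pdf.exe' is flagged because the
    operating system treats it as an executable, while 'notes.txt' is not.
    """
    flagged = []
    for name in attachment_names(raw):
        lowered = name.lower().strip()
        suffix = lowered[lowered.rfind("."):] if "." in lowered else ""
        if suffix in DANGEROUS_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Constructed sample message: one benign and two risky attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # constructed address
    msg["To"] = "user@example.org"      # constructed address
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment("plain text", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    msg.add_attachment(b"<% %>", maintype="application",
                       subtype="octet-stream", filename="page.jsp")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_dangerous(build_sample()))  # ['Invoice.pdf.exe', 'page.jsp']
```

A gateway would quarantine flagged messages rather than just report them; the report's own point is that known-bad types like these should never reach the inbox in the first place.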
In a press release, Mimecast said: “Email remains the top attack vector for delivering security threats such as ransomware, impersonation, and malicious files or URLs. [Attackers’] motives include credential theft, extracting a ransom, defrauding victims of corporate data and funds, and, in several recent cases, sabotage with data being permanently destroyed.”
Spam filters aren’t enough
Mimecast’s study shows that many of these systems consistently fail to spot fraudulent emails, concluding that “the entire industry needs to work toward a higher standard of quality, protection and overall email security.”
But the success of email as an attack vector is at least partially because people put too much faith in email security systems. Given the sheer volume of malicious emails that are sent every day and how quickly criminals’ techniques evolve, it’s unreasonable to expect an email security system to catch every piece of spam. The most important line of defense is the person who receives the email. If you are able to identify and properly respond to a malicious email, you can mitigate the danger.
Our Phishing Staff Awareness Course uses real-life examples, tips, and best practice to help staff protect themselves and their organization against malicious emails. By enrolling your employees on this course, you will:
- Alert them to the risks of clicking on suspicious links
- Educate them on phishing and how it works
- Reduce the risk of cyber attacks in your organization
- Help them identify a phishing scam and help others avoid one if they see it