Ask the expert: How to protect yourself from spam and phishing
Viviana is an expert in our Mail Security team. One of her main responsibilities is protecting our users from spam emails and phishing attacks. In this interview, she tells us why inboxes have a spam folder and why not all “bad” emails are deleted automatically. Plus, she shares some pro tips for recognizing email scams.
by Alyssa Schmitt
Expert tips for staying ahead of spam and scams
mail.com blog: Miracle diets, blue pills, or free gift cards – what are the most common spam and phishing scams right now?
Viviana: Well, you just named some of the big ones! However, another major spam and phishing trend we see year-round is fake DHL, Amazon, and UPS emails. Spammers take advantage of the fact that we all shop online and use these shipping and logistics services regularly. They send out fake order confirmations and delivery notifications, which usually contain links to fake websites that are set up to steal personal or financial data from users. And they are very hard to tell apart from the real thing.
And if that wasn’t enough, fake emails often also have Trojan horses, malicious code, and other dangerous malware in the attachments. If you open and download the .ZIP, .exe, or other file types, you soon have a real problem.
mail.com blog: Okay, so caution is definitely advised here. But before we go into more detail about how to recognize fake emails, can we take a look at the terms “spam,” “spoofing,” and “phishing”? They are often used interchangeably, but they actually mean different things.
Viviana: That’s right. “Spam” refers to unwanted or unsolicited emails. They don't always have to be malicious, but they can contain links to fraudulent websites. As a rule, however, spam emails are more annoying than dangerous.
“Phishing”, on the other hand, refers to cyberattacks involving fraudulent, deceptively authentic-looking emails that are sent on a large scale to trick recipients into making a payment or disclosing confidential information such as passwords. These emails are designed to look like they come from legitimate companies, with similar logos, similar wording, and similar formatting. Just think of the fake DHL, UPS, and Amazon emails we just discussed!
What's more, these fake emails often seem to come from familiar email addresses. But “seem” is the key word here – this is a form of deception known as “spoofing.” In email spoofing, information in the email header is falsified so that the sender's email address looks genuine. In reality, however, it comes from a spammer who is faking their identity.
mail.com blog: Viviana, last year you and your team identified a dramatic increase in spam and phishing emails. Can you tell us more about that?
Viviana: First, we should note that the volume of email traffic is constantly increasing – both legitimate, wanted emails as well as unwanted messages. However, the proportion of spam is growing faster in relation to the number of “good” emails.
Spam is used for many different scams, including phishing, identity theft, and other forms of fraud. As long as the perpetrators can profit financially from spam, the incentive to send it remains very high. By the way, it’s not just our company that is seeing the problem of rising spam numbers – it affects the entire email industry.
mail.com blog: Will this trend continue?
Viviana: Yes, definitely, because there are several factors driving the rising numbers. Spammers have a much easier time running spam campaigns these days. Thanks to artificial intelligence, they can create phishing emails with convincing and contextually relevant content in no time at all and reach lots of people through automated processes. This makes sending spam easy and inexpensive.
And then there are botnets and malware: Cybercriminals often use botnets, i.e., networks of compromised computers, to spread spam. As these networks grow, the capacity to send large volumes of spam increases.
mail.com blog: And how is mail.com reacting to these developments?
Viviana: I don’t want to get too technical here, but we have implemented a sophisticated system that detects anomalies and malicious behavior in emails. We are ramping up the use of artificial intelligence to assist in these processes. AI is an important tool in combatting spam and malicious emails and will be ever more widely employed moving forward.
mail.com blog: Viviana, let’s be honest – can a normal email user still tell the difference between phishing emails and genuine emails these days?
Viviana: Modern phishing techniques have gotten very sophisticated, so it is indeed difficult to tell phishing emails apart from real ones.
However, there are some signs that can help you spot a fake email:
- Check the sender’s email address: Phishing emails often come from addresses that mimic real addresses but have small differences, like misspellings or extra characters.
- Look for generic greetings: Phishing emails often use impersonal salutations such as “Dear Customer” or “Dear User” instead of your real name.
- Check for poor grammar and spelling: The most obvious signs of a fake email are grammatical errors or misspelled words.
- Be wary of urgent or threatening language: Phishing emails often create a sense of urgency or threaten dire consequences if you don't act quickly.
- Examine links before clicking: Hover over links in the email (without clicking on them) to see the URL. Scammers try to lure you to their fraudulent websites. If you receive an email from Amazon, for example, any links in the email should lead to Amazon and not some unknown, dubious website.
Viviana: You should always exercise caution when receiving an email, especially one that requests personal information from you or contains unexpected or conspicuous links or attachments. And of course, emails that land in your spam folder should always be treated with caution – they have been classified as potentially suspicious by our systems and therefore pose a potential risk. And I would advise our readers to be careful with email attachments in general.
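The signs Viviana lists above, turned into a small checker as an added example (this is not code from mail.com or from the interview): it parses one constructed message and reports a lookalike sender domain, links whose real host is not the claimed brand's domain, a generic greeting, and urgent wording. The brand-to-domain table, the keyword lists and the sample message are assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the recipient expects mail from, mapped to their real domains (assumed).
TRUSTED = {"amazon": "amazon.com", "dhl": "dhl.com", "ups": "ups.com"}
URGENCY = ("immediately", "within 24 hours", "will be suspended", "act now")
GENERIC = ("dear customer", "dear user")
# Constructed sample message for illustration; not a real email.
SAMPLE = """\
From: "Amazon Customer Service" <support@amazn.com>
To: you@example.com
Subject: Your order could not be delivered
Content-Type: text/plain

Dear Customer,

Your account will be suspended unless you confirm your payment details
within 24 hours: http://amazon.com.verify-login.example/confirm
"""

def registrable_domain(host):
    """Crude 'last two labels' view of a host: www.amazon.com -> amazon.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def edit_distance(a, b):
    # Levenshtein distance; one or two edits usually means a lookalike name.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_signs(raw):
    """Return the warning signs (from the list above) found in one message."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    low, from_hdr = body.lower(), msg.get("From", "").lower()
    sender = registrable_domain(parseaddr(from_hdr)[1].partition("@")[2])
    signs = []
    for brand, real in TRUSTED.items():
        # Judge only against a brand the From header itself claims to be.
        if not re.search(rf"\b{brand}\b", from_hdr) or sender == real:
            continue
        # Sign 1: sender domain is a near-miss of, or merely contains, the brand.
        if edit_distance(sender, real) <= 2 or brand in sender:
            signs.append(f"lookalike sender domain {sender!r} (expected {real!r})")
        # Sign 5: links whose real host is not the brand's domain; a prefix such
        # as amazon.com.verify-login.example still leads to verify-login.example.
        for url in re.findall(r"https?://[^\s<>\"']+", body):
            link = registrable_domain(urlparse(url).hostname or "")
            if link != real:
                signs.append(f"link to {link!r} instead of {real!r}")
    # Signs 2 and 4: generic greeting, urgent or threatening wording.
    if any(g in low for g in GENERIC):
        signs.append("generic greeting")
    if any(u in low for u in URGENCY):
        signs.append("urgent or threatening language")
    return signs
```

Running `phishing_signs(SAMPLE)` reports all four signs for the constructed message; the same checks stay silent on a mail whose From domain and links both belong to the brand it names.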
mail.com blog: But is there anything I can do to protect myself from getting phishing and spam emails in the first place?
Viviana: To combat spam, I recommend a combination of technical solutions and being careful with sharing your personal data. Every device that connects to the internet, whether smartphone, tablet, or computer, should receive regular software updates. And they should all have a firewall and an antivirus program installed.
Then there is the human factor. You should be careful not to give out your main email address everywhere – especially not on unknown websites. All too often, the email address ends up on a spammer's address list.
mail.com blog: If there is a good chance that spam emails are dangerous, why are these emails delivered to users’ inboxes at all?
Viviana: As an email provider, we have an obligation to deliver legitimate emails. We therefore have to deliver certain commercial emails, even if our email users may find them annoying. These emails usually end up in the spam folder. However, if an email is dangerous (e.g., contains a virus) or does not comply with our rules for valid or permitted emails, we reject it. This means that we don’t deliver it at all – not even to the spam folder.
mail.com blog: On the other hand, people sometimes complain that emails they want go to their spam folder and they have to go looking for them. Does this really happen a lot and is there anything a user can do to prevent it?
Viviana: Emails which are actually legitimate, but are mistakenly recognized as spam by the system, are known as “false positives.” Spam filters try to strike a balance between blocking spam and delivering legitimate emails.
There is always a risk of false negatives (spam emails that are not recognized) and false positives (legitimate emails that are marked as spam). Although stricter filters can reduce the number of false negatives, they can also cause more false positives. So, if legitimate emails are wrongly classified as spam, customers should click the “Not Spam” button to mark the message as wanted. This trains the spam filters.
mail.com blog: We also received a question from a user on the subject of training spam filters: “When you move a spam mail from the inbox to the spam folder, your personal spam filter is trained. How long does a spam mail have to sit in the spam folder for the anti-spam system to recognize it? Is there a minimum duration or is it enough to put it there?”
Viviana: As soon as the email is moved to the spam folder, our systems immediately learn: “This email from this sender is unwanted.” The spam filter will remember this information in the future; these emails will go straight to spam.
mail.com blog: What is the most effective thing that I as a user can do to increase my email security?
Viviana: Use strong passwords. However, you have to bear in mind that the meaning of the term “strong password” changes every few years. As computing power increases, passwords that were considered secure and strong a few years ago are actually weak today. Thanks to improved technologies, hackers can crack them more easily than a few years ago. So, it is important to check your passwords from time to time and make them longer and more complex. And you should never use the same password for more than one account. You really do need a separate, unique password for each and every one.
As an additional protective measure, I recommend two-factor authentication. This authentication method is already standard with many providers – e.g., for online banking or PayPal. But it is also available for your email account. If you activate it, this significantly reduces the risk of unauthorized access, even if your password is cracked.
mail.com blog: To end on a personal note – what do you love about your job?
Viviana: The work we do in the Mail Transfer & Mail Security department is exciting and keeps you on your toes. I've learned not to underestimate the motivation and innovation of the opposing team. We try to think like them, to get inside their heads, and to always stay one step ahead! There will always be new challenges that we will have to face with fresh ideas, but the people I work with here are intelligent, resourceful, and dedicated professionals. There's never a dull moment in this job!
mail.com blog: Thanks so much for talking to us today!
Viviana Cotirlea has more than two decades of experience in the IT and security industry in a variety of roles. Today, she heads the Mail Transfer and Mail Security department, where she and her team combat spam and other potential security risks. In her spare time, she enjoys playing adventure board games with her family, traveling the world, and photography.
If you enjoyed our interview with Viviana, please give us a thumbs-up below!
Images: 1&1/Shutterstock