The Email Dilemma: Junk, Spam, or Phishing? How to Classify Unwanted Emails and Respond Accordingly

Anyone who has used email has experienced this: You open up an email and immediately recognize it's not something you want to receive. This discovery often generates one or more of the following questions (which we'll get to): Is this a dangerous email or just an annoyance? How should I respond? Should I be reporting these emails to ITS? This is one of those "it depends" situations in life. Fortunately, there are only a few options: It's either spam, junk, or phishing, and they have the following characteristics:

Classification   Annoying   Unsolicited   Dangerous
Junk             X
Spam             X          X
Phishing         X          X             X

Now let's drill down deeper on definitions, what to examine, criteria to match elements to classification, and how to respond accordingly.

Understand Definitions

Junk emails are unwanted emails from legitimate businesses or other organizations for which you unwittingly signed up. For example: You installed software and didn't notice that at the end of the dialogue you had a choice whether or not to be put on the company's email list... and the default answer was to opt in. Another way to get a junk email is when businesses harvest email lists from conference attendee, magazine subscription, or other lists without your explicit consent. Yes, these emails are annoying and unwanted, but not technically unsolicited, because you agreed in the Terms and Conditions to let a business share your email address when you signed up. However, getting off an email list should be easily remedied if the sender is ethical: Any legitimate business will provide an Unsubscribe link at the end of their mass distribution emails. It's the law! The CAN-SPAM Act requires businesses to do this.
Spam emails are unwanted and unsolicited, but do not present an imminent threat to the recipient. They are always unethical and may be criminal, depending on the content. Yes, flouting the CAN-SPAM Act is illegal, as is selling counterfeit merchandise, hyping stocks, and perhaps a few other acts based on misinformation, so we are qualifying "malicious" here narrowly to mean intent to steal or cause material damage, such as stealing personal information (credit card number, SSN, password, et al.) or computer resources (surreptitiously using your computer's CPU and memory), ransoming information by encrypting it and extorting a fee to release it, or damaging your hardware, software, or information for political or other reasons.

What's the spammer's motivation? To make a fast buck. Spammers want to drive traffic (customers) to web sites that sell shoddy, counterfeit, or even illegal services or merchandise. Sometimes the spammers own these web sites, and sometimes they are spamming-for-hire and make money by providing evidence to advertisers that they've emailed a large volume of email addresses. Another type of spam is "pump and dump" emails that hype junk stocks. Regardless of how they hope to profit, spammers don't care about the inconvenience to the user incurred along the way, or if they cause the recipient to buy something that's overpriced or even worthless. Spammers are unethical at the least and criminal at worst, and never offer a way to get off of their distribution list.

Phishing emails are deceptive and dangerous, present an imminent threat to the recipient and their organization, and can wreak havoc by unleashing software which can steal confidential information, hijack systems and networks, or open up back doors for intruders to survey an organization's digital assets for weeks, months, or even years. Phishing emails are an attempt to commit a crime, so they are by definition sent by cybercriminals.
Unlike junk and spam, phishing emails try to fool the recipient into believing the email is something it really isn't, such as a delivery notification, IT support alert, government notice, or any other urgent message, for the purpose of catching the recipient off guard and getting them to click on a malicious link or file attachment. Clicking will install a virus or other malware on the recipient's computer. Many people don't realize that most of the widely reported cyber breaches affecting Fortune 500 companies, nation states, and other high-visibility targets have had phishing emails as a key tactic employed in the attack.

Next, let's review what to look at when examining a suspect email.

Examine Indicative Message Elements

Inspect the following within the suspect email:

1. Sender's email address domain (after the @ sign): compare it with the purported sending organization mentioned in the email message.
2. All links in the email. The text you see in an email for a link is a description, not the underlying link. Hover your cursor over each link to reveal the actual URL address (don't click!).
3. Unsubscribe link: Is one provided and, if so, does the actual URL point to a legitimate or suspicious web site?
4. Language content, tone, and style used in the email body. Read the email and compare the tone, grammar, spelling, and style against your expectation for this type of email.
5. Email signature: the text at the end attributing the email to someone.

Now that you've assessed the indicative elements in the email, you can make a judgment as to its likely classification and then respond accordingly.

Determine Classification

Match Email Elements to Most Likely Email Type

Junk
  Sender's email domain (user@domain): Consistent with organization name in email body.
  Unsubscribe link: Provided, and points to legitimate web site.
  Web links (URLs): Re-directs to reputable web sites; accurate descriptions.
  Style/tone: Professional.
  Content: Standard business solicitation.
  Signature (attribution): Typically signed by an actual person associated with the organization.

Spam
  Sender's email domain (user@domain): May or may not be consistent with purported sending organization mentioned in email body.
  Unsubscribe link: Usually not provided.
  Web links (URLs): Re-directs to suspect business web sites.
  Style/tone: Sometimes sloppy and unprofessional; keywords may be hidden in image thumbnails to avoid spam detection.
  Content: Business solicitation which may be for counterfeit or disreputable products.
  Signature (attribution): Rarely signed by a real person, or anyone at all.

Phishing
  Sender's email domain (user@domain): Not consistent with business or organization name mentioned in email body.
  Unsubscribe link: If provided, points to malicious web site.
  Web links (URLs): Re-directs to illegitimate web sites or legitimate sites that have been hijacked; links are deceptively labeled.
  Style/tone: Tone is urgent; recipient advised to click immediately on links or on file attachment; attempts to appear professional, but often has spelling, grammatical, or terminology mistakes.
  Content: Tries to fool user by appearing to be consistent with stated purpose. Contains a payload of malicious software in links or file attachment.
  Signature (attribution): Usually signed with a generic team or department name. Advanced versions may use the name of an actual employee.
Respond According to Classification

Junk: Click on the Unsubscribe link (if provided); select Junk => Block Sender (when reading, or when the message is selected in the Inbox list).
Spam: Select Junk => Block Sender.
Phishing: Report to ITS (forward to IT@Framingham.edu).

Final Thoughts

There will always be exceptions: The classification taxonomy presented here is a guide based on common traits, so an email may not have all the aforementioned characteristics in a classification, yet still be within that family of emails. For example, for phishing identification, a very important clue is if the email domain (the part of the email address after the @ sign) is different from the organization purported to be sending the email. If it isn't consistent, then it is almost certainly phishing. For example, if the sender is supposedly a Framingham State University employee, but the email address is JaneDoe@Frammingham.edu or JaneDoe@Framingham.net, then the email is very likely phishing, because neither one of those matches our domain. But this is not always a reliable indicator: Phishers and spammers sometimes hijack legitimate email accounts for the purpose of sending out phishing and spam. The most reliable clue is if one or more links in the email, or the file attachment, has a malicious payload. Unfortunately, visual inspection is insufficient; it usually takes expertise and tools to determine if a file or link is malicious.

There is no one-size-fits-all response: What's effective is determined largely by the behavior and intent of the sender. Flagging a spam or phishing email as Junk (in order to block the sender) is often ineffective, since spammers change, obscure, and forge their sending addresses in an attempt to evade spam detection technology, but it can't hurt. Similarly, spammers don't honor unsubscribe requests, and clicking any link in a phishing email is risky, so unsubscribing is only a viable option for Junk email from legitimate businesses.
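As an added example (not part of the original document), a small Python triage helper that automates two of the checks described above: comparing the sender's domain with the organization's real domain (flagging lookalikes such as Frammingham.edu or Framingham.net) and comparing a link's visible text with the address it actually points to, while also noting whether an unsubscribe link is present. The expected domain, the lookalike similarity threshold and the sample message are assumptions constructed for this illustration.

```python
import difflib, email, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_DOMAIN = "framingham.edu"  # assumption: the organization's own domain
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple HTML bodies only

def hostname(url):
    # Hostname of a URL; link text without a scheme (framingham.edu/reset) gets one so urlparse can read it.
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def looks_alike(domain, expected):
    # Heuristic: same name under another TLD (Framingham.net) or a near-miss
    # spelling (Frammingham.edu). The exact expected domain is never a lookalike.
    if domain == expected:
        return False
    d, e = domain.split(".")[0], expected.split(".")[0]
    return d == e or difflib.SequenceMatcher(None, d, e).ratio() >= 0.85

def triage(raw_message):
    # Returns the list of suspicious findings for one RFC 822 message string.
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings, unsubscribe = [], False
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if looks_alike(sender, EXPECTED_DOMAIN):
        findings.append(f"sender domain {sender} imitates {EXPECTED_DOMAIN}")
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR.findall(body.get_content() if body else ""):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested inside the anchor
        unsubscribe |= "unsubscribe" in (text + href).lower()
        if URLISH.match(text) and hostname(text) != hostname(href):
            findings.append(f"link text shows {hostname(text)} but points to {hostname(href)}")
    if not unsubscribe:
        findings.append("no unsubscribe link")
    return findings

# Constructed sample: lookalike sender domain plus a deceptively labelled link.
SAMPLE = """From: "FSU IT Support" <helpdesk@Frammingham.edu>
Subject: Urgent: your password expires today
Content-Type: text/html; charset="utf-8"

<p>Re-validate your account now:</p>
<a href="http://login-reset.example.net/fsu">https://portal.framingham.edu/reset</a>
"""
```

A finding here is a strong indicator, but as the text notes a clean result does not prove a message is safe: hijacked legitimate accounts and malicious attachments still need expert review.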
Phishing emails are like a biohazard: they shouldn't be handled by a novice, so alert ITS and don't click on anything if you have a suspected phishing email in your Inbox. ITS also wants to know about phishing emails so we can alert our user community when either pernicious or persistent examples appear here. ITS has technologies that attempt to filter out spam and phishing emails, but they are not foolproof.

What should you do if you are unsure? ITS is here to help, so if you are still unsure about whether an email is a phishing email, don't click on anything in the message; just forward it to IT@Framingham.edu, or open an incident in myit and attach the email. ITS will examine the email and let you know if it is a phishing email. Confirmed and suspected phishing emails should be deleted from your Inbox, and then deleted again from your Deleted Items folder in Outlook, as there have been cases of users in other organizations recovering phishing emails from their Trash or Junk folders and clicking in them, with serious consequences.
Questions? Email IT@Framingham.edu.

Author: Bryce Cunningham, Director, Information Security, Information Technology Services, Framingham State University
Publication Date: 10/11/2017
Last Review Date: 10/11/2017