Think email threats are a thing of the past? Think again

With advanced zero-day attacks and exploit kits grabbing headlines, you might think that spam and other email threats were falling out of favor with hackers. But these attacks are still popular, partly because they’re such effective and cheap ways to get valuable data. 


Symantec’s annual Internet Security Threat Report (ISTR) covers a lot of ground. Over the course of 80 PDF pages, it does a deep-dive into pretty much every modern security concern.

You’d be excused for overlooking the email section to get to some of the juicier stuff. But that could be a critical mistake. Here’s what the experts found.

Spam and phishing threats are down

The overall spam rate (the percentage of emails in a given inbox that are spam) is down for the third straight year. In 2015, just over half of email (53%) was spam. Consider that in 2013, that was closer to two-thirds (66%). So clearly, this method of attack would seem to be on its way out.

It’s the same with generic phishing attempts. While one in every 392 emails sent in 2013 was a phishing attempt, that dropped to one in every 1,846 in 2015.

If all this seems to be adding up to email no longer being a threat, think again: It’s not that hackers are no longer targeting electronic messages. They’re just doing it in more efficient ways.

More precise spearphishing

Take spearphishing, for instance. Rather than generic attempts to try to fool users into revealing personal information or company secrets, these targeted attacks go hard after small groups within organizations. And they’re becoming massively more popular and refined.

In the past two years, spearphishing campaigns launched against companies have nearly doubled. They’ve seen a 55% increase from 2014 to 2015 alone. However, these attacks have also:

  • decreased from 23 recipients per campaign in 2013 to an average of 11 in 2015
  • gone from an average of 29 email attacks per campaign to 12 in 2015, and
  • taken two fewer days on average to complete.

What that means: Hackers are setting their sights on specific targets and going after them in a more ruthless, efficient way.

Whereas they once went after several high-ranking officials, they’re now zeroing in on the ones who have the most information to give or pose the most attractive targets. And they’re not overloading systems with phishing emails or prolonged campaigns that would raise red flags for users or IT. Instead, they’re moving quickly to get the information or objectives they’re targeting.

What IT should do

Perhaps the biggest takeaway from all of this is that while you’re securing the perimeter, don’t forget about email and the human element.

In order to keep harmful messages at bay, be sure you have measures in place to scan for malware. But given that the most common malicious attachments were .doc files (55.8%), .xls (15%) and .zip (8.7%), scans alone may not be enough to detect harmful attachments.

In other words, as is so often the case, it comes down to the security awareness of your own people.

Make sure users know not to open attachments or emails from senders they don’t know and trust. And remind them that before sending anything with valuable information they should step back and consider whether they would hand hard copies of the information to someone who asked for the very same thing.
