As you might already know from our Wombat Advantage program, we are very customer focused; we actively seek opportunities to engage with — and learn from — our customers, and we also actively ask for feedback from the program administrators who use our security awareness training products.
As part of that customer engagement, we sometimes receive requests for certain pieces of content, including resource materials and even blog posts. One request we’ve received in the past is to develop content that helps users understand the differences between spam and phishing emails. Our question back to those who request that topic is: In the end, does it really matter when it comes to email hygiene?
The Waters Are Murkier Than They Seem
We’ve seen a number of sources that seem to equate spam to “nuisance email,” defining it as unsolicited bulk mail that doesn’t attempt to procure sensitive information.
Sorry, but that definition is so 2008.
The reality is that trying to teach users the distinctions between spam and phishing is a losing proposition because the differences are as clear as mud. This excerpt from the Kaspersky Labs website is a great example:
Spam is the electronic equivalent of the ‘junk mail’ that arrives on your doormat or in your postbox. However, spam is more than just annoying. It can be dangerous – especially if it’s part of a phishing scam.
Spam emails are sent out in mass quantities by spammers and cybercriminals that are looking to do one or more of the following:
• Make money from the small percentage of recipients that actually respond to the message
• Run phishing scams – in order to obtain passwords, credit card numbers, bank account details and more
• Spread malicious code onto recipients’ computers
So…spam can be spam, but spam can also be phishing. That means your end users are likely to enjoy a "spam vs. phishing" lesson about as much as you’ll enjoy answering the questions that spring from it.
Your Education Efforts Are Better Spent Elsewhere
In our opinion, rather than attempting to teach your users to sort phishing emails from spam emails, you’ll see more benefit from educating employees about the potential dangers of interacting with any unsolicited message. Whether it (ultimately) comes from a reputable source or not, an unknown message should always be treated as a possible phishing email. That is the more effective (and more straightforward) path to improving phishing awareness and reducing successful phishing attacks.