Spam is annoying. It is defined as email that tries to sell you a product or a service. It is junk mail, much like the junk mail delivered by postal or distribution services, which goes directly into the trash. Phishing, on the other hand, presents a very different threat. The recipient of a phishing attack could give up sensitive information such as personal details, credit card or social security numbers, or even username and password combinations.
Others may fall for attacks that insist they download malicious content that installs dangerous software or keystroke loggers on their system. I have in my previous role seen organisations receiving messages alerting accounting to perform urgent payouts (from Management), which were cleverly disguised as internal emails.
If your IT security team receives an alert that someone received, and fell victim to, email spam, the right response is to investigate the email and see how they can configure the spam filters to prevent further messages from being delivered. Doing so successfully means they are able to save the organization money, time and frustration.
If a phishing attack is reported, the security team’s response should be very different. While it is important to block future attacks, the first responder needs to perform a risk analysis. Did the email recipient click a link, download an attachment or give up information? If so, those threats need to be dealt with immediately in order to contain the spread of malware/infections or protect the integrity and confidentiality of your organisation, and potentially also to alert important customers and/or partners.
It is important to protect your users against both scenarios because they disrupt the normal flow and work of your organization. By implementing a structured approach, you will protect your users against all email-borne threats (by using technology) and at the same time spend time distributing and communicating educational information on how to stay safe in time to come. The first line of defence is always education.