The digital tools we all use every day have gotten impressively smart: Google’s spam filter, for example, has gotten so good that most Gmail users very rarely see true spam messages anymore. In my own Gmail account, real spam messages show up so infrequently in my inbox that it’s actually a surprise to see them when they do get through.
It’s only because our digital tools have gotten this good that their intermittent failings are so frustrating. Back in the ’90s and early 2000s, voice transcription was pretty terrible, and users kind of just expected it to be terrible. But now that it’s pretty reliable, we all get frustrated when it substitutes something like “potatoes” for “OK, sure.”
It’s a fair question. There are several reasons why this is challenging to get right, and we’ll outline those below.
Filters Stop More Than You Might Think
The first point we want to clarify is that existing spam filtering technologies do stop quite a few phishing emails, perhaps more than you might think. Yes, some still get through, and we’ll talk about the reasons why in the sections that follow. But plenty do get stopped.
If you’re a Gmail user, go ahead and pull up your inbox. Click on the Spam category and take a look at what’s there. Google has filtered out all sorts of junk, but it’s not all straight-up spam. Right now, I see emails from “CVS” and “Kroger” in my spam folder (not to mention \*CapitalOne\*, asterisks and all, and the occasional fake lawyer or Nigerian prince).
Now, by the subject line alone, I can tell they aren’t legit. They’re phishing expeditions. The point here is that good quality spam filters can and do stop phishing emails every day. They don’t stop them all, and the ones aimed at corporate accounts tend to be a bit more sophisticated. But filtering tech as it exists today still plays a role in stopping phishing attacks.
Phishing Emails Masquerade As Normal Emails
Virus emails are easy to spot. They have sketchy attachments, usually executables, which are scannable and blockable. Others have links that trigger downloads to the computer. Those links are also easy to identify, and corporate systems can easily block automatic downloads. But phishing emails? They just look like normal, everyday emails. There isn’t much about them (the well-made ones, at least) that an automated system can see as being different from the dozens of legitimate emails you get every day.
Phishing emails do contain links, but the links themselves aren’t malicious. They just take you to a regular web page, one that itself isn’t doing anything malicious either. It’s just sitting there, waiting for you to enter information. There’s no way your email spam filter can proactively click the link, navigate to the website (which looks normal from a code perspective) and make a determination on the legitimacy of the landing page. We just aren’t there yet.
So, because phishing emails look just like regular emails, even the best corporate spam filters struggle to catch and block them all.
Phishing Landing Pages Are Hard to Catch, Too
We alluded to this in the previous section, but the links in phishing emails send users out to phishing landing pages. These landing pages are also hard to catch. They look like normal websites, and they aren’t actively doing anything wrong. They aren’t trying to run scripts or launch downloads or mine data.
They just sit there, waiting for you to enter your login credentials. In this way, they look just like legitimate login pages, as far as most automated systems can tell.
Server Impermanence Makes Tracking Difficult
Despite the challenges listed above, digital security tools can and do flag servers and domains as illegitimate. A particular phishing landing page and the server it sends its data to won’t work for long. As soon as a real human discovers the ruse, the phishing servers and domains are reported as malicious. At this point, spam filters and virus detectors can stop schemes using those “known bad” servers and domains. This method accounts for some percentage of the phishing emails that do get blocked.
Unfortunately, savvy bad actors won’t be stopped in this way. The people running successful phishing schemes don’t need a particular scheme to work forever. They will run a scheme and deploy it on a server for a short time. After they collect enough information, they disconnect the server, which will never be seen again online. All they need to do is get enough users to give up their key login information, and the damage is done. They dive into those accounts, downloading everything they can and generally wreaking havoc. No amount of blocking their (now nonexistent) server and domain can stop the damage at this point.
For a deeper understanding of just why phishing attacks are so dangerous, read our post, Why Is Phishing So Dangerous?
Lastly, some phishers will register a lookalike domain, one that looks very similar to the company they are impersonating. This last tactic isn’t particularly likely to fool spam filters more than other approaches, but it’s very good at fooling humans.
Here’s an example. Let’s say your company uses Microsoft 365 (formerly Office 365) for its corporate email. Users may be accustomed to going to outlook.office365.com to log in via web browser. In that scenario, a phisher targeting your Office credentials might buy up the domain office385.com (assuming Microsoft hasn’t already bought it preemptively) and send a phishing email whose link routes you there.
If you don’t look too closely and they build a convincing enough login page, you might have a hard time detecting the phishing scheme.
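As an added illustration of the two detection routes this post describes, blocking reported “known bad” domains and spotting lookalikes of a protected domain such as office385.com standing in for office365.com, here is example Python that scans the links in a message body. It is not code from the original post; the domain lists and the sample message are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample lists for this example (not from the post or any real feed).
PROTECTED_DOMAINS = {"office365.com", "microsoft.com"}
KNOWN_BAD_DOMAINS = {"reported-phish.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def edit_distance(a, b):
    # Levenshtein distance; 1 means a single substituted, inserted or dropped character
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    # Last two labels only; enough for the sample domains, not for multi-part TLDs like co.uk
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_host(host):
    host = host.lower()
    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return "legitimate"
    if domain in KNOWN_BAD_DOMAINS:
        return "known_bad"      # the reported-server route described in the post
    for good in PROTECTED_DOMAINS:
        if edit_distance(domain, good) <= 1:
            return "lookalike"  # office385.com is one character away from office365.com
        if f".{good}." in f".{host}.":
            return "brand_in_subdomain"  # e.g. outlook.office365.com.evil.example
    return "unknown"

def scan_email_body(body):
    # Returns (url, verdict) for every http(s) link in the message text
    return [(u, classify_host(urlparse(u).hostname or "")) for u in URL_RE.findall(body)]

# Constructed sample message
SAMPLE_BODY = """Your mailbox is almost full. Sign in at
https://outlook.office385.com/login within 24 hours, or use
https://outlook.office365.com/ if that link fails."""

if __name__ == "__main__":
    for url, verdict in scan_email_body(SAMPLE_BODY):
        print(f"{verdict:18} {url}")
```

The first link in the sample is flagged as a lookalike while the second, which points at the real domain, passes; a real mail gateway would back the edit-distance check with a fuller public-suffix list and a live reputation feed.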