Are you getting more unwelcome email lately? From junk emails, to annoying advertising, to malicious phishing, it can feel like the tools that keep our inboxes spam free aren’t working as well lately.
Johan Hammerstrom, our CEO, answers Carolyn’s questions about email safety. How do you know which unsubscribe links are legitimate, how do you flag spam, how do you report phishing emails?
Get some helpful and practical tips on cleaning out your subscriptions and protect yourself and your organization.
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Johan Hammerstrom’s focus and expertise are in nonprofit IT leadership, governance practices, and nonprofit IT strategy. In addition to deep experience supporting hundreds of nonprofit clients for over 20 years, Johan has a technical background as a computer engineer and a strong servant-leadership style as the head of an employee-owned small service business. After advising and strategizing with nonprofit clients over the years, he has gained a wealth of insight into the budget and decision-making culture at nonprofits – a culture that enables creative IT management but can place constraints on strategies and implementation.
As CEO, Johan provides high-level direction and leadership in client partnerships. He also guides Community IT’s relationship to its Board and ESOP employee-owners. Johan is also instrumental in building a Community IT value of giving back to the sector by sharing resources and knowledge through free website materials, monthly webinars, and external speaking engagements. He was happy to share his thoughts on email safety and spam in this podcast.
Carolyn Woodard: Welcome to the Community IT Innovators podcast. My name is Carolyn Woodard and I’m the Outreach Director for Community IT. And I’m happy to welcome Johan Hammerstrom, our CEO to our podcast.
Johan, I have been getting a lot of spam. It feels like I’m getting more spam recently and it’s clearly spam, but I’m wondering why is it getting through our spam filter and are there extra steps that I could take to protect my email?
Johan Hammerstrom: Great question. I’ve been getting a lot more spam as well. I think people are rightly concerned about the amount of unwanted email that they’re getting. And they want to know what they can do about it.
It’s important to understand the different types of unwanted email that we all receive, because each type of unwanted email has its own approach to preventing it. There’s no one size fits all solution to unwanted email because there are different types, and it’s helpful to understand those different types, both to protect ourselves from malicious email and to protect ourselves from annoying email.
I like to think of unwanted email like a matrix. There’s two axes.
The word spam is a term that has come to encompass all forms of unwanted email, but technically spam really only refers to bulk email that is sent to a large group of people that is commercial in nature. A lot of us get more spam in our personal email accounts than we do in our work email accounts.
We all get the “free electronic gadget” type emails that seem like scams, but they’re not. They’re promoting a product or service that you’re not interested in, and they are sending it out to a really wide audience. (It’s a marketing tactic.)
Carolyn Woodard: Could that also be something where maybe you did buy something from that store one time, and you had to give them your email, and then you get their emails forever?
Johan Hammerstrom: Well, that’s a good question. Technically, those are not considered unwanted emails because you have signed up for the service. At some point along the way you agreed to terms of service that included receiving future emails from that organization. For those emails, all you need to do is click on the link at the bottom of an email and there’s an unsubscribe button that will allow you to opt out. Any reputable email sender has that unsubscribe option and once you opt out of the email, you won’t get any emails from them anymore.
Often all of our email addresses are just out there, and there are unscrupulous senders who buy our email addresses and send us email. I’ve been getting one on one of my personal email accounts – “deep thoughts for the day” or something like that. I don’t know where they got my email address from. But it’s legitimate, there’s no link to trick me or social engineering. It’s just a real email newsletter I don’t want. I can unsubscribe from it and I did, but it’s just kind of bizarre to try to understand where did this come from?
Carolyn Woodard: But how do you tell? Because sometimes you get a spam email and it might look legitimate, and it might say “just click here to unsubscribe,” but you shouldn’t click there because it doesn’t unsubscribe you. It takes you to some site that’s got blinking lights and whatever. It’s not an actual unsubscribe button, it’s a malicious link. Is there a way to tell?
Johan Hammerstrom: You’ve got to use your best judgment. You know you signed up for something, and you can recognize it’s a legitimate email from a known address. You bought somebody something from Target and now you’re getting a bunch of emails from Target about all their deals.
Unsubscribe with caution because sometimes the unsubscribe button doesn’t work. And in those cases, you want to use the spam flag button in your email.
Google, Yahoo, personal email, and business email solutions like Outlook all have the ability to block senders. And in cases where you don’t know why you got on the list and it looks a little sketchy, you’re better off reporting it as spam.
Carolyn Woodard: Our CTO and cybersecurity expert Matt says to hover over or look at the address that it’s coming from. If it says that it’s from Target, but it’s actually from joe @ discountrecords.it or whatever, then you understand it’s not actually from Target.
Johan Hammerstrom: Exactly. You can use some of the anti-phishing skills that are important to develop. Those skills can be used against spam as well.
I think the key difference between spam and phishing is that spam is generally not malicious in the same way that that phishing is. It’s annoying, but it doesn’t really pose a major danger to you or to your organization.
Carolyn Woodard: That makes sense. When you say to report it, do you mean move it? There’s a button that you can say this email is junk, or is there something else you should do?
Johan Hammerstrom: It’s the junk button. This gets into the difference between bulk spam and targeted spam. Bulk spam is pretty easy to block because it’s email that’s getting sent out to millions and millions of addresses and the language in the email tends to be very generic. Anti-spam solutions essentially use a dictionary of known offending senders, known offending servers, known offending language. They are very effective at blocking these because the emails are obviously spam based on who’s sending them and the text in the email.
It is important to flag spam but generally speaking, your spam filter – whatever solution you’re using – should be pretty good at blocking these. The chances of you seeing “real” spam is pretty low because people report it and it gets blocked. (Email services like gmail and Microsoft also block “real” spam constantly to improve your inbox experience.)
The much more annoying “spam” is something that I think you and I have seen a lot more of particularly this year and those are unwanted targeted emails. Those are like “cold call” emails and just the other day I looked in my junk email folder and I get 15 to 20 a day, every day. Those technically aren’t spam because they’re directed at me as the CEO of a managed services provider. There’s a level of intentionality about them, unlike bulk spam which may be sent to millions of email addresses, the seller may be sending thousands of these emails, but only to likely prospects, perhaps to a purchased list of CEOs like me.
They are selling services that a managed services provider would be interested in purchasing. They’re offering small business financing that the CEO of a small business might be interested in obtaining. They’re completely unwanted. They’re extremely annoying. I don’t want to receive these emails, but they are legitimate. They all include text saying, “if you don’t want me to email you anymore, just reply and let me know.” I never do. I just don’t have time for that.
What I’ve found as an effective way of stopping those in Outlook is to use the Block Sender option. That automatically adds the sender to a block list that Outlook maintains on my individual account. It also provides information back to Microsoft indicating that this sort of cold call email is unwanted and shouldn’t be delivered to my main inbox.
Of the 15 to 20 emails that I’m getting a day, I would say two or three get to my inbox and the rest just automatically go into a junk email folder. Those emails are harder to block because they’re coming from a legitimate sender and they’re coming from someone who purchased my email address. My email is on multiple lists. I’ve been to MSP conferences. I’ve attended MSP-targeted webinars. In the process of doing those things, of just being in this business, my email has gotten on lists that end up getting sold to other people and sold to other people and that’s where these emails come from.
Those emails are legitimate in a sense, as annoying as they are. These emails are not dangerous, generally speaking. They’re technically not spam because they’re targeted.
They’re sales. It’s basically very aggressive, very annoying sales. And I don’t know why it’s gotten worse this year. Maybe AI has made it easier for people. The AIs are writing these emails. The AIs are figuring out how to get around the email filters, I don’t know.
Carolyn Woodard: Yeah, I wondered about that because I also get this, because I’m in marketing. I get emails like, “Do you need a video service? Do you need more marketing? Do you need this? Do you want to buy this list to be able to sell to this email list?”
I feel like over the past six months or so it’s gotten a lot worse. I wondered if maybe there are new services, AI services, or the memo went out to all the marketers out there, that this is an easy way to cold call thousands of people at once. And the memo didn’t mention how annoying it is. I guess for marketing, if one person clicks and says, “I WOULD like that service, make me a video,” then it’s worth it to the sales person on the other end. I do feel sorry for them. But I also feel annoyed by them.
Johan Hammerstrom: I do. I sympathize with what they’re trying to do because we are also a business, but we don’t do that. A lot of businesses don’t and they still are very successful as businesses. So it’s not necessary. They wouldn’t do it if it didn’t work. Somebody is responding to those emails, but I do not. I found that the junk email filter works pretty well. And Microsoft is also a big player in the AI space. So maybe the cat and mouse game of using AI to block these emails is going to start ratcheting up.
Carolyn Woodard: But tell me about malicious emails. What should you do when you see something that clearly is malicious? It used to be “Your CEO wants you to buy some gift cards because they don’t have time,” or what have you. And I know there are new scams coming out all the time. What do you do when you see something like that, that sets all of your alarms off? You immediately realize, “I should not click on this link.”
Johan Hammerstrom: Just as there’s two kinds of annoying email, the targeted email and the mass produced general email, there are also two kinds of malicious email.
There’s targeted malicious emails and there’s mass produced malicious emails.
There’s really two kinds within that, two kinds of malicious email.
There’s emails that are trying to get your credentials and those are known as phishing attacks.
And there’s emails that are trying to defraud you. Those are known as fraud attacks.
The phishing attacks are pretty obvious to spot once you’ve been trained on how to recognize them. They say things like “Your HR department just released a new 401(k) plan, click on the link here to sign in,” or “Your shipment is waiting to be delivered and it can’t be delivered until you sign in and authorize the delivery.” Or “Because your mailbox is full you need to login and authorize an increase in the size of the mailbox,” and on and on and on.
They’re very generic messages. They pretend to be from a legitimate source and they cause you to click on the link and by clicking on the link, it takes you to a fake site that the malicious actor is hosting and then they phish you into entering your credentials on that fake site.
You put your username and your password in, thinking that it’s your legitimate email site, and now they have your credentials and your credentials have been compromised. That’s a generic phishing attack.
Those are dangerous and your organization needs to be on guard against them, but through proper training, staff can really come to identify those. We’ve seen over and over again that with a good training regimen, organizations go from being 40% click prone – that is 40% of their staff are prone to click on a phishing attack – down to 5% click prone. That’s a huge increase in the security of an organization
That improvement happens relatively quickly through a solution like KnowBe4, a security awareness training solution that combines both short and fun security training videos and quizzes and exercises with simulated phishing campaigns to test the organization, your proneness to falling for a generic fishing campaign.
Carolyn Woodard: And when you do, if you did click on that and enter your information, the solution is to change your password right away. Once you’ve done that, then you’ve cut them off from being able to access your account, unless you’ve used that password somewhere else. If you have reused that password you may have problems, because they’re going to take your login and password and try that password on different sites where you might have some access. So that’s why not to reuse passwords, but also if you change it right away, that gives you some protection. Is that right?
Johan Hammerstrom: Exactly. Don’t ever reuse passwords and that’s why, because if one of your passwords accidentally gets out, then it’s only that one system that’s compromised.
If you think you’ve been phished, you do want to let your IT know as soon as possible. There’s really no shame in getting phished. It happens. Obviously, it happens a lot. That’s why these attacks continue to be perpetrated.
The sooner you report it and the sooner the mitigation steps can start happening, the more the damage can be contained. If you think you’ve been phished, let your IT department know right away.
One of the big questions people have is “should I report all of the phishing emails that I get? Should I report all the spam that I get to the IT department?” The answer is going to vary from IT department to IT department. Check with your IT department and see what they want you to do. I’m guessing that most IT departments probably don’t want you reporting ALL of the spam that you get. We know there’s a lot of spam out there. They may not want you reporting the general phishing attacks, either, because there are a lot of those. It’s really important to recognize them and delete those emails. A good spam filter will prevent a lot of generic phishing attacks.
The bigger danger is with the targeted attacks. Spear phishing is a targeted version of phishing. It’s usually done by a malicious actor that is targeting your organization. They do their homework. They know something about your organization. They know something about the staff at the organization, the work that it does. They probably know many of the systems that you use, Microsoft, Salesforce, Zoom. They craft an email that is much more specific to your organization. We have been spear phished. A lot of MSPs get spear phished. Those are the most important to report to your IT department because they could be an early indicator of a concerted attack by a malicious actor against your organization.
I remember I got a really well-crafted spear phishing email and sent it to our chief technology officer. He detonated it. Most IT departments have a safe detonation environment where they can open the link and check on it. He detonated it and it took him to a page that looked very similar to our email login. It had our logo on it. They had scraped our logo from our website and built a spear phishing site that was highly targeted, highly specific.
Those are very dangerous individualized attacks because while most generic phishing attacks are pretty easy to detect, spear phishing attacks are designed to fool organization staff into thinking that they are on a legit site. You really need to be on guard.
Luckily, the same sort of mitigation training that works against regular phishing also works against spear phishing. But you also want to report those to your IT department. Targeted attacks are easier to block because they’re coming from a known actor and you can just block all of the email from that known actor for your entire organization. That’s another reason why reporting targeted attacks is important.
Carolyn Woodard: That sounds a little bit more like a longer con or more like they’ve spent more resources on getting your logo and setting up the fake site. That’s also what they use for wire fraud attempts. Can you talk a little bit about email scams trying to get you to transfer money?
Johan Hammerstrom: Phishing attempts all involve links to malicious sites, links to sites that are trying to harvest your credentials. But the wire fraud emails tend to be more like a regular con, like someone calling you on the phone and telling you that you’ve won the lottery and in order to claim your prize, you just need to provide your bank info so they can deposit the money in your account. That’s just a regular con and those cons are now often perpetrated through emails and people get familiar with these types of emails.
One of the most common ones is an email sent to someone in the finance department from someone pretending to be the CEO saying, “Can you go buy gift cards and send me the gift card numbers, because I need to get these out to our clients right away?”
Those fraud attempts can be generic in nature. You could have a malicious actor just sending a generic email like that to a large number of organizations, hoping to get someone to fall for it. Or they can be more targeted. The more targeted they are, the better they are at spoofing the person that they’re trying to impersonate. If it’s a generic attack, it may just say “CEO” with a Gmail address. And for people who aren’t paying attention, they may fall for that and go out and buy the gift cards.
Especially in this day and age, most people have become more savvy and they aren’t going to fall for that. But it’s possible to send an email using the name and the email address of an executive at an organization. That’s more credible and it’s more likely that someone will fall for that. There is a really good solution for blocking those sorts of emails, and it’s called impersonation protection. It uses AI. It essentially scans your mailbox, very quickly in real time, and it can identify emails that pretend to be from someone else in the organization that aren’t really from them.
Impersonation protection solutions are very effective at blocking those sorts of emails. If your organization is getting a lot of these fraudulent spoofing emails, impersonation protection can be a very effective solution. Those emails are also good to report because the reported email can be used to better tune the impersonation protection system.
Malicious actors, particularly ones that are targeting an organization, if they don’t get what they’re looking for from the first person they reach out to, they’ll reach out to somebody else in the organization. So if you let your IT department know, they can put everybody on alert, “Hey, we’re being targeted by this malicious actor.” Usually the goal is either to get you to buy something like a gift card and then give them the thing that you’ve bought, or to get you to wire them money or to harvest your bank information.
Carolyn Woodard: Well, thank you, Johan, so much. Those tips were all so helpful, and I think will help us really protect our inboxes. Thank you.
Johan Hammerstrom: It’s my pleasure.
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about your email safety and spam, you shouldn’t have to worry about understanding your provider.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Join Nura Aboki and Jeff Gibson in a webinar exploring what IT policy documents you need, and how to create or revise them for your nonprofit. May 15 at 3pm Eastern, Noon Pacific
Fill out the form below to request a quote. We’ll be in touch shortly to discuss your needs and take the first step toward better nonprofit IT.