"How many email messages did you open this month? A few dozen, a few hundred? It's hard for you to know," said Paul Everton, founder of email security company MailControl. "But marketers and hackers probably know."
Spymail is email with hidden embedded trackers that log recipient data like reading habits, keywords, and demographic and psychographic information. Though many email trackers are used for legitimate purposes, malicious spymail has emerged as a big problem for business. According to a June 2016 FBI report email scams have inflated 1,300% since 2015, resulting in $3 billion in losses by more than 20,000 companies. MailControl's internal data indicates that 40% of all email contains tracking code, and nearly 1% of that code is "high risk."
In addition to adding cost, Everton explained, spymail trackers can increase liability, expose corporate data, and help pretexters and phishers by revealing employee behavior and protocols.
SEE: How risk analytics can help your organization plug security holes (Tech Pro Research)
According to a MailControl study in 2016 the majority of spymail is or appears to be legitimate email. "It's not caught by spam filters because it's not supposed to be." MailControl's software detects a diverse array of email and spymail trackers and provides the company with insights about the email ecosystem.
Spymail commonly tracks how many times an email is opened, if and how readers engaged with email links, the device used to read the email, and the location of the recipient. The company found that spymail is frequently used to customize phishing messages for specific targets.
Everton pointed to the Clinton campaign email hack as an example. Hackers allegedly fooled and phished campaign staffers after studying their personal Gmail habits. "Phishing tactics today are pretty sophisticated," he said. "Even though most people know to avoid downloading attachments and clicking links in email from unknown senders, [phishing email] often looks legitimate because it's been customized for the recipient."
MailControl's data found three primary email tracker types:
Bulk Marketing trackers
Examples of legitimate email trackers include Constant Contact and MailChimp. These applications are used for email marketing campaigns and generally monitor reader response rate. Company tracking methods are generally disclosed to the public.
Behavioral Marketing trackers
Like Bulk Marketing trackers, Behavioral Marketing is above the board and tracks email and web behavior using cookies. These trackers gather data used to serve custom advertising.
Individually Targeted trackers
These trackers are created for a single target or a small list of specific recipients. Information gathered by these trackers can be deep and detailed. Data from these trackers is often combined with other analysis tools to create a detailed profile of the target.
SEE: Russian hack almost brought the U.S. military to its knees (CBS News)
Everton advised that "the safest course [for business] is to disable hidden tracking for all inbound business emails, regardless of source or tool." Companies should also perform routine cyber-awareness employee training, establish protocols for approved mobile applications, and always be skeptical of all inbound email.
"The best thing you can do is be aware that even though email feels like an island apart from the rest of the web, it's just as vulnerable to monitoring and crude hacks," Everton warned. "The more you know about your email the better."
- Experts predict 2017's biggest cybersecurity threats (TechRepublic)
- Poll: What new cybersecurity trends will dominate 2017? (TechRepublic)
- 2017 cybercrime trends: Expect a fresh wave of ransomware and IoT hacks (TechRepublic)
- Visualizing the Russian cyberattack (TechRepublic)
- Gallery: The 10 biggest business hacks of 2016 (TechRepublic)
- Interview with a hacker: S1ege from Ghost Squad Hackers (TechRepublic)
- Interview with a hacker: Gh0s7, leader of Shad0wS3c (TechRepublic)
- Five essential cybersecurity audiobooks (TechRepublic)
- Five essential cybersecurity podcasts for IT professionals (TechRepublic)
- Cyberwar: The smart person's guide (TechRepublic)
- How to safely access and navigate the Dark Web (TechRepublic)
- IT Security in the Snowden Era (ZDNet)
- Russia's role in political hacks: What's the debate? (CNET)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.