The Cybercriminal's Favorite Tool Might Surprise You
When people think about cybercrime, they often picture shadowy hackers armed with complex code, supercomputers, and Hollywood-level gadgets. But the truth is far less glamorous—and far more alarming. The tool most cybercriminals rely on isn’t some sophisticated piece of technology at all. In fact, it’s something so common and deceptively simple that you probably encounter it every single day.
Spam: Still Number One With Crooks
It's been almost 50 years since the first spam email was sent, and it's still the favorite tool of crooks and criminals online. A report from security group F-Secure says that spam is the most common method used to distribute malware, phishing attacks, malicious URLs, and scams. Read on to learn the tell-tale indicators of malicious emails, and the true origin of spam...
You've got software to protect your computer from viruses, spyware, ransomware, and rogue websites. You're careful to keep all your software up to date. Your identity theft spider sense tingles with every suspicious phone call. But then that innocent-looking email pops into your inbox. It appears to be from your friend, your bank, or your favorite online store.
I got one recently that said “A user has just logged into your Facebook account from a Samsung S25 device. We are sending you this email to verify that it is you. Thank you, Facebook Team.” It looks very much like the actual account warnings that Facebook does send out. The subject line says “Please respond immediately.”
So you click, and you've been had. Because of the sense of urgency created by this message, one might ignore the fact that it was sent from “ebxjwwptsoqwvbbqjivcqpoduuxdur.com.au” (clearly not Facebook HQ) and that there were 50-odd sketchy addresses in the Reply-to header.
Spam is still the most effective attack vector for hackers and online criminals, according to research from F-Secure. They reported that phishing, spam, and other email threats were the source of 51% of all attempted malware infections. Hopefully you were not in the 51% Club.
Fear and Familiarity
Cybercriminals capitalized on fear and confusion during the Covid-19 pandemic, and continue to use malicious email attachments containing infostealers – malware that steals passwords and other sensitive information. Facebook, Chase Bank, Microsoft, PayPal, and Bank of America are among the most frequently spoofed brands. As usual, cybercriminals are taking their cue from water -- by traveling along the path of least resistance.
F-Secure says these phishing campaigns are effective because users are already accustomed to receiving notifications... failure of delivery emails, alerts for hitting storage limits, requests for reactivation, or package delivery notifications, and ‘update your password’ emails.
Keep in mind that spam and phishing can take the form of text messages as well as email. I wrote about bogus "account services" and package delivery scams in [SCAM ALERT] Smishing is Getting Worse (what you need to know and do).
As software vulnerabilities are closed and anti-malware suites grow more capable, spam becomes relatively more effective compared to hacking and exploitation of software vulnerabilities. Spam still is infinitely scalable, too; it costs nearly nothing to blast out millions of spam emails from a compromised machine, and spambot networks of thousands of slave machines are commonplace.
While success still depends on spewing out millions of spam emails to get a handful of “bites,” spammers are constantly refining their techniques and improving their batting averages.
Why Do People Click?
According to F-Secure, here are some clues as to what makes phishing spam successful:
- The probability of a recipient opening an email increases 12% if the email claims to come from a known individual
- Having a subject line free from errors improves spam’s success rate by 4.5%
- A phishing email that explicitly states in its call to action that it is very urgent gets less traction than when the urgency is implied
Most users have finally learned not to click on email attachments sent by strangers, or any attachment that comes unexpectedly. (Hopefully that includes you!) So more phishing emails include URLs instead; people are still conditioned to click on links to see where they go, especially if the link says “click on this link...”
The link often does not lead directly to a malicious site, but to an innocuous site that redirects traffic to a malicious site. That way, the bad guy avoids detection by automated analysis software that previews links and compares them to known malicious URLs.
Here are some of the most common phishing tactics:
- The Fake Tech Support scam: An email arrives with a warning that your computer has been compromised with malware, and directs you to click a Norton or McAfee link to scan your computer, or call a bogus Microsoft Tech Support phone number.
- The Suspicious Activity scam: An email claiming to be from your bank says there is suspicious or unusual activity on your account. It may ask you to respond with your username and password.
- The HR/IT scam: You get an email that appears to be from your employer's Human Resources or IT department. You may be directed to update employee information, or download an app.
- The UPS/Fedex/USPS scam: An email or text advises you that a package cannot be delivered due to incorrect shipping information. You are urgently advised to click a link or your package will be returned or discarded.
- The Amazon/Apple scam: A message informs you that you've ordered some expensive item from either Amazon or Apple, and asks you to login and confirm the purchase.
In every case, a careful examination of the sending address, or a phone call to verify the sender will reveal that it's unwise to continue. Never trust the phone number or email address provided in the message.
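The header checks from the fake Facebook alert described earlier (sender domain versus claimed brand, the crowded Reply-to line, the urgent subject), as an added Python example that is not part of the original article. The brand-to-domain table, both sample messages and the `security@` mailbox name are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: brand -> domains it legitimately mails from (extend as needed).
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"},
                 "paypal": {"paypal.com"}}
URGENT_WORDS = ("immediately", "urgent", "verify", "suspended")

# Constructed sample modelled on the article's fake Facebook alert.
SAMPLE_PHISH = (
    'From: "Facebook" <security@ebxjwwptsoqwvbbqjivcqpoduuxdur.com.au>\n'
    "Reply-To: a1@example.net, b2@example.org, c3@example.com\n"
    "Subject: Please respond immediately\n\n"
    "A user has just logged into your Facebook account. Facebook Team\n")
# Constructed benign counterpart.
SAMPLE_REAL = (
    'From: "Facebook" <security@facebookmail.com>\n'
    "Subject: Login alert\n\n"
    "We noticed a login to your Facebook account.\n")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def matches(domain, allowed):
    # Exact match or subdomain; "evil-facebook.com" must not pass.
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_headers(raw):
    """Return finding codes for one raw message (headers plus text body)."""
    msg = message_from_string(raw)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    body = "" if msg.is_multipart() else msg.get_payload()
    claimed = f"{display} {body}".lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claimed and not matches(sender_domain, allowed):
            findings.append(f"brand_mismatch:{brand}")
    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    if len(reply_to) > 1:  # ordinary notifications name at most one
        findings.append(f"reply_to_count:{len(reply_to)}")
    if any(domain_of(a) != sender_domain for a in reply_to):
        findings.append("reply_to_domain_differs")
    if any(w in msg.get("Subject", "").lower() for w in URGENT_WORDS):
        findings.append("urgent_subject")
    return findings
```

The From header is not authenticated, so these checks only catch careless spoofing; they complement the SPF, DKIM and DMARC results recorded by the receiving mail server rather than replacing them.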
Another technique I've seen lately is a quick email asking "Sorry to bother you, do you order from Amazon?" If you engage with this scammer, he or she will spin a tale of how they had a problem buying an Amazon gift card for a sick friend's birthday, and ask if you would kindly do so, with a promise that you'll be reimbursed. I can't imagine who would fall for that obvious scam, but apparently there really is a sucker born every minute. A variation on this theme is an unexpected one-liner email that says something like "Hey, how are you?" or "I missed your call." Responding to this message will lead you down a path where the sender attempts to befriend you and then the scam unfolds.
A BIT OF HISTORY: I mentioned in the opening of this article that the first spam message was sent over 4 decades ago. That happened in May 1978 when a marketing executive for Digital Equipment Corporation sent an unsolicited email to 397 ARPAnet addresses, with an invitation to a product demonstration. The term "spam" was not applied to unsolicited messages until April 1993, and according to Wikipedia, is thought to derive from a Monty Python comedy sketch "in which a group of Vikings sing SPAM, SPAM, SPAM... at increasing volumes." It was adopted to refer to "unsolicited commercial electronic mail sent to a large number of addresses, in what was seen as drowning out normal communication on the internet." So now you know.
F-Secure includes tips for security-conscious people in its security blog. Some recent topics include ransomware, stalkerware, and account takeover. F-Secure predicts that the use of phishing tactics as a lure, using office documents as an infection vector, and the use of cloud services to host malicious content, will likely continue.
The good news is that with education and software, we have eliminated or limited many malware attack options to spam. The bad news is that spam still works. My best advice: Think twice before you click.
Your thoughts on this topic are welcome. Post your comment or question below…
This article was posted by Bob Rankin on 22 Aug 2025
Article information: AskBobRankin -- The Cybercriminal's Favorite Tool Might Surprise You (Posted: 22 Aug 2025)
Source: https://askbobrankin.com/the_cybercriminals_favorite_tool_might_surprise_you.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "The Cybercriminal's Favorite Tool Might Surprise You"
Posted by:
Dave McC
23 Aug 2025
Americans learned years ago how to deal with the daily deluge of advertising that the Post Office helpfully deposited in the metal box bolted to the front of your house next to the front door. Straight from metal box to kitchen trash can was pretty much how everyone dealt with it. Now email and, increasingly, phone message apps are the modern day equivalent of the front porch metal box. Until people re-learn how to toss the junk mail into the email trash can, the spammers will continue to flourish.
A lot of email providers do a pretty good job of filtering out the junk and spam - I can't remember the last time I got a spammy email on my gMail account. A couple of years ago my ISP (Cox) dumped its email service over to Yahoo (seriously Cox, Yahoo?). Cox did a pretty good job of filtering out the spam, but I now get anywhere from six to ten spams a day on Yahoo (hey Yahoo, you can stop anytime sending me ads asking me to upgrade to your "Premium" email service for 10 bucks a month).
Posted by:
Bon
23 Aug 2025
I got an email saying I had to update jpg app or I wouldn't be able to open any attachments in the future. I get a lot of attachments from my church. After that I got a nasty virus on my Kindle that just took over with apps that blocked out anything I tried.
Posted by:
misterfish
23 Aug 2025
Think twice before you click? Better advice - never click.
Posted by:
Phixer
23 Aug 2025
In the UK I can report these emails to report@phishing.gov.uk.
'The National Cyber Security Centre (NCSC) is a UK government organisation that has the power to investigate and take down scam email addresses and websites.'
Do you have anything similar in US?
Posted by:
Jim
23 Aug 2025
Yep, phishing email can be reported to:
reportphishing@apwg.org
I did this for a while (not spam) but the result was I started receiving triple the phishing emails I was previously receiving. Spammers monitoring this activity for active email addresses?????