Spam filters have made it really easy to keep malicious emails out of your inbox, but they’re by no means impervious. If you need a reason to always exercise caution when opening an email, even one that got past security, you only need to look at email salting attacks.
Email Salting Attacks Hide Scams From Spam Filters
As reported by Cisco Talos, email salting attacks allow scammers to sneak their emails past spam filters and land them in your inbox. The attack works by adding junk text that confuses spam checkers, while rendering the email in a way that keeps the junk text invisible to the human reader.
When a spam filter checks an email, it digs through the email’s HTML code to see what it’s saying. You, the reader, don’t see the HTML; you instead see what the HTML creates when your email client or browser renders all that code into something more palatable for humans.
Email salting works by adding junk text into an email to break up the words. That way, the spam filter doesn’t “see” what the scammer is trying to do. However, the scammer uses sneaky tricks to make it so the junk text doesn’t appear when you read the email, leaving just the words they want you to read.
Here’s an example that Cisco Talos spotted: in this email, the scammer wanted to impersonate Wells Fargo. However, if they had simply written “Wells Fargo,” the spam filter would have detected and caught the scam attempt. Instead, the scammers inserted junk text inside the words “Wells” and “Fargo” and then styled that extra text with zero width.
That way, when the spam filter scans the email, it sees this:
WEqcvuilLLS FAroyawdRGO
But because the junk text has zero width, it doesn’t display when you read the email, leaving you with:
WELLS FARGO
Bam: now the scammer can impersonate Wells Fargo without the spam filter catching on.
Another example involves the scammer inserting Zero-Width Space (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between each letter of a word. Because they’re characters, the spam filter reads them when judging whether something is spam or not. However, because these characters have zero width, they don’t appear when the email is rendered, so you see the word just fine without any breaks in it.
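Both tricks described above (junk text hidden with zero-width CSS, and zero-width Unicode characters between letters) share the same weakness from a defender’s side: the text a human sees differs from the text a naive filter sees. The following Python script is an added example, not code from Cisco Talos or from the original article. It uses only the standard library, extracts the email text twice (once raw, once approximating what a reader sees by dropping hidden elements and zero-width characters), and flags brand names that only appear in the rendered view. The list of CSS properties treated as “hiding” and the three sample emails are constructed assumptions for the demo.

```python
import re
from html.parser import HTMLParser

# Zero-width code points: ZWSP, ZWNJ, ZWJ, word joiner, BOM/ZWNBSP.
# They count as characters to a filter but render as nothing.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Inline CSS fragments that hide text from a human reader (assumed, not exhaustive).
HIDING_CSS = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?![.\d])"
    r"|(?<![\w-])width\s*:\s*0(?![.\d])"
    r"|opacity\s*:\s*0(?![.\d])",
    re.IGNORECASE,
)

# Void elements never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class RenderedTextExtractor(HTMLParser):
    """Collect the raw text (what a naive filter sees) and the visible text
    (roughly what a reader sees: text inside hidden elements is dropped)."""

    def __init__(self):
        super().__init__()
        self.stack = []        # one bool per open tag: True if that tag hides its content
        self.hidden_depth = 0  # > 0 while inside at least one hidden element
        self.raw = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = bool(HIDING_CSS.search(style))
        self.stack.append(hidden)
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        if self.stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        self.raw.append(data)
        if self.hidden_depth == 0:
            self.visible.append(data)


def strip_zero_width(text):
    """Remove zero-width characters so the text reads as it renders."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def normalize(text):
    """Collapse whitespace and upper-case for case-insensitive matching."""
    return " ".join(text.split()).upper()


def salting_indicators(html, brands):
    """Compare the filter's view with the reader's view of an HTML email.

    Returns the brand names that are visible to a reader but absent from the
    raw text (the salting signature) and the count of zero-width characters."""
    parser = RenderedTextExtractor()
    parser.feed(html)
    parser.close()
    raw_text = "".join(parser.raw)
    rendered_text = strip_zero_width("".join(parser.visible))
    raw_norm, rendered_norm = normalize(raw_text), normalize(rendered_text)
    hidden_brands = [b for b in brands
                     if b.upper() in rendered_norm and b.upper() not in raw_norm]
    return {
        "brands_hidden_from_filter": hidden_brands,
        "zero_width_chars": sum(1 for ch in raw_text if ch in ZERO_WIDTH),
        "raw_text": raw_norm,
        "rendered_text": rendered_norm,
    }


# Constructed sample emails (not real messages) mirroring the two tricks.
SAMPLE_HIDDEN_SPAN = (
    '<p>Your WE<span style="font-size:0">qcvuil</span>LLS '
    'FA<span style="display:inline-block;width:0;overflow:hidden">royawd</span>RGO '
    'account is locked.</p>'
)
SAMPLE_ZERO_WIDTH = (
    "<p>Your W\u200bE\u200cL\u200bL\u200cS F\u200bA\u200cR\u200bG\u200cO "
    "account is locked.</p>"
)
SAMPLE_BENIGN = "<p>Your account statement is ready.</p>"
BRANDS = ["WELLS FARGO"]

if __name__ == "__main__":
    for name, html in [("hidden span", SAMPLE_HIDDEN_SPAN),
                       ("zero-width chars", SAMPLE_ZERO_WIDTH),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, salting_indicators(html, BRANDS))
```

Running the script prints, for each sample, which brand names a reader would see that the raw text does not contain. A real filter would apply the same rendered-view normalization before running its keyword and reputation checks, and could treat a non-zero zero-width count or any hidden-only brand match as a strong spam signal on its own.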
These examples demonstrate that you should never blindly believe an email, even if it dodges your spam filter and arrives in your inbox. Always double-check the sender and the content before clicking on any suspicious links, and check out these examples of fraud and phishing emails to watch out for.