Seriously though, while the worldwide spam volume seems to be trending down since a peak over 70% in 2014, rates were trending up in the first quarter of 2016 and the percentage of email that is spam or malicious is well over 50%.
Email, along with malicious files on websites (whose links are usually delivered through email!), continue to be the top malware vectors.
In fact, attackers don't even need to use their best, or most complex, attack methods. It's far more cost-effective to send out random or targeted email, or to place random malicious files on websites and email out the links. Remember, most cybercrime is economically motivated. It's a business and the goal is ROI (return on investment). And business is good.
It's a big problem because we are fundamentally trusting beings. I've always believed that people want to do the right thing. When it comes to people, we should assume positive intent.
However, email is not a person.
Most email isn't even sent from people, it comes from bots - some are automated mailings you subscribe to, most are not. "Bots" is short for robots, referring to programs that perform online actions including sending email.
TNO - Trust No One - is a security philosophy used on some networks. In a TNO network, the security professional builds controls assuming that any system is, or may be, owned (that means infected by a virus or otherwise controlled by an attacker). There is no trust given, nor access to any data or other resources, until positive identification can be established. While this may seem to make sense, it can be quite costly and disruptive.
When we receive and read an email, we assume it's from a person and we assume positive intent. But as mentioned above, plenty of emails are not from a person. And we know that even if it is from a person, it might not be from who you think it is.
When you open an email, and if it's legit, from a known source, with a clean link or attachment, we click.
But how about if we use a TNO approach with email?
This may sound like it will take too much time. But, if you just practice being skeptical, you'll find you just view your email through a different lens. Rather than assuming the email is good and look for signs of badness... assume the email is bad and look for signs of goodness! That really works because good stuff is countable - people tend to write in a repeatable style. Project-related emails are expected. There is a saying in security... you can't enumerate badness. That means that there is more bad stuff out there than you can count. So if we start by assuming the email is malicious and make it prove otherwise, we can more naturally protect ourselves.
Give it a try! Remember... people = good; email = bad. Have a nice day! :-)