Automatic Analysis of Scam Emails
Abstract
Email and email security have been the main topics of this master thesis. The thesis considers how an organization works with email security and security culture, the email specifications, threat agents, vulnerabilities, and attacks distributed via email. Several technological security features are standard in email systems nowadays. Technological evolution and development give better solutions for filtering and rejecting malicious email. However, new vulnerabilities are exploited and new attacks take place. Some emails containing malware, phishing, or scams will probably get through to end-users' inboxes. The only truly effective protection found is to promote email security and make email users aware of the potential threats.
Today there are no good solutions for dealing with emails that have passed these technical security measures. As a part of the organization's work to improve security culture, a functionality for users to report suspicious emails has been developed. This enables users to report suspicious emails directly to IT security personnel with a simple click of a button. However, as of now, it is up to the IT security personnel to manually analyse the reported emails. This takes time, and the number of reported emails increases every week.
To improve email security and reduce the time spent on manual analysis, there is potential for handling such emails in a smarter way. One solution is to automate the process of analysing the reported suspicious emails. This automation tool could help IT security personnel reduce risks and provide information to other users so that measures can be taken to stop malicious email.
Results from data analyses and hypothesis testing show that better information for users would be beneficial, and that some added functionality should be implemented in the reporting of suspicious emails. This would better achieve the intention of having users report suspicious emails as a part of the email security work. An automated system for extracting and parsing reported emails can be used for alerting users and informing system administrators. Further, with few modifications, this system could use data from the reported emails to proactively block or filter future emails before they reach end-users' inboxes.
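To make the "extracting and parsing reported emails" step concrete, the following is an added example (not the thesis's own tool, whose code is not on this page) of a minimal triage script built on Python's standard-library email parser. It reads a raw RFC 5322 message, pulls out the sender and Reply-To domains, the links in the body, and the attachments with their SHA-256 hashes, and then derives the indicators an analyst would otherwise read off by hand. The sample message, the list of risky attachment types, and the lure phrases are all constructed for this example and are assumptions, not data from the thesis.

```python
"""Minimal triage of a user-reported email (added example, not the thesis's tool)."""
import hashlib
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a reported message (not a real email). The domain
# mismatch between From, Reply-To and the link is the kind of indicator
# an analyst looks for first.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example.org>
Reply-To: support@example-mail-login.test
To: user@example.org
Subject: Action required: mailbox quota exceeded
Date: Mon, 01 Jan 2024 09:00:00 +0000
Message-ID: <constructed-0001@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Your mailbox is almost full. Verify your account within 24 hours:
http://example-mail-login.test/verify?u=user
--BOUNDARY
Content-Type: application/octet-stream; name="quota_report.zip"
Content-Disposition: attachment; filename="quota_report.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--BOUNDARY--
"""

URL_RE = re.compile(r'''https?://[^\s<>"']+''')
# Assumed lists for this example; a real deployment would tune both.
RISKY_EXTENSIONS = {"zip", "exe", "js", "iso", "scr", "html", "htm"}
LURE_PHRASES = ("verify your account", "within 24 hours", "password", "suspended")


def _domain(addr_header):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def analyse_report(raw):
    """Parse a raw message and return extracted data plus a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender_domain = _domain(msg.get("From"))
    reply_to_domain = _domain(msg.get("Reply-To"))

    body_text, attachments = [], []
    for part in msg.walk():
        if part.is_attachment():
            payload = part.get_payload(decode=True) or b""
            attachments.append({
                "filename": part.get_filename() or "(unnamed)",
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            body_text.append(part.get_content())
    body = "\n".join(body_text)
    urls = URL_RE.findall(body)

    findings = []
    if reply_to_domain and reply_to_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_to_domain} differs from From domain {sender_domain}")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            findings.append(f"Link to {host} does not match sender domain {sender_domain}")
    for att in attachments:
        ext = att["filename"].rsplit(".", 1)[-1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"Attachment {att['filename']} has a risky type ({ext})")
    lowered = body.lower()
    hits = [p for p in LURE_PHRASES if p in lowered]
    if hits:
        findings.append("Lure language: " + ", ".join(hits))

    return {
        "subject": str(msg.get("Subject", "")),
        "sender_domain": sender_domain,
        "reply_to_domain": reply_to_domain,
        "urls": urls,
        "attachments": attachments,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyse_report(SAMPLE_EML)
    print("Subject:", report["subject"])
    for finding in report["findings"]:
        print(" -", finding)
    for att in report["attachments"]:
        print(f" - {att['filename']} ({att['size']} bytes) sha256={att['sha256']}")
```

The returned dictionary is the part that matters for the workflow the abstract describes: the `findings` list can be sent back to the reporting user as an explanation, and the extracted domains, URLs and attachment hashes are exactly the data that a later filtering step could consume to block similar messages before they reach other inboxes.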