Why are phishing emails landing in my Gmail primary inbox?

Summary

Phishing emails are successfully landing in Gmail's primary inbox due to a multifaceted approach employed by attackers, combined with inherent limitations in filter technology and human vulnerabilities. Spammers actively invest in evading filters through sophisticated techniques like hashbusters, extensive testing, reputation manipulation, and the use of rotating domains and accounts. They also exploit legitimate infrastructure, sometimes successfully passing authentication checks like SPF, DKIM, and DMARC, and utilize methods like base64 encoding to obfuscate their messages. Social engineering plays a significant role in crafting convincing emails that bypass user suspicion, particularly in personalized attacks. Additionally, smaller, targeted campaigns can evade volume-based detection systems. User settings, changes in sender reputation, and zero-day exploits also contribute to filter bypass. Finally, human error, stemming from fatigue, stress, or lack of awareness, remains a crucial factor. Reporting suspicious emails, enabling multi-factor authentication, and educating users are critical for mitigation.

Key findings

  • Evolving Evasion Techniques: Spammers invest heavily in circumventing spam filters by using sophisticated techniques, including hashbusters and reputation services.
  • Legitimate Infrastructure Abuse: Phishing emails can originate from legitimate platforms, even passing SPF, DKIM, and DMARC checks, making them harder to detect.
  • Social Engineering Effectiveness: Social engineering tactics are highly effective in creating convincing phishing emails that deceive users.
  • Targeted Campaign Success: Smaller, targeted phishing campaigns often evade detection by volume-based filters.
  • Human Vulnerability: Human error and fatigue significantly increase the risk of falling for phishing scams.
  • Reporting Importance: User reporting is critical for improving the effectiveness of spam filters.
  • Compromised Infrastructure: Attackers compromise legitimate sending infrastructures to send phishing emails.
  • Personalization: Personalized phishing attacks are harder to identify.
  • Multi-Layered Attacks: Phishing attacks combine URL and attachment-based techniques.

Key considerations

  • Advanced Filter Development: Develop and deploy more sophisticated spam filters capable of detecting advanced evasion techniques and nuanced social engineering.
  • User Education Enhancement: Provide comprehensive and ongoing education to users on recognizing and reporting phishing attempts.
  • Multi-Factor Authentication Implementation: Mandate and enforce multi-factor authentication (MFA) for all accounts to mitigate the impact of compromised credentials.
  • Account Security Measures: Implement robust account security measures to prevent account compromise and unauthorized access.
  • Incident Response Planning: Establish and regularly update an incident response plan to address phishing attacks effectively.
  • Security Awareness Training: Provide ongoing security awareness training to educate employees and users about phishing risks and best practices.
  • Email Authentication Protocols: Implement and enforce email authentication protocols like SPF, DKIM, and DMARC to verify the authenticity of sending domains.
  • Email provider filter improvement: Request and provide feedback to email providers on how to enhance their filtering logic.
  • Whitelisting caution: Do not automatically trust whitelisted senders.

What email marketers say
11 marketer opinions

Phishing emails are landing in Gmail primary inboxes due to a combination of factors including evolving spammer tactics, sophisticated spoofing techniques, compromised accounts, personalized attacks, smaller targeted campaigns, and human error. Spammers are continuously adapting to bypass filters by using methods like mimicking legitimate emails, leveraging current events, and compromising trusted sources. The volume and sophistication of phishing attempts also overwhelm spam filters, and smaller, targeted campaigns often evade detection. Moreover, human factors, such as user fatigue or stress, increase the likelihood of falling for these scams. Phishers use techniques like spoofing email addresses and creating lookalike domains.

Key opinions

  • Evolving Tactics: Phishers constantly evolve their tactics to bypass spam filters, making it difficult for algorithms to keep up.
  • Sophisticated Spoofing: Phishers use sophisticated spoofing techniques, mimicking legitimate emails and domains to deceive recipients.
  • Compromised Accounts: Attackers compromise legitimate email accounts, sending phishing emails from trusted sources.
  • Personalized Attacks: Personalized phishing attacks, tailored to the recipient, are more likely to bypass spam filters because they look legitimate.
  • Targeted Campaigns: Smaller, targeted phishing campaigns evade volume-based detection filters.
  • Human Error: Human error, influenced by fatigue or stress, increases susceptibility to phishing scams.
  • Multi-layered Attacks: Multi-layered phishing attacks combining URL and attachment-based attacks are harder to detect.

Key considerations

  • Stay Updated: Be aware of the latest phishing tactics and techniques.
  • Verify Senders: Always verify the sender's identity, especially for unusual or urgent requests.
  • Enable MFA: Enable multi-factor authentication (MFA) to add an extra layer of security to your accounts.
  • Report Suspicious Emails: Report suspicious emails to help improve spam filters.
  • Educate Users: Educate employees and users about phishing risks and best practices.
  • Implement robust security measures: Put filtering in place that catches phishing emails before they reach inboxes, rather than relying on recipients to spot them.

Marketer view

Email marketer from Cloudflare explains that if an attacker compromises a legitimate email account, they can send phishing emails from a trusted source, increasing the likelihood of bypassing spam filters. These are known as Business Email Compromise (BEC) attacks.

December 2024 - Cloudflare
Marketer view

Marketer from Email Geeks shares that they were receiving phishing emails daily from January 30 to February 17, originating from services like Microsoft and Sendgrid, but have since stopped receiving them.

September 2024 - Email Geeks
Marketer view

Email marketer from Norton responds that phishing emails sometimes get through filters because the phishers are using email addresses that have been whitelisted by the recipient, or that are closely related to trusted senders.

July 2021 - Norton
Marketer view

Email marketer from Barracuda Networks explains that one factor is that multi-layered phishing attacks are combining URL and attachment-based attacks and are therefore hard to detect.

June 2023 - Barracuda Networks
Marketer view

Email marketer from Mailjet shares that personalized phishing attacks, which use information gathered about the recipient, are more likely to bypass spam filters. These attacks are tailored to appear legitimate.

August 2022 - Mailjet
Marketer view

Email marketer from Reddit shares that phishers are constantly evolving their tactics and spam filters are always trying to catch up. Some get through due to the sheer volume and sophistication of phishing attempts.

July 2022 - Reddit
Marketer view

Email marketer from Digital Guardian details that smaller, targeted phishing campaigns can sometimes evade detection because they do not trigger the volume-based filters that are designed to catch mass-produced spam.

July 2023 - Digital Guardian
Marketer view

Email marketer from StackExchange responds that spammers are adapting constantly, using current events and other tricks to get around detection. They only need a small percentage to succeed to make it worthwhile.

April 2021 - StackExchange
Marketer view

Marketer from Email Geeks shares that they've also received similar emails claiming subscription renewals and deductions, noting that Gmail will likely start filtering these as spam, as one recent email of this type was caught.

June 2022 - Email Geeks
Marketer view

Email marketer from Varonis shares that employees who are tired or stressed are more likely to fall for phishing scams, because they are not paying close attention to the details of the email.

May 2023 - Varonis
Marketer view

Email marketer from Quora shares that phishers craft emails that mimic legitimate ones, making it hard for Gmail's algorithms to differentiate. They use techniques like spoofing email addresses and creating lookalike domains.

December 2023 - Quora

What the experts say
5 expert opinions

Phishing emails bypass Gmail's primary inbox filters because spammers invest significant effort in evasion: hashbusters, extensive testing against filters, reputation services, rotating domains and accounts, and base64-encoded message bodies. Analysis also shows that phishing emails can originate from legitimate services such as Microsoft O365 and pass SPF, DKIM, and DMARC checks, so an authentication pass identifies the sending domain but does not vouch for the message. Compromised sending infrastructures and human error are further contributing factors, which is why users need to be taught to recognize and report phishing attempts.

Key opinions

  • Filter Evasion Techniques: Spammers invest heavily in techniques like hashbusters, testing, and reputation services to evade spam filters.
  • Legitimate Source Abuse: Phishing emails can originate from legitimate platforms and pass the standard authentication checks (SPF, DKIM, DMARC).
  • Rotation of Infrastructure: Spammers rotate domains and accounts to avoid detection.
  • Compromised Infrastructure: Attackers compromise legitimate sending infrastructures to send phishing emails.
  • Human Error Factor: Human error plays a significant role in the success of phishing attacks.

Key considerations

  • Advanced Filter Detection: Email providers need to develop more advanced filters to detect sophisticated evasion techniques, including those that pass authentication checks.
  • User Education: Educate users on how to recognize and report phishing attempts.
  • Account Security: Implement stronger security measures to prevent account compromise.
  • Incident Response: Have a clearly documented incident response process to take action on phishing attempts.
  • Stay vigilant: Encourage vigilance and caution when reviewing emails, particularly those requesting sensitive information.

Expert view

Expert from Spam Resource emphasizes the importance of educating users to recognize phishing attempts and providing them with the tools to report suspicious emails, as human error is a significant factor in successful phishing attacks.

December 2023 - Spam Resource
Expert view

Expert from Word to the Wise shares that attackers can compromise legitimate sending infrastructures, leading to phishing emails originating from seemingly trustworthy sources, making detection more challenging for filters and recipients.

February 2023 - Word to the Wise
Expert view

Expert from Email Geeks explains that spammers invest significant effort in evading filters, employing techniques such as hashbusters, extensive testing, and reputation services to create a false positive reputation.

July 2023 - Email Geeks
Expert view

Expert from Email Geeks shares analysis of a recent phishing email, noting it originated from Microsoft O365, passed SPF and DKIM checks, and even included a DMARC=pass in the ARC signature from Microsoft.

October 2022 - Email Geeks
Expert view

Expert from Email Geeks notes that spammers appear to be rotating domains and O365 accounts, and are using base64 encoding for the messages.

September 2023 - Email Geeks
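
The two Email Geeks analyses above (an O365-originated message that passed SPF, DKIM and DMARC, and rotated tenants sending base64-encoded bodies) describe exactly what a triage script should make explicit: authentication results identify the sending domain, they do not vouch for it. The following is an added example, not code from the page or from any source it quotes; the sample message, the allow-list (TRUSTED_DOMAINS) and the lure phrases are constructed for illustration.

```python
import base64, email, re
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real message: SPF, DKIM and DMARC all pass for the sending
# tenant's own domain, and the body arrives base64-encoded.
LURE = "Your subscription renewal of $499 was deducted. Call now to cancel."
RAW_MESSAGE = f"""\
ARC-Authentication-Results: i=1; mx.example.net; spf=pass smtp.mailfrom=tenant-example.onmicrosoft.com; dkim=pass header.d=tenant-example.onmicrosoft.com; dmarc=pass header.from=tenant-example.onmicrosoft.com
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=tenant-example.onmicrosoft.com; dkim=pass header.d=tenant-example.onmicrosoft.com; dmarc=pass header.from=tenant-example.onmicrosoft.com
From: "Billing Department" <notify@tenant-example.onmicrosoft.com>
To: user@example.net
Subject: Subscription renewal deducted
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

{base64.b64encode(LURE.encode()).decode()}
"""
# Hypothetical allow-list and lure vocabulary; a real deployment loads both from policy.
TRUSTED_DOMAINS = {"example.net", "payroll-vendor.example"}
LURE_PHRASES = ("deducted", "call now", "renewal")
AUTH_RE = re.compile(r"(spf|dkim|dmarc)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")

def auth_results(msg):
    """Map each method to (verdict, identifier domain), per Authentication-Results header."""
    out = {}
    for hdr in ("Authentication-Results", "ARC-Authentication-Results"):
        for value in msg.get_all(hdr, []):
            for m in AUTH_RE.finditer(str(value)):
                out.setdefault(hdr, {})[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return out

def triage(raw):
    """Separate 'who authenticated' from 'whom we trust', then decode the body for lure checks."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    results = [r for v in auth_results(msg).values() for r in v.values()]
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""  # base64 transfer encoding is undone here
    return {
        "from_domain": from_domain,
        "display_name": display,
        "all_pass": bool(results) and all(res == "pass" for res, _ in results),
        "aligned": {dom for _, dom in results} == {from_domain},  # SPF/DKIM identifiers match From
        "trusted_sender": from_domain in TRUSTED_DOMAINS,
        "body_flags": [p for p in LURE_PHRASES if p in body.lower()],
    }
```

A result with all_pass and aligned both true but trusted_sender false is precisely the case the analyses describe, and it should be routed to review rather than accepted on the strength of a DMARC pass.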

What the documentation says
5 technical articles

Phishing emails are landing in Gmail primary inboxes because they bypass initial filters due to various factors. These include new phishing tactics, changes in sender reputation, and user settings overriding filters. Additionally, advanced campaigns use zero-day exploits and polymorphic malware to evade detection. Social engineering plays a crucial role in making these emails appear legitimate, reducing user suspicion. Reporting phishing emails helps improve Gmail's filters, and enabling multi-factor authentication (MFA) can protect accounts even if credentials are compromised.

Key findings

  • Filter Bypass: Phishing emails bypass initial filters due to tactics, reputation changes, and user settings.
  • Advanced Techniques: Advanced campaigns use zero-day exploits and polymorphic malware to evade detection.
  • Social Engineering: Phishing attacks incorporate social engineering to appear legitimate.
  • Importance of Reporting: Reporting phishing emails improves filter accuracy.
  • MFA Protection: Multi-factor authentication (MFA) adds an extra layer of security, even if credentials are compromised.

Key considerations

  • User Reporting: Encourage users to report suspicious emails.
  • Review User Settings: Review and adjust user email settings to strengthen filter effectiveness.
  • Implement MFA: Enable multi-factor authentication for all accounts.
  • Stay Updated: Keep software and systems updated to patch vulnerabilities exploited in zero-day attacks.
  • Training: Educate users about social engineering tactics used in phishing attacks.

Technical article

Documentation from Microsoft details that phishing emails can land in your inbox if they bypass initial filters, often due to sender reputation changes, new phishing tactics, or user settings that override filter decisions.

November 2023 - Microsoft
Technical article

Documentation from Proofpoint explains that advanced phishing campaigns use techniques like zero-day exploits and polymorphic malware to evade detection. These techniques are constantly evolving.

November 2021 - Proofpoint
Technical article

Documentation from SANS Institute shares that phishing attacks are becoming more sophisticated, incorporating elements like social engineering to make the emails seem more legitimate and bypass user suspicion.

September 2024 - SANS Institute
Technical article

Documentation from Google Support explains that users should report phishing emails to improve Gmail's filters. Reporting helps Google identify and block similar messages in the future.

January 2025 - Google Support
Technical article

Documentation from the FTC recommends enabling multi-factor authentication (MFA), which adds an extra layer of security and can help protect accounts even if a phishing email successfully captures login credentials.

June 2022 - FTC