Technology Advisor Blog



Why Some Phishing eMails Still Get Through (Even with Good Security Filters)

Posted by Ann Westerheim on 7/10/25 10:02 AM

One of the questions we hear all the time is: “We have spam filters—so why are these phishing emails still getting through?” Sometimes, it’s said with a little more heat:
“Why don’t these security tools actually work?”

Yesterday, I received an email that appeared to come from Walgreens, urging me to redeem a large number of rewards points before they expired. Classic phishing move: promise of money, paired with urgency.

I thought this would be a great opportunity to break it down and show how these scams work in the real world.

[Image: spam email "from" Walgreens]

On the surface, there’s nothing unusual about the email. It looks like the kind of rewards message we’ve all seen dozens of times from loyalty programs. 

But a few red flags stood out right away.

  • The “reward” was wildly inflated - nearly 100 times more than the typical dollar or two I might actually earn from Walgreens.
  • Plus, I have two email security warnings in place that flagged the message as suspicious and not really from Walgreens. "You don't usually receive emails from this sender"

[Image: spam email not from Walgreens]

When I looked in my spam filter, I saw that there were actually several of the same message over the past few days.  Most were blocked, but two got through.  How does it happen? 

Cybercriminals don’t send one email and wait. They send hundreds or thousands - often using slightly different sender addresses or completely new websites each time. These are what we call “burner domains” - throwaway websites set up quickly and cheaply (or compromised domains), used just long enough to get around detection.

Even the best email security tools (like Barracuda) rely on patterns and reputation to catch threats. But when attackers use a brand-new website or domain name that hasn’t been flagged yet, it can slip through. Think of it like a zero-day threat - not because it’s using fancy malware, but because it’s too new to be recognized as dangerous yet.

By the time the system learns it’s a scam and blocks it, the attackers have already moved on to the next fake domain.
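Since a minutes-old domain has no reputation to look up, checks that do not depend on reputation are what catch these messages. The following is an added example, not code from this post or from any filtering product; the brand allowlist, the urgency word list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand really sends from (illustrative allowlist).
BRAND_DOMAINS = {"walgreens": ("walgreens.com",)}
# Assumption: a few urgency cues like the ones in the rewards email above.
URGENCY = ("expire", "redeem", "act now", "last chance")

def sender_domain(msg):
    """Return (display_name, domain) from the From header, lowercased."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.lower(), addr.rpartition("@")[2].lower()

def belongs_to(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def red_flags(raw, known_domains):
    """List reputation-independent warning signs for one raw message."""
    msg = message_from_string(raw)
    name, domain = sender_domain(msg)
    flags = []
    for brand, allowed in BRAND_DOMAINS.items():
        # Display name claims the brand, but the address is not the brand's.
        if brand in name and not belongs_to(domain, allowed):
            flags.append("brand-mismatch")
    # "You don't usually receive emails from this sender."
    if not belongs_to(domain, known_domains):
        flags.append("first-time-sender")
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY):
        flags.append("urgency")
    return flags

# Constructed samples; the .example domain stands in for a burner domain.
PHISH = (
    "From: Walgreens Rewards <rewards@points-offer.example>\n"
    "Subject: Redeem your points before they expire\n\n"
    "Click to claim.\n"
)
LEGIT = (
    "From: Walgreens <news@email.walgreens.com>\n"
    "Subject: Your weekly ad\n\n"
    "This week's deals.\n"
)
KNOWN = {"walgreens.com"}  # domains this mailbox has received mail from before

if __name__ == "__main__":
    print(red_flags(PHISH, KNOWN))
    print(red_flags(LEGIT, KNOWN))
```

None of the three checks needs the sending domain to have been seen or flagged before, which is why they still fire on a domain registered minutes ago.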


🐱🐭 It’s a Game of Cat and Mouse

  • 🔒 You block one domain

  • 🎣 They spin up another one - within minutes.

  • 📬 The email looks legit. No red flags. It gets through.

This is why it’s so important to have a layered defense:

  • Strong email filtering (check ✅)

  • Regular security updates (check ✅)

  • User security awareness (absolutely essential)

The people reading emails are the last line of defense. One click on the wrong link can still bypass all the tech.


🧠 Bottom Line:

Even smart systems can be tricked. The key is being prepared, staying alert, and making sure your team knows how to spot suspicious messages - even when they “look normal.”

There’s no silver bullet when it comes to cybersecurity. Real protection comes from a layered defense - a combination of smart technology, strong policies, and informed users working together to reduce risk.

Want help training your team or reviewing your defenses? We’re happy to help - no pressure, just good advice.

About the author:


Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area.  Ann is an accomplished technology innovator and leader with three engineering degrees from MIT.  She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.

https://www.linkedin.com/in/annwesterheim/  Let's connect!

 

Topics: phishing, cybersecurity
