
Why your spam filter misses the attacks that actually hurt

The short answer

Spam filters block bulk, known-bad email using reputation and signatures. Targeted attacks like business email compromise are low-volume, carry no malware, and use clean or look-alike domains, so they pass straight through. Stopping them requires analyzing sender identity, intent, and language — not just scanning for bad payloads.

Your spam filter is probably doing its job. The inbox is mostly clean, the obvious junk is gone, and the worst of the malware never arrives. So why do targeted attacks — the ones that actually drain bank accounts — still land?

Because spam filters and targeted attacks are playing two different games.

What a spam filter is good at

Spam and malware filters are built around volume and reputation. They are excellent at:

  • Blocking messages sent to millions of inboxes at once.
  • Catching attachments and links that match known-bad signatures.
  • Scoring senders by IP and domain reputation.
  • Filtering the statistical fingerprints of mass campaigns.

For the firehose of generic junk, this works extremely well. The economics favor the defender: bulk attacks are cheap to detect because they look like each other.

What that approach cannot see

The attacks that cost small businesses real money are not bulk. They are crafted for one recipient, and they deliberately avoid every signal a filter looks for.

  • No payload to scan. A business email compromise message is often just text — a request to change bank details or approve a wire. There is no malware and no link, so signature scanning finds nothing.
  • Clean infrastructure. The attacker uses a brand-new look-alike domain with no bad reputation yet, or a genuinely compromised supplier account with a perfect reputation.
  • Low volume. One email to your bookkeeper does not look like a campaign. It looks like Tuesday.
  • Human language, not code. The threat lives in the meaning of the message — "please update the account we pay you into" — which a reputation engine has no way to evaluate.

This is the gap. The filter asks "does this look like known badness?" The targeted attack is engineered so the honest answer is "no."

What actually closes the gap

Stopping targeted email requires looking at different signals — the ones that reveal impersonation and intent rather than malware:

  • Sender behavior and relationships. Is this the address that normally emails you, or a first-time sender wearing a familiar name? Has this "supplier" ever contacted you before?
  • Domain and identity analysis. Look-alike domains, display-name spoofing, and reply-to mismatches caught automatically, character by character.
  • Language and request analysis. Recognizing the patterns of a money request, an urgency play, or a banking change — the content that should always trigger a second look.
  • Context for the human. When something is off, the recipient sees a clear warning in the message, not a cryptic score after the fact.

None of this replaces the spam filter. It sits alongside it, covering the targeted layer the filter was never designed for.
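
The identity and language checks listed above, sketched as an added example (not CIVRA's code and not part of the original post). The contact list, the edit-distance threshold of 2, the keyword pattern and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: addresses this mailbox has corresponded with before (constructed).
KNOWN_CONTACTS = {"billing@acme-supplies.example": "Acme Supplies Billing"}
# Assumption: a tiny stand-in for real language analysis of payment requests.
REQUEST_PATTERNS = re.compile(
    r"\b(bank details|new account|wire transfer|urgent(ly)?|immediately)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def analyze(raw):
    """Return the identity and intent flags raised by one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr, flags = addr.lower(), []
    if addr not in KNOWN_CONTACTS:
        flags.append("first-time-sender")
        # Familiar display name on an address we have never seen.
        if name.lower() in {n.lower() for n in KNOWN_CONTACTS.values()}:
            flags.append("display-name-spoof")
        # Domain within two character edits of a known contact's domain.
        if any(0 < edit_distance(domain(addr), domain(k)) <= 2 for k in KNOWN_CONTACTS):
            flags.append("lookalike-domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain(reply_to) != domain(addr):
        flags.append("reply-to-mismatch")
    if REQUEST_PATTERNS.search(msg.get_payload()):
        flags.append("payment-request-language")
    return flags

# Constructed sample messages: no attachment, no link, nothing for a signature scan.
SUSPICIOUS = ("From: Acme Supplies Billing <billing@acme-suppl1es.example>\n"
              "Reply-To: accounts@mailbox.example\nSubject: Remittance update\n\n"
              "We have changed banks. Please use the new account for this invoice.\n")
LEGIT = ("From: Acme Supplies Billing <billing@acme-supplies.example>\n"
         "Subject: Invoice 1042\n\nInvoice 1042 is attached as usual.\n")
```

Neither sample carries a payload, so only the sender, reply-to and wording checks separate them: `analyze(SUSPICIOUS)` raises all five flags and `analyze(LEGIT)` raises none.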

Why small teams feel this most

Large enterprises layer on dedicated tools and staff to cover the gap. Small businesses usually have a spam filter, a busy office manager, and a lot of trust — which is precisely the profile attackers look for. The result is that the smallest teams face the same targeted threats with the fewest defenses.

A spam filter protects your inbox from the internet. It does not protect your finance clerk from a convincing email. Those are different jobs.

CIVRA exists to do the second job for teams that do not have a security department. It analyzes who is really emailing you, whether they are who they claim to be, and whether the request makes sense — then flags the dangerous ones before anyone acts. The spam filter handles the noise; CIVRA handles the email that was written specifically to fool you.

If you have ever wondered how a "clean" inbox still led to a fraudulent wire, this is the answer: the attack was never spam. It was a letter from a stranger wearing a friend's name — and it needs a tool that checks faces, not just envelopes.

FAQ

Why does spam still get through my filter?

Targeted attacks are crafted for one recipient and deliberately avoid the bulk patterns and known-bad signatures that filters rely on, so there is nothing for a reputation engine to catch.

Is a spam filter enough for a small business?

No. A spam filter handles bulk junk and malware well, but it does not stop targeted impersonation or business email compromise, which need identity- and intent-based detection.

What stops targeted email attacks?

Tools that analyze who is really emailing you, whether they are who they claim to be, and whether the request makes sense — layered on top of your existing spam filter rather than replacing it.

Do I need to replace Microsoft 365 or Google Workspace email security?

No. Their built-in filtering handles bulk threats. The gap is targeted, payload-free attacks, which a dedicated layer like CIVRA covers alongside what you already have.
