If you’re a regular reader of this blog, I suspect you live in a state of perpetual vigilance against targeted attacks such as phishing messages. You know that urgent sounding messages from sender addresses that don’t look right, especially if they include attachments or links to external sites, are to be approached with extreme caution. And yet, I suspect you also receive a fair number of emails that are in fact from legitimate senders who are not aware that the impression they’re giving is incredibly “phish-y”.
It isn’t just Security Newbs who are sending these messages, either. People and organizations that should absolutely “know better” are also sending messages that actively groom recipients to fall victim to malicious, targeted attacks. Security policies require consistent application to be successful. Asking your users to make exceptions – especially when the rules for when to make exceptions are both unspoken and nebulous – seriously compromises their ability to follow appropriate, security-focused guidelines.
Let’s look at a few common characteristics of phishing emails:
- The message itself arrives unexpectedly
- The content of the message seems unusual
- It appears to come from or cite an authoritative source
- It comes from a sender other than the named authority
- The text conveys a SENSE OF URGENCY!!!
- The greeting is absent or generic
- The message contains little to no explanation
- The message contains an unusual or unexpected attachment or link
An email that contains even one of these items is enough to make a security-conscious person feel a little wary. And yet I often see legitimate emails that contain all of these traits, which are commonly used in social engineering attacks. It sets a very dangerous precedent to expect employees to accept, as normal, messages like these.
Sometimes these messages are sent directly by actual human employees. If this is the case in your organization, it would be beneficial to give your employees a different sort of anti-phishing training: “How not to social-engineer your co-workers”. While this should include advice for how to avoid sounding like an online scammer, to be most helpful, it should also include some personnel-management advice on what to do if people are not responding to email requests in a timely or satisfactory manner.
An increasingly common scenario is phishy-looking emails sent by Software as a Service (SaaS) apps like those for fax or shipping services, human resource or accounting portals, collaboration tools, newsletters or even party planners. At a bare minimum, most of these emails are sent from external addresses; they’re also often unexpected or unsolicited, they contain little to no explanation, and they use a generic greeting or no greeting at all.
The fact that these apps are sending “corporate emails” from external addresses drastically increases the range of “legitimate” email addresses well beyond the corporate domain. This makes it much harder for employees to track which domains are “known” and therefore “more-trusted” senders.
What can you do to make your emails less phishy-looking? Here are a few things to consider:
- Make emails “expected”
If you’re going to send an email that requires employee action, give them an introductory email first, which gives them some forewarning and an explanation about what the email will contain, plus a description of what will be expected of them upon receipt of the message. The more information you can give them about what to expect – such as the sender’s email address, a brief summary of the content, a distinctive greeting or sign-off, etc. – the better able they will be to verify that the email is genuine. Understand that email addresses are easy to spoof, so the more you can customize an email to make it unique (rather than using basic boilerplate text), the easier it will be for your employees to identify the message as legitimate.
- Keep calm
There’s no good reason to employ social engineering tactics to create fear in your employees. Presumably the people you hire are all responsible adults, and you can motivate them to action by accurately describing the level of urgency in a way that does not require panic. There are always ways to address non-compliance in a calm, yet serious, manner; it’s not good for morale to start with the assumption that your employees will misbehave. As much as possible, make sure the email sender matches the message and uses an appropriate level of authority. If you’re sending “an important message from the VP of Paperwork,” make sure that it is actually sent by the Vice President of Paperwork rather than someone else in the Paperwork Department. Or better yet, ask yourself if it even needs to be sent by the VP at all, rather than simply being a “message from the Department of Paperwork.” And for the sake of everyone’s blood pressure, please AVOID SENDING MESSAGES IN ALL CAPITAL LETTERS.
- Choose security-conscious products
Can you digitally sign or encrypt emails sent from third-party apps? Is there an option to send them from within your own corporate domain? Can you customize emails with your own text or a recipient’s name? Can emails be sent in plaintext rather than using image-heavy or HTML formatted messages? These are a few questions you should be asking when pondering implementing new SaaS apps. Even if you have little to no choice about which new or legacy apps you use, there may be some options available for customizing messages to make them more “user friendly”. Make sure that people are filling out all the variables in templates too. (How many times have you gotten an email addressed to “Dear %RECIPIENT%”?) If no such customization options exist, you may have to rely more heavily on forewarning employees before email campaigns are sent out.
- Keep it simple
Default to using text formatting; use HTML content only if absolutely necessary. If at all possible, recipients should not have to click on a link or attachment to read the substance of the message. Make it as quick and easy as possible for your employees to get at least a basic summary of the information, and have them go to a standard location (such as an internal company site) to get more detailed information, rather than having to follow a link embedded in the message.
Phishing, business email compromise (BEC), and email account compromise (EAC) cause hundreds of millions of dollars’ worth of losses each year. This number seems unlikely to decrease if we continue to give employees conflicting information about how to handle suspicious emails. By making sure the messages we send appear both trustworthy and verifiable, we can allow employees to consistently follow anti-phishing advice and hone their instincts for recognizing which emails are truly safe.
Here are some additional resources on user education and phishing, from my esteemed colleague David Harley:
- https://www.welivesecurity.com/2015/05/29/phish-phood-thought/
- https://www.welivesecurity.com/2013/11/26/phish-to-phry-the-thoughtful-phisher-revisited/
- https://web-assets.esetstatic.com/wls/2013/12/The_Thoughtful_Phisher_Revisited.pdf
- https://www.welivesecurity.com/2015/01/08/phish-allergy-recognizing-phishing-messages/
- https://web-assets.esetstatic.com/wls/2012/11/PhishPhodder.pdf