Stop training your employees to fall for phishing attacks

Training your employees how to recognize and avoid phishing only works if trusted emails don’t look the same as criminals'.


I recently received an email from an address I didn’t recognize, that purported to be from a trusted authority, using urgent language to insist that I open an unexpected attachment. Clearly, this message must be a phishing attack that I deleted immediately, right?

As you may have guessed, after careful research I found that it was a legitimate message that did include important information, even if it was significantly less urgent than the message’s wording implied. I also found that people who should absolutely “know better” are sending messages that actively groom recipients to fall victim to phishy messages. The only way that “avoid phishing” tips work is if actual trusted authorities don’t use the same techniques as criminals.

Let’s look at a few common “how to recognize phish” tips that the message in question fell afoul of:

  • The message itself is unexpected
  • It appeals to a sense of authority
  • It comes from a sender other than the named authority
  • The text conveys a sense of urgency
  • The greeting is absent or generic
  • The message contains little to no explanation
  • The message contains an unexpected attachment

This list of traits is more than enough to set a security-conscious employee’s hair on end. And yet, this sort of email is distressingly common.

Sometimes these messages are sent directly by actual human employees who could benefit from a slightly different variety of anti-phishing training. Perhaps more commonly, they are sent by Software as a Service (SaaS) apps like those for fax or shipping services, human resource or accounting portals, collaboration tools, newsletters or even party planners. This drastically increases the range of “legitimate” email addresses well beyond the corporate domain, thus making it much harder for employees to track which domains are “known” and therefore “more-trusted” senders.

What can we do to make our emails less phishy-looking? Here are a few things to consider:

  • Forewarning to make emails “expected”: If you’re going to send an email about shipping, event planning or other things requiring employee action, let them know ahead of time. The more info you can give them about what to expect – such as the sender’s email address, a brief summary of the content, etc. – the better able they will be to verify that the email is genuine. Understand that email addresses are easy to spoof, so the more you can customize an email to make it unique (rather than using basic boilerplate text), the easier it will be for your employees to identify as being legitimate.
  • Keep calm: There’s no good reason to employ social engineering tactics to create fear in your employees. Presumably the people you hire are all responsible adults, and you can motivate them to action by accurately describing the level of urgency in a way that does not require panic. As much as possible, make sure the email sender matches the message and uses an appropriate level of authority. If you’re sending “an important message from the VP of Bureaucracy,” make sure that it is actually sent by the Vice President of Bureaucracy rather than someone else in the Bureaucracy Department. Or better yet, ask yourself if it even needs to be sent by the VP at all, rather than simply being a “message from the Department of Bureaucracy.” And for the sake of everyone’s blood pressure, please avoid sending messages in all capital letters.
  • Favor security-conscious products: Can you digitally sign or encrypt emails from your third-party apps? Can you send them from within your own corporate domain? Can you customize them with your own text or a recipient’s name? Can emails be sent in plaintext rather than using image-heavy or HTML formatted messages? These are a few questions you should be asking when pondering implementing new SaaS apps.
  • Keep messages simple: Default to using text formatting; use HTML content only if absolutely necessary. If at all possible, recipients should not have to click on a link or attachment to read the substance of the message. Make it as quick and easy as possible for your employees to get at least a basic summary of the information, and have them go to a standard location (such as an internal company site) to get more detailed information, rather than a link embedded in the message.

Phishing, business email compromise (BEC), and email account compromise (EAC) cause hundreds of millions of dollars’ worth of losses each year, and this number seems unlikely to decrease if we continue to give employees conflicting information about how to interact with email safely. By making sure all correspondence follows good security hygiene advice, we can allow employees to consistently follow anti-phishing advice and hone their instincts for recognizing which emails are truly safe.

Copyright © 2018 IDG Communications, Inc.
