Errors and Opportunities: When Users Get Woke to the Threats in Their Inboxes
Errors and Opportunities: When Users Get Woke to the Threats in Their Inboxes

Over the past few years, more and more companies and organizations have incorporated new-school security awareness training into security posture, rightly recognizing that their employees are the last line of defense against increasingly sophisticated and aggressive phishing campaigns that deliver all manner of threats to employees' inboxes. This type of security awareness training is dubbed "new-school" because it combines more traditional training modules with simulated phishing attacks to train employees to spot incoming threats and reinforce key lessons from that training, all the while providing IT staff the tools to continually assess the effectiveness of that training.

Many organizations also supplement these training modules and simulated phishing campaigns with Outlook add-ons such as the Phish Alert Button (PAB) to close the loop by empowering employees to report phishing emails that land in their inboxes directly to IT security staff.

Companies and organizations that roll out security awareness training programs for their employees are rightly concerned that employees learn to identify and properly handle actual malicious emails. When starting a security awareness training program for your organization, however, you should recognize that you are dealing with non-tech savvy users who are not used to thinking about computer security threats in any kind informed, systematic fashion. Consequently, they occasionally need a little help distinguishing real threats from the mass of junk email and other background noise that floods their inboxes on a daily basis.

In what follows, we take a look at some of the common problems that employees struggle with when they begin learning to recognize potentially malicious emails. What seems obvious to experienced IT staff will not be so obvious to employees who are just having their eyes opened to the bewildering array of threats they will encounter. Thus, you can expect a number of rookie errors on the part of your employees -- mistakes that are easily addressed when you are anticipating and prepared for them. Indeed, the mistakes your employees make can be just as revealing and insightful as their successes. Towards the end we will also discuss several strategies that you can use can ease your employees' transition to a more security-aware state of mind.

Monsters Everywhere

Although most of your employees will be at least vaguely aware that there are "bad" emails arriving in their inboxes, for some the process of going through security awareness training can be an arresting, even shocking experience. What results can be a kind of free-floating paranoia. Where prior to training these employees remained blissfully ignorant of the dangers posed by some incoming emails, those same employees will, following their first encounter with security awareness training, begin seeing monsters lurking behind every email.

It is not unheard of, then, to see some newly trained employees flagging completely innocent emails such as this routine alert from Microsoft Exchange as a potential threat:

Experienced IT staff will note that malicious actors do routinely spoof just this very Exchange alert email, providing a malicious link within the email to direct employees interested in increasing the capacity of their email boxes to web pages that perform credentials phishes. But there is no such malicious link in the above email, however.

As with so many of the other mis-flags we will discuss, this kind of error actually presents an opportunity to educate struggling employees further, fine tune their ability to distinguish between dangerous emails and completely innocuous ones, and offer them more concrete strategies for sniffing out potential threats.

Junk Mail Madness

By far the most common problem that your employees will experience is confusing junk emails and outright spam with actual malicious phishing emails. All too many employees are operating with an overly simplistic set of mental categories for understanding of the kinds of emails flowing into their inboxes. In the minds of these employees there are just two kinds of emails: "good" emails, which are relevant and useful to their jobs, and "bad" emails, which range from time-wasting internal chatter to annoying junk mail and even alarmingly malicious phishes baiting potential marks into downloading and executing the latest ransomware variants.

Anyone working in a modern, computerized office setting will be familiar with the steady stream of pitches arriving from all manner of companies pushing products and services online. For most of us, these emails are a minor annoyance -- distracting clutter to be pushed out of the way as quickly as possible.

If you've rolled out an Outlook add-on such as the Phish Alert Button (PAB), however, such emails can become even more of a nuisance when your employees begin flagging them as potential phishes, as they force your IT staff to dig through large numbers of non-threatening junk emails in order to identify actual threats sitting in your employees' inboxes. And when your organization is just one click away from a downtime disaster, you don't need this kind of noise.

Employees should be able to distinguish between spam emails and phishing emails. Although they may "feel" the same to many employees (both are unsolicited and unhelpful), there are key differences. Spam, of course, is commercial. Phishing is criminal. If an unsolicited email is attempting to sell you on a product or service, then it's spam. If, by contrast, an email attempts to trick you into performing a potentially dangerous action such as clicking a link, opening an attachment, or responding with confidential information that could compromise the security of the larger organization, then it's phishing, and your employees need to be able to recognize when emails present such outright threats.

Hitting the Links

One of the more useful strategies your employees will learn in their security awareness training is link hovering -- hovering the mouse pointer over links embedded in emails to see what web sites and pages those links actually point to.

As simple and useful as link hovering can be, some of your employees may be less than diligent when it comes to adopting it as a habitual practice when dealing with actual emails. And that can mean failing to distinguish between spoofed Docusign phishing emails -- one of the more popular social engineering hooks currently in use -- and completely legitimate Docusign emails such as the following:

While some employees may simply be too impatient to inspect embedded links carefully, others might be unfamiliar with the conventions of URLs and thus be unable to make sense of them in a useful fashion. Your employees should be able to pick out the base domain in a URL and be familiar with the domains of web sites they regularly visit as part of their jobs (including the domains of your own company or organization). If they can also be taught how to recognize an internal URL and distinguish it from a URL that points to a resource outside of the company's own network, so much the better.

Action, Action, Action

Phishing emails are all about actions -- bad actions. The bad guys want your employees to click a link, open an attachment, enter credentials, kick off wire transfers, or supply the bad guys with sensitive or confidential information that can be exploited for financial gain. Although that seems a rather obvious fact about phishing emails to experienced IT pros, employees going through security awareness training may occasionally forget that basic truth when dealing with unexpected, but completely legitimate emails.

As with the Microsoft Exchange and Docusign emails we looked at earlier, the bad guys do actually spoof FedEx in malicious emails. Your employees may even have encountered fake FedEx phishing emails. This email, however, is not one of them, and you don't even need to hover your mouse over a link or inspect the headers to figure out it is not malicious. We know it's not malicious because these kinds of alerts from FedEx are simply informational. They do not ask readers to take any action.

When dealing with employees who are deeply suspicious of the provenance of an alleged phishing email, a gentle nudge ("What is this email asking you to do that's potentially dangerous?") is sometimes all it takes to get them refocused on more concrete aspects of the email.

Common Mis-Flags

An Outlook add-on like the Phish Alert Button (PAB) allows you to see in near real time not only what threats your employees are encountering in their inboxes but also which employees might need additional help in distinguishing between real threats and innocent (if annoying) emails. When reviewing alleged phishing emails shared with us by customers through the PAB, we see some types of emails being mistakenly flagged by newly trained employees again and again.

1. Spam digest emails

Many email security solutions send out spam digest or similar spam notification emails, and you can expect some employees to flag these emails as potential threats -- probably because they see references in them to other emails that likely are actual threats.

As with most other mis-flags, this error represents a learning opportunity for employees who may need a short refresher on what these spam digest emails are and how they can be used to manage their email accounts.

2. LinkedIn emails

Most, if not all, of your employees will have LinkedIn accounts, and that means they may be receiving a steady stream of invites, messages, and other notifications through LinkedIn. While LinkedIn can be useful for social networking, some employees may regard LinkedIn emails as a nuisance and be tempted to flag them as potential threats.

If any of your employees are sounding the alarm over routine LinkedIn emails, that's a good sign that they may need some assistance managing their accounts so that LinkedIn becomes more of a useful asset and less an annoying distraction.

3. Secure/Encrypted emails

Many businesses (especially those in the financial industry) routinely make use of secure email services offered by companies such as Cisco or Proofpoint, to name two of the more popular ones. If your company or organization uses a secure email service, or if your organization's partners, clients, or customers regularly send secure emails to your employees, you don't want your employees to balk at opening them.

Your employees should be familiar with secure email services -- particularly those in use by their employers and its customers, clients, and partners -- be able to recognize them for what they are and distinguish them from the occasional phishing email that spoofs these services. As discussed earlier, good email habits like URL hovering can be particularly useful in sorting the good from the bad.

4. Mass emails

Many businesses and organizations use a variety of outside companies to provide critical services such as Help Desk management, CRM, ERP, and HRM. If your company or organization uses such services, your employees should be familiar with them as well as the emails they can expect to receive from the outside companies providing these services.

This is particularly true when your organization is rolling out a new service, which will often involve an initial email blast to employees across a department or even your entire organization. Many of these emails will be asking employees to click links to register for accounts, provide basic information, and step through introductory presentations. As with other types of new and unexpected emails, there will be some employees who may flag these emails as potential threats.

Again, this kind of mis-flag offers you a teachable moment -- an opportunity to review basic strategies for handling suspicious emails and reinforce good email vetting habits like URL hovering. Additionally, the roll-out of a new third-party service should be a prompt for your IT organization to coordinate more closely with other departments (especially HR) to ensure that the initial roll-out is well-understood and properly anticipated by all involved parties.

Expect the Unexpected

As we have seen in so many of the situations discussed above, the process of stepping your employees through security awareness training can be a learning experience not only for the employees being trained and phished with simulated malicious emails, but for your IT staff as well, who will inevitably become familiar with the mistakes employees tend to make as they become more knowledgeable about previously unfamiliar threats and acquire new skills designed to help them recognize threats when they see them.

We have found that such mistakes -- innocent emails mis-flagged as threats, confusion over the difference between spam and phishing -- are a natural part of the learning process and can be effectively handled through several simple strategies.

First, reinforce the most common red flags to look for when confronted with suspicious or potentially threatening emails. When non-technically savvy users succumb to free floating paranoia or mis-analyze innocent emails, that's usually because they are relying almost entirely on uninformed, misguided gut instincts instead of concrete tools of analysis. Even after such concrete tools are presented in training, they need to be reinforced with employees until these tools -- like link hovering -- become habitual parts of their email vetting routine.

Second, focus on common social engineering hooks. Anyone familiar with the day-to-day rhythm of phishing campaigns these days knows that the bad guys tend to use variations on the same social engineering schemes over and over, even if the payloads tied to those schemes evolve over time to evade security software. For example, one of the more common ones lately has been the "email account deactivation" phish:

Talk to your users about the common social engineering hooks that your staff regularly encounters. Provide examples. And point out the tell-tale signs that should tip readers off that these emails are malicious and not what they might initially appear to be.

Third, ensure your employees are familiar with the routine emails they can expect to receive as a part of their job, be they from other employees and internal systems...

...or external partners, clients, and customers:

If your users cannot recognize a legitimate email from your organization's Helpdesk for what it is and distinguish between it and a crudely spoofed phishing email announcing a "mandatory software update" to be installed on their PCs, then your IT staff has big problems on its hands.

Conclusion

Weird things can happen when everyday users get woke to the security threats lurking in their inboxes. As much as we might hope that every employee being stepped through security awareness training would turn into a seasoned security pro overnight, the reality is that each trainee will go through a growing process. Expect the occasional stumble. Anticipate that some users will tilt at the occasional windmill.

New-school security awareness training is designed to give you and your IT staff a wealth of tools and strategies to deal with wayward, struggling users. Use simulated phishing campaigns to measure the effectiveness of your training program and identify employees who need more help. Use the Phish Alert Button (PAB) to start a dialogue with your users and convert mis-flagged innocent emails into learning opportunities.

At the end of the day, you and the rest of your IT organization need users who are alert and on the lookout for new threats that could take down your organization. New school security awareness training gives you everything you need to convert security liabilities (clueless users not woke to the threats in front of them) into security assets: woke users who work in partnership with your IT organization to shut down threats before they result in serious downtime or the loss of critical information, financial resources, and the hard-earned reputation of your organization.