There’s a direct correlation between data breaches and sophisticated phishing attacks. Stolen records are sold on the dark web, and then cross-referenced and merged with personal information from previous breaches. Notable data theft events from Equifax and EDGAR have made it easier for criminals to launch targeted phishing campaigns against high-value organizations. To protect against these attacks, companies need to prioritize email security and offer employees the tools necessary to make informed decisions about suspicious emails.
Our research has found that roughly half of white-collar professionals identify unsolicited email in their inboxes as “just spam,” not something malicious. In reality, workers are flooded with email attacks every week. When these sophisticated threats bypass email security tools, employees are the next line of defense. Many organizations conduct periodic security awareness training sessions live or via computer-based training platforms, often starting when an employee onboards and followed by a regular “refresh” schedule that meets compliance or insurance requirements. These sessions usually come bundled with some level of phishing simulation training so companies can measure and monitor improvements over time. Employees need the training, but it’s only part of the equation.
The pervasiveness of email, the always-on nature of modern work, and the increasing sophistication of targeted attacks make it difficult for employees to stay vigilant. And even those who are diligent find that mobile devices make it difficult to keep up with everything. Expecting them to remember all the tips and techniques isn’t realistic, and taking time to revisit recommendations or look up corporate policies in the moment interrupts work.
Security awareness training succeeds only if employees recall what they have learned when it matters. Organizations should consider augmenting standard awareness training with “in-the-moment” prompts and context to help employees make educated decisions. Tools like email banners, email “report phish” plug-ins, and warning pages can reduce employee engagement with dangerous phish. These tools reinforce good email hygiene habits and warn users when there’s something suspicious going on. By analyzing emails for questionable traits and reminding users of their security training, it’s possible to reinforce business policies at the moment when they are most relevant, such as the initiation of a wire transfer.
When implementing these tools, consider these best practices:
- Customize email banners. Generic warnings fade in the background and are easy for attackers to replicate. Instead, make banners highly specific to each given threat and brand with the company logo, which helps users understand what to look for, why it’s a threat and what to do next.
- Make banners actionable. Highly targeted attacks are difficult for even the best-trained employee to spot. Take banner customization one step further by including relevant context about the sender, such as a common sender suddenly using a new email address. Make banner warnings actionable by including reminders about business policies. For instance, if an email references financial information, include a note that outlines the wire transfer policy, reminding the employee that all financial transactions require two manager-level signatures.
- Preview suspicious links. Users ignore or bypass generic warnings about suspicious URLs, especially if they are checking email on mobile devices. Instead, leverage URL sandboxing to offer a preview of the destination of any links in a message, ideally as part of the warning so that users can see what the destination page looks like and gain the context they need to make better decisions.
- Go beyond MFA. Although multifactor authentication improves password-only authentication, it’s cumbersome to implement and disruptive to users. And when breaches reveal personal information, such as phone numbers, MFA becomes increasingly easier to bypass. Consider adding biometric-based technology to validate users based on attributes like unique typing patterns. Authentication technology that analyzes attributes like unique typing patterns has become more accessible. It’s extremely difficult to replicate, and it allows for authentication that integrates seamlessly with employee workflows. This can prevent highly targeted insider attacks that come from legitimate company email addresses that may have been compromised.
- Make reporting phish easy. In addition to having integrated phish reporting functionality, also offer a simple stoplight-level analysis of the nuances of any given email, giving employees a way to judge for themselves when emails are suspicious.
- Incorporate learnings into policy. When employees act as defenders, the security team benefits from having additional knowledge and immediate awareness of emerging threats. A largescale attack may include a link that appears safe and bypasses defenses that rely on binary evaluation based on known threats. But once inside inboxes, the attackers weaponize the link and users are at risk until the threat gets discovered. If link previews and reporting are in place, employees can identify and report threats. The security team can act quickly on this information and roll out a universal policy that automatically removes those threats from their environment.
Cybercriminals continue to leverage the increasing amount of personal and business information available after major breaches to refine their malicious tactics and target employees. However, companies can ramp up their email security efforts to include tools that help employees identify and flag social engineering and phishing attacks. These practices empower employees as a crucial line of defense against sophisticated email threats, and they also deliver the necessary flexibility for the workforce to conduct business without friction.
Matt Petrosky, vice president of customer experience, GreatHorn
