Hook, line, and sinker: How to avoid looking ‘phish-y’
If you’re a regular reader of this blog, I
suspect you live in a state of perpetual vigilance against targeted attacks
such as phishing messages. You know that urgent sounding messages from sender
addresses that don’t look right, especially if they include attachments or
links to external sites, are to be approached with extreme caution. And yet, I
suspect you also receive a fair number of emails that are in fact from
legitimate senders who are not aware that the impression they’re giving is
incredibly “phish-y”.
It isn’t just Security Newbs who are sending
these messages, either. People and organizations that should absolutely “know
better” are also sending messages that actively groom recipients to fall victim
to malicious, targeted attacks. Security policies require consistent
application to be successful. Asking your users to make exceptions – especially
when the rules for when to make exceptions are both unspoken and
nebulous – seriously compromises their ability to follow appropriate,
security-focused guidelines.
Let’s look at a few common characteristics of
phishing emails:
· The message itself arrives unexpectedly
· The content of the message seems unusual
· It appears to come from or cite an authoritative source
· It comes from a sender other than the named authority
· The text conveys a SENSE OF URGENCY!!!
· The greeting is absent or generic
· The message contains little to no explanation
· The message contains an unusual or unexpected attachment or link
An email that contains even one of these
items is enough to make a security-conscious person feel a little wary. And yet
I often see legitimate emails that contain all of these traits, which
are commonly used in social engineering attacks. It sets a very dangerous
precedent to expect employees to accept, as normal, messages like these.
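The traits in the list above can be turned into a simple scoring check that a mail-security or awareness team could run over its own outbound messages before a campaign goes out. The script below is an added example, not code from the original post: it parses a raw RFC 5322 message with Python's standard email package and reports which of the listed traits it exhibits. The internal-domain set, the word-count threshold and both sample messages are constructed assumptions; "unexpected" and "unusual" depend on the recipient's context and are deliberately not scored.

```python
"""Heuristic scorer for the 'phish-y' message traits listed above.

Added example, not code from the original post. It parses an RFC 5322
message with Python's standard email package and flags the traits that can
be judged from the message alone. Whether a message is 'unexpected' or
'unusual' depends on the recipient's context, so those two are not scored.
"""
import re
from email import message_from_string, policy

# Assumption (constructed for the example): the organization's own domains.
INTERNAL_DOMAINS = {"example.com"}
# Assumption: fewer words than this counts as 'little to no explanation'.
MIN_EXPLANATION_WORDS = 30

GREETING_RE = re.compile(r"^(dear|hi|hello|greetings)\b", re.IGNORECASE)
# A greeting followed only by boilerplate words or an unfilled template variable.
GENERIC_GREETING_RE = re.compile(
    r"^(dear|hi|hello|greetings)"
    r"(?:[\s/]+(?:customer|user|valued|sir|madam|all|team|there|%\w+%))*"
    r"\s*[,:!]?\s*$",
    re.IGNORECASE,
)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|act now|within \d+ hours?|suspended|final notice)\b",
    re.IGNORECASE,
)
# Three or more consecutive all-caps words, or doubled exclamation marks.
SHOUTING_RE = re.compile(r"(?:\b[A-Z]{3,}\b[\s,]*){3,}|!{2,}")
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _first_address(msg, field: str):
    """Return (display_name, addr_spec) of the first mailbox in a header, or ('', '')."""
    hdr = msg.get(field)
    if hdr is None or not getattr(hdr, "addresses", ()):
        return "", ""
    mailbox = hdr.addresses[0]
    return mailbox.display_name, mailbox.addr_spec


def _plain_body(msg) -> str:
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return ""
    text = body.get_content()
    if body.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)  # crude tag strip; enough for a heuristic
    return text


def phishy_traits(raw_message: str) -> list:
    """Return the phish-y traits found in one raw RFC 5322 message, in list order."""
    msg = message_from_string(raw_message, policy=policy.default)
    traits = []

    display_name, sender = _first_address(msg, "From")
    sender_domain = _domain(sender)
    if sender_domain not in INTERNAL_DOMAINS:
        traits.append("external sender")

    # The display name invokes the organization while the address is from
    # elsewhere, or replies are routed to a different domain than the sender.
    _, reply_to = _first_address(msg, "Reply-To")
    name_claims_internal = any(d in display_name.lower() for d in INTERNAL_DOMAINS)
    if (name_claims_internal and sender_domain not in INTERNAL_DOMAINS) or (
        reply_to and _domain(reply_to) != sender_domain
    ):
        traits.append("sender does not match named authority")

    subject = str(msg.get("Subject", ""))
    body = _plain_body(msg)
    text = subject + "\n" + body
    if URGENCY_RE.search(text) or SHOUTING_RE.search(text):
        traits.append("sense of urgency")

    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    first_line = lines[0] if lines else ""
    if not GREETING_RE.match(first_line) or GENERIC_GREETING_RE.match(first_line):
        traits.append("absent or generic greeting")

    if len(LINK_RE.sub("", body).split()) < MIN_EXPLANATION_WORDS:
        traits.append("little to no explanation")

    if LINK_RE.search(body) or any(True for _ in msg.iter_attachments()):
        traits.append("attachment or link")

    return traits


# Constructed sample: a legitimate SaaS notification that hits every scorable trait.
PHISHY = """\
From: "Example.com HR Portal" <noreply@hr-saas.example.net>
Reply-To: support@hr-saas.example.net
To: employee@example.com
Subject: ACTION REQUIRED: COMPLETE YOUR FORMS TODAY!!
Content-Type: text/plain; charset="utf-8"

Dear %RECIPIENT%,
Click here to complete your onboarding forms: https://hr-saas.example.net/forms/123
"""

# Constructed sample: a forewarning message written the way the post recommends.
EXPECTED = """\
From: "Department of Paperwork" <paperwork@example.com>
To: sam.lee@example.com
Subject: Benefits enrollment opens next Monday (no action needed yet)
Content-Type: text/plain; charset="utf-8"

Hi Sam,

Next Monday the HR portal will e-mail you from noreply@hr-saas.example.net
with an enrollment form. That message is expected; it will greet you by name
and be signed by the Department of Paperwork. Nothing is due before the end
of the month, and the same information is posted on the internal intranet
page under Benefits, so you do not need to follow any link from that message.

Thanks,
The Department of Paperwork
"""

if __name__ == "__main__":
    for label, sample in (("SaaS notification", PHISHY), ("forewarning", EXPECTED)):
        print(f"{label}: {phishy_traits(sample) or 'no phish-y traits'}")
```

The first sample scores all six checkable traits; the second, which announces the SaaS message in advance from an internal address, greets the recipient by name and points to a standard internal location instead of a link, scores none. Running the check over templates before they go out is a cheap way to catch the "Dear %RECIPIENT%" and all-caps problems described later in the post.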
Sometimes these messages are sent directly by
actual human employees. If this is the case in your organization, it would be
beneficial to give your employees a different sort of anti-phishing training: “How
not to social-engineer your co-workers”. While this should include advice for
how to avoid sounding like an online scammer, to be most helpful, it should
also include some personnel-management advice on what to do if people are not
responding to email requests in a timely or satisfactory manner.
An increasingly common scenario is
phishy-looking emails sent by Software as a Service (SaaS) apps like those for
fax or shipping services, human resource or accounting portals, collaboration
tools, newsletters or even party planners. At a bare minimum, most of these
emails are sent from external addresses; they’re also often unexpected or
unsolicited, they contain little to no explanation, and they use a generic
greeting or no greeting at all.
The fact that these apps are sending
“corporate emails” from external addresses drastically increases the range of
“legitimate” email addresses well beyond the corporate domain. This makes it
much harder for employees to track which domains are “known” and therefore “more-trusted”
senders.
What can you do to make your emails less
phishy-looking? Here are a few things to consider:
· Make emails “expected”
If you’re going to send an email that requires employee action, give
them an introductory email first, which gives them some forewarning and an
explanation about what the email will contain, plus a description of what will
be expected of them upon receipt of the message. The more information you can
give them about what to expect – such as the sender’s email address, a brief
summary of the content, a distinctive greeting or sign-off, etc. – the better
able they will be to verify that the email is genuine. Understand that email
addresses are easy to spoof, so the more you can customize an email to make it
unique (rather than using basic boilerplate text), the easier it will be for
your employees to identify the message as legitimate.
· Keep calm
There’s no good reason to employ social engineering tactics to create
fear in your employees. Presumably the people you hire are all responsible
adults, and you can motivate them to action by accurately describing the level
of urgency in a way that does not require panic. There are always ways to
address non-compliance in a calm, yet serious, manner; it’s not good for morale
to start with the assumption that your employees will misbehave. As much as
possible, make sure the email sender matches the message and uses an appropriate
level of authority. If you’re sending “an important message from the VP of
Paperwork,” make sure that it is actually sent by the Vice President of
Paperwork rather than someone else in the Paperwork Department. Or better yet,
ask yourself if it even needs to be sent by the VP at all, rather than simply
being a “message from the Department of Paperwork.” And for the sake of
everyone’s blood pressure, please AVOID SENDING MESSAGES IN ALL CAPITAL
LETTERS.
· Choose security-conscious products
Can you digitally sign or encrypt emails sent from third-party apps? Is
there an option to send them from within your own corporate domain? Can you
customize emails with your own text or a recipient’s name? Can emails be sent
in plaintext rather than using image-heavy or HTML formatted messages? These
are a few questions you should be asking when pondering implementing new SaaS
apps. Even if you have little to no choice about which new or legacy apps you
use, there may be some options available for customizing messages to make them
more “user friendly”. Make sure that people are filling out all the variables
in templates too. (How many times have you gotten an email addressed to “Dear
%RECIPIENT%”?) If no such customization options exist, you may have to rely
more heavily on forewarning employees before email campaigns are sent
out.
· Keep it simple
Default to using text formatting; use HTML content only if absolutely
necessary. If at all possible, recipients should not have to click on a link or
attachment to read the substance of the message. Make it as quick and easy as
possible for your employees to get at least a basic summary of the information,
and have them go to a standard location (such as an internal company site) to
get more detailed information, rather than having to follow a link embedded in
the message.
Phishing, business email compromise (BEC), and email account
compromise (EAC) cause hundreds of millions of dollars’ worth of losses each year.
This number seems unlikely to decrease if we continue to give employees
conflicting information about how to handle suspicious emails. By making sure
the messages we send appear both trustworthy and verifiable, we can allow
employees to consistently follow anti-phishing advice and hone their instincts
for recognizing which emails are truly safe. 
Here are some additional resources on user
education and phishing, from my esteemed colleague David Harley: