The hidden value of historic communications in email security
Very rarely in life is certainty guaranteed. Almost every decision we make is made imperfectly, without complete knowledge and based on a gut-checked risk assessment. When it comes to protecting your organization from phishing attacks, this still rings true. Yet, most email security providers still see through a black-and-white lens and act in terms of absolute certainty. As a result, they effectively protect against the known bad, but let unfamiliar threats slip right through.
Employees at every level of your company are making hundreds of email decisions every day -- open this, delete that, respond to this, leave that for tomorrow. With so much inbox noise, a potential phishing email can infiltrate easily -- and can impact an entire organization profoundly.
The solution to this problem is not to block a larger number of emails. However, many organizations still focus on this metric (i.e. how many emails were quarantined). An increase in filtered perceived threats only sends people on wild goose chases, with time lost digging through their spam folders or quarantines looking for mislabeled legitimate communications - and can still leave the real threats lurking in their inboxes.
The most effective solution for organizations is to arm users with better contextual information around the unknown emails they receive. Naturally, with greater knowledge comes better decisions. This information falls into two key categories that open up security solutions to the many shades of gray that phishing emails present: individual history with the sender, and your internal colleagues’ history with the sender. By equipping your end users with this context and awareness, you can effectively turn them into valuable guardians of your critical data and systems.
First and foremost, have a critical look back at your individual history with the sender. Phishers work under the assumption that most users aren’t acutely aware of their own history of correspondence with specific domains and sender email addresses. Therefore, security solutions that are suspicious by design are the most effective. If a message enters your inbox from a name, brand or company domain you think you recognize -- check the email address closely. Even if the sender appears familiar, new and different email addresses should always be treated with an extra dose of caution.
Phishing attacks frequently spoof these known domains by altering just one or two letters, taking advantage of the human 'Typoglycemia' phenomenon -- the widely-accepted theory that the average person will fail to notice slight spelling errors or misplaced letters. As such, an added layer of vigilance is essential. It’s incredibly simple for a cybercriminal to register a new domain, set up valid G Suite or Office 365 accounts against it, and impersonate a known user scraped from your company’s LinkedIn profile. Your users need to be mindful of what’s lurking underneath that mask. When an email manages to look like it’s coming from a colleague or partner, but is really coming from an address they’ve never seen before, an individual’s communication history has to be top of mind at all times. This helps users decide how and whether or not to respond to the email. Some important factors to consider when evaluating an email:
- Have you communicated with this sender name before?
- Have you communicated with this sender and this email address before?
- Have you communicated with this company name before?
- Have you communicated with this domain before?
Internal Colleague’s History with the Sender
Having said that, as in life, there is such a thing as too much information. Too many phishing notices and false positives turn functional information into a monotonous annoyance. Being inundated by potential threat warnings can actually train your brain to ignore them. Having this additional historical context can help to alleviate 'alert fatigue' among your users, and can guide them towards better email decisions.
The second contextual component to consider when determining risk is your organizational email history. Email addresses and domains of vendors, clients, business partners and others that are frequent communicators with your company do not typically need to be flagged for closer review. Having access to this information can provide greater context as to an email’s legitimacy. It’s important to keep in mind that just because a message is coming from a sender or domain you have never personally communicated with before does not mean it is malicious. However, it does allow the user to take more precaution when interacting with that email.
The factors considered when assessing historic company communications are the same as with your individual historic communication: sender name, sender email address, company name and company domain. Having access to company communication history broadens the context for each of your users, reducing unnecessary warnings and making it more likely that when an email is flagged as potentially suspicious, the warning is taken seriously.
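The following is an added example, not code from the article or from GreatHorn, showing how the four history factors above (sender name, sender address, company, domain) can be evaluated for an inbound message at two scopes: the recipient's own history and the organization's. The mail history, the names and the `.example` domains are constructed; the company-name factor is approximated by the sending domain, and the lookalike check (one or two edited letters, the "Typoglycemia" trick described earlier) uses a plain edit-distance threshold that is an assumption of this example, not a product setting.

```python
"""Sender-context scoring from communication history (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """One delivered message: who received it and who it claimed to come from."""
    recipient: str    # mailbox the message landed in
    sender_name: str  # display name shown in the mail client
    sender_addr: str  # full address behind that display name


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot domains that differ by a letter or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


LOOKALIKE_MAX_DISTANCE = 2  # assumed threshold for this example


class History:
    """Indexes past inbound mail per recipient and for the whole organization."""

    def __init__(self, messages):
        self.per_user = defaultdict(set)  # recipient -> {(name, addr)}
        self.org = set()                  # {(name, addr)} across all recipients
        for m in messages:
            key = (m.sender_name.lower(), m.sender_addr.lower())
            self.per_user[m.recipient.lower()].add(key)
            self.org.add(key)

    @staticmethod
    def _facts(pairs, name, addr):
        """The three history questions for one scope (you, or the whole org)."""
        names = {n for n, _ in pairs}
        addrs = {a for _, a in pairs}
        domains = {domain_of(a) for a in addrs}
        return {"name": name in names, "address": addr in addrs,
                "domain": domain_of(addr) in domains}

    def context(self, recipient, sender_name, sender_addr):
        name, addr = sender_name.lower(), sender_addr.lower()
        you = self._facts(self.per_user.get(recipient.lower(), set()), name, addr)
        org = self._facts(self.org, name, addr)
        # Lookalike check against domains the organization has actually mailed with.
        dom = domain_of(addr)
        known = {domain_of(a) for _, a in self.org}
        lookalike = None
        if dom not in known:
            close = [(edit_distance(dom, k), k) for k in known]
            close = [c for c in close if c[0] <= LOOKALIKE_MAX_DISTANCE]
            if close:
                lookalike = min(close)[1]
        # Verdict: exact personal history wins; otherwise surface the context that
        # a user would most want to see before deciding how to respond.
        if you["address"]:
            level, reason = "familiar", "you have mailed with this exact address"
        elif lookalike:
            level, reason = "lookalike", f"domain resembles known domain {lookalike}"
        elif (you["name"] or org["name"]) and not org["domain"]:
            level, reason = "name_mismatch", "known sender name from a never-seen domain"
        elif org["address"] or org["domain"]:
            level, reason = "known_to_org", "new to you, but colleagues have mailed with this sender"
        else:
            level, reason = "new", "entirely new sender for the organization"
        return {"you": you, "org": org, "lookalike_of": lookalike,
                "level": level, "reason": reason}


# Constructed history: two mailboxes at a fictional company and their past senders.
SAMPLE_HISTORY = History([
    Message("alice@acme.example", "Bob Vendor", "bob@vendor.example"),
    Message("alice@acme.example", "Carol Partner", "carol@partner.example"),
    Message("dave@acme.example", "Erin Client", "erin@client.example"),
])


def demo():
    """Score a few constructed inbound messages to Alice and Dave."""
    cases = [
        ("alice@acme.example", "Bob Vendor", "bob@vendor.example"),
        ("alice@acme.example", "Bob Vendor", "bob@vend0r.example"),
        ("alice@acme.example", "Erin Client", "erin@client.example"),
        ("alice@acme.example", "Carol Partner", "carol@gmail.example"),
        ("dave@acme.example", "Frank New", "frank@newco.example"),
    ]
    return [(addr, SAMPLE_HISTORY.context(rcpt, name, addr)["level"])
            for rcpt, name, addr in cases]


if __name__ == "__main__":
    for addr, level in demo():
        print(f"{addr:24} -> {level}")
```

The verdict order matters: a message from an address the recipient has personally mailed with is treated as familiar before any other check runs, while a known display name arriving from a domain nobody in the organization has ever corresponded with is exactly the "known name, new address" case the article warns about and is flagged even though the name alone looks reassuring.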
As an organization, you can’t prevent every phishing attack from reaching your end users, and it’s also not in your best interest to start blocking every message coming in from an unfamiliar address. What you can do is give people the information, through historic communication, to make smarter risk-based assessments. With this insight, they can make better informed decisions for each email that reaches their inboxes, based on the added context to improve their level of scrutiny. It’s entirely possible for people in your organization to turn from vulnerable targets to valuable defenders, successful in their role as the 'last line of defense' against phishing.
Matt Petrosky is the Vice President of Customer Experience at GreatHorn. Matt is a versatile leader with 15+ years in technology organizations, designing products and customer experiences, most recently in the rapid growth cybersecurity industry.