Frustrating, isn't it?
You design a powerful anti-phishing program, secure funding from your executive board, provide world-class training. You do everything right…
Oh, your users are probably spotting phishing emails. After all, they've engaged with the training, and seem to be taking it seriously.
But no matter how many times you remind them, they just won't report those phishing emails.
The Backbone of Anti-Phishing
In our last post, we talked about why users should not simply be asked to delete suspected phishing emails. Instead, we noted the importance of setting up a central repository for reported phishing emails, which can be used in a whole variety of ways to strengthen your anti-phishing program.
Among other things, reported phishing emails can:
- Inform improvements to technical security controls
- Give users an easy win and keep phishing top of mind
- Provide an opportunity for you to quarantine similar emails
- Inspire your own realistic phishing simulations
But in order for all this to be possible, you need to persuade your users to promptly and consistently report emails they believe may be malicious.
Here's where we hit a problem.
The Logical Approach Won't Work
If you need to see an email received by someone else, what's the logical thing to do? Simple: Ask them to forward it to you.
Unfortunately, there are three issues with this approach:
1) Users have to remember an email address
No matter how much you'd like them to, most of your users won't write your phishing inbox address on a post-it note stuck to their monitors. That means in order for them to report a suspected phish, they'll need to dig out their notes from your last training session or search around for your guidance documentation. In practice this won't happen, and only a small proportion of incoming phishing emails will be reported.
You can also prepend a simple notice to the top of every incoming email your employees receive. Including the address to forward suspicious emails to, plus a line of instruction, will both increase the number of emails forwarded and act as an easy alternative to software and add-ons.
2) It can be slow
It might seem odd to suggest that a process which takes a maximum of 10 seconds is too long. But, as research and experience have taught us, it is too long, and the number of reported phishing emails you see will be substantially lower as a result.
3) Forwarded emails are far from perfect
Perhaps the biggest issue with forwarded phishing emails is that they aren't a perfect copy of the original email. Not only are forwarded emails missing their original headers, which are a valuable source of intelligence, but their formatting is often disturbed, and it can be more difficult to track down legitimate sender info.
A Better Way
So if forwarding isn't the answer, how can you obtain faithful representations of the phishing emails received by your users?
Again, the answer is simple, just not necessarily easy to put into practice. What you really need is for users to save a copy of suspected phishing emails and send it to you via email attachment. This approach perfectly preserves the content, formatting, and metadata from each sample, ensuring your analysts have everything they need to work with.
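To make the difference concrete, the following added example (not code from the original post or from PhishLabs) builds the same constructed phishing sample twice, once as a forward and once as an attached copy, and shows what an analyst can recover from each. All addresses, hostnames and function names are made up for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

ANALYST_HEADERS = ("Return-Path", "Received", "Authentication-Results", "Reply-To")

def build_original():
    """Constructed phishing sample as delivered (all values are made up)."""
    m = EmailMessage()
    m["Return-Path"] = "<bounce@mailer.example.net>"
    m["Received"] = ("from mailer.example.net ([203.0.113.7]) "
                     "by mx.corp.example; Mon, 01 Jan 2024 09:00:00 +0000")
    m["Authentication-Results"] = "mx.corp.example; spf=fail smtp.mailfrom=mailer.example.net"
    m["From"] = "IT Helpdesk <helpdesk@corp.example>"
    m["Reply-To"] = "helpdesk@lookalike.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "Password expires today"
    m.set_content("Click here to keep your password.")
    return m

def _envelope(subject):
    """New message from the reporting user to the (hypothetical) phishing inbox."""
    r = EmailMessage()
    r["From"], r["To"], r["Subject"] = "user@corp.example", "phishing@corp.example", subject
    return r

def forward_report(original):
    """What a Forward action sends: a new message that only quotes the body."""
    r = _envelope("Fwd: " + original["Subject"])
    r.set_content("---------- Forwarded message ----------\n"
                  f"From: {original['From']}\nSubject: {original['Subject']}\n\n"
                  + original.get_content())
    return r.as_bytes()

def attachment_report(original):
    """What a report button sends: the untouched original as message/rfc822."""
    r = _envelope("Reported phish")
    r.set_content("Reported by user.")
    r.add_attachment(original)  # a message object becomes a message/rfc822 part
    return r.as_bytes()

def recover_original(report_bytes):
    """Return the original's analyst-relevant headers, or None if they are gone."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            return {h: [str(v) for v in original.get_all(h, [])] for h in ANALYST_HEADERS}
    return None
```

For the forwarded report `recover_original` returns `None`, because the relay path, SPF result and mismatched Reply-To never leave the user's mailbox; for the attached copy all four headers come back intact.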
You can see the problem here, can't you? If asking users to forward emails to you is too slow and cumbersome, asking them to send saved copies of emails is never going to work. Instead, what you need is a process which achieves the same result, but which can be completed automatically at the click of a button.
To that end, you have two options:
1) Add a button to your corporate email client
Installing an add-in for your corporate email client is the most obvious solution, and also the most direct. An add-in can quite easily be developed to automatically package up suspicious emails and send them to a pre-programmed address, resulting in a simple one-click process for users, and ensuring analysts receive everything they need.
2) Use a mail server add-in
Unfortunately, for many organizations, physically installing code on each endpoint is a no-no, either because it's impractical, or because it's deemed an unnecessary complication. In these cases, there's a second option: mail server add-ins.
Instead of adding a button to your email client's toolbar, this method manifests as a button sitting between the sender/subject area and the email body:
[Image: a real phishing sample received by Stacey Shelley, VP Marketing at PhishLabs.]
Ultimately, whichever of these approaches you opt for, the result is the same: The simplest possible process for users and the best possible outcome for analysts.
Best Practice Across the Board
As you've no doubt gathered by now, putting together a powerful anti-phishing program isn't going to happen overnight. If you're really serious about fighting the threat posed by phishing, each aspect of your program must be carefully considered and planned to ensure the desired outcomes are achieved.
To find out more about how a world-class anti-phishing program can be developed, register for our free on-demand webinar: Best Practices for Enterprise Phishing Protection.