You can have the best security in place, but it means nothing if an employee simply gives access to a threat actor or sends them information.
In Part 1 and Part 2, we talked about why phishing is still a serious issue and how it works. In our final part of the series, let's talk about what to do about it!
Be sure to read the other parts as you prepare to level up your defenses because we cover some things you probably didn’t know you needed to know about phishing emails and similar types of cyber-attacks that are designed to trick your users.
We won’t get deeply technical as we look at how to protect yourself. However, you may find you need help, so we'll share some things below that will help get you started down the right path.
Part 3: We’re Going to Need a Bigger Boat
Our first two parts covered the basics of what a phishing email is, how prevalent they are today, and how they work.
Now, it’s time to talk about fighting back and protecting our businesses.
Can We Keep Malicious Emails Out?
Not always…
Our choices around cyber risk tolerance force us to find a balance between being so efficient that we open up areas of risk and locking things down so much that we can’t operate the business effectively.
Email filters and other tools can scan messages and keep them from being delivered to users, but they can only do so much. The tighter the security around email, the more likely IT will be overwhelmed with false positives: safe emails sent into a quarantine that has to be manually released.
‘Known malicious’ messages or links should absolutely be removed from inboxes. However, when a scan is not highly confident that an email is malicious, it is best to make the user aware (often through a banner) that they need to proceed with caution.
A new problem starts to surface with ‘banner fatigue’ when users start ignoring such messages because they constantly see them.
"If a majority of your email activity is external – then you’re going to see messages constantly warning you of “External Senders.” So smart banners are needed to give in-the-moment education to users about what is triggering the risk, more than just someone being an external sender."
An email filter may flag things like the language commonly used in social engineering, unrecognized senders, suspicious links, files, and more. AI really helps these tools perform better, but it’s not perfect, and some things, like new techniques, can slip through.
Even so, some messages may not get ‘bannered.’ One way this happens is when someone uses a trusted person’s email account to send a link that is unrecognized or that points to a new malicious site these tools don’t know about yet, so they don’t know to block it.
So far, there is no silver bullet. Your email security tools should be just one of the many layers in your security strategy, alongside training users to be more aware and diligent.
How Can We Be More Effective in Protecting Ourselves?
Set Your Email Security Configurations
Email security configurations can make it harder for your email account to be impersonated. These are used to establish trust with your email system and others you communicate with, so this can also improve email deliverability.
The three configurations to implement are:
- SPF (Sender Policy Framework): a public list of which servers are allowed to send messages from your email domain
- DKIM (DomainKeys Identified Mail): a cryptographic signature that lets recipients confirm your email actually came from your domain
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): builds on SPF and DKIM as an extra layer, telling recipients what to do when one of the above fails
These configurations are public-facing (that’s how the recipient’s email system can tell whether it should trust you). You can go to a site like MXToolbox.com to check whether these settings are in place. I would only need to know your email address to look up the status of these, and scripts can be written to do this quickly across a large list of email addresses.
Because it is publicly available information, this also means that the threat actors can easily tell if you’re missing any of these security configurations. This may tell them it’s possible to impersonate you, but a bigger concern is that they may assume that you have other missing security practices.
In most cases, they’d automate all of this. It’s not time-consuming to identify you as low-hanging fruit!
Setting these configurations is not too complicated, but it will require help from your IT Admin and access to your Domain Management System (where you set up your website and DNS settings). If you’re not very technical, get help to make sure it’s all done correctly, or you could create an issue that keeps others from receiving your emails.
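As an added illustration (not code from this post or from RLS Consulting), here is a small Python checker that takes a domain’s public DNS TXT records and reports whether SPF, DKIM and DMARC are published and what each one actually enforces. The records below are constructed for a hypothetical example.com, and the DKIM selector name ‘selector1’ is an assumption; a real run would feed it the answers from a DNS lookup.

```python
import re
# Constructed sample DNS TXT answers for a hypothetical domain (not real lookups).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}

def parse_tags(record):
    """Turn 'v=DMARC1; p=none; ...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def is_dkim_key(record):
    """A usable DKIM record has a non-empty public key; an empty p= means revoked."""
    tags = parse_tags(record)
    return bool(tags.get("p")) and tags.get("v", "DKIM1").upper() == "DKIM1"

def assess_domain(domain, txt, dkim_selectors=("selector1",)):
    """Summarise SPF/DKIM/DMARC status and list the checks a receiver cannot enforce."""
    result, gaps = {}, []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # none, or more than one (receivers treat that as a permanent error)
        result["spf"] = "missing" if not spf else "invalid (multiple records)"
        gaps.append("spf")
    else:
        m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0])
        qual = m.group(1) if m else None
        result["spf"] = {"-": "hardfail", "~": "softfail"}.get(qual, "no enforcing all")
        if qual not in ("-", "~"):
            gaps.append("spf")
    # DKIM keys live at <selector>._domainkey.<domain>; the sender picks the selector name.
    found = [s for s in dkim_selectors
             if any(is_dkim_key(r) for r in txt.get(f"{s}._domainkey.{domain}", []))]
    result["dkim"] = "published" if found else "missing"
    if not found:
        gaps.append("dkim")
    dmarc = [parse_tags(r) for r in txt.get("_dmarc." + domain, [])]
    dmarc = [t for t in dmarc if t.get("v", "").upper() == "DMARC1"]
    policy = dmarc[0].get("p", "").lower() if dmarc else ""
    result["dmarc"] = policy or "missing"
    if policy not in ("quarantine", "reject"):  # p=none only monitors; nothing is blocked
        gaps.append("dmarc")
    result["gaps"] = gaps
    return result
```

For the sample records the result flags DMARC as the gap: SPF and DKIM exist, but with p=none a recipient takes no action when a spoofed message fails them.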
Review Email Security Settings
Inside your email system, as an Admin, you will have different permissions and policies you can turn on to help protect users. Where the configurations above are public-facing, these settings determine how emails are handled internally.
If you’re a Microsoft email user, your Microsoft Secure Score recommendations will guide you through many of the settings you want to review.
Regardless of your email system, here are a few things you may want to look for:
- Turn on safe link rewriting
- Improve automated message handling, especially around junk, spam, and malicious messages
- Set controls for how to handle messages that appear to be spoofed or impersonated
- Tune the sensitivity of phishing detection and other security checks
There’s a lot to look for here, and it may depend on what other compensating controls are in place with other email security tools you use.
Bonus: Turn off the ability to create rules that forward emails outside of your organization. In a Business Email Compromise (BEC), attackers often set up a forwarding rule so that copies of messages keep being sent to them; it works as a kind of backdoor that lets them keep reading and intercepting mail even after you’ve booted them out of the account.
Email Filters and Security Tools
To take it further, more advanced tools exist that act either as a gateway that messages must pass through or as a service that lives in your inbox and uses AI and other techniques to seek out suspicious messages.
As noted before, security that is too tight here makes life difficult for IT; we don’t want to constantly release emails that were incorrectly identified as malicious.
While there are many options here, these are a few of the key capabilities to look for:
- Scans emails prior to releasing them to users
- Quarantines known malicious emails
- Banners suspicious messages (the smarter, the better to fight user fatigue and remind users of training)
- Identifies a sender’s history with you as a form of established trust
- Identifies possible spoofed addresses or display names that look like people you have corresponded with
- Confirms the sending email system is secured and trustworthy
- Sandboxes suspicious links or files to test them safely
- Allows users to report phish (so other emails can be removed for other users)
- Gives the users in-the-moment email analysis tools to determine what they should trust
Train Your Employees and Test Their Knowledge
In the end, emails will end up in front of your users. Nothing noted above is going to be a silver bullet, so we need to make sure our frontline is ready.
Keep in mind that the techniques and strategies used in social engineering and phishing attacks aren’t limited to email. We need users to know what threats exist on the phone, by text, scanning QR codes, on social media, instant messaging apps, and other areas where a bad actor may try to trick someone.
Training that includes Simulated Phishing (in addition to simulating voice calls and other forms of common attacks on users) can be one of the most effective ways to reduce the potential cost of a data breach.
Take a look at where Training sits according to IBM’s 2024 Cost of a Data Breach Report:
As you can imagine, not all training is equal.
To get the most out of training, a robust training course once per year is great, but pepper in shorter training lessons throughout the year.
Done effectively, this helps users keep awareness top of mind (especially since social engineering and phishing are more likely to be a problem during busier and more distracted times).
Design your program to fit your industry and specific business practices by talking about the types of risks you have, how an attack may occur, and what’s common for businesses like yours.
And keep it timely! When you have shorter and more frequent training engagements, you can talk about current techniques and seasonal risks.
The ideal approach would include a short training lesson and phishing simulations done on a monthly basis.
Bonus: Focus your training on building a strong culture around security. Consider how you use positive and negative reinforcement. Build this from the top down and be sure to lead by example. Get your users bought into the security practices by helping them understand that they have a role to play and what an attack would mean for them.
Culture is another topic that we’ll have to dig into deeper at another time, but if you want to make an impact on your organization’s culture around security, you’ll want to learn more about some of the things RLS Consulting is doing. See below!
Want Help?
RLS Consulting can help you here in several ways. Reach out if you’d like to learn more about email security configurations, email security tools, or ways to effectively train your staff on what to watch for.
We just launched new services to conduct phishing simulations and training, so now is a great time to explore ways to protect one of your highest areas of risk!
You can learn more at SecureMyStaff.com