One of the most common ways that cybercriminals infiltrate organisations and businesses is through social engineering emails. These are emails that try to trick or persuade the recipients to click on malicious links, open malicious attachments, or divulge sensitive information.
While an Email Security solution offers many protections against email-based social engineering attacks, it faces a very common issue, which organisations and businesses can frame as a simple question when designing and/or reviewing their cybersecurity strategy: what happens when an Email Security solution is presented with a new sender whose email meets the following criteria?
- Sent from a reputable mail service.
- The sender’s domain is verified.
- The email seemingly does not contain malicious content.
- The email includes a single sentence with no seemingly malicious intent.
This is where the social engineering threat attempts to bypass technical controls and endeavors to exploit the recipient’s awareness. To combat this threat, many organisations use email security controls such as “External tagging”, which adds a tag or a banner to any email that originates from outside the organisation. The intention is to alert the users to be more cautious and vigilant when dealing with external emails.
However, external tagging has some limitations that may reduce its effectiveness or even introduce new risks, most notably:
- Tagging Fatigue – Tagging fatigue is similar to the concepts of “MFA fatigue” and “alerting fatigue”. It refers to the natural human component of becoming less attentive to habitual/repetitive tasks. In this context, the tagging of what is generally the majority of received emails, based on a static and binary attribute (external or not), can cause users to start ignoring the tags or banners or pay less attention to them.
- Insider Risk – If an attacker manages to breach the organisation’s email server or gain access to an employee’s mailbox, they can send emails without any tags or banners, making them appear more trustworthy and credible. This can increase the chances of success for social engineering emails that are sourced from and target internal resources.
To address these limitations, organisations should consider implementing other email security controls that can complement external tagging or even replace it in some cases. Examples of these controls are:
- Cybersecurity Awareness training: This is a fundamental and essential control that aims to educate users about the tactics and techniques employed by malicious actors, with tailored and engaging training campaigns. These campaigns can also include simulated attacks, to identify improvement areas within the organisation or business.
- Threat/Context-based awareness tags/banners: This is a more advanced and dynamic control that adds tailored tags or banners based on the content and context of the email, rather than just the source. For example:
  - When an email is sent from a newly registered domain
  - When an email is sent from an impersonated domain (e.g. g0ogle.com)
  - When the sender is requesting return contact via another communication method
- Onboarding emails and monthly reminders: This is a simple and effective control that aims to reinforce and refresh the users’ awareness and knowledge of email security. Onboarding emails are sent to new employees when they join the organisation and introduce them to the email security policies and best practices. Reminder emails are sent to all employees on a regular basis (but not too frequently) and remind them of the existing security controls and/or email-based awareness tips.
Most importantly, users should be reminded to scrutinise all emails, regardless of their source.
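An added sketch (not part of the original article or any vendor's product) of how a mail-flow rule could choose context-based banners for the three triggers listed above, instead of tagging every external email. The protected-domain list, 30-day threshold, digit-for-letter map and callback phrases are illustrative assumptions, and the registration date is assumed to come from a WHOIS/RDAP lookup performed elsewhere.

```python
import re
from datetime import date

# Illustrative assumptions, not values from the article:
PROTECTED = ("example-corp.com", "google.com")  # domains an attacker may imitate
NEW_DOMAIN_DAYS = 30                            # "newly registered" cut-off
HOMOGLYPHS = str.maketrans("01357", "olest")    # common digit-for-letter swaps
CALLBACK = re.compile(r"\b(call|text|whatsapp|message)\s+me\b"
                      r"|\b(send|share)\s+(me\s+)?your\s+(mobile|cell|phone)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def lookalike_of(domain):
    """Return the protected domain this one imitates, or None."""
    domain = domain.lower()
    if domain in PROTECTED:
        return None                     # the genuine domain is not a lookalike
    folded = domain.translate(HOMOGLYPHS)
    for real in PROTECTED:
        # Match digit substitutions (g0ogle) and one-character typos (gooogle).
        if folded == real or edit_distance(domain, real) == 1:
            return real
    return None

def banners_for(sender_domain, registered_on, body, today):
    """Return only the banners whose trigger fires for this message."""
    banners = []
    if registered_on is not None:       # None = registration date unknown
        age = (today - registered_on).days
        if age < NEW_DOMAIN_DAYS:
            banners.append(f"Sender domain was registered {age} days ago")
    real = lookalike_of(sender_domain)
    if real:
        banners.append(f"Sender domain resembles {real}")
    if CALLBACK.search(body):
        banners.append("Sender asks to move to another contact method")
    return banners

if __name__ == "__main__":
    # Constructed sample: a one-sentence email from a lookalike domain.
    print(banners_for("g0ogle.com", date(2024, 5, 28),
                      "Are you free? Send me your mobile number.", date(2024, 6, 1)))
```

An ordinary external email produces an empty list, so a banner only appears when there is something specific to warn about, which is the property that counters tagging fatigue.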
Talk to Exigence about Email Security!
As with all security controls, organisations and businesses should assess the effectiveness of a control both initially and continuously, within the context of their environment, and always factor in its considerations and limitations. For further information, talk with our team.