Recently a couple of phishing emails arrived at my inbox at the education institution where I teach. Both messages were deleted without a second thought, though I realized later that one of the phishing mails could have fooled me – had it been relevant. Purporting to be from the institution’s IT department, the offending email was exceedingly well-written and talked about how a shared storage resource had been scheduled to be taken down for routine maintenance soon. Users were asked to visit a shortened URL link (helpfully provided, of course) to let the technical team know if they want a data backup of their folders done.
I have no idea where the proffered link leads to; though I assumed that it would have tried to obtain users’ usernames and passwords at a minimum. As you can imagine, even having a fraction of users fall for such a ploy would be nightmarish, more so for an Exchange server that is administratively joined to a domain – a successful phishing attempt is all it takes to compromise an account across the entire domain.
So while not typically tagged as the duty of an email administrator, are there any strategies that administrators can employ to better defend against phishing attempts? I thought about it, and came up with a number of suggestions.
1. Design a proper template for emails from the IT department
The first recommendation that I have would be to design a proper template for official emails from the IT department. Not only will it serve to enhance the professionalism of the IT team as a whole, it is also good protection against generic phishing emails – which forms the bulk of phishing attempts. Assuming administrators are disciplined in using this template for all their correspondence and announcements, users will naturally become alerted when confronted with an email that does not use the correct template.
In fact, a proper template will also go a long way in protecting against directed attacks, a scenario where hackers work to break into a specific organization. They will first need to learn of the presence of the email template, which forms another barrier against a successful phishing attempt.
2. Establish authenticity using digital certificate and an official email address
Of course, the creation of a standard email template is somewhat akin to achieving security via obscurity. Lost and stolen laptops will quickly reveal the official email template that these hackers can then use to masquerade as an administrator. As email administrators are well aware, the real problem has to do with how easy it is to spoof the “From” address data in an email’s header.
The way to conclusively defend against phishing mails that exploit this weakness would be to tap on the use of digital certificates to establish authenticity. While it will cost to purchase valid digital certificates, I consider it to be money worth spending. Moreover, organizations can opt to implement digital signing only for key email accounts, which is a cheap yet effective way of stopping phishing in its tracks. If there is interest, I will detail the steps to sign emails with a digital certificate in my next blog. As a reference, Google has published a list of Certificate Authorities (CA) that it recognizes here.
3. Training users to detect phishing
Of course, all the security tools and measures in the world will not protect your users if they respond to every scam email or click on any proffered URL with impunity. I feel strongly that businesses should invest in some rudimentary training to equip their employees against the evolving techniques that scammers are adopting to break through the corporate inbox. Rather than wait for things to happen, email administrators should take the initiative and train users to forward messages whose origins are suspicious or dubious to them for further examination.
4. Send follow-up messages
To its credit, the email administrator in my above-mentioned anecdote reacted within the hour, and sent a warning email about the scam. While some might argue that an official follow-up encumbers the inbox with yet another message, I feel that it serves as a useful reminder against the ongoing phishing threat. In addition, it also opens up a channel for communication between the email administrator and staffers who might have fallen prey; and allow for compromised user accounts to be reset before they are exploited.