Breaking the chain: can email banners and indicators change the behavior that leads to breaches?

We all know DMARC is the first line of defense against phishing attacks. This globally recognized protocol was created to stop exact domain impersonation in its tracks, meaning cybercriminals can’t use your domain to phish your employees, customers, and supply chain.

But while DMARC (Domain-Based Message Authentication, Reporting, and Conformance) plugs a big hole in the cyber-armor of businesses, it doesn’t solve every problem. Phishing emails that impersonate a business’ exact domain are often the most successful. But when cyberattackers can’t use this avenue on a DMARC-secure business, they can still use lookalike domains and create convincing messages by leveraging social engineering. And of course, they can always send phishing emails from businesses or suppliers without a strong DMARC policy too.

How can businesses best help their employees to spot phishing attacks?

There are a multitude of measures businesses can put in place on top of the basics like DMARC to strengthen their security posture. One such method popular with businesses is Security Awareness or Phishing Training. But while this may be a good additional measure, research has continuously cast a shadow over its effectiveness, with one study showing that employees forget guidance within just six months. A more traditional way to help protect employees from receiving phishing emails is by leveraging a Secure Email Gateway (SEG), but these certainly aren’t bulletproof either. 

Verizon hit the nail on the head in their 2021 Annual Data Breach Report. It highlighted how ‘It’s important to progress from the traditional security awareness model to that of using behavioral science to change the habits that lead to attack path breaking actions.’ This echoes what many are now asking: when phishing emails do break through business defenses, is enough being done to prevent recipients from making the mistakes that lead to breaches?

Advanced threat protection (ATP) may just answer this call, offering businesses a more intuitive approach to email security. Whereas an SEG or spam detector acts as a firewall, threat protection software detects problems within an email based on its content and sender, often using Artificial Intelligence to assess the email’s DNA. It then notifies the recipient of any danger. But how effective is it in changing the way employees interact with and respond to potentially malicious emails?

In this blog, we cover the key findings of our research into the impact of advanced threat protection (ATP) – more specifically OnINBOX’s contextualized banners and traffic light indicators – on how employees interact with suspicious emails, and whether this technology could be key to breaking the behavior pathways that end in breaches. 

About our research

We asked 437 people aged 18 – 60+, across the US and UK to take part in the study. Participants – all professionals from junior to executive level – were first asked to identify the fake email (or phish) with no assistance, and then again with help from OnINBOX’s warning banners and traffic light indicators. We looked at how these visual aids changed how participants interacted with emails, and whether they were effective in altering participant behavior pathways and helping to identify an attack. 

Without banners and indicators, 39% of participants failed to spot the phishing email

As a baseline, we first asked participants to identify the fake email with no assistance from banners or indicators. Here, we not only found that 39% of participants failed to spot an attack, but a worrying 42% of C-level participants failed too. Considering a significant number of phishing and BEC attacks are aimed at CEOs and other senior staff (i.e. whaling), this suggests gaping vulnerabilities higher up in organizations, and attackers are ready and waiting to take advantage of these.

Warning banners and indicators altered the behavior of 87% of participants

In our study, the presence of warning banners and red indicators had an unequivocal influence on how participants interacted with suspicious emails. When presented with a warning banner and 2 red indicators, 71% of participants changed their behavior. When faced with 3, this skyrocketed to 87%. In each instance, a proactive step was taken by the participant to question the email’s legitimacy, prompted by the banners and indicators in place. 

Even when not red, the traffic light indicators prompted caution 

We generally observed that the stronger the warning was, the stronger the response became. But even when there was no immediate danger, the presence of indicators continued to encourage users to stop and think before acting. 46% of participants changed their behavior (wanted to learn more or report) even when there was no red alert or banner present. What’s more, we found that even if an email looked safe (all green indicators), participants still stopped to think, with 12% opting to learn more about the email’s security profile. Ultimately across all scenarios, there was some desire to learn more before acting, implying a positive influence on participant behavior.

Overall, green indicators gave users more confidence 

We found that the presence of 3 green indicators gave 83% of participants confidence in an email’s legitimacy. While the primary purpose of banners and traffic light indicators is to stop employees from interacting with malicious emails, they clearly help employees to have confidence in the emails which are legitimate too. What’s more, 76% agreed the banners were not intrusive.

Employees (and employers) saw value in OnINBOX banners and indicators

Within the research, we asked participants how they felt about the banners and indicators. We found that an overwhelming 84% either agreed or strongly agreed that they would influence the decision to act on an email. A further 96% of all participants said they would support a buy decision, and the percentage of senior executives in businesses with 1000+ and 5000+ employees who agreed was even higher.

The results are conclusive

When we consider that the average office worker receives 121 emails every day, is it really feasible to expect these employees to single-handedly vet and check the security profile of each and every one? The simple answer is no. When businesses do this, they’re leaving a wide margin for vulnerability and error, and it’s no coincidence that so many cybercriminals take advantage of this to get past defenses and compromise business data, finances, and reputation.

Across our study, we found that the presence of the indicators in any capacity made the participants change their course of action, stop, and think. But as well as breaking their chain of behavior, what was interesting was that throughout the experiment, participants demonstrated a thirst for knowledge, with as many as 47% of participants wanting to learn more, particularly when the banners indicated danger. This highlights how ATP indicators and banners can work in unison with the benefits other measures like training bring to the table, providing consistent, everyday reminders, and actively changing employee behavior, whilst plugging the gaps where other measures fall short.

While the best defense in the war against email phishing scams like BEC will always be a layered one, it’s clear that, looking forward, businesses need to shift their position to see the value of breaking the chains of behavior that lead to disaster. Businesses shouldn’t be relying on employees to catch every threat, not when there’s the technology available to do just this. With an ATP product like OnINBOX, employees don’t have to evaluate the threat of these emails on their own; instead, they can rely on having that in-email expert technology to do this, and businesses overall are better protected from the effects of phishing.

Published by Sabrina Evans, 4 Oct. 2021
