We all know DMARC is the first line of defense against phishing attacks. This globally recognized protocol was created to stop exact domain impersonation in its tracks, meaning cybercriminals can’t use your domain to phish your employees, customers, and supply chain.
But while DMARC (Domain-Based Message Authentication, Reporting, and Conformance) plugs a big hole in the cyber-armor of businesses, it doesn’t solve every problem. Phishing emails that impersonate a business’ exact domain are often the most successful. But when cyberattackers can’t use this avenue on a DMARC-secure business, they can still use lookalike domains and create convincing messages by leveraging social engineering. And of course, they can always send phishing emails from businesses or suppliers without a strong DMARC policy too.
How can businesses best help their employees to spot phishing attacks?
There are a multitude of measures businesses can put in place on top of the basics like DMARC to strengthen their security posture. One such method popular with businesses is Security Awareness or Phishing Training. But while this may be a good additional measure, research has continuously cast a shadow over its effectiveness, with one study showing that employees forget guidance within just six months. A more traditional way to help protect employees from receiving phishing emails is by leveraging a Secure Email Gateway (SEG), but these certainly aren’t bulletproof either.
Verizon hit the nail on the head in their 2021 Annual Data Breach Report. It highlighted how ‘It’s important to progress from the traditional security awareness model to that of using behavioral science to change the habits that lead to attack path breaking actions.’ This echoes what many are now asking: when phishing emails do break through business defenses, is enough being done to prevent recipients from making the mistakes that lead to breaches?
Advanced threat protection (ATP) may just answer this call, offering businesses a more intuitive approach to email security. Whereas an SEG or spam detector acts as a firewall, threat protection software detects problems within an email based on its content and sender, often using Artificial Intelligence to assess the email’s DNA. It then notifies the recipient of any danger. But how effective is it in changing the way employees interact with and respond to potentially malicious emails?
In this blog, we cover the key findings of our research into the impact of advanced threat protection (ATP) - more specifically OnINBOX’s contextualized banners and traffic light indicators - on how employees interact with suspicious emails, and whether this technology could be key to breaking the behavior pathways that end in breaches.
What are traffic light indicators, and how do they work?
About our research
We asked 437 people aged 18 - 60+, across the US and UK to take part in the study. Participants - all professionals from junior to executive level - were first asked to identify the fake email (or phish) with no assistance, and then again with help from OnINBOX’s warning banners and traffic light indicators. We looked at how these visual aids changed how participants interacted with emails, and whether they were effective in altering participant behavior pathways and helping to identify an attack.
Without banners and indicators, 39% of participants failed to spot the phishing email
As a baseline, we first asked participants to identify the fake email with no assistance from banners or indicators. Here, we not only found that 39% of participants failed to spot an attack, but a worrying 42% of C-level participants failed too. Considering a significant number of phishing and BEC attacks are aimed at CEOs and other senior staff (i.e. whaling), this suggests gaping vulnerabilities higher up in organizations, and attackers are ready and waiting to take advantage of these.
Warning banners and indicators altered the behavior of 87% of participants
In our study, the presence of warning banners and red indicators had an unequivocal influence on how participants interacted with suspicious emails. When presented with a warning banner and 2 red indicators, 71% of participants changed their behavior. When faced with 3, this skyrocketed to 87%. In each instance, a proactive step was taken by the participant to question the email’s legitimacy, prompted by the banners and indicators in place.
Even when not red, the traffic light indicators prompted caution
We generally observed that the stronger the warning was, the stronger the response became. But even when there was no immediate danger, the presence of indicators continued to encourage users to stop and think before acting. 46% of participants changed their behavior (wanted to learn more or report) even when there was no red alert or banner present. What’s more, we found that even if an email looked safe (all green indicators), participants still stopped to think, with 12% opting to learn more about the email’s security profile. Ultimately across all scenarios, there was some desire to learn more before acting, implying a positive influence on participant behavior.
Overall, green indicators gave users more confidence
We found that the presence of 3 green indicators gave 83% of participants confidence in an email’s legitimacy. While the primary purpose of banners and traffic light indicators is to stop employees from interacting with malicious emails, they clearly help employees to have confidence in the emails which are legitimate too. What’s more, 76% agreed the banners were not intrusive.
Employees (and employers) saw value in OnINBOX banners and indicators
Within the research, we asked participants how they felt about the banners and indicators. We found that an overwhelming 84% either agreed or strongly agreed that they would influence the decision to act on an email. A further 96% of all participants said they would support a buy decision, and the percentage of senior executives in businesses with 1000+ and 5000+ employees who agreed was even higher.
The results are conclusive
When we consider that the average office worker receives 121 emails every day, is it really feasible to expect these employees to single-handedly vet and check the security profile of each and every one? The simple answer is no. When businesses do this, they’re leaving a wide margin for vulnerability and error, and it’s no coincidence that so many cybercriminals take advantage of this to get past defenses and compromise business data, finances, and reputation.
Across our study, we found that the presence of the indicators in any capacity made the participants change their course of action, stop, and think. But as well as breaking their chain of behavior, what was interesting was that throughout the experiment, participants demonstrated a thirst for knowledge, with as many as 47% of participants wanting to learn more, particularly when the banners indicated danger. This highlights how ATP indicators and banners can work in unison with the benefits other measures like training bring to the table, providing consistent, everyday reminders, and actively changing employee behavior, whilst plugging the gaps where other measures fall short.
While the best defense in the war against email phishing scams like BEC will always be a layered one, it’s clear that looking forward, businesses need to shift their position to see the value of breaking the chains of behavior that lead to disaster. Businesses shouldn’t be relying on employees to catch every threat, not when there’s technology available to do just this. With an ATP product like OnINBOX, employees don’t have to evaluate the threat of these emails on their own; instead, they can rely on in-email expert technology to do this, and businesses overall are better protected from the effects of phishing.
Want to see how OnINBOX could work for your business?