After 30 years of using the Internet and trying many communication formats, e-mail is still my favorite. However, e-mail has many problems. Spam is just annoying, but phishing and, especially, spear phishing attacks can also be dangerous. A recent security training, and a Twitter thread I started about it, changed my mind completely about how I treat these harmful e-mails.
The old way
While most spam and some phishing can easily be filtered, spear phishing messages are unique by their nature. The way they try to trick users into clicking URLs or giving out sensitive data is improving each year. Of course, using e-mail as my primary form of communication also means that most of the time it takes me less than a second to realize that an e-mail is problematic. For most of the past three decades, my immediate reaction was deleting these e-mails.
A couple of years ago, my employer recommended opening a ticket if I ran into a phishing e-mail. However, the problem with this is that tickets add a big overhead for both the reporter and the department handling them. This meant that I reported only a few tricky cases each year, when it took me more than a couple of seconds to decide that an e-mail was problematic. For the rest, I kept deleting them, as it allowed me to avoid the overhead of ticketing.
Recently, I participated in a security training course where I was asked to report any kind of phishing e-mail to IT security. I was really surprised. Reporting everything has a huge overhead. Is it really necessary? I asked my Twitter followers, many of them working in infosec, and I also asked our IT department. The short answer from both of them was yes, for two reasons.
First of all, as someone who spent almost three decades in infosec, I have no problem identifying problematic e-mails. But there are a lot more people without this experience. Reporting even trivial phishing e-mails can help save these people from opening or responding to problematic e-mails.
The good news is that while previously we needed to use a ticketing system to report problematic e-mails, now it’s just a simple click in the e-mail client. Most of the overhead is gone, so I just need to make sure that instead of deleting the e-mail right away, I report it.
Secondly, reporting all phishing e-mails also helps the security team estimate the size of the attack and how targeted it is. Reporting also means that instead of just defending myself, I can help to defend the rest of the users as well. As the security team can see the problematic e-mails on a centralized dashboard, they can identify phishing campaigns early, and so they can delete problematic e-mails from most users’ mailboxes, even before the users can open them.