Phishing Protections: Awareness and Controls
Phishing scams abound, and the hope is that our users apply their security awareness training to pause and inspect each email in their inbox before acting on it. However, there are times when security falls by the wayside: users are in a rush, or they have a mountain of email to get through. So, how do we protect our users from phishing?
The truth is, you can’t stop every phishing message from reaching your users. First, train them to recognize suspicious communications, make low-risk decisions and, in essence, be on alert for unexpected emails and messages. Second, implement controls that reduce the impact of falling for a phish.
While you cannot (and wouldn’t want to) block all outside senders, users can be alerted to the fact that an email originates from outside the organization. An email from a sender outside the organization might have the following notification banner: “This email originated from outside your organization. Do not click links or open attachments unless you recognize the sender and know the contents are safe.” (Despite the warning, there is no hard control over their choice to act on an email.)
Verification for Unrecognized Login Attempts
Hard controls do exist to limit unauthorized access, and they can be implemented by your IT department. One control is an automatic additional login prompt when logging in from an unrecognized device or location. Login completes only after a code delivered via text message, e-mail, or authenticator app prompt has been entered.
Another access control measure is Two-Factor Authentication with a checkbox to remember a device for 30 days. Multi-factor logins keep attackers out even when they have the account holder’s password. The checkbox to remember a device means that users logging in from the same device won’t be prompted for a login code during that 30-day period. This option temporarily eliminates the extra authentication step (which some users consider a burden) for a month at a time.
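As an added illustration (not code from the original article), the following Python sketches the decision logic behind the two controls just described: a step-up prompt for an unrecognized device or location, and a 30-day remember-this-device window that suppresses the code prompt. The device identifier, the coarse region derived from the source IP, and the in-memory account state are assumptions made for the sketch.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

REMEMBER_DAYS = 30  # the "remember this device for 30 days" window from the text

@dataclass
class AccountState:
    # device_id -> when the second factor was last completed with "remember" ticked.
    # In a real deployment device_id would be a random, server-issued token kept in
    # a cookie, not anything the client can choose (assumption for this sketch).
    remembered_devices: Dict[str, datetime] = field(default_factory=dict)
    known_regions: Set[str] = field(default_factory=set)  # coarse geo from source IP

def needs_second_factor(state: AccountState, device_id: str,
                        region: str, now: datetime) -> Optional[str]:
    """Return the reason a one-time code is required, or None to let the login through."""
    if region not in state.known_regions:
        return "unrecognized location"          # always step up on a new location
    remembered_at = state.remembered_devices.get(device_id)
    if remembered_at is None:
        return "unrecognized device"
    if now - remembered_at >= timedelta(days=REMEMBER_DAYS):
        return "remembered-device window expired"  # back to the full 2FA prompt
    return None

def record_second_factor(state: AccountState, device_id: str, region: str,
                         now: datetime, remember_device: bool) -> None:
    """Called only after the delivered code was verified successfully."""
    state.known_regions.add(region)
    if remember_device:
        state.remembered_devices[device_id] = now

def demo() -> list:
    """Constructed scenario: one remembered laptop, then a series of login attempts."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    state = AccountState(remembered_devices={"laptop-1": t0}, known_regions={"US-WA"})
    results = [
        needs_second_factor(state, "laptop-1", "US-WA", t0 + timedelta(days=10)),  # inside window
        needs_second_factor(state, "laptop-1", "DE-BE", t0 + timedelta(days=10)),  # new location
        needs_second_factor(state, "phone-7", "US-WA", t0 + timedelta(days=10)),   # new device
        needs_second_factor(state, "laptop-1", "US-WA", t0 + timedelta(days=31)),  # window expired
    ]
    # User enters the code again and re-ticks "remember this device"; window restarts.
    record_second_factor(state, "laptop-1", "US-WA", t0 + timedelta(days=31), True)
    results.append(needs_second_factor(state, "laptop-1", "US-WA", t0 + timedelta(days=40)))
    return results
```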
The notification banner encourages users to pay attention to email senders, which should reduce the success of phishing attempts. The automatic additional login prompt and required 2FA are access controls that do not depend on user awareness. Training users to be wary of a popular attack vector (email) is important, but awareness should be paired with additional protections.