Email Security Best Practices: External Mail Tagging

There are some easy email security best practices to follow when it comes to tagging emails that come in from external sources.  This has become a huge topic recently because the increase in phishing attacks has made it incredibly important for employees to know whether a particular email came from an internal sender (e.g., your boss) versus an external sender (e.g. someone pretending to be your boss).  Helping employees very easily distinguish between the two can be the difference between falling for a phishing attack versus staying safe.

External Mail Tagging

Have you seen an email whose subject line looks anything like the following examples?

Email Security Best Practices - External Message Tagging

These are each common examples of the way that savvy Google Suite administrators (or Office 365 administrators, etc) set up automatic tagging of email messages that arrive from external sources.  If you've got a screenful of emails and 13 of them have a subject line that begins with [EXTERNAL], and 7 of them have a subject line with no such preface, it's pretty darn easy for anyone (tech savvy or not) to discern which ones are from other employees inside the company.

Internal vs External: Filtering

Here's where our conversation forks to talk about both the human intuition "filtering" associated with seeing [EXTERNAL] and the technological rules-based "filtering" that can be done on messages that are marked [EXTERNAL].

Filtering with Intuition

When companies first make the move to marking emails that arrive from the outside as [EXTERNAL] -- or whatever tag they choose -- it's a great idea to ask for feedback from the team on what exactly they find themselves doing with [EXTERNAL] emails.  Salespeople and marketers might have a huge portion of their inbox that arrives as [EXTERNAL] and those messages might be completely legitimate.  Sales leads, partnership requests, marketing automation workflow messages, etc.  However, there may well be another portion of your company (perhaps your software developers) who find that almost all of their [EXTERNAL] messages are junk.  Marketing messages for unwanted services.  Unwanted recruiting inquiries.  Etc.

The question to ask these various contingents is whether/not the [EXTERNAL] tag has caused them to take certain repetitive actions manually.  For example, do the software developers typically find themselves manually deleting the bulk of emails that arrive as [EXTERNAL], whereas the marketers find themselves manually moving [EXTERNAL] partnership requests to a specific email folder.  Whatever the case, you'll know that you've made progress in terms of email security best practices when your internal groups have intelligent things to say about how the [EXTERNAL] tag has helped them build a mental model that makes it easier to triage their inbox.

Filtering with Rules

Let's raise the bar.  This part is specific to the usage pattern that a particular employee or group of employees have, but let's extend the software developer example that we used above.  Suppose that you hear from your software development folks that they are almost always deleting [EXTERNAL] messages, and it's a bit of a hassle.  Guess what?  By having the [EXTERNAL] tagging in place, you've set them up for success in being able to implement rules-based filtering in their inbox (easy for G Suite users and just as easy for O365 Users).  With a few clicks in the rules configuration, different users can sort their external messages in a way that makes sense based on the amount and legitimacy of external email that they tend to receive.  By doing so, you've implemented email security best practices in a way that serves the needs of your different constituents in a way that makes sense for each of their norms.

The Attack that Your Email Security Best Practices Avoided

Why go through all of this hassle anyway?  Sounds fancy, maybe even too fancy, right?  Wrong.  Phishing attacks are accelerating, and almost all of them involve some external message arriving in an employee's inbox, fraudulently claiming to be from some person that has authority or credibility (we cover a few of the most common spear phishing attacks here).  By marking external messages as [EXTERNAL], you send an unmissable signal to your team about the origin of the message -- a huge step towards helping employees avoid becoming the victim of a phishing attack.

Wrapping Up

Need a hand configuring O365 or G Suite to mark inbound external messages as [EXTERNAL]?  We've got you covered -- just let us know if you are ready for us to kick into gear raising your cybersecurity game and we'll get you going with a comprehensive small business cybersecurity program (including, of course, external email tagging).  Feeling adventurous and want to implement [EXTERNAL] tagging on your own?  G Suite users, here's a quick video that shows the steps to follow: