Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails


From: "Klein Keane, Justin" <Klein_KeaneJ () MLHS ORG>
Date: Wed, 8 Feb 2017 11:56:02 -0500

Hello,

  We’ve done the same thing (adding “[EXTERNAL]” to the subject line of incoming emails) here at Main Line Health for 
nearly a year now.

  We run regular internal phishing tests and based on metrics we’ve noticed that the subject line addition hasn’t 
noticeably affected failure rates of people clicking links or opening attachments.  It has positively affected rates of 
reporting suspicious e-mail to our help desk, however, so the value was unexpected but clear.  Adding hints to external 
scam emails is often enough to tip users off and spur them to action, which is obviously beneficial for remediation.

  This added subject line component has also been extremely effective in preventing targeted spearphishing and CEO 
fraud (the “hey CFO, this is the CEO and I need $10,000 transferred today” type).

  The main issue with tagging external e-mail is the reliance on so many authorized external providers for supporting 
services.  The subject line tag can confuse many users and cause them to ignore legitimate e-mail from external 
providers.  I’ve heard stories of some users who write e-mail filter rules to automatically bin anything tagged as 
external.

Cheers,
Justin C. Klein Keane MA MCIT CEPT C|EH
Security Architect
Main Line Health Information Technology
https://www.mainlinehealth.org/
klein_keanej () mlhs org
484-596-2203

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cecka, 
Benjamin
Sent: Wednesday, February 08, 2017 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] Re: [SECURITY] Notifications of external emails

Since August we’ve been phished persistently and we also implemented the “[EXTERNAL]” subject prefix on all of our 
inbound email. We also had some resistance but it hasn’t gotten to the point where we felt the need to reconsider. It 
took a few days of adjusting as some internal email was being flagged incorrectly and there was objection to flagging 
student messages and some hosted web applications. All in all there was also positive feedback and the campus seems to 
have adjusted well to it.

Best regards,
Ben Cecka
Director, Infrastructure & Security

Information Technology
Clark College
(360) 992-2194

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Wednesday, February 8, 2017 7:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Notifications of external emails

This is more to combat the traditional “HR is validating your last paycheck. Click the link and enter your account 
info” type of phishing. Something procedural will get generally ignored by many departments when sending out emails, so 
we’re looking for something more automatic.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Napier, 
Mark E
Sent: Wednesday, February 8, 2017 9:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Notifications of external emails

What about encouraging or requiring your users to use S/MIME to sign their emails? That would also cover the situation 
in which a machine on the internal network is engaged in phishing. (In most cases, anyway)

--
Mark E. Napier   MIS, CIPT
Deputy Director of Information Technology /
Chief Information Privacy and Security Officer
School of Informatics and Computing
Indiana University

On Feb 8, 2017, at 9:57 AM, Thomas Carter <tcarter () AUSTINCOLLEGE EDU> wrote:

We are trying to combat phishing by making users more aware of emails that come from outside campus vs internal emails. 
We’ve trialed using a mail rule to modify the subject line and prepend a flag (like “EXTERNAL:” or similar) but users 
complained it caused confusion (?) and they didn’t like emails to be modified. I suspect a disclaimer added to the body 
of the message would be either ignored or disliked for the same reasons.

Has anyone else done something to somehow flag external emails? What was the feedback? How well does it work?

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu
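
The subject-line rule discussed in this thread, as an added example (not code from any participant or their mail system). It prepends the tag once, even when a reply already carries it (as the "Re: [EXTERNAL] Re: ..." subjects above do), and exempts authorized external providers only when the gateway has authenticated the sender. The domain list, function names, and the two gateway flags are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TAG = "[EXTERNAL]"
TAG_RE = re.compile(r"\[EXTERNAL\]\s*", re.IGNORECASE)

# Hypothetical allowlist of authorized external providers (constructed).
EXEMPT_DOMAINS = {"lms-provider.example"}


def retag(subject: str) -> str:
    """Return the subject with exactly one leading tag.

    Replies carry earlier tags along ("Re: [EXTERNAL] Re: ..."), so copies
    anywhere in the subject are dropped before the tag is prepended.
    """
    cleaned = TAG_RE.sub("", subject or "").strip()
    return f"{TAG} {cleaned}".strip()


def untag(subject: str) -> str:
    """Remove inherited tags from mail that should not be marked external."""
    return TAG_RE.sub("", subject or "").strip()


def process(raw: str, from_outside: bool, sender_authenticated: bool) -> str:
    """Return the Subject the recipient should see.

    from_outside and sender_authenticated are assumed to come from the mail
    gateway (arrival path and SPF/DKIM/DMARC result). The From header alone
    is forgeable, so it only earns an exemption when authenticated.
    """
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    exempt = sender_authenticated and domain in EXEMPT_DOMAINS
    if from_outside and not exempt:
        return retag(subject)
    return untag(subject)
```
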

