Paubox blog: HIPAA compliant email made easy

Are email warning tags effective?

Written by Kapua Iao | January 22, 2021

Email warning tags are alerts attached to the top of an email. They typically include the word "External" or "Caution" and remind recipients to verify an email’s source before opening a message. Nowadays, cyberattacks are a daily occurrence. Hackers regularly use phishing emails and malware to steal sensitive data such as protected health information (PHI).

Warning tags are one of several methods to prevent malicious attacks. Let’s first explore why blocking methods are necessary before scrutinizing the use of email warning tags. Finally, let’s conclude with what healthcare covered entities (CEs) should focus on instead: employee training combined with HIPAA compliant email.

Cyberattacks: an unfortunate daily occurrence

Email is a valuable communication tool because of how easily people can connect to others worldwide. But such technological advancements boost not only interconnectedness but also the risk of cyberattack. This trend became even worse last year with frequent Coronavirus-related attacks that preyed on stressed and worried people.

It was especially problematic for CEs that had generally avoided a digital transformation until the pandemic forced them into remote working. Unfortunately, a combination of human error and new technologies is the reason organizations must implement stringent cybersecurity practices.

Phishing email attacks

Malware (or malicious software) describes any intrusive software that aims to help a cyberattacker gain access to a computer or a network.

A phishing email is one of the primary methods to disseminate malware. The idea is to trick victims into sharing private information (e.g., PHI) or access. Some phishing attacks are mass distributed (through spam) while others are part of a targeted campaign (through spear phishing). Spam attacks take less planning and go after anyone, while spear phishing takes forethought (i.e., social engineering) and focuses on specific victims. For example, whale phishing targets a higher-up, while business email compromise impersonates someone in authority in order to target lower-level employees.

Display name spoofing occurs when a hacker copies someone’s display name, making an email look as if it comes from a trusted (often internal) source. Many people fall victim to this type of spoofing because:

  • Tired and unaware employees tend to overlook a wrong email address
  • By default, smart device apps display a name rather than an email address
  • Anyone can create an email address through free email service providers (e.g., Yahoo or Google), using any name

Presently, falling for these types of scams is too easy. This is why it is important to plan and coordinate a layered cybersecurity approach.

So are email warning tags effective?

Organizations use email warning tags to combat such phishing attacks. The tags can be configured through most email providers such as Google or Microsoft. They notify users that an email comes from outside of an organization or network and should be scrutinized. It is necessary to understand, however, that seeing an email warning tag does not mean an email is malicious. Rather, it warns a user to verify a source and pay attention. For example, you receive an email from your manager with the subject "Needs verification." As you are about to click on the included link, you notice the "External" warning tag. It is at this point that you check the email address and notice it isn’t from someone in your organization. Therefore, seeing such tags means asking:

  • Is the email actually from someone you know?
  • If not, were you expecting an email from outside your organization?
  • Does the message make sense? Does it only ask you to click on a link?
  • Can you easily search for the person who sent the email?

Unfortunately, specialists worry that such tags encourage lazy user awareness. Furthermore, some victims might not even notice the tag. Or even worse, the email address may be spoofed as well (such as info@paub0x.com instead of info@paubox.com). Also, warning tags might be viewed as excessive and cause complaints from users, since the warning is added to each and every email sent from outside. Finally, an email warning tag does not stop a phishing email from reaching its intended victim, as described in this Reddit thread. In other words, external warning tags are not as effective as believed.

Best email security practices

For CEs protecting and safeguarding PHI, the focus of email security must be on employee training combined with HIPAA compliant email.

Continuous, up-to-date training encourages employees to recognize and block malicious emails. And HIPAA compliant email, such as Paubox Email Suite Premium, provides a necessary brick wall between users and phishing emails before such attacks become a problem. Paubox Email Suite Premium not only provides users with TLS email encryption but also strong inbound security to stop harmful emails from reaching an inbox. In fact, Paubox’s ExecProtect was built to combat display name spoofing by checking the display name and email address against a list of employees you provide.

Any display name that does not match the email tied to it is immediately quarantined. It’s simple, effective, and it works. In addition, our Paubox Email Suite Premium includes email data loss prevention (DLP) which blocks employees from transmitting sensitive data outside of your corporate network. So rather than modifying an email and hoping that employees pay attention, combine necessary training with strong inbound email security and DLP for robust protection.
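
As an added illustration (not Paubox's ExecProtect code and not part of the original article), the Python example below shows one way to apply the two checks discussed above: catching a lookalike sender domain and quarantining a display name that belongs to an employee but arrives from a different address. The employee directory, the `example.org` domain, the homoglyph table and all function names are assumptions made for this example.

```python
from email.utils import parseaddr
import unicodedata

# Constructed sample directory (assumption): display name -> legitimate address.
EMPLOYEES = {
    "jane doe": "jane.doe@example.org",
    "sam lee": "sam.lee@example.org",
}
ORG_DOMAIN = "example.org"  # assumed organization domain

# Digits commonly swapped for letters in lookalike domains (e.g. paub0x vs paubox).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize_name(name):
    """Fold Unicode compatibility forms, case and repeated whitespace."""
    name = unicodedata.normalize("NFKC", name)
    return " ".join(name.lower().split())

def skeleton(domain):
    """Map digit homoglyphs to letters so lookalike domains compare equal."""
    return domain.lower().translate(HOMOGLYPHS)

def classify(from_header):
    """Return a verdict string for the From header of an inbound message."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if not addr or not domain:
        return "quarantine: unparseable sender"
    # A domain that only differs from ours by homoglyphs is never legitimate.
    if domain != ORG_DOMAIN and skeleton(domain) == skeleton(ORG_DOMAIN):
        return "quarantine: lookalike domain"
    # A display name on the employee list must arrive from that employee's address.
    expected = EMPLOYEES.get(normalize_name(display))
    if expected and addr != expected:
        return "quarantine: display name spoof"
    # Anything else from outside is delivered with the warning tag.
    if domain != ORG_DOMAIN:
        return "deliver: tag External"
    return "deliver"
```

The check compares header fields only; it does not authenticate the sending address, so it complements SPF, DKIM and DMARC validation rather than replacing it.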

 