How can email senders and users prevent and identify phishing emails?

Summary

Preventing and identifying phishing emails requires a layered approach involving senders, email providers, and end-users. Senders should implement robust email authentication methods like SPF, DKIM, and DMARC to verify their identity and domain reputation. BIMI can enhance trust by displaying brand logos. User education and security awareness training are essential for recipients to recognize phishing tactics such as suspicious sender addresses, urgent language, or requests for personal information. Utilizing password managers, enabling multi-factor authentication, and regularly updating software are critical security practices. From a technical standpoint, aggressive whitelisting and improved UX design in email clients can aid in identifying legitimate emails. Blacklisting, while historically used, is becoming less effective. Users are encouraged to trust spam filters but still exercise caution, and to report phishing incidents through provided channels. Finally, verifying requests directly and examining email headers offer additional layers of security.

Key findings

  • Email Authentication: SPF, DKIM, and DMARC are critical for senders to verify identity and prevent spoofing, although DMARC alone isn't foolproof.
  • User Awareness: User education and training are essential for recognizing phishing attempts through suspicious indicators.
  • Password Security: Password managers and strong, unique passwords mitigate credential theft from phishing sites.
  • Multi-Factor Authentication: 2FA provides an extra layer of security against credential phishing.
  • Domain Reputation: Monitoring and maintaining a good domain reputation is crucial for deliverability and preventing association with phishing.
  • Spam Filters: Trusting spam filters is generally safe, but caution is still advised for unsolicited emails.
  • BIMI Implementation: Companies can use BIMI to display their logo next to authenticated emails, making it easier for recipients to identify legitimate emails and avoid phishing attempts. This requires SPF, DKIM, and DMARC setup.

Key considerations

  • DMARC Limitations: DMARC alone doesn't fully prevent spoofing, requiring a broader security approach.
  • UX Design Challenges: Creating effective UX for identifying legitimate emails is difficult and requires specialized expertise.
  • User Education Efficacy: The effectiveness of user education varies, and it cannot be the sole defense against phishing.
  • Blacklisting Decline: Blacklisting is becoming less effective as phishing tactics evolve.
  • Client Limitations: Some email clients may not show the full 'From' address, hindering visual inspection.
  • Aggressive Whitelisting: Implementing aggressive whitelisting presents political and logistical challenges.
  • Evolving Threats: Phishing techniques are continually evolving, requiring constant updates to security measures and education.

What email marketers say
10Marketer opinions

Preventing and identifying phishing emails requires a multi-faceted approach involving both email senders and recipients. Senders should focus on implementing email authentication protocols (SPF, DKIM, DMARC) to verify their identity and improve domain reputation, which helps ISPs filter out malicious emails. They should also consider using BIMI to display their brand logo and conduct regular security awareness training for employees. Recipients should be cautious, verify sender legitimacy, and be wary of suspicious links and requests for personal information. Using password managers, enabling multi-factor authentication, and keeping software updated are also effective strategies.

Key opinions

  • Email Authentication: SPF, DKIM, and DMARC are essential for senders to verify their identity and prevent spoofing.
  • Domain Reputation: Monitoring and maintaining a positive domain reputation improves email deliverability and helps prevent phishing attacks.
  • User Education: Training employees and educating users on phishing tactics is crucial for identifying and avoiding phishing emails.
  • Password Security: Using strong, unique passwords and password managers helps prevent credential theft from phishing sites.
  • Multi-Factor Authentication: Enabling multi-factor authentication adds an extra layer of security to protect against unauthorized access.
  • BIMI Implementation: BIMI helps users quickly identify legitimate emails by displaying brand logos, increasing trust and reducing phishing risks.

Key considerations

  • Client Limitations: Some email clients may not display the sender's full email address, limiting the effectiveness of visual inspection for phishing attempts.
  • Slam Filters: Trusting spam filters is generally safe, but users should still exercise caution and not click on unsolicited links, even from seemingly legitimate organizations.
  • Employee Training: Regularly update security awareness training programs to reflect current phishing tactics and ensure employees stay informed.
  • Sender Vigilance: Email senders must actively monitor and address any issues affecting their domain reputation to maintain deliverability.
  • Direct Verification: When in doubt, users should always verify requests directly with the organization through official channels, rather than relying on email links or attachments.
Marketer view

Email marketer from Reddit shares advice to hover over links to see the actual URL, check for misspellings or grammatical errors in emails, and be wary of requests for personal information.

December 2023 - Reddit
Marketer view

Email marketer from Email Geeks shares the best practice is to trust the slam filters yet don’t click on links in an email that claims to come from the WHO or other organization unless you explicitly signed up. If it’s unsolicited yet you decide to give money or whatever, go directly to the organization’s website to give.

March 2022 - Email Geeks
Marketer view

Email marketer from Heimdal Security Blog shares that users should use strong, unique passwords, enable multi-factor authentication, keep software updated, be cautious of suspicious links and attachments, and educate themselves about common phishing tactics.

December 2021 - Heimdal Security Blog
Marketer view

Email marketer from KnowBe4 suggests implementing regular security awareness training for employees to educate them about phishing tactics, safe browsing habits, and proper email handling procedures.

November 2022 - KnowBe4
Marketer view

Email marketer from Reddit explains using a password manager prevents re-use of passwords and protects against phishing sites stealing credentials, as the password manager will not autofill on fake sites.

July 2024 - Reddit
Marketer view

Email marketer from Proofpoint Blog explains the importance of domain reputation in preventing phishing attacks. It highlights that senders should monitor their domain reputation, implement email authentication protocols (SPF, DKIM, DMARC), and promptly address any issues to maintain a positive sender reputation and improve email deliverability.

May 2024 - Proofpoint Blog
Marketer view

Email marketer from Mailjet answers that companies can use BIMI (Brand Indicators for Message Identification) to display their logo next to authenticated emails, making it easier for recipients to identify legitimate emails and avoid phishing attempts. This requires SPF, DKIM, and DMARC setup.

September 2024 - Mailjet
Marketer view

Email marketer from Vade Secure Blog emphasizes the importance of user education in preventing phishing. They recommend training employees to recognize phishing emails, teaching them to verify sender legitimacy, and encouraging them to report suspicious emails.

September 2021 - Vade Secure Blog
Marketer view

Email marketer from Information Security Stack Exchange details that email senders should configure SPF, DKIM and DMARC to prevent email spoofing and improve sender reputation. This helps ISPs identify legitimate senders and filter out phishing attempts.

June 2023 - Information Security Stack Exchange
Marketer view

Marketer from Email Geeks shares that many email clients don’t even show the from email address, so it’s all moot. They love the reporting they get from DMARC but as a tool to stop phishing it’s just not super helpful. Mentions they can buy a domain and setup DKIM/SPF/DMARC/BIMI on a dedicated IP.

August 2021 - Email Geeks

What the experts say
5Expert opinions

Preventing and identifying phishing emails involves a multifaceted approach focusing on email authentication, user experience, and additional security measures. While DMARC alone doesn't guarantee protection against spoofing, implementing SPF, DKIM, and DMARC is crucial for senders to verify their authenticity and improve sender reputation. Aggressive whitelisting and improved UX design in email clients can also help recipients identify legitimate emails. While user education is often suggested, its effectiveness is debated. Enabling two-factor authentication is a direct way to protect against credential phishing attacks. Blacklisting is a legacy antispam technology but is in decline.

Key opinions

  • Email Authentication is Key: SPF, DKIM, and DMARC implementation are crucial for email senders to verify the authenticity of their messages and prevent spoofing.
  • DMARC Limitations: DMARC alone does not protect against domain spoofing or phishing but is a key part of a holistic anti-phishing strategy.
  • UX Importance: Improved UX design in email clients is essential to help recipients distinguish legitimate emails from phishing attempts.
  • Two-Factor Authentication: Enabling two-factor authentication (2FA) provides an additional layer of security against credential phishing attacks.
  • Spam Filters Effectiveness: Most phishing emails end up in the spam folder.

Key considerations

  • Aggressive Whitelisting: Implementing aggressive whitelisting, potentially at a government-mandated level, may face political challenges and patchy deployment.
  • UX Design Challenges: Designing effective UX to help users identify legitimate emails requires expertise that is often lacking in those mitigating email threats.
  • User Education Skepticism: Relying solely on user education may be insufficient due to the varying levels of technical expertise and awareness among users.
  • Blacklisting Limitations: Blacklisting is a legacy technology that has waned in effectiveness over time, newer technigues should be considered.
Expert view

Expert from Email Geeks suggests the answers go in two directions: aggressive whitelisting and UX design in the client to help recipients identify legitimate emails. He also mentions user education as a theoretical third option but expresses skepticism about its effectiveness. Also explains that DKIM and SPF help identify mailstreams and DMARC provides a *vague* additional metadata about the stream. Large consumer ISPs are pretty damn good about using those bits of data, along with similar content fingerprints, to identify good mailstreams and bad ones. Ultimately, the expert suggests that for _most_ recipients _almost all_ the time the solution to how to spot phishing mails is "they're the ones in your spam folder".

October 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that DMARC doesn't protect against domain spoofing or phishing.

June 2022 - Email Geeks
Expert view

Expert from Word to the Wise shares how to avoid credential phishing attacks by enabling two-factor authentication (2FA).

April 2023 - Word to the Wise
Expert view

Expert from Spam Resource explains that implementing email authentication methods like SPF, DKIM, and DMARC can help email senders prevent phishing by verifying the authenticity of their messages and preventing spoofing.

July 2021 - Spam Resource
Expert view

Expert from Spam Resource shares that blacklisting is an old technique for blocking email, but has waned over time, however there are newer techniques and ways to utilize block lists for some email.

October 2023 - Spam Resource

What the documentation says
5Technical articles

Preventing and identifying phishing emails involves a combination of user awareness and reporting mechanisms. Key indicators of phishing attempts include suspicious sender addresses, urgent or threatening language, requests for personal information, poor grammar, and unexpected attachments. Users should avoid clicking links or providing information in suspicious emails and instead verify requests through alternate communication channels. Reporting mechanisms include using the 'Report phishing' feature in email clients like Gmail and forwarding suspicious emails to dedicated reporting addresses such as reportphishing@apwg.org.

Key findings

  • Report Phishing: Reporting phishing emails helps improve detection and prevention efforts.
  • Suspicious Indicators: Recognizing key indicators like suspicious sender addresses and urgent language is crucial for identifying phishing attempts.
  • Verification: Verifying requests through alternate communication channels helps confirm legitimacy and avoid phishing scams.
  • Avoid Clicking Links: Users should avoid clicking on links in suspicious emails to prevent malware infections and credential theft.

Key considerations

  • Email Headers: Examining email headers for inconsistencies requires technical knowledge and may not be feasible for all users.
  • Evolving Tactics: Phishing tactics are constantly evolving, so users must stay informed about the latest scams and techniques.
  • User Vigilance: Preventing phishing relies heavily on user vigilance and critical thinking, which can be challenging in high-pressure situations.
  • Tool Availability: Utilizing the reporting features provided by email clients and security tools aids in community defense.
Technical article

Documentation from Google Support explains how to report phishing emails in Gmail by opening the email, clicking the three dots in the upper right corner, and selecting 'Report phishing'.

August 2024 - Google Support
Technical article

Documentation from Microsoft Support shares key signs of phishing attempts, including suspicious sender addresses, urgent or threatening language, requests for personal information, poor grammar, and unexpected attachments.

July 2024 - Microsoft Support
Technical article

Documentation from the FTC explains how to recognize phishing scams, warning about emails and texts that ask for personal information, claim to be from a familiar company, or create a sense of urgency. The FTC advises to avoid clicking links or providing information and to contact the company directly.

November 2022 - FTC
Technical article

Documentation from NIST advises users to carefully examine email headers and URLs for inconsistencies, avoid clicking on links in suspicious emails, and verify the legitimacy of requests through alternate communication channels.

October 2024 - NIST
Technical article

Documentation from APWG explains how users can report phishing incidents by forwarding suspicious emails to reportphishing@apwg.org or using the reporting tools provided by email providers.

February 2025 - APWG