How can email senders and users prevent and identify phishing emails?
Summary
What email marketers say (10 marketer opinions)
Email marketer from Reddit shares advice to hover over links to see the actual URL, check for misspellings or grammatical errors in emails, and be wary of requests for personal information.
Email marketer from Email Geeks shares the best practice is to trust the spam filters, yet don’t click on links in an email that claims to come from the WHO or other organization unless you explicitly signed up. If it’s unsolicited yet you decide to give money or whatever, go directly to the organization’s website to give.
Email marketer from Heimdal Security Blog shares that users should use strong, unique passwords, enable multi-factor authentication, keep software updated, be cautious of suspicious links and attachments, and educate themselves about common phishing tactics.
Email marketer from KnowBe4 suggests implementing regular security awareness training for employees to educate them about phishing tactics, safe browsing habits, and proper email handling procedures.
Email marketer from Reddit explains using a password manager prevents re-use of passwords and protects against phishing sites stealing credentials, as the password manager will not autofill on fake sites.
Email marketer from Proofpoint Blog explains the importance of domain reputation in preventing phishing attacks. It highlights that senders should monitor their domain reputation, implement email authentication protocols (SPF, DKIM, DMARC), and promptly address any issues to maintain a positive sender reputation and improve email deliverability.
Email marketer from Mailjet answers that companies can use BIMI (Brand Indicators for Message Identification) to display their logo next to authenticated emails, making it easier for recipients to identify legitimate emails and avoid phishing attempts. This requires SPF, DKIM, and DMARC setup.
Email marketer from Vade Secure Blog emphasizes the importance of user education in preventing phishing. They recommend training employees to recognize phishing emails, teaching them to verify sender legitimacy, and encouraging them to report suspicious emails.
Email marketer from Information Security Stack Exchange details that email senders should configure SPF, DKIM and DMARC to prevent email spoofing and improve sender reputation. This helps ISPs identify legitimate senders and filter out phishing attempts.
Marketer from Email Geeks shares that many email clients don’t even show the from email address, so it’s all moot. They love the reporting they get from DMARC, but as a tool to stop phishing it’s just not super helpful. Mentions they can buy a domain and set up DKIM/SPF/DMARC/BIMI on a dedicated IP.
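As an added illustration of the SPF/DKIM/DMARC configuration advice above and of the caveat that a lookalike domain can pass its own authentication, the following simulates a receiver's DMARC alignment and disposition decision. This is example code, not from any of the quoted sources; the domains and DMARC records are constructed, and the organizational-domain logic is simplified.

```python
# Constructed DMARC TXT records (no real DNS lookups): a monitoring-only policy,
# a hardened policy, and a lookalike domain that publishes its own valid policy.
DMARC_RECORDS = {
    "example.com":           "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "hardened.example":      "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100",
    "hardened-example.com":  "v=DMARC1; p=reject",  # lookalike, attacker-controlled
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into tag -> value, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Simplified organizational domain: last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') requires an exact match; relaxed ('r') only the organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_pass, disposition) for one message, judged against the
    policy of the header From domain only. Disposition is the 'p' tag when the
    message fails; 'pct' sampling and the 'sp' subdomain tag are not modelled."""
    record = DMARC_RECORDS.get(from_domain.lower())
    if record is None:
        return (None, "none")  # no policy published: receiver falls back to its own heuristics
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return (True, "none")
    return (False, tags["p"])
```

With p=none a spoofed example.com message fails DMARC yet is still delivered, with p=reject it is rejected, and a message from the lookalike domain passes because DMARC only vouches that the From domain is the one that signed, not that it is the brand a reader expects.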
What the experts say (5 expert opinions)
Expert from Email Geeks suggests the answers go in two directions: aggressive whitelisting and UX design in the client to help recipients identify legitimate emails. He also mentions user education as a theoretical third option but expresses skepticism about its effectiveness. Also explains that DKIM and SPF help identify mailstreams and DMARC provides *vague* additional metadata about the stream. Large consumer ISPs are pretty damn good about using those bits of data, along with similar content fingerprints, to identify good mailstreams and bad ones. Ultimately, the expert suggests that for _most_ recipients _almost all_ the time the solution to how to spot phishing mails is "they're the ones in your spam folder".
Expert from Email Geeks explains that DMARC doesn't protect against domain spoofing or phishing.
Expert from Word to the Wise shares how to avoid credential phishing attacks by enabling two-factor authentication (2FA).
Expert from Spam Resource explains that implementing email authentication methods like SPF, DKIM, and DMARC can help email senders prevent phishing by verifying the authenticity of their messages and preventing spoofing.
Expert from Spam Resource shares that blacklisting is an old technique for blocking email that has waned over time; however, there are newer techniques and ways to utilize block lists for some email.
What the documentation says (5 technical articles)
Documentation from Google Support explains how to report phishing emails in Gmail by opening the email, clicking the three dots in the upper right corner, and selecting 'Report phishing'.
Documentation from Microsoft Support shares key signs of phishing attempts, including suspicious sender addresses, urgent or threatening language, requests for personal information, poor grammar, and unexpected attachments.
Documentation from the FTC explains how to recognize phishing scams, warning about emails and texts that ask for personal information, claim to be from a familiar company, or create a sense of urgency. The FTC advises to avoid clicking links or providing information and to contact the company directly.
Documentation from NIST advises users to carefully examine email headers and URLs for inconsistencies, avoid clicking on links in suspicious emails, and verify the legitimacy of requests through alternate communication channels.
Documentation from APWG explains how users can report phishing incidents by forwarding suspicious emails to reportphishing@apwg.org or using the reporting tools provided by email providers.