How LinkedIn is Working to Address Confusion Between Vendor Email and Phishing Attacks Throughout the Industry

Companies have been warning their employees about phishing and trying to train them to detect these attacks for the past decade. But companies have been hiring vendors who send email messages to their employees that look like phishing attempts for even longer, which increases employee confusion and risk to the business.

This blog post will provide sample guidelines we’ve developed and implemented at LinkedIn that other companies can adopt to prevent this inadvertent abuse by their vendors. We’ll also discuss how we are leading the formation of an industry working group to develop and promote best practices.

Phishing and the enterprise

Phishing, the practice where criminals send emails that impersonate a trusted party in order to extract confidential information from victims or convince them to take an action, has been recognized as a threat to consumers since at least the early 2000s. Spear phishing, a variation where knowledge about a specific group (like company employees) is used to craft a more effective attack against a smaller audience, has been reported since at least 2005.

All forms of phishing cost an estimated $9 billion in losses worldwide in 2016, and spear phishing is frequently used to deliver malware, spyware, and ransomware to enterprise targets. It is so successful in this regard that phishing is almost always cited as the first step in the growing number of data breach incidents in recent years. Data breaches were responsible for 740 million records being disclosed in 2015, and 1.4 billion records in 2016.

As a result of these threats, companies have been training their employees to recognize and report phishing attacks. However, when companies outsource services to third parties, these vendors prefer to communicate with employees via email. While this is convenient and economical, unfortunately, many third-party vendors frequently employ practices that are identical to those used in phishing attacks. In too many cases, these vendor messages look as or more suspicious than actual phishing messages.

Below are two messages recently received by employees at a company that provides annual anti-phishing training. Both were reported as phishing messages by numerous employees, but while one is a typical phishing message, the other is an authorized message sent by a vendor the company hired. All names and addresses have been changed, but these examples are otherwise identical to how the original messages displayed in Microsoft Outlook. Assume that your company name really is ExampleCorp, that the logo images used appear to be correct, and that your email address is employee@examplecorp.com. Can you tell the phishing message from the vendor message?

What happens when an employee reports each of these messages as phishing? For one message, they might get a “thank you” or “good job” for recognizing and reporting the threat. For the other message, which appears equally suspicious to the employee, they are told it’s a trustworthy message and to click the link. In other words, they’re being told to trust messages that all the training they’ve received tells them are suspicious, if not malicious.

What effect does this have on the employee the next time they receive what appears to be a phishing message? Will they diligently report it as a suspicious message, calmly accepting that some percentage will turn out to be legitimate? Will they be frustrated and de-motivated, and start ignoring all messages they aren’t certain about—including some important legitimate messages? Or will a few of them just start trusting all messages? After all, they’ve just been told the techniques they learned to identify dangerous messages aren’t reliable, and that they’re required to act on some of those messages as part of their job.

An industry working group

Historically, phishing has posed similar challenges for emails companies send directly to their customers. As a result, leading companies like AOL, Google, LinkedIn, PayPal, Microsoft, and Yahoo participated in industry-wide efforts to develop and promote best practices that ensure legitimate messages to customers can be readily distinguished from fraudulent impersonations. Over several years, technical standards and policy documents were developed that make these communications much safer. These included standards such as the Sender Policy Framework (SPF), Domain Key Identified Message (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC), as well as policy documents like Sender Best Common Practices and Recommendations for Senders Handling of Complaints from the Messaging Malware and Mobile Anti-Abuse Working Group (M3AAWG) industry group.

LinkedIn’s postmaster team has decided that it’s time for that kind of effort to be applied to vendor-employee communications as well. We have scheduled discussions at the February meeting of M3AAWG in San Francisco to address this topic. Participants will review and contribute to guidelines, and be able to join a working group aimed at developing a Best Common Practices (BCP) document. The guidelines below will be offered as a starting point for the working group.

Guidelines for how vendors should send email to employees
LinkedIn has developed a number of guidelines for our vendors that help avoid putting our employees at greater risk from phishing attacks.

1. Email messages should pass SPF, DKIM, and DMARC—no matter what domain they are being sent from. A message that doesn’t pass these email authentication protocols won’t be delivered to our employees.
2. Send from an @yourcompany.com address if at all possible. While not strictly required, this is the best way to show the employee that the message is an authorized internal communication, especially when the yourcompany.com domain is protected by deploying SPF, DKIM, and DMARC.
3. If you have to send from the vendor’s domain (“sender@vendor-example.com”), reference the vendor domain and/or logo in the design of the message. Acknowledging that the vendor is sending the message on your behalf may help mitigate “false positive” reports that your legitimate message is part of a phishing attack. Include their name or logo as well as your own.
4. If your vendor will be sending a message from their own domain, send an advisory message to your employees from an @yourcompany.com address. Any vendor (or attacker) can claim to have a relationship with your company, so it’s best if a fellow employee announces any mailings from a vendor. The advisory should include the following information:
   
          – Which vendor will be sending the message
          – The email address it will be sent from
          – The business reason for the mailing
          – Whether there will be links/URLs in the message
   
   Remember that point #1 applies to this advisory message, too!
   
   
5. Avoid “live” links or URLs in the message if possible. Spam and phishing messages often include “click here” links, and will use all manner of tricks to try and convince the employee to click on them. To avoid encouraging this dangerous behavior, instead describe the process they should follow. For example, “Log into the intranet portal, and click on the Policy Handbook tile.” Be aware that many email clients will scan messages for things that can be turned into links automatically, so avoid phrases like “go to www.yourcompany.com”; instead, say “go to the YourCompany website.”
6. If you must include links, use the same domain that appears in the From: address. Links in phishing messages will show one destination, but lead to another—and often, neither of them have any relationship to the purported sender of the message. So, make sure your links are clearly related to the sending domain, both in the displayed text and the target URL.
7. Include contact(s) for further information. Indicate who the employee can contact for more information, or if they have a concern about the message. Use the name of the person rather than including an email address that might be turned into a link. Phishing messages will show this type of link, but actually direct the message to a different destination, so don’t encourage the use of these links. You can also direct the employee to a company directory or internal wiki page (again, avoiding a clickable link) where they can lookup the contact person.
8. Use a limited number of vendors. If you have to tell your users to trust vendor messages, keep the set of vendors as small as possible. Do everything you can to avoid sending legitimate messages from a previously unknown vendor—see point #4 above.
9. Alert your Help Desk and Information Security team. Employees who receive your mailing may want to ask questions before they do anything with the message. Make sure that the Help Desk and security teams are expecting these questions and can provide the right answers.

This is not meant to be an exhaustive list of every possible guideline, and you may find some work better for your organization than others, but these guidelines have worked well in our experience.

Summary

Many companies that apply stringent policies to the email they send to customers allow vendors to send messages to their own employees that are indistinguishable from phishing attacks. This undermines the effectiveness of all the anti-phishing training provided to their employees, and makes the enterprise more vulnerable. It is our hope that the working group being organized at the February M3AAWG meeting in San Francisco will develop and promote industry-wide best practices to help companies close this gap and better protect their employees, information, and systems.

Acknowledgements

Fellow postmaster Malcolm Waltz helped identify the problem, and members of DMARC.org confirmed the scale. Kurt Andersen and Franck Martin, who have represented LinkedIn in the creation of technical standards and industry best practices around email, advised on how to begin addressing this issue within M3AAWG. Special thanks to Cory Scott and Sergiy Zhuk for their support in pursuing an industry-wide response.