This is a question that was asked by a customer who was implementing our Phish Alert Button so that employees could report phishy emails.
Greg Kras, our Chief Success Officer replied with:
"In doing some surveying of customers and folks that have constant interaction with customers it seems that strategies vary between sites but there are a few commonalities that I can share:
- Most organizations instruct their end users to err very much on the side of caution: dodgy links get reported, and the response team responds either automatically or manually
- Some organizations have implemented policies of “normal vendors” and created training campaigns that contain a list of known URLs as a reference that users can look at
- Some organizations have rolled out Second Chance and whitelisted the known vendors, that way users get prompted for the unknown and get a moment to pause and think*
Safe link and link re-writing services are certainly something that we’ve seen adoption of by customers but we have found that those often serve to confuse the end user as now everything “goes to the same place”.
I’m personally not a fan of reducing the already limited information a user can glean from an email, particularly since the link re-writing is typically executed by a technical control that should have blocked/caught the message before getting in front of the user. I prefer URL inspection on egress if feasible.
Ultimately we always find that user education is the answer that transcends the technical controls. The more isolated the user is from making awareness-driven decisions, the more likely they are to be taken advantage of when the inevitable threat emerges."
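The "whitelist the known vendors, prompt on the unknown" approach and the "URL inspection on egress" preference above both come down to the same check: pull the links out of a message (or an outbound request), reduce each one to its real hostname, and compare that hostname against a list of normal vendors. The following Python is an added example written for this page, not code from KnowBe4, Second Chance or the Phish Alert Button; the vendor allowlist, the sample e-mail and the function names are all constructed for illustration. It matches on the parsed hostname rather than on the URL text, which is what defeats the "known-vendor.com.something-else" and "known-vendor.com@other-host" forms that a quick visual check tends to miss.

```python
"""Allowlist-based link triage: known vendor links pass, everything else
gets the "pause and think" prompt. Added example with constructed data."""
import re
from urllib.parse import urlparse

# Constructed allowlist of "normal vendor" domains (hypothetical names).
# Subdomains of an allowlisted domain are treated as known as well.
KNOWN_VENDORS = {"example-bank.com", "payroll-vendor.example", "docs.example.org"}

# Simple http(s) URL matcher; stops at whitespace and common delimiters.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def host_of(url):
    """Return the lower-cased hostname the browser would actually connect to.

    urlparse() discards userinfo ("known-vendor.com@other-host") and the
    path, so the vendor name appearing in the URL text does not matter.
    """
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_known_vendor(host, allowlist=KNOWN_VENDORS):
    """True if host is an allowlisted domain or a subdomain of one.

    The leading "." in the suffix check is what rejects
    "example-bank.com.login-reset.example": it ends with "example-bank.com"
    only as a label prefix, not as the registrable domain.
    """
    return any(host == d or host.endswith("." + d) for d in allowlist)


def classify_links(text, allowlist=KNOWN_VENDORS):
    """Return (url, hostname, verdict) for each link; verdict is
    "known" (allowlisted vendor) or "prompt" (show the user a second chance)."""
    results = []
    for url in extract_urls(text):
        host = host_of(url)
        verdict = "known" if is_known_vendor(host, allowlist) else "prompt"
        results.append((url, host, verdict))
    return results


def links_needing_prompt(text, allowlist=KNOWN_VENDORS):
    """Just the URLs that fall outside the allowlist."""
    return [url for url, _, verdict in classify_links(text, allowlist) if verdict == "prompt"]


# Constructed sample message: two real vendor links, two look-alikes.
SAMPLE_EMAIL = """Hi team,
Please review the invoice at https://portal.example-bank.com/invoice/42
and confirm the policy in https://docs.example.org/policy.
Your password expires today: http://example-bank.com.login-reset.example/reset
Alternate login: https://example-bank.com@unknown-host.example/login
"""

if __name__ == "__main__":
    for url, host, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:6}  {host:40}  {url}")
```

Run stand-alone it prints one line per link with the verdict and the parsed hostname side by side, which is a useful training artifact in itself: the two "prompt" rows both contain the vendor's name in the URL text, and the hostname column shows why that is not enough. The same `is_known_vendor` check, applied at an egress proxy to the destination host of an outbound request, is the "URL inspection on egress" control without the link rewriting that hides the destination from the user.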