HTML e-mails are structured like ordinary web pages: they consist of a head and a body. That structure is what makes the attack possible. An attacker can place a stylesheet in the head of an HTML e-mail whose rules apply to content that is added to the body later, and the anti-phishing banner is exactly such content, because the mail system inserts it after the message has been written. A rule such as display:none aimed at the banner's markup simply hides the warning element, so the recipient never sees the banner. Security researchers from the penetration testing firm SySS have described exactly how this works in this article (PDF download, 13 pages, 726 KB).
In a nutshell: if a company relies on anti-phishing banners, attackers can turn them against the recipient. A message whose banner has been hidden looks like an internal e-mail and signals, "This e-mail and its attachments can be opened without hesitation." That is precisely not the case.
External banners increase attention – but also harbor dangers
In principle, anti-phishing banners are a good thing. They raise the workforce's awareness and remind them with every message that external e-mails can be a threat. They also give staff a simple rule to hold on to: if an external banner is displayed, this e-mail deserves more scrutiny than an internal one.
However, anti-phishing banners are not a panacea, for two reasons:
- At some point, employees stop noticing the banners. A habituation effect sets in: e-mails without a banner are opened without a second thought, and even e-mails with a banner, i.e., external e-mails, are no longer perceived as a potential threat over time.
- The banners can be suppressed technically. As described above, an attacker can hide the banner with a stylesheet in the head of the e-mail, so a phishing e-mail disguises itself as a supposedly safe, internal message.
One way to prevent attackers from hiding the banners is to stop relying on HTML for them: HTML and CSS offer too many ways to manipulate what is rendered, and a banner that is itself HTML inserted into the attacker's document can be styled by the attacker's rules. The solution is to rely on plain-text e-mails, even if they do not look as good as the HTML variants.
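The following Python example is added here to make the attack and two countermeasures concrete; it is not code from the original article or from SySS. The banner markup, the id `ext-banner`, the hiding-declaration list and the sample e-mails are all constructed assumptions, since real gateways use their own markup. It simulates a gateway prepending a banner to the body, shows how a `<style>` rule in the head with `!important` overrides the banner's inline style, and then checks the sender's CSS for rules that hide the banner before the banner is inserted. It also shows the two hardening options the text argues for: dropping the sender's stylesheet (rendering the message as if it were plain text) and putting the marker into the subject line, which no sender markup can reach.

```python
import re
from html.parser import HTMLParser

# Constructed sample: banner markup a gateway might prepend to every external
# message (assumed shape and id, not any real product's).
BANNER_ID = "ext-banner"
BANNER_HTML = (
    f'<div id="{BANNER_ID}" style="background:#fff3cd;padding:8px">'
    "CAUTION: This e-mail originated from outside the organisation.</div>"
)

# Constructed sample: attacker's e-mail. The head stylesheet targets the
# banner's id; "!important" beats the banner's inline style once inserted.
MALICIOUS_HTML = """<html><head>
<style>
  body { font-family: sans-serif; }
  #ext-banner { display: none !important; }
</style>
</head><body><p>Hi, please review the attached invoice.</p></body></html>"""

# Constructed sample: harmless e-mail whose CSS touches only its own content.
BENIGN_HTML = """<html><head><style>p { color: #333; }</style></head>
<body><p>Agenda for Monday attached.</p></body></html>"""

# Declarations that render an element effectively invisible (assumed list).
HIDING_DECLS = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\b"
    r"|font-size\s*:\s*0|max-height\s*:\s*0|height\s*:\s*0)",
    re.I,
)


class _StyleCollector(HTMLParser):
    """Collects the text of every <style> element in the document."""

    def __init__(self):
        super().__init__()
        self.in_style = False
        self.css = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)


def insert_banner(html, banner=BANNER_HTML):
    """Simulates the gateway: prepend the banner right after <body>."""
    return re.sub(r"(<body[^>]*>)", lambda m: m.group(1) + banner,
                  html, count=1, flags=re.I)


def css_rules(html):
    """Yield (selector, declarations) for every rule in the sender's <style>
    blocks. Deliberately simple: comments are stripped, nested @media blocks
    are not handled, which is enough for the flat CSS typical of e-mail."""
    collector = _StyleCollector()
    collector.feed(html)
    css = re.sub(r"/\*.*?\*/", "", "\n".join(collector.css), flags=re.S)
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        yield selector.strip(), body.strip()


def targets_banner(html, banner_id=BANNER_ID):
    """Return the selectors in the sender's CSS that could match the banner
    and carry a hiding declaration. The selector heuristic is illustrative:
    it catches the banner's id, bare div/universal selectors and first-child
    tricks, i.e. the obvious ways to reach an element prepended to <body>."""
    hits = []
    for selector, body in css_rules(html):
        parts = [s.strip() for s in selector.split(",")]
        could_match = any(
            f"#{banner_id}" in s or s in ("*", "div", "body *", "body > *")
            or "first-child" in s or "first-of-type" in s
            for s in parts
        )
        if could_match and HIDING_DECLS.search(body):
            hits.append(selector)
    return hits


def strip_styles(html):
    """Hardened insertion: remove the sender's <style> blocks before the
    banner goes in, so no sender rule can reach it (costs layout fidelity,
    the same trade-off the text makes when it recommends plain text)."""
    return re.sub(r"<style\b[^>]*>.*?</style>", "", html, flags=re.I | re.S)


def tag_subject(subject, tag="[EXTERNAL]"):
    """Subject-line marker: plain header text that sender markup cannot style."""
    return subject if subject.upper().startswith(tag) else f"{tag} {subject}"


if __name__ == "__main__":
    print("malicious hides banner via:", targets_banner(MALICIOUS_HTML))
    print("benign hides banner via:   ", targets_banner(BENIGN_HTML))
    print("after strip_styles:        ", targets_banner(strip_styles(MALICIOUS_HTML)))
    print(tag_subject("Invoice 4711"))
```

Run against a message before the banner is added: a non-empty result from `targets_banner` is a strong phishing indicator in its own right, because legitimate senders have no reason to style an element that exists only in the recipient's mail system. The check is a heuristic, not a parser for all of CSS; an attacker can reach the banner with other selectors, which is why the page's recommendation to take the marker out of the HTML (plain text, or the subject line) is the more robust control.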
Conclusion: Anti-phishing banners alone are not enough!
External banners are a useful addition to a security awareness strategy, but by no means a panacea. As soon as staff rely too heavily on the banners, the banners turn from a safeguard into a liability.
Our advice is to avoid HTML banners altogether. Markers in the e-mail subject, by contrast, are plain header text that the sender's markup cannot style away, so they are much harder for criminals to suppress. Banners should be understood as a supplementary measure within an information security strategy. The best protection comes from a sustainable security culture consisting of technical filters and scanners, a working reporting chain, incident response mechanisms, and professional security awareness training that shows staff exactly how to handle incoming e-mails correctly and safely.
Would you like to get a first insight into the state of awareness in your company? Then sign up for our free phishing simulation.