Should you warn users when they receive an external message?


I've been asked a few times what I think about organizations that add warnings to messages that their users receive when the message is sent to them from outside the organization. That is, some organizations create Exchange Transport Rules (ETRs) when the message is received outside the organization. This might look something like this:

This is an external message

Or, sometimes it's bolded:

This message came from outside the organization

Or, sometimes it's bold and red:

This message came from outside. Please exercise caution when opening attachments.

Or, sometimes it's bold, red, and contains asterisks:

*** This message came from outside. Please be careful when replying to it ***

I was on a call recently, and a customer asked me what I think about this. I've also been on internal email threads where it similarly comes up. And also, would we ever consider adding this to Safety Tips?

My view on warnings of this type is one of mixed feelings.

The advantages of warning on external messages

On the one hand, I get why a company would do this. The majority (but not 100%) of phishing attempts come from outside the organization. Phishers are trying to get users to click on links; open attachments; or reply back with sensitive information such as HR personnel files, or making wire transfers. So, by adding these disclaimers, they are trying to get users to be more vigilant and pay attention to the fact that the message comes from the outside, and therefore might be suspicious.

The drawbacks of warning on external messages

On the other hand, I'm not sure how effective this is for actually changing user behavior.

The majority of external messages that land in your inbox are legitimate. I get plenty of spam but nearly all of it goes to Junk, or is rejected at the network edge and I never see it. Almost everything I see in my own inbox is fine, and it's like this for the majority of people.

By adding disclaimers to messages when they are external, the user learns to associate the warning at the top with something that is not malicious. By seeing so many benign messages with a warning, the user has been trained to ignore them since they were providing no value (that is, being careful on external messages yielded the same results as not being careful on internal messages). And then, when a malicious message actually does arrive from the outside, because they've been conditioned to seeing warnings on messages without any malicious content, the average user still goes ahead and clicks on the link or opens the attachment. And therefore, the external warning has added no value.

It's kind of like Syndrome from the movie The Incredibles. His evil plan was to give everyone super powers, because when everyone was super, no one would be.

My own experience

Speaking for myself, I recently noticed (!) in Outlook that when I sent emails to external people, it warns me:

And here's what it looks like in Outlook Web Access:

Even for me, I wasn't really paying attention to those warnings because (a) they look similar to other notifications that I get in the email client (e.g., Out-of-Office replies), and (b) virtually all external messages that I send are legitimate.

When it comes to Safety Tips, we are hyper-aware that we don't want to overtip because of exactly this problem. People complain regularly when a message arrives with the red fraud detection tip - even when the message truly is fraudulent! On the other hand, there is a lot of spoofing email out there that contains this tip and the message content is "legitimate", so we do have evidence that people don't want noisy notifications.

We've also experimented by adding a safety tip to a few more scenarios, and tested it internally. It was a gray safety tip and examined communications between people and added a tip when it deviated from an established pattern.

The feedback from that experiment was not positive. Even though it was only a gray tip, people didn't like it. It was unclear to them that the the tip was adding any value in the case when a message was not suspicious, and that turned out to be the majority of the cases.

So, the moral of the story is: Warn users when you have something to warn. The criteria has to be specific.

But maybe there's a place for warning on external messages?

I guess the answer to the question of what I think about external warnings on all messages is: Your mileage may vary.

  • Perhaps it works for some users who get so few external messages that it'll work for them since they don't normally need to differentiate between external and internal
    .
  • Perhaps it works for to add warnings but suppress them when it comes from a trusted source (that is, adding an exclusion to the ETR). But then this forces you into maintaining allow lists, and this list will become long and hard to maintain
    .
  • Perhaps users really do pay attention to it and alter their behavior internally. That may be, but I've seen more evidence that it works when you use it sporadically rather than regularly

But having said all that, you may still find it useful to add these external warnings.

<shrug>

If that's what you want to do, it's up to you.


Comments (0)

Skip to main content