Recently, my colleagues and I highlighted some haunted happenings that kicked off Cybersecurity Awareness Month with a scream. Today, I’d like to tell you a little ghost story of my own. The data is in from the Forrester Analytics Business Technographics® Security Survey, 2021. When we asked those respondents who suffered an external attack in the last year how that attack was carried out, 31% of them reported phishing. This is up from 23% in 2020 and 18% in 2019, a 13-point jump in two years — eeek!

Phishing is not a new or emerging threat, but like a pesky poltergeist, it’s a constant and consistent one. It persists whether there’s a new three-letter acronym solution being thrown at it or not. And it demands your attention. Email is still a primary form of business and marketing communication, but it’s harder to monitor due to the high degree of human involvement and interaction with the medium.

Phishing emails are crafted to look legitimate: spoofed emails appear to come from known and trusted senders, and attackers dwelling in enterprises insert themselves into email threads at just the right moment to reroute financial transactions.

Our emails are vulnerable. And there’s no security buzzword bingo acronym hero to come to the rescue. There are, however, specific steps we can take to reduce the risk of email-borne attacks, so I thought I’d share a few actions and associated resources for you to review as you grapple with the ongoing threat that our emails pose:

  • Set your email security foundation with the right enterprise email security tool. As enterprises continue to move email to the cloud, email security providers are evolving to meet their clients where they are by expanding API integrations with email infrastructure to deliver complementary capabilities and an additional layer of protection. In addition, they’re expanding integrations into detection and response solutions, awareness and training platforms, and web content filtering. Vendors are also starting to build protection for messaging solutions (such as Slack and Teams), which are an increasingly important and vulnerable form of communication. Joseph Blankenship (JB) evaluated this evolving market in a Forrester Wave™ evaluation earlier this year. Use our evaluation criteria and customize the weightings (did you know clients can download a spreadsheet with all the criteria and weightings?) to better understand whether your current email security solution is keeping up with threats or if you need to make a change.
  • Follow Forrester’s best practices for phishing prevention. Despite best efforts and employee vigilance, well-crafted malicious emails will make it through your defenses, and your users will fall into the trap. JB and I laid out a set of best practices and steps covering people, process, technology, and oversight that you can review against your program.
  • Educate and test your end users humanely. As we note in our best-practices report, training end users to recognize phishing attempts and report them is critical to avoiding a major incident. Many firms regularly test the effectiveness of their training with phishing testing exercises. Results vary, as do the measures taken against employees who repeatedly fail such exercises. Principal Analyst Jinan Budge argues, and I agree with her, that overly punitive actions only serve to erode goodwill toward the security organization and do little to change behaviors. Design your awareness, training, and testing program to influence and nudge end users toward the correct behaviors with engaging content and positive reinforcement. Jinan lays out the best practices in her latest report. You can see her discuss this important topic at our Security & Risk Forum in November. See you there!
  • Protect end users, customers, and your brand by implementing DMARC. Even the most vigilant employee or supply chain partner can fall prey to a phishing attempt if they trust that the sender is legitimate. Customers can be victims, too! If a customer believes they’ve received a promotional email from a trusted brand and wind up with an infected or bricked device, they’ll be reluctant to interact further via this medium, potentially affecting sales.

It’s time to get serious about implementing protocols that defend inboxes from trust-exploiting attacks. The Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol is a process that manages and monitors your inbox to ensure that only verified contacts are reaching users’ inboxes. Implementing DMARC is a lengthy process that requires significant maintenance, but there’s a big return on investment in fraud, liability, and brand protection, as well as the ability to be more granular when applying controls and policies down to the individual email level. Check out our research on the protective power of DMARC and how to get started. Use the implementation effort to collaborate more closely with marketing on the shared mission that is brand resilience.
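A concrete way to see what "implementing DMARC" means at the DNS level is to look at the policy record itself. The example below is added here and is not Forrester's code or part of the research it references; it parses the `v=DMARC1; p=...` tag syntax that a domain publishes in its `_dmarc` TXT record and flags the settings that leave a domain exposed even though a record exists (monitor-only `p=none`, a partial `pct`, no aggregate-report address, relaxed alignment, unprotected subdomains). The sample records are constructed for illustration; no DNS lookup is performed.

```python
"""Parse and assess DMARC policy records (the tag=value syntax from RFC 7489).

Added example, not Forrester's code: it shows the difference between a domain
that merely monitors (p=none) and one whose record actually instructs
receivers to reject spoofed mail. The records below are constructed samples
standing in for what a _dmarc.<domain> TXT lookup would return.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records; the domains are placeholders, not real zones.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc-agg@monitor-only.example",
    "half-way.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-agg@half-way.example",
    "hardened.example": (
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:dmarc-agg@hardened.example; ruf=mailto:dmarc-fail@hardened.example"
    ),
    "broken.example": "v=DMARC1 p=reject",  # missing separator, so not a valid record
}


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str] = None
    tags: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; raise ValueError if malformed."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must be first and exactly DMARC1; p= is the only other required tag.
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return the effective policy plus findings that weaken the record's protection."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcAssessment(valid=False, findings=[f"unparseable record: {exc}"])

    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(valid=False, tags=tags, findings=[f"unknown policy {policy!r}"])

    findings: List[str] = []
    if policy == "none":
        findings.append("p=none only monitors: receivers will still deliver spoofed mail")

    # pct defaults to 100; anything lower applies the policy to only a sample of failures.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append(f"pct={tags['pct']!r} is not a number; receivers will treat it as 100")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility into who sends as this domain")

    # sp= defaults to p=; an explicit sp=none leaves every subdomain unprotected.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are left unprotected")

    # adkim/aspf default to relaxed ('r'), which accepts any subdomain as aligned.
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag} is relaxed: subdomain alignment is accepted")

    return DmarcAssessment(valid=True, policy=policy, tags=tags, findings=findings)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{domain}: valid={result.valid} policy={result.policy}")
        for finding in result.findings:
            print(f"  - {finding}")
```

Run against the samples, the monitor-only domain parses cleanly but is flagged as offering no enforcement, the half-way domain shows how `pct=25` dilutes a quarantine policy, and only the hardened record comes back with no findings. The `rua=` check is worth keeping even for `p=none` records, since the aggregate reports are what tell you which legitimate senders (marketing platforms, ticketing systems) still need SPF or DKIM alignment before you can safely move to `p=reject`.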

Your users’ inboxes don’t have to be haunted. Prioritize email security — take the steps, apply the controls, and implement the protocols to better protect your employees and customers and, therefore, your business and brand from becoming a communication casualty.

And please send us your feedback and any success stories in the battle against phishing and business email compromise! Information sharing is critical to thwarting future attacks.