In this article, you will learn everything about the Email Fraud Prevention functionality.
1. Description
2. How does Email Fraud Prevention work?
3. Email Fraud Prevention view
4. Email Fraud Prevention settings
DESCRIPTION
Email Fraud Prevention detects and prevents email fraud by intercepting inbound emails that pass through Email Security, comparing them with pre-registered signatures, and detecting whether they have been changed. This helps flag Business Email Compromise (BEC) attacks before they have a chance of convincing you to hand over sensitive information.
HOW DOES EMAIL FRAUD PREVENTION WORK?
The service starts when you tick the Email Fraud Prevention checkbox under Network Settings -> Email Protection -> Email Security -> Email Fraud Prevention.
The functionality intercepts every email that passes through the Email Security filtering and sends it for validation.
If an email is deemed fraudulent, it is handled according to the action selected under Action on detection.
EMAIL FRAUD PREVENTION VIEW
The Email Protection - Email Fraud Prevention page is split into 2 views: Homepage and Details. The Homepage displays the Summary Report (the scanned emails and their resolution for the last 90 days), the User Anomalies (the number of potentially malicious emails, based on outliers determined by Artificial Intelligence at the user level, for the last 90 days), and the Domain Status (the domains that have EFP configured).
The Total Malicious number from the Summary Report represents the total number of emails of type EFP that were quarantined (status “Quarantine”).
At the bottom, charts show the following categories:
- Targeted Spear Phishing
- Targeted Fraud
- Spear Phishing
- Phraseology attempt or General Fraud
- Modified or Malicious attachment
Clicking an info point on one of the lower tiles' graphs (Targeted Spear Phishing, Targeted Fraud, Spear Phishing, Phraseology attempt or General Fraud, and Modified or Malicious attachment) redirects the dashboard user to a pre-filtered Details view containing the emails that meet the corresponding criteria.
The stats are computed by comparing the past 30 days from the current date vs. the previous 30 days. Each tile displays the increase/decrease in the number of emails (both as a number and as a percentage) and a chart presenting the activity for each interval.
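To cross-check the tile figures against exported data, the same 30-day vs. previous-30-day comparison can be reproduced offline. This is an added example, not Heimdal code: the CSV column names, the timestamp format, the window boundary handling and the treatment of an empty previous interval are all assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export. Column names mirror fields named on this page;
# the real CSV layout and timestamp format are assumptions.
SAMPLE_CSV = """Timestamp,From,Type,Status,EFP Rule Category
2024-05-28T09:12:00,ceo@example.test,EFP,Quarantine,Targeted Fraud
2024-05-20T14:03:00,cfo@example.test,EFP,Quarantine,Targeted Fraud
2024-05-10T08:45:00,hr@example.test,EFP,Quarantine,Targeted Fraud
2024-04-20T11:30:00,ceo@example.test,EFP,Quarantine,Targeted Fraud
2024-04-15T16:20:00,it@example.test,EFP,Quarantine,Targeted Fraud
2024-03-01T10:00:00,old@example.test,EFP,Quarantine,Targeted Fraud
2024-05-15T07:55:00,bank@example.test,EFP,Quarantine,Spear Phishing
2024-04-25T13:10:00,bank@example.test,EFP,Quarantine,Spear Phishing
2024-04-10T09:00:00,post@example.test,EFP,Quarantine,Spear Phishing
2024-05-30T17:40:00,inv@example.test,EFP,Quarantine,Modified or Malicious attachment
"""


def tile_stats(csv_text, now, window_days=30):
    """Per-category counts for the current vs. previous window, with the change."""
    cur_start = now - timedelta(days=window_days)
    prev_start = cur_start - timedelta(days=window_days)
    current, previous = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["Timestamp"])
        category = row["EFP Rule Category"]
        if cur_start < ts <= now:
            current[category] += 1
        elif prev_start < ts <= cur_start:
            previous[category] += 1
        # Rows older than both windows are ignored.
    stats = {}
    for category in sorted(set(current) | set(previous)):
        cur, prev = current[category], previous[category]
        # The percentage is undefined when the previous window had no emails,
        # so report None instead of dividing by zero (assumed handling).
        pct = round((cur - prev) / prev * 100, 1) if prev else None
        stats[category] = {"current": cur, "previous": prev,
                           "delta": cur - prev, "pct": pct}
    return stats


if __name__ == "__main__":
    for name, s in tile_stats(SAMPLE_CSV, datetime(2024, 6, 1)).items():
        print(f"{name}: {s}")
```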
The Details view displays all the information collected by the Email Fraud Prevention in your organization. The collected information refers to the emails scanned by the anti-fraud engine. On the top, you see a statistic regarding the number of Scanned emails, the number of Outliers, and the number of Fraud emails.
The collected information is placed in the following views: Inbound and Domain Status, which are shared views with Email Security.
- Inbound
This view displays a table with the following details: Hostname, To, From, Header From, Timestamp, Subject, Type, Status, and Details.
Clicking the Advanced filter button reveals the following filtering options: Domain, To, From, Header From, Type, Status, Spam Classification, Minimum Spam Score, Maximum Spam Score, and EFP Rule Category.
The Type submenu is automatically set to the EFP type and cannot be changed.
The EFP Rule category submenu has the following categories:
- Targeted Spear Phishing
- Targeted Fraud
- Spear Phishing
- Phraseology attempt or General Fraud
- Modified or Malicious attachment.
Release - this action will release the selected email in case it has been quarantined and you think it is safe;
Deny email release - this action will block regular end users from releasing quarantined emails from their QER report;
More details for the emails that fall under User Anomalies can be seen in the Triggered rules. For emails under the rule category “AI outliers”, these details can be displayed as a “process tree” by pressing the View triggered rules button in the EFP Inbound view.
The outliers that our Email Fraud Prevention Neural Network can spot fall into one of the following 7 categories:
- Suspicious Links: counts the number of URLs identified as suspicious by our detection engine;
- Clickbait Detection: the neural network assesses whether content is designed as clickbait or not;
- Language Analysis: identifies the language used in the email and compares it with the typical languages used within the company;
- Attachment Analysis: evaluates attachments based on their potential malicious character;
- Text Analysis: identifies potential fraudulent words from the email's content;
- HTML Analysis: singles out HTML templates and tags the ones that deviate from the norm;
- Timing Analysis: looks at the distribution of common times when emails are sent and received by the company.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Status.
EMAIL FRAUD PREVENTION SETTINGS
Email Fraud Prevention - enables or disables the Email Fraud Prevention filtering engine on the selected domain;
Action on detection - allows you to choose an action for every type of classification (None, Quarantine, Tag Subject, Reject).
- Reject will reject the email without storing it on the HEIMDAL Servers;
- Quarantine will quarantine the emails and will store them for 90 days on the HEIMDAL Servers;
- Tag Subject will add a tag to the email’s existing subject: # Warning: Possible Spam or Fraud! #;
- None will make the emails pass unaltered through the Email Fraud Prevention engine.