I wonder if KnowBe4 could skip the whole install process and just monitor an inbox for forwards of phishing samples. We used to have a “leavemealone@…” account that forwarded to our antispam solution. The antispam solution would then catalog the pertinent details into its filters. Our users loved it and it was very effective. I was sorry when we were forced to migrate to a new solution.
We have the Phish Alert button deployed for about 7 months now and have found it to be extremely useful. We have it dumping into a mailbox that our security team monitors and we get a ~60% rate on the KnowBe4 phishing email messages. We are averaging about 70 non-test submissions per week - a small number of which we would put in the ‘dangerous’ category. I agree that it can generate a fair amount of false submission traffic as most employees will turn in normal SPAM and marketing email, but we get malicious email turned in via this system weekly and so are willing to deal with the volume.
We are planning some activities in October to coincide with the NCSAM and want to drive the button usage to 100%; we will use this as a training effectiveness metric in our monthly security reports.
I’ve just discovered the same thing. I was hopeful that I could override the values in the users’ registry settings, but the button loader reads the button text from the KnowBe4 API each time Outlook starts, overwriting the registry values. This may be a show-stopper for us.
We’re evaluating Office 365, and I’m wondering how the button will work there. I’ve not tested it yet, but the Phish Alert button text is embedded in the manifest XML used to set it up, so I’m wondering if it would be possible to translate the text inside of the XML and install different versions for our different regional groups. (The button still calls the KnowBe4 API to fetch the underlying tooltip/description and the dialog text though, so even if the button text is translated the rest will still be in English…) Again, this might prevent us from using it at all.
It seems like a better solution would be for the KnowBe4 API to return localized text based on the locale of the email client.
This is a known issue with the current version of PAB, but is being addressed with the next version.
Josh, we actually do accept samples directly at firstname.lastname@example.org, you can always submit items there. It’s not a monitored “you get a reply” mailbox but everything in there is processed.
One thing that the PAB does that shouldn’t be overlooked: it actually takes the original message and formats it so that the headers are included. It’s difficult to get users to know that forwarding an email isn’t the same as attaching a copy. However, those headers are something that is absolutely required in order to do proper analysis.
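The difference between forwarding a message and attaching a copy, as an added example (not part of the thread and not KnowBe4's code): a report that carries the original as a `message/rfc822` attachment keeps the delivery headers an analyst needs, while an inline forward keeps only quoted text. All addresses, hosts and header values below are constructed samples.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

ANALYSIS_HEADERS = ("Return-Path", "Received", "Authentication-Results", "Message-ID")

def build_original():
    """Constructed sample: a suspicious message as delivered to the user."""
    m = EmailMessage()
    m["Return-Path"] = "<bounce@mailer.example.net>"
    m["Received"] = ("from mailer.example.net (203.0.113.7) by mx.corp.example; "
                     "Mon, 02 Oct 2017 09:14:00 +0000")
    m["Authentication-Results"] = "mx.corp.example; spf=fail smtp.mailfrom=mailer.example.net"
    m["Message-ID"] = "<constructed-1@mailer.example.net>"
    m["From"] = "Accounts <billing@vendor.example>"
    m["To"] = "user@corp.example"
    m["Subject"] = "Here is the attached invoice"
    m.set_content("Please see the attached invoice.")
    return m

def _report(subject, body):
    r = EmailMessage()
    r["From"], r["To"] = "user@corp.example", "security@corp.example"
    r["Subject"] = subject
    r.set_content(body)
    return r

def forward_inline(original):
    """Plain 'Forward': new envelope headers, old message only as quoted text."""
    quoted = "---- Forwarded message ----\nFrom: %s\nSubject: %s\n\n%s" % (
        original["From"], original["Subject"], original.get_content())
    return _report("FW: " + original["Subject"], quoted)

def forward_as_attachment(original):
    """Report that attaches the untouched original as message/rfc822."""
    r = _report("Reported: " + original["Subject"], "Reported as suspicious.")
    r.add_attachment(original)  # a Message object is attached as message/rfc822
    return r

def original_headers(raw_report):
    """Return the attached original's analysis headers, or None if none is attached."""
    report = message_from_bytes(raw_report, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # the embedded message, headers intact
            return {h: [str(v) for v in inner.get_all(h, [])] for h in ANALYSIS_HEADERS}
    return None

if __name__ == "__main__":
    sample = build_original()
    print("inline forward :", original_headers(forward_inline(sample).as_bytes()))
    print("attached copy  :", original_headers(forward_as_attachment(sample).as_bytes()))
```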
Just seeing your post now but I can give you some answers to your questions.
The messages are identified by the existence of certain headers in the message; no headers and the button knows that it wasn’t sent by our system. It goes one step further and validates that the unique string in the header is known on our side as well.
The training reminders shouldn’t be triggering the congratulations so that’s something that will have to get looked into, I’ll make sure the right people look into this.
Thanks for the response @Greg_Kras.
On a somewhat related note… After we rolled out the Phish Alert button to a group of about 100 technical people, some of them started clicking the Phish Alert button to report spam. We currently only have these coming to an internal group, but I’m wondering: If we have these automatically sent to KnowBe4, will anything bad happen when people report spam (or just unwanted messages that might not be spam at all)?
That’s a very valid question. I think the best answer is to give you a quick explanation of how the reported messages are addressed. The first process is essentially a sorting of submissions into 3 different categories: spam, phish, unknown.
The spam messages are skimmed off first because we do get a lot of those, thankfully the analyst group has been dealing with spam for decades and has methods and tools to speed up the process.
The phish emails can be recognized because we’ll see campaigns going out to a multitude of customers and patterns can be gleaned fairly quickly.
The unknown are the ones where the time is spent. These are a mix of legit emails that were erroneously flagged (people really do say “Here is the attached invoice”, attach a file, and nothing more), new phishing campaigns, and some really interesting spear phishing attempts. This bucket takes the most processing time because sometimes it’s really obfuscated as to what is actually going on. Legit emails get discarded once identified and the phish emails get tagged and tracked.
So, quick answer is that it would be nice to not get spam reported but it’s certainly something we anticipate and have workflow to address.
Thanks. That’s useful information. I hadn’t considered that the non-spam emails would create the most work for your team, but it does make sense.
Part of me wants to bring this information back to my user base, but on the other hand I don’t want to discourage anyone from reporting suspect emails. I suppose I’ll have to find a balance.
We are trying to implement the Phish Alert button now in preparation for starting our phishing simulation campaigns. It’s not going well though. It only seems to work when the client machine is off the corporate network and connected to a non-corporate WiFi. Has anyone else had this issue?
You’ll want to ensure that you can reach https://training.knowbe4.com/api/v1/phishalert/ (allow outbound connections to remote servers on port 443, that is the server URL the Phish Alert Button is trying to contact with a POST request).
You can try making that change and you should be good to go, but please let me know if you’re still having trouble. I’m happy to help!
We have been using KnowBe4 for about a year and are just considering the Phish Alert button (Lotus Notes email). The concern raised is about how much time it will take to review all that is reported/over reported - as people have said, they get legitimate emails and spam along with phishing messages. We have approximately 200 employees. Anyone have an estimate of how much time is spent reviewing all that is reported?
We are using it, we have the PhishAlert button forward the email to our helpdesk which is set to automatically reply with a Thank you! and then the ticket is archived for us. Once a week we look through these emails. We have a couple trigger happy users.
We’ve deployed it organization-wide (~70 users) and we’ve had some success with it. We get a lot of junk and spam messages that aren’t phishing, but it seems that users are more comfortable reporting anything suspicious, instead of letting their curiosity get the better of them.
Since we automatically and randomly test, I’ve found that adding the button increases the likelihood that users will either ignore or report phishing emails - it seems to give them some peace of mind knowing that if it’s not phishing they will get the email sent back to them - even if it’s a few days later.
We have been using the Phish Alert button for a few months, and we are happy with it. While we do get quite a few people submitting SPAM or even just regular marketing emails, that has dropped off recently. Also, as some others have said, we’d rather that they report SPAM as phishing than being trusting and inadvertently clicking on a malicious link.
One problem we have had is that people will report our own legitimate internal emails as phishing attempts. Like when we send out a required training assignment, and they report it as phishing.
We have about 1500 users with this enabled. Clients are Windows 10 Enterprise with Office 2016. The alerts go to the offshore team and they have a standard operating procedure they follow to determine the validity. We’re receiving about 300+ alerts from users each month. Well received by the user community and would encourage deploying.
I feel like I may be in the minority here, but I don’t have any heartburn with folks using the Phish Alert button for Spam. We can certainly tell the difference here and ignore the spam, but if a user is on the fence, or can’t tell the difference, I don’t see any harm in erring on the side of caution.
We all also know that Unsubscribe buttons can be trouble, whether they are on a Spam or Phishing mail.
Yeah, I shook my head at first, but then thought “why be bothered, what’s the downside?”
We’ve released Multi-PAB, which will allow admins to create multiple PAB instances on their KnowBe4 account. Admins can then customize the button / message text for each one of the PAB instances in their KnowBe4 account settings. Through this method, you could specify different languages for the different PAB instances.
This helpdesk article goes into this feature in more detail: https://support.knowbe4.com/hc/en-us/articles/115012103388
Feel free to reach out to us at email@example.com if you have any questions, take care.
Has anyone had an issue with Outlook closing the PhishAlert button because it says it slows down Outlook opening? I know it has happened to a few of our users and normally requires some manual intervention to get it back up.
I deployed the PAB to my executive leadership team since they are the most obvious and frequent targets. They liked it so much they asked me to deploy it to the entire company. So far, it’s worked out well. End users get a nice pat on the back when they use it during a phishing campaign, and it helps me to block more and more senders.
I have only ever had one problem. I have one user that the PAB will not remain enabled. I have reinstalled office, reinstalled the PAB. Nothing I have done thus far allows me to enable it for this one user. Otherwise, I like it.