This glossary contains explanations and additional information about the messages displayed in Trustifi’s security awareness Smart Banners, including explanations about why each message is considered positive or negative.
If you received an email with the Trustifi security awareness positive or negative tips and you want to learn more about it, please look for the messages you’ve received below and see the relevant explanations.
If you need any further help in understanding the Smart Banners, please contact us at support@trustificorp.com
Negative feedback
The email was sent from a personal email address
The email was sent from a personal email addressThis means the sender is using a personal email address typically hosted at free email services like gmail.com or Yahoo, as opposed to a business or corporate email address.
Personal email addresses are generally considered to be less safe since spammers and attackers often use them due to the ease with which personal email addresses can be created and discarded.
The email came from an external source
The sender of the email is not part of your domain or your organization.
An external sender is not necessarily a cause for concern but should be considered especially if the sender claims to be someone in your organization.
The sender’s email address is different from the reply-to address
A sender’s “Reply-to” address is the email address that is used when replying to their emails. This message notifies that, in the case of this sender, the email address you will be replying to is not the same as the email address the email was sent from.
This is not necessarily an indication of any kind of attack, as many marketing services (for example) configure their emails this way, however, it could also be suspicious as spammers and attackers often use a different reply-to address.
The sender’s email/reply-to domain was recently created
This message indicates that the domain which used in the sender’s email address or their reply-to address has only recently been created.
A newly created email domain could be a potential sign of danger since the domain does not have any proven reputation and attackers often create new domains to carry out phishing/spam attacks.
The sender has no valid MX record
An MX record indicates which email server incoming emails should be delivered to. This message indicates that the email address/domain associated with the sender has no valid MX record.
The lack of an MX record for the sender may indicate their email address has been faked, or that they are using an email address that has not been properly configured. Both are potential signs of phishing or spam.
This is the first email from this sender
There are no past records in Trustifi to indicate you’ve ever received an email from this sender.
You should always be careful of emails from first-time senders since spam emails and phishing attacks most often come from people you had no previous contact with.
The domain of one of the links in the email has been recently created
This message indicates that, while analyzing the links in the email body, it was found that at least one of the link domains has been recently created.
Similarly to the sender’s domain, a link from a newly created domain could be a suspicious sign as phishing links are often hosted on newly created domains.
The sender used a VPN to send this email
This message indicates that the sender has sent this email using a Virtual Private Network, or VPN. This means the email was not received from the original network of the sender, but rather it was routed through a network in a different location or email server.
Many people use VPNs for a variety of reasons which are not necessarily malicious, however, attackers or spammers may also use a VPN to hide their identity.
The sender used Tor to send this email
Tor is a browser that redirects the user’s traffic via a series of open-source and independent services, which help hide the user’s identity while using it.
Similarly to VPNs, many people may choose to use Tor for any reason, however, you should note if an email was sent using Tor since it may mean the sender would like to hide their identity for potentially malicious reasons.
The message has been classified as a potential Pre-Vishing attack
A “Pre-Vishing” attack is a type of phishing email that typically does not contain any harmful payload like malware, however, it attempts to convince the user to call the attacker over the phone – which is where the attacker would perform their extortion or attack (“Voice phishing” or “Vishing”).
The message has been classified as a reconnaissance (pre-attack)
Before conducting a phishing campaign, some attackers may choose to send reconnaissance emails that are meant to check if the recipient’s mailbox is active and if the intended recipient reads their emails.
A pre-attack or reconnaissance email will typically be completely blank, or it may contain very few words or an image. The email will also often contain some kind of method of tracking to see if the recipient has read the email.
This email may be attempting to spoof a known brand or service
Some attackers may try to convince the recipients of their emails that the email was sent from a known and trusted brand or service like Google, Microsoft, Amazon, etc.
One of the ways to perform this type of attack is by creating phishing emails with content similar to official emails from these brands or services. If you see this message, it means that Trustifi’s AI has reason to believe the content of this email is meant to fake an official service email from a known brand.
The sender appears to be impersonating a known brand
Similar to the message explained above, this message also indicates an attempt to impersonate a known and trusted brand or service.
This message specifically states that the sender’s name or email address is designed to appear similar to that of a known brand, which is meant to build trust on the recipient’s side.
Look closely at the sender’s email address – official brand emails should come from real and official email addresses and domains. Some attackers may even create fake domains that look similar to official brands, but not quite the same.
The sender appears to be impersonating a known contact
This message indicates a potential attempt to impersonate one of the recipient’s known contacts, which is detected when the sender’s name matches that of a known contact but the sender’s email address is different from that of the contact.
Attackers often fake their sender name to match that of a known contact to conduct impersonation attacks which can lead to phishing/extortion. However, it is also possible the sender is the same person as the known contact, just using a different (legitimate) email address that is not listed in the recipient’s contact list.
The sender used special characters for impersonation
Technically known as a “Homoglyph attack”, some attackers try to avoid detection of impersonation by using similar-looking characters. For example -“Trustifi” can be spoofed this way by using a lowercase L instead of the 2nd “i” letter, like so – “Trustifl“. These tactics often go unnoticed by recipients and can lead to the attacker successfully impersonating a known person or service to conduct phishing attacks.
The message could be a Business Email Compromise (BEC) attack
A Business Email Compromise (BEC) attack is a type of scam/extortion email in which the sender usually pretends to be someone else (or takes over someone’s mailbox) and sends emails requesting sensitive business information or requesting the recipient to perform certain actions.
For example, the attacker may pretend to be a senior manager like a CEO or CFO, and request a lower-level employee to send money to a specific bank account.
If you see this message in an email, it means that Trustifi’s AI has determined with a high degree of certainty that the content of the email resembles a BEC attack.
The message has been classified as spam
Simply put, this message indicates that Trustifi’s AI has determined with a high degree of certainty that this email is spam.
As opposed to graymail (detailed below), spam emails are almost always malicious in nature and very often lead to scams, attempts of extortion, and phishing.
The message has been classified as graymail
Similarly to the message detailed above about spam – this message indicates that the email was determined to be graymail by Trustifi’s AI.
Graymail is most often marketing material or newsletters – emails that some may classify as spam but others may be interested in receiving.
Graymail emails are almost never malicious, unlike spam (detailed above).
The sender’s reputation was found to be bad
This message indicates that Trustifi has conducted a check of the sender’s reputation, and found it to be negative. A sender’s reputation can become negative if they have a history of sending emails that were flagged as spam or phishing by their recipients.
In some cases, senders may get a negative reputation even if they only send legitimate emails, and a bad reputation does not immediately mean the email is an attack. However, the sender’s reputation should definitely be considered if the legitimacy of the email is in question.
Positive feedback
The email was sent from a known contact
The email was sent from a known contactThis message indicates the message was sent from someone who is in your contact list.
Emails from people in your contact list are generally considered to be safer since the identity of the sender is known and a known contact is far less likely to send malicious content or spam.
However, caution should still be applied since the sender’s mailbox may have been compromised, or a trusted contact may still forward potentially dangerous content by mistake or without notice.
The email was sent from a trusted contact
This message is similar to the one above, however in this case the contact was specifically marked as “trusted” by your administrator or IT team.
Emails from trusted contacts are considered even safer than emails from “regular” contacts and you are more likely to have a relationship with them, however the potential risks specific above regarding contacts still apply here.
The email was sent internally
If you see this message, the email was sent from within your own organization or domain.
Emails sent internally warrant a higher level of trust than emails sent from external senders, however if you see suspicious content in an internal email you should still avoid it and contact your admin or IT team.
The email was sent from a trusted domain
Trustifi allows organizations to define which domains are their “trusted” domains, and emails coming from these domains are validated thoroughly to determine the source of the email is legitimate.
If you see this message on an email, it means the email came from a domain that is marked as “trusted”, and that it was validated the email came from a legitimate source and was not spoofed or faked.
The email was sent from a top domain
This message indicates the email came from a domain that is ranked high in the list of domain popularity and traffic.
Top domains are usually very secure and emails coming from these domains is typically considered to be safe.
The email was sent from a known brand/service
This message indicates that Trustifi recognizes this email came from an officially known brand or service and was not faked or impersonated.
Emails coming from official brands or services like Google, Microsoft, Amazon, etc. are generally considered to be safe and secure.
The email was sent using Trustifi
Emails that are sent using Trustifi’s systems should be treated with a high level of trust, since Trustifi scans and monitors all outbound traffic to make sure the systems are not used to send spam or phishing.
The sender’s identity has been allowlisted
This message indicates that the sender has been added to the allowlist either by the recipient or by an admin.
Assuming the recommended best practices for allowing listing are followed, such senders should be considered trusted and safe.