Outsmarting phishing, the Mailpass way

George Molina

May 17, 2024

Imagine an inbox that doesn’t scan your emails to show you ads, is unbelievably simple to use, and is free from phishing and spam.

We think that sounds like a pretty good idea. So much so that we went ahead and built one specifically for SMEs, so they can securely manage their SaaS accounts and never again have to worry about getting phished by fake domains posing as their platforms. Let me explain.

When we set out to build Mailpass, we didn’t want to just make another expensive email client replacement. We think there are enough of those out there, and none of them address the daily trust exercise of not being 100% certain that every message you receive from the tools and services you use to get your work done is legit.

While companies of all sizes are at risk of phishing attacks, it’s the underdogs, startups and SMBs that bear the brunt of the pain, as the bigger players can afford enterprise-level security and protection. If you’re a founder or team lead, you probably feel this pain more than most. You have a thousand things to worry about, and being a reluctant IT admin is probably one of the lower ones on your priority list.

The difficult truth, however, is that phishing remains a genuine concern. 2023 was another year in which reported attacks rose compared with the year before. And what are some of the options pushed towards underfunded and understaffed teams? Phishing exercises and tighter spam filters. Not only are we bored just thinking about another awareness training, these measures simply aren’t effective; spare a thought for the new joiner who onboards the day after the phishing exercise.

While it probably would have been easier to accept that this is just the way things are when it comes to phishing, we felt the need to do something about it. Let’s dive into these two "solutions" to understand why.


Phishing simulations are broken

Encountering an email from a phishing exercise is often a forgettable experience. You’re looking for an email and a new message pops into your inbox. The fonts are off, the request enclosed has nothing to do with your work, and you don’t recognize the sender. You report it to your admin and get a Slack message soon after: “Nice one catching the phishing email!” You return a sympathetic thumbs-up emoji and swiftly try to get back to what you were trying to do in the first place.

Do we really think this is working? 

The truth is, templated emails from phishing simulation platforms simply don’t prepare employees for the sophisticated spear phishing attacks that end up doing the most damage. We’re no strangers to these offerings, having encountered them through both private and government-led initiatives. They are consistently inadequate, either in the relevance of the ‘off the shelf’ templates available or in the amount of time it takes an admin to set up a “realistic” exercise.

With prohibitive pricing that can range upwards of thousands of dollars per year, reluctant IT admins may understandably choose to allocate their limited resources in other ways, often aiming for a more pragmatic alternative like adjusting the company email’s spam filters.


Like playing Catch-22? Let’s talk about dialing up your spam filters

Admins will often hear that tuning up your email provider’s spam filters, in an effort to stop malicious messages from reaching you in the first place, is the next best option.

While providers like Gmail already use spam filters that they claim block up to 99.9% of spam from reaching you, a quick Google search will show you that this doesn’t seem to be the case in practice. Some even claim Gmail’s filtering has gotten worse.

For those reluctant IT admins who wade into the world of spam filter tinkering, the following incredibly intuitive instructions await them:

A quick scan of the setting options provided may, understandably, leave you with some questions. What exactly does “be more aggressive” mean? If I send spam to administrative quarantine by default, do I now need to stay on top of everyone’s spam? How can I be 100% sure I won’t miss an important message if I switch any of these on?

If you ask anyone who has had the privilege of becoming acquainted with these filters, as we have, you’ll often hear that the choice ultimately comes down to the lesser of two evils. Turn the settings on, and they usually turn out to be overly restrictive: admins start getting questions from teammates asking whether an email they were expecting might be sitting in quarantine because one of these filters was triggered. Keep them off, and a future security audit may question why you haven’t had them on this whole time, or worse, a real phishing attack may come through and cause havoc.

The question we ask ourselves is: do founders and reluctant IT admins really have time for this? And what’s the point, if spam and phishing emails still get through anyway?

Make way for Mailpass

After you’ve spent thousands of dollars on ineffective phishing simulations and recovered from getting lost in the spam filter underworld, you may reach the same conclusion we have: The options available to small businesses today in the fight against phishing aren’t cutting it. 

For these reasons and more, we’re building Mailpass. 

With Mailpass, you can register for and receive communications from SaaS tools (think Figma, Hubspot, AWS, etc.) to shared or personal inboxes in the platform. Our inboxes are protected by PassGuard, a novel approach to secure messaging which ensures you never have to worry about a spoofed email from your SaaS platforms again. 

As much as we love escape rooms, we’re also not in the business of leaving you to navigate the maze of spam filter settings. Smart defaults are baked into our platform and ensure that reluctant IT admins and employees alike don’t need to overthink things to stay safe. Your team members will thank you when they’re not reporting yet another awfully templated phishing email, and admins get a unified platform that makes security decisions for them based on industry best practices you can trust. 

By the way, every Mailpass account (not just an admin’s!) comes protected by industry-leading security with passkeys, at no additional cost. We believe in a future free of phishing, and as part of our mission to make security accessible and effective for all, we’ll never charge extra for features that make your organization safer.

If you’re a startup or growing team who could use a hand with phishing and company accounts, drop us a message at hello@mailpass.com to learn more. We’re here to be part of the solution.