Because email is a major ticket channel, tickets are subject to email phishing attacks. Email spoofing is a form of phishing attack where an attacker attempts to trick a victim into thinking a message came from a trusted source. The email might also try to lure the recipient into clicking a link or attachment that takes them to a fraudulent web page or deploys malicious software on their system.
One of the best defenses against email spoofing is your front-line staff working on tickets. While some spoofing attempts are clearly recognizable, accurately recognizing every attempt is not possible for busy agents working in fast-paced environments. Zendesk helps by flagging comments sent by a user whose identity may have been spoofed. These flags notify agents when a potential attack has been detected in a ticket conversation.
This article covers the following topics:
Understanding the email spoofing flags in tickets
Zendesk displays a warning icon () beside each comment in a ticket conversation that might be an email phishing attempt. Flags display only for ticket comments that were created from email. They don't display for comments created from other channels such as messaging, chat, Web Widget, or the help center request form.
The flag brings attention to the potential risk without affecting the workflow of your end users and agents. The ticket is not flagged in any ticket views. You cannot remove the flag.
Click the warning icon () to display the warning message. You can also hover over the warning flag for more information. The following four email spoofing messages might appear.
- Possible "Reply to end user" spoof: If the agent replies to the comment, the
reply might not be sent to the displayed end user. Mismatched From: and
Reply-To: headers are a common attribute of email used legitimately by many
individuals and organizations. Zendesk only flags the comment when there is
suspected malicious intent.
- Possible "Reply to agent" spoof: If the agent replies to the comment, the reply
might not be sent to the displayed agent. See Working with email address conflicts in ticket replies
for more information.
- Potential comment spoof: The comment might not have been sent by the displayed
email address, or email authentication might have failed. See Understanding the sender authentication
flag for more information.
- Possible "Other user update": An unknown user who isn't a CC on the ticket might
have joined the conversation with a comment. See Configuring CC and follower
permissions for more information.
Actions agents can take on flagged comments
- Solving the ticket with due caution
- Marking the ticket as spam and suspending the user
- Reassigning the ticket to a security group for further review