Merriam-Webster defines “white list” as “a list of approved or favored items”. In the IT world it is a term used most often in connection with email. Your user-level or company-level white list most likely includes addresses you or someone else in your company has deemed important. Or maybe it just includes senders from whom you receive numerous emails. It’s your “I must receive all email from this person or this company/firm” list. Did you know that adding domains and email addresses to your white list is actually putting you and your company more at risk? Every time you add an address to a whitelist you are giving someone permission to freely enter your inbox, bypassing all those email security measures that you are probably (hopefully) paying for.
Check this email for bad attachments? You get a free pass. This way to the inbox, ma’am.
Check this email for inappropriate content? You get a free pass. This way to the inbox, sir.
Check this email for spoofing? You get a free pass. This way to the inbox.
Liberally utilizing your company whitelist takes virus protection and content filtering out of the hands of your service provider and places it squarely on the shoulders of the end user.
Break yourself of the thought process that includes “I’ve had communication in the past with this person. It must be important.” The emails that can be the most dangerous are the ones that appear to come from a name you recognize.
So what should/can a person do?
When at all possible, don’t add addresses to the company-wide whitelist. Even though a sender may be important enough to warrant being added to a white list, it is likely that Mr./Mrs. Big doesn’t need to send email to every employee. Protect the users who may only have occasional communication with that sender. You can better protect your office from spoofing by letting users curate their own whitelists.
Don’t ever add entire domains to the white list. “I’ll just allow all @thelawfirmof.com addresses; that’s the easiest fix.” Don’t… just don’t.
Whenever possible, whitelist an IP address instead. An IP address identifies the specific server that sent the email message, whereas the From address is just text the sender types. While it’s not impossible to spoof a server address, it’s a little more advanced than spoofing an email address.
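To make the difference between the two previous points concrete, here is an added example (not code from the original post) that runs two constructed messages through a domain-based allowlist and an IP-based allowlist. Both messages claim a From address at the partner domain; only the first actually arrived from the partner’s mail server. The partner domain, IP range, and message headers are all made up for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). Each has a single Received
# header, the one our own mail exchanger (mx.example.net) stamped on it.
LEGIT_MSG = """Received: from mail.thelawfirmof.com (mail.thelawfirmof.com [203.0.113.10]) by mx.example.net with ESMTPS id abc123
From: Partner <partner@thelawfirmof.com>
To: user@example.net
Subject: Contract draft

Please review the attached draft.
"""

SPOOFED_MSG = """Received: from unknown (HELO mail.thelawfirmof.com) ([198.51.100.77]) by mx.example.net with ESMTP id def456
From: Partner <partner@thelawfirmof.com>
To: user@example.net
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# The "just allow the whole domain" shortcut from the post.
DOMAIN_ALLOWLIST = {"thelawfirmof.com"}

# The partner's real outbound mail range (constructed for this example).
IP_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Matches the bracketed client address our MX writes into its Received header.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(raw: str) -> str:
    """Domain part of the From header, i.e. text entirely under the sender's control."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def connecting_ip(raw: str):
    """IP address of the host that connected to our MX.

    Only the topmost Received header is trusted: our own server wrote it from
    the TCP connection. Any Received headers below it were supplied by the
    sender and can say anything.
    """
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP.search(received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def passes_domain_allowlist(raw: str) -> bool:
    """Weak check: trusts whatever the sender typed into From."""
    return sender_domain(raw) in DOMAIN_ALLOWLIST


def passes_ip_allowlist(raw: str) -> bool:
    """Stronger check: trusts only the server that actually delivered the mail."""
    ip = connecting_ip(raw)
    return ip is not None and any(ip in net for net in IP_ALLOWLIST)


def classify(raw: str) -> dict:
    """Return how each allowlist style would treat the message."""
    return {
        "from_domain": sender_domain(raw),
        "connecting_ip": str(connecting_ip(raw)),
        "domain_allowlist_bypasses_filters": passes_domain_allowlist(raw),
        "ip_allowlist_bypasses_filters": passes_ip_allowlist(raw),
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, classify(raw))
```

The spoofed message sails past the domain allowlist because its From header says the right thing, but fails the IP allowlist because it was delivered from an address outside the partner’s range. The check only works if you read the Received header your own server added and ignore the ones below it, since those are just more sender-supplied text.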
Lastly, what I choose to do personally is to treat every email with a “healthy” dose of caution/skepticism. Email from a person I have not spoken to in months or years? More caution. Email from someone I communicated with yesterday? A little less caution. You can never be too careful. Remember, you, the end user, are the most important line of defense against viruses and dangerous email.
Additional resources regarding whitelists and cybersecurity issues: