How to Defend Against the Growing Sophistication of Email Attacks

A multi-layered security approach is necessary to feel fully protected, but “locking the front door” (aka DMARC) is essential for this strategy, says Seth Blank, chief technology officer at Valimail.

June 8, 2022

In its humble beginnings, no one foresaw the scale of the internet, nor how foundational to businesses and business transactions email would become. As it evolved, email continued doing what it was designed to do: helping people communicate with each other electronically. 

And then, in the late 1990s and early 2000s, the internet took off. Emails flew through cyberspace — but suddenly, people’s inboxes were overflowing with junk emails. 2003 brought the first US law establishing national standards for sending commercial email: the Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act.

It was an excellent start to reining in a deluge of unwanted spam by: 

  • Prohibiting the inclusion of misleading or deceptive information and subject headings.
  • Requiring identifying information like return addresses in email messages.
  • Prohibiting companies from continuing to send emails to recipients who had explicitly indicated they did not want to keep getting messages.

While extremely valuable, laws don’t address the underlying technical challenges that allow such problems to thrive. At the same time these laws were being developed, email authentication was born to manage this deluge of spoofing and, later, phishing.

The first email authentication protocol was Sender Policy Framework (SPF), which was formalized in 2004 and officially published as RFC 4408 in 2006. This technical standard was designed to protect mail systems from spoofing. SPF aims to stop any random mail system from sending as anyone else by allowing a domain to specify which IP addresses it sends mail from. SPF is a protocol with tremendous nuance and some tricky edge cases, such as forwarded mail — but it started a chain reaction to develop additional protocols and defenses to strengthen authentication further and stop spoofing and phishing.

Why was that important? Because there was no concept of trust with email to begin with. Emails lacked authentication, and you could pretend to be anyone. To send a spoof email, you connected to any email system, provided whatever From and To addresses you wanted, typed the message, and sent it. 

Unfortunately, it’s still just as easy to send spoofed messages. However, there are tools to protect companies from spoofing that abuses their domain names. Domain-based Message Authentication, Reporting, and Conformance (DMARC) prevents cybercriminals from impersonating a company and sending phishing emails on its behalf if the company is at DMARC enforcement.
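What "at enforcement" changes for a receiver, as an added example that is not from the article: the records, domains and authentication results are constructed, enforcement is taken to mean a policy of `quarantine` or `reject`, and the organizational domain is approximated by the last two labels where a real evaluator uses the Public Suffix List.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable policy."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return None
    tags["p"] = policy
    return tags


def org_domain(domain):
    # Assumption for this example: last two labels (real code consults the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode ("s") needs an exact match; relaxed ("r") compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(from_domain, record, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the earlier checks."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    checks = ((spf, "aspf"), (dkim, "adkim"))
    if any(result == "pass" and aligned(from_domain, dom, tags.get(tag, "r"))
           for (result, dom), tag in checks):
        return "pass"
    return tags["p"]                       # "none" only reports; the message is still delivered


# Constructed records: the same domain in monitoring mode and at enforcement.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@example.com"
# Constructed spoof: From: example.com, but SPF passed only for the sender's own domain.
SPOOF = (("pass", "attacker.example"), ("none", ""))

if __name__ == "__main__":
    print(disposition("example.com", MONITOR, *SPOOF))    # policy applied: none
    print(disposition("example.com", ENFORCED, *SPOOF))   # policy applied: reject
```

A forwarded message that fails SPF still passes DMARC when its DKIM signature survives and the signing domain is aligned, which is why the two results are evaluated together.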

Cybercriminals have fully embraced and exploited email’s weaknesses, finding many opportunities to hijack domains and cause millions of dollars in damage, along with reputational and brand damage. But companies do have solutions to protect their email ecosystem.

The Most Common Phishing Attacks

Every year sees many published data breach reports, and the numbers are consistent. Between 90% and 95% of cyberattacks in any given year start with emails. While these attacks take many forms, what’s the same is that the sender is pretending to be someone they’re not. When business emails get compromised, financial fraud becomes easy to execute. Several different email scams are most commonly used today: phishing, spear phishing, and spoofing.

Phishing 

In phishing scams, cybercriminals pose as legitimate institutions, organizations or companies and extract sensitive or private information from receivers via legitimate-looking email requests. Once the information is in their possession, these hackers use it to commit identity or financial theft. Phishing attempts also are leading vectors for distributing malware and ransomware by asking unsuspecting recipients to click a hyperlink or download a file. The computer can become infected with malicious software that reroutes personal information and sensitive data to the hackers as soon as the action occurs.

Spear phishing

This social engineering attack targets individuals and has a specific goal: to convince (or trick) someone into doing the wrong thing. When successful, these attacks can net a lot of money from an unsuspecting victim. It works because it takes advantage of something you were planning to do. Hackers impersonate a legitimate person — someone you trust — asking you to take a specific action.

For example, a few years ago, the Ottawa city treasurer received a spoofed email impersonating the manager of the City of Ottawa, asking him to wire-transfer almost USD 98,000 into a fraudulent account. The Office of the Auditor General identified the attack as a widespread “fake CEO scam” scheme.

This type of attack, called “whaling,” specifically uses spoofed email addresses to target high-profile or senior executives with access to sensitive company information and resources. Because the city processes over 350,000 payments valued at $3 billion annually, it was easy for this phishing scam to slip through the controls meant to catch illegal activities.

Spear phishing and whaling are effective, targeted, and precise attacks that work. Businesses must validate the sender identity of messages.


Shut the Front Door

We achieve herd immunity as an email ecosystem when most domains have strong email authentication. It acts as a vaccine for the rest of the ecosystem. Once we have authenticated domains, messages without authentication can start being ignored, ensuring hackers can’t use others’ domains to commit fraud. The more domains that have that protection, the more level the playing field. Knowing the validated identity of a sender is paramount to good security — and good compliance, too.

Think of DMARC as the front door. This email authentication policy and reporting protocol keeps the “burglars” out. It’s the first step in securing your home. What if you had cameras everywhere, bars on the windows and locks on the filing cabinet — but your front door wasn’t locked? Anyone could walk in and use a crowbar to break into the filing cabinet.

A house with a locked door is no longer an easy target for thieves. While thieves can use other attack routes, it’s easier to move on to a different house whose front door is unlocked. The data supports this: domains without DMARC are attacked at 4 times the volume of those with it. The threat profile and focus change when companies lock the door via email authentication. Cybercriminals would rather target a company that’s more easily exploited.

The Problem with Phishing

Phishing is problematic because it escapes most modern defenses. Cyberhackers are constantly evolving their approaches to counter the reason we use. The average phishing attack lasts only 12 minutes — and it might be the only time a hacker uses that particular attack. 

You can educate yourself and your employees on ways to avoid email and phishing scams. Knowing what they look like will help, as do the following tips:

  • If you’re in doubt, don’t click a link.
  • If something sounds too good to be true, it probably is.
  • Double-check sender URLs and addresses because spoofed emails and websites look nearly identical to the original and require you to pay close attention.
  • Look for errors in the email copy. Legitimate companies proofread their communications. Hackers generally don’t.

However, the issue with these tips is that while they’re good to follow, people make mistakes. Even experts overlook things. Preventing phishing does require a multi-layered strategy. Phishing awareness is part of that defense, but it’s not the center. The best security advice is to stop the phishing messages before they’re even in a user’s inbox. The best advice is to lock your front door. DMARC is the lock on the front door. 
