According to a recent report by corporate investigations and risk consulting firm Kroll, UK businesses are the second biggest victims of cybercrime in the world, with 92 per cent of executives saying they had experienced an attack or information loss in the last year. Phishing is one of the most common types of cyberattack, with 30 per cent of phishing emails getting opened, according to Verizon’s Data Breach Investigations Report. It’s the easiest way to hijack accounts – as happened to Hillary Clinton’s election campaign chairman John Podesta last year.
Even tech giants like Facebook and Google aren’t immune. Last month it emerged the tech giants were conned out of more than $100 million (£77m) each in an elaborate phishing scam involving forged email addresses and fake invoices from suppliers. It’s straightforward and relatively easy to steal someone’s online identity: with just a few lines of code, it’s possible to ‘borrow’ email addresses and create malicious emails that appear genuine.
Crucially, these scams do not involve hacking or password theft. A basic understanding of web protocols and simple tools such as telnet, and finding the name of the individual being impersonated (usually from LinkedIn) is enough for the attack to be successful. To make matters worse, email servers and spam filters are often duped into trusting these emails because, unlike traditional phishing attacks, the sender’s email address looks legitimate.
As this tactic can be used on most email addresses, it’s easy to see how employees can be tricked into believing emails purporting to be from an important customer, partner or senior manager are genuine, especially when some email apps automatically include the perceived sender’s image.
Email: the backdoor to your business
We trust email providers to effectively handle security of our email identities online, but these scams highlight a fundamental problem with the way email relay has worked since the dawn of the Internet. It doesn’t matter whether your company has a strong security and password policy, or if it has enabled two-factor authentication (2FA) on employees’ accounts. All of this can be sidestepped by exploiting the basic weakness in email: that it’s easy for a criminal to impersonate a trusted employee or partner and trick the recipient into opening the message, which in turn opens the door to further compromises of your business’ security.
However, just because this weakness is part of the way the Internet works, doesn’t mean that it’s not fixable. There is an email authentication protocol known as Domain-based Message Authentication, Reporting and Conformance (DMARC), which prevents anyone from impersonating your email domain, making it impossible for hackers to send fake emails to your clients; it also blocks malicious emails from your inbox.
An article on the Gov.uk website explains how the protocol works in detail, but in brief DMARC works by verifying if an email was sent from an authorised IP address, and also if the email has been signed by the same domain it was sent from, or from a domain that is authorised to send on behalf of that domain. These two factors are combined to authenticateemails, and to set rules about how receiving servers should treat mails if they fail the authentication checks.
DMARC has proved so successful that HMRC has introduced it across its entire organisation, while the National Cyber Security Centre, the UK and Australian governments, and the U.S. Federal Trade Commission are among DMARC’s growing list of advocates.
Deploying DMARC
So if DMARC delivers such effective protection against phishing scams and malicious emails, why don’t email providers offer it as a standard service? The simple answer is that they can’t. DMARC configuration is the responsibility of the business email’s domain owner – not the email provider. To ensure DMARC protects a domain, all other email providers used, such as G Suite, MailChimp and SendGrid, must be correctly configured. The vast majority of businesses have to set up DMARC for themselves to protect their emails.
In the past this would have been a lengthy, costly and frustrating process, as the protocol is complex to implement. However, there are now solutions available that enable firms to set up DMARC and run it on a self-service basis, making its protection much more widely accessible.
In conclusion, DMARC protects domains and offers security against email-related cybercrime and spam, helping to stop fraudsters in their tracks. And security isn’t the only benefit. DMARC breeds confidence and builds better relationships between email senders and recipients. By securing your domain with DMARC, email servers – and the receivers themselves – know that any emails sent from your addresses can be trusted.
Check the current status of your organisation’s email domain using the tool at https://ondmarc.com/, and start increasing your email security and deliverability.
[su_box title=”About Rahul Powar” style=”noise” box_color=”#336588″][short_info id=’102482′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.