Attacks on global brands such as eBay, PayPal and Amazon get a lot of news coverage, and each time this happens, the brand suffers. Often the source of corruption, unbeknownst to the organisation, is an email that appears to have come from the company, but instead was sent by a criminal source aimed at illegally soliciting sensitive information.
This practice, commonly known as phishing, is typically carried out by "email spoofing." With increasing frequency, these criminals are no longer targeting just top brands, but also setting their sights on small and medium-sized businesses. As larger organisations adopt security strategies to prevent these attacks, hackers are moving down the road to easier targets.
No company is immune to a spoofing attack. Most large organisations and B2C companies are already taking steps to resolve this issue. It's important that B2B, as well as medium and small businesses also protect themselves. Smaller businesses are especially vulnerable because, too often, they assume they aren't big enough to draw hackers' attention, and they haven't adopted the security strategies needed to fight this type of cybercrime.
Launchpad for bigger attacks
The flaw in that kind of thinking is that hackers don't care about the size of a business, they only care about vulnerability. They can get plenty of loot from mounting a series of attacks on vulnerable small and medium-sized businesses, and then use that data to launch an attack against a larger target. In the meantime, they've collected your employee and customer data, banking information and passwords, and they've compromised your brand.
Hackers use spoofing to make an email message look like it's from a sender the recipient knows or trusts to trick them into opening it. They simply edit an email address to make it look like it came from the sender's email account, so that when it's opened, it can infect the recipient's system with malware, or provide a pathway for the hacker to steal credit card data, passwords or other personal and financial information.
They can do this because email doesn't support authentication, allowing any criminal to send an email purporting to be from your company or brand.
DMARC: fighting back
Such phishing is without doubt a growing trend, and to combat the spoofing threat, 15 email services providers, financial firms and message security companies – including AOL, Google, Microsoft, Return Path and Yahoo – founded DMARC.org, a working group to create standards to reduce the threat posed by phishing, spam and other messaging abuses.
Domain-based Message Authentication, Reporting and Conformance (DMARC) standardises the way recipient email servers perform email authentication using SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) mechanisms. The organisation was launched in January 2012 and now protects 60% of global consumer email inboxes, and 80% in the United States.
Large organisations, including such top brands as Twitter, Amazon, eBay, Facebook and PayPal have adopted DMARC to combat spoofing with relatively good levels of success. According to DMARC.org, Outlook.com reported a 50% drop in reported phishing in 2013 due, in part, to DMARC. Additionally, more than 25 million email messages spoofing PayPal were rejected during the 2013 Christmas buying season.
What DMARC provides these organisations is visibility into whether their email is authenticating – proof that the email is coming from your own domain and not some other unauthorised domain that only looks like your site. Without DMARC, there is no visibility, and senders remain unaware of authentication problems because they have no way to get feedback about potential email spoofing, or to determine what to do with those emails – whether to block them or quarantine them somewhere.
As hackers troll for easier targets, it is vital for businesses of all sizes to protect their brands by adopting DMARC. Although most people today know not to open questionable attachments or click on suspicious links, spoofers have become so good at what they do that their targets can be easily fooled into believing an email is legitimate.
If you don't make it tough for other people to spoof your email, you're not only letting down your customers – who will stop trusting any email from your company – you're putting your brand at costly risk. By adopting DMARC, you can protect your customers against email spoofing, ensure they are getting your brand's legitimate messages, and help them to trust that when a message from your company appears in their inbox, it is a valuable email.
As you adopt DMARC, it's also important to make sure that your third-party marketing vendors, who send emailed marketing pieces such as newsletters to your customers on your behalf, also setup SPF and DKIM.
Importance of email
Email is still an important avenue of communication for businesses to maintain existing customer relationships and develop new ones. Unfortunately, it's also a widespread target for cybercriminals to cause irreparable damage to a brand. Any time a successful technology is adopted, it breeds creativity in criminals. As DMARC becomes more widely adopted, not just by large organisations, but also by small and medium-sized businesses, cybercriminals will look for other areas to exploit.
Are you responsible for ensuring that emails sent on behalf of your company are legitimate, and not coming from a spoofer? Do you have a fiduciary responsibility to customers who are negatively impacted by a spoofer's email appearing to be from your company? Let's assume you are a nation state issuing currency to be used by citizens. Is the government responsible for ensuring the currency cannot be easily counterfeited? If the answer is yes, then the same goes for your corporate email, too.
No company should allow spoofers to diminish customer trust in its brand. By adopting DMARC and implementing email authentication standards you can help thwart the attacks that could be the downfall of your business.
For more information, go to DMARC.org.
- Florian Malecki is International Product Marketing Director, Dell Security
from TechRadar