As organisations set up charity funds around the world to fight Covid-19, a different sort of battle is being waged in the electronic conduits of the internet. Thousands of people around the world have fallen prey to email spoofing and covid-19 email scams during the coronavirus pandemic. It’s become increasingly common to see cybercriminals use real domain names of these organisations in their emails to appear legitimate.

In the most recent high-profile coronavirus scam, an email supposedly from the World Health Organization (WHO) was sent around the world, requesting donations to the Solidarity Response Fund. The sender’s address was ‘[email protected]’, where ‘who.int’ is the real domain name for WHO. The email was confirmed to be a phishing scam, but at first glance, all signs pointed to the sender being genuine. After all, the domain belonged to the real WHO.

donate response fund

However, this has only been one in a growing series of phishing scams that use emails related to coronavirus to steal money and sensitive information from people. But if the sender is using a real domain name, how can we distinguish a legitimate email from a fake one? Why are cybercriminals so easily able to employ email domain spoofing on such a large organisation?

And how do entities like WHO find out when someone is using their domain to launch a phishing attack?

Email is the most widely used business communication tool in the world, yet it’s a completely open protocol. On its own, there’s very little to monitor who sends what emails and from which email address. This becomes a huge problem when attackers disguise themselves as a trusted brand or public figure, asking people to give them their money and personal information. In fact, over 90% of all company data breaches in recent years have involved email phishing in one form or the other. And email domain spoofing is one of the leading causes of it.

In an effort to secure email, protocols like Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) were developed. SPF cross-checks the sender’s IP address with an approved list of IP addresses, and DKIM uses an encrypted digital signature to protect emails. While these are both individually effective, they have their own set of flaws. DMARC, which was developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and has a mechanism that sends the domain owner a report whenever an email fails DMARC validation.

This means the domain owner is notified whenever an email sent by an unauthorised third party. And crucially, they can tell the email receiver how to handle unauthenticated mail: let it go to inbox, quarantine it, or reject it outright. In theory, this should stop bad email from flooding people’s inboxes and reduce the number of phishing attacks we face. So why doesn’t it?

Can DMARC Prevent Domain Spoofing and Covid-19 Email Scams?

Email authentication requires sender domains to publish their SPF, DKIM and DMARC records to DNS. According to a study, only 44.9% of Alexa top 1 million domains had a valid SPF record published in 2018, and as little as 5.1% had a valid DMARC record. And this is despite the fact that domains without DMARC authentication suffer from spoofing nearly four times as much as domains that are secured. There’s a lack of serious DMARC implementation across the business landscape, and it’s not gotten much better over the years. Even organisations like UNICEF have yet to implement DMARC with their domains, and the White House and US Department of Defense both have a DMARC policy of p = none, which means they’re not being enforced.

A survey conducted by experts at Virginia Tech has brought to light some of the most serious concerns cited by major companies and businesses that have yet to use DMARC authentication:

  1. Deployment Difficulties: The strict enforcement of security protocols often means a high level of coordination in large institutions, which they often don’t have the resources for. Beyond that, many organisations don’t have much control over their DNS, so publishing DMARC records becomes even more challenging.
  2. Benefits Not Outweighing the Costs: DMARC authentication typically has direct benefits to the recipient of the email rather than the domain owner. The lack of serious motivation to adopt the new protocol has kept many companies from incorporating DMARC into their systems.
  3. Risk of Breaking the Existing System: The relative newness of DMARC makes it more prone to improper implementation, which brings up the very real risk of legitimate emails not going through. Businesses that rely on email circulation can’t afford to have that happening, and so don’t bother adopting DMARC at all.

Recognising Why We Need DMARC

While the concerns expressed by businesses in the survey have obvious merit, it doesn’t make DMARC implementation any less imperative to email security. The longer businesses continue to function without a DMARC-authenticated domain, the more all of us expose ourselves to the very real danger of email phishing attacks. As the coronavirus email spoofing scams have taught us, no one is safe from being targeted or impersonated. Think of DMARC as a vaccine — as the number of people using it grows, the chances of catching an infection go down dramatically.

There are real, viable solutions to this problem that might overcome people’s concerns over DMARC adoption. Here are just a few that could boost implementation by a large margin:

  1. Reducing Friction in Implementation: The biggest hurdle standing in the way of a company adopting DMARC are the deployment costs associated with it. The economy is in the doldrums and resources are scarce. This is why PowerDMARC along with our industrial partners Global Cyber Alliance (GCA) are proud to announce a limited-time offer during the Covid-19 pandemic — 3 months of our full suite of apps, DMARC implementation and anti-spoofing services, completely free. Get your DMARC solution set up in minutes and start monitoring your emails using PowerDMARC now.
  2. Improving Perceived Usefulness: For DMARC to have a major impact on email security, it needs a critical mass of users to publish their SPF, DKIM and DMARC records. By rewarding DMARC-authenticated domains with a ’Trusted’ or ‘Verified’ icon (like with the promotion of HTTPS among websites), domain owners can be incentivised to get a positive reputation for their domain. Once this reaches a certain threshold, domains protected by DMARC will be viewed more favourably than ones that aren’t.
  3. Streamlined Deployment: By making it easier to deploy and configure anti-spoofing protocols, more domains will be agreeable to DMARC authentication. One way this could be done is by allowing the protocol to run in a ’Monitoring mode’, allowing email administrators to assess the impact it has on their systems before going for a full deployment.

Every new invention brings with it new challenges. Every new challenge forces us to find a new way to overcome it. DMARC has been around for some years now, yet phishing has existed for far longer. In recent weeks, the Covid-19 pandemic has only given it a new face. At PowerDMARC, we’re here to help you meet this new challenge head-on. Sign up here for your free DMARC analyzer, so that while you stay home safe from coronavirus, your domain is safe from email spoofing.

According to the 2019 Cost of Data Breach Report, from Ponemon Institute and IBM Security, the global average cost of a data breach is $3.92 million!

This cyberattack business is a lucrative one. 

In fact, Business Email Compromise generates higher ROI than any other cyberattack. According to the 2019 Internet Crime Report, it reported losses of over $1.7 billion. 

Cybersecurity measures and protocols are crucial to business continuity now more than ever.

According to the Verizon 2019 Data Breach Investigations Report, 94% of malware was delivered by email.

Enter Domain-based Message Authentication, Reporting, and Conformance (DMARC). 

Yes, it’s quite a mouthful. But the time to protect your business email is now.

What is DMARC? DMARC is a relatively new technology.  It’s a technical validation policy that’s set to help protect email senders and receivers from all email spam.

dmarc illustration| DMARC,DKIM,SPF

DMARC is a solution that builds on both the Sender Policy Framework (SPF) and Domain Key Identified Mail (DKIM) solutions. This technology allows your organisation to publish a specific security policy around your email authentication processes and then instructs your mail server on how to enforce them.

 

DMARC has three main policy settings: 

  • Monitor policy – p=none. This policy means that no action will be taken in the light of failing the DMARC checks.
  • Quarantine policy – p=quarantine. This policy means that all emails that fail your DMARC check need to be treated as suspicious, this could see some emails landing up on your spam folder.
  • Reject policy – p=reject. This policy is set up to reject all emails that do not pass your DMARC checks.

The ways these policies are set up is entirely up to your organisation and how you want to handle unauthenticated emails.

According to the 2019 Global DMARC Adoption Report, only 20.3% of domains are publishing some level of DMARC policy of that only 6.1% have a reject policy in place.

Why DMARC is important for your business?

At this point, you’re wondering if you really need DMARC if you already have SPF and DKIM.

The short answer is yes.

But there’s more…

As of 2019, there were over 3.9 billion email accounts, and when you consider that 94% of malware attacks occurred through email, it absolutely makes business sense to do your very best to protect your email.

While the corporate uptake of DMARC has been slow, it’s essential to note that digital giants such as Facebook and PayPal have adopted DMARC technology.

  • Reporting. The reporting offered with DMARC allows your organisation greater insights into your email channels. They will help your organisation monitor what emails are being sent and received by your organisation. DMARC reports will give you insights into how your domain is being used and can play a role in developing more robust email communications.
  • Enhanced control. DMARC allows you full control over what emails are being sent from your domain. If email abuse is taking place, you will immediately see it in the report allowing you to correct any authentication issues.

Key Takeaways

We’re living in an era where cyberattacks are every businesses reality.

By not securing your email effectively you are opening your business up to all kinds of vulnerabilities.

Don’t let yours be next.

 

 

Take a look at how PowerDMARC can help you secure your business email today.

Simply click the button below to speak to an email security expert today