Posts

One of the easiest ways to put yourself at risk of losing your data is to use email. No, seriously — the sheer number of businesses that face data breaches or get hacked because of an email phishing scam is staggering. So why do we still use email, then? Why not just use a more secure mode of communication that does the same job, only with better security?

It’s simple: email is incredibly convenient and everyone uses it. Pretty much every organization out there uses email either for communication or marketing. Email is integral to how business works. But the biggest flaw of email is something that’s unavoidable: it requires humans to interact with it. When people open emails, they read the contents, click on links, or even enter personal information. And because we don’t have the time or ability to carefully scrutinize every email, there’s a chance that one of them ends up being a phishing attack.

Attackers impersonate well-known, trusted brands to send emails to unsuspecting individuals. This is called domain spoofing. The recipients believe the messages to be genuine and click on malicious links or enter their login information, putting themselves at the attacker’s mercy. As long as these phishing emails continue entering people’s inboxes, email won’t be totally safe to use.

How Does DMARC Make Email Secure?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol designed to combat domain spoofing. It uses two existing security protocols—SPF and DKIM—to protect users from receiving fraudulent email. When an organization sends email through their domain, the receiving email server checks their DNS for a DMARC record. The server then validates the email against SPF and DKIM. If the email successfully authenticates, it gets delivered to the destination inbox.

 

 Look up and generate records for DMARC, SPF, DKIM and more with Power Toolbox for free!

 

Only authorized senders are validated through SPF and DKIM, which means if someone tried to spoof their domain, the email would fail DMARC authentication. If that happens, the DMARC policy set by the domain owner tells the receiving server how to handle the email.

What is a DMARC Policy?

When implementing DMARC, the domain owner can set their DMARC policy, which tells the receiving email server what to do with an email that fails DMARC. There are 3 policies:

  • p=none
  • p=quarantine
  • p = reject

If your DMARC policy is set to none, even emails that don’t pass DMARC get delivered to the inbox. This is almost like not having a DMARC implementation at all. Your policy should only be set to none when you’re just setting up DMARC and want to monitor the activity in your domain.

Setting your DMARC policy to quarantine sends the email to the spam folder, while reject outright blocks the email from the receiver’s inbox. You need to have your DMARC policy set to either p=quarantine or p=reject in order to have full enforcement. Without enforcing DMARC, users receiving your emails will still receive emails from unauthorized senders spoofing your domain.

But all of this raises an important question. Why doesn’t everyone just use SPF and DKIM to verify their emails? Why bother with DMARC at all? The answer to that is…

DMARC Reporting

If there’s one key shortcoming of SPF and DKIM, it’s that they don’t give you feedback on how emails are being processed. When an email from your domain fails SPF or DKIM, there’s really no way to tell, and no way to fix the issue. If someone’s trying to spoof your domain, you wouldn’t even know about it.

That’s what makes DMARC’s reporting feature such a game-changer. DMARC generates weekly Aggregate Reports to the owner’s specified email address. These reports contain detailed information about which emails failed authentication, which IP addresses they were sent from, and lots more useful, actionable data. Having all this information can help the domain owner see which emails are failing to authenticate and why, and even identify spoofing attempts.

So far, it’s pretty clear that DMARC benefits email recipients by protecting them from unauthorized phishing emails. But it’s the domain owners that are implementing it. What advantage do organizations get when they deploy DMARC?

DMARC For Brand Safety

Although DMARC wasn’t created with this purpose, there’s one major advantage organizations stand to gain by implementing it: brand protection. When an attacker impersonates a brand to send malicious emails, they’re effectively co-opting the brand’s popularity and goodwill to peddle a scam. In a survey conducted by the IBID Group, 83% of customers said that they’re concerned about purchasing from a company that was previously breached.

The intangible elements of a transaction can often be as powerful as any hard data. Consumers put a lot of trust in the organizations they buy from, and if these brands become the face of a phishing scam, they stand to lose not only the customers who got phished, but many others who heard about it in the news. Brand safety is fragile, and must be guarded for the sake of the business and the customer.

 

There’s more to brand safety than just DMARC. BIMI lets users see your logo next to their emails! Check it out:

 

DMARC enables brands to take back control of who gets to send emails through their domain. By shutting out unauthorized senders from exploiting them, organizations can ensure only safe, legitimate emails go out to the public. This not only boosts their domain’s reputation with email providers, but it also goes a long way in ensuring a relationship built on trust and reliability between the brand and consumers.

DMARC: Making Email Safe for Everyone

DMARC’s purpose has always been greater than helping brands safeguard their domains. When everyone adopts DMARC, it creates an entire email ecosystem inoculated against phishing attacks. It works exactly like a vaccine — the more people that enforce the standard, the smaller the chances of everyone else falling prey to fake emails. With each domain that gets DMARC-protected, email as a whole becomes that much safer.

By making email safe for ourselves, we can help everyone else use it more freely. And we think that’s a standard worth upholding.

 

 

This article will explore how to stop email spoofing, in 5 ways. Imagine you get to work one day, settle down at your desk, and open up your computer to check the news. Then you see it. Your organization’s name is all over the headlines — and it’s not good news. Someone launched an email spoofing attack from your domain, sending phishing emails to people all over the world. And many of them fell for it. Your company just became the face of a huge phishing attack, and now no one trusts your security or your emails.

This is exactly the situation that employees of the World Health Organization (WHO) found themselves in during the Covid-19 pandemic in February 2020. Attackers were using the WHO’s actual domain name to send emails requesting people to donate to a coronavirus relief fund. This incident is hardly an isolated one, however. Countless organizations have fallen victim to very convincing phishing emails that innocuously ask for sensitive personal information, bank details, or even login credentials. These can even be in the form of emails from within the same organization, casually asking for access to a database or company files.

As much as 90% of all data loss incidents have involved some element of phishing. And yet, domain spoofing isn’t even particularly complex to pull off. So why is it able to do so much damage?

How Does Domain Spoofing Work?

Domain spoofing attacks are pretty simple to understand.

  • The attacker forges the email header to include your organization’s name and sends fake phishing emails out to someone, using your brand name so they trust you.
  • People click on malicious links or give away sensitive information thinking it’s your organization asking for them.
  • When they realize it’s a scam, your brand image takes a hit, and customers will lose trust in you

 

You’re exposing people outside (and inside) your organization to phishing emails. Even worse, malicious emails sent from your domain could really hurt your brand reputation in the eyes of customers.

So what can you do about this? How can you defend yourself and your brand against domain spoofing, and avert a PR disaster?

How to Stop Email Spoofing?

1. Modify Your SPF Record

One of the biggest mistakes with SPF is not keeping it concise. SPF records have a limit of 10 DNS Lookups to keep the cost of processing each email as low as possible. This means that simply including multiple IP addresses in your record could make you exceed your limit. If that happens, your SPF implementation becomes invalid and your email fails SPF and might not get delivered. Don’t let that happen: keep your SPF record short and sweet with auto SPF flattening.

2. Keep Your List of Approved IPs up-to-date

If your organization uses multiple third-party vendors approved to send email from your domain, this is for you. If you discontinue your services with one of them, you need to make sure you update your SPF record, too. If the vendor’s email system is compromised, someone might be able to use it to send ‘approved’ phishing emails from your domain! Always make sure only third-party vendors still working with you have their IPs on your SPF record.

3. Implement DKIM

DomainKeys Identified Mail, or DKIM, is a protocol that gives every email sent from your domain a digital signature. This allows the receiving email server to validate if the email is genuine and if it’s been modified during transit. If the email has been tampered with, the signature doesn’t get validated and the email fails DKIM. If you want to preserve the integrity of your data, get DKIM set up on your domain!

4. Set The Right DMARC Policy

Far too often, an organization implements DMARC but forgets the most important thing — actually enforcing it. DMARC policies can be set to one of three things: none, quarantine, and reject. When you set up DMARC, having your policy set to none means even an email that fails authentication gets delivered. Implementing DMARC is a good first step, but without enforcing it, the protocol is ineffective. Instead, you should preferably set your policy to reject, so emails that don’t pass DMARC are automatically blocked.

It’s important to note that email providers determine the reputation of a domain name when receiving an email. If your domain has a history of spoofing attacks associated with it, your reputation goes down. Consequently, your deliverability takes a hit too.

5. Upload Your Brand Logo To BIMI

Brand Indicators for Message Identification, or BIMI, is an email security standard that uses brand logos to authenticate email. BIMI attaches your logo as an icon next to all your emails, making it instantly recognizable in someone’s inbox. If an attacker were to send an email from your domain, their email wouldn’t have your logo next to it. So even if the email got delivered, the chances of your customers recognizing a fake email would be much higher. But BIMI’s advantage is twofold.

Every time someone receives an email from you, they see your logo and immediately associate you with the product or service your offer. So not only does it help your organization stop email spoofing, it actually boosts your brand recognition.

Sign up for your free DMARC analyzer today!

 

Email phishing has evolved over the years from gamers sending prank emails to it becoming a highly lucrative activity for hackers across the world.

In fact, in the early to mid-’90s AOL experienced some of the first big email phishing attacks. Random credit card generators were used to steal user credentials which allowed hackers to gain wider access into AOL’s company-wide database.

These attacks were shut down as AOL upgraded their security systems to prevent further damage. This then led hackers to develop more sophisticated attacks using impersonation tactics which are still widely used today.

If we jump forward to today, the impersonation attacks most recently affecting both the White House and the WHO prove that any entity is at some point or another is vulnerable to email attacks.

According to Verizon’s 2019 Data Breach Investigation Report, approximately 32% of data breaches experienced in 2019 included email phishing and social engineering respectively.

With that in mind, we’re going to take a look at the different types of phishing attacks and why they pose a huge threat to your business today.

Let’s get started.

1. Email spoofing

Email spoofing attacks are when a hacker forges an email header and sender address to make it look like the email has come from someone they trust. The purpose of an attack like this is to coax the recipient into opening the mail and possibly even clicking on a link or beginning a dialogue with the attacker

These attacks rely heavily on social engineering techniques as opposed to using traditional hacking methods.

This may seem a rather unsophisticated or ‘low-tech’ approach to a cyberattack. In reality, though, they’re extremely effective at luring people through convincing emails sent to unsuspecting employees. Social engineering takes advantage not of the flaws in a system’s security infrastructure, but in the inevitability of human error.

Take a look:

In September 2019, Toyota lost $37 million to an email scam.

The hackers were able to spoof an email address and convince an employee with financial authority to alter account information for an electronic funds transfer.

Resulting in a massive loss to the company.

2. Business Email Compromise (BEC)

According to the FBI’s 2019 Internet Crime Report, BEC scams resulted in over $1.7 million and accounted for more than half cybercrime losses experienced in 2019.

BEC is when an attacker gains access to a business email account and is used to impersonate the owner of that account for the purposes of causing damage to a company and its employees.

This is because BEC is a very lucrative form of email attack, it produces high returns for attackers and which is why it remains a popular cyber threat.

A town in Colorado lost over $1 million to a BEC scam.

The attacker filled out a form on the local website where they requested a local construction company to receive electronic payments instead of receiving the usual checks for work they were currently doing in the town.

An employee accepted the form and updated the payment information and as a result sent over a million dollars to the attackers.

3. Vendor Email Compromise (VEC)

In September 2019, Nikkei Inc. Japan’s largest media organization lost $29 million.

An employee based in Nikkei’s American office transferred the money on instruction from the scammers who impersonated a Management Executive.

A VEC attack is a type of email scam that compromises employees at a vendor company. Such as our above example. And, of course, resulted in huge financial losses for the business.

What about DMARC?

Businesses the world over are increasing their cybersecurity budgets to limit the examples we’ve listed above. According to IDC global spending on security solutions is forecasted to reach $133.7 billion in 2022.

But the truth of the matter is that the uptake of email security solutions like DMARC is slow.

DMARC technology arrived on the scene in 2011 and is effective in preventing targeted BEC attacks, which as we know are a proven threat to businesses all over the world.

DMARC works with both SPF and DKIM which allows you to determine which actions should be taken against unauthenticated emails to protect the integrity of your domain.

READ: What is DMARC and why your business needs to get on board today?

Each of the above cases had something in common… Visibility.

This technology can reduce the impact email phishing activity can have on your business. Here’s how:

  • Increased visibility. DMARC technology sends reports to provide you with detailed insight into the email activity across your business. PowerDMARC uses a powerful Threat Intelligence engine that helps produce real-time alerts of spoofing attacks. This is coupled with full reporting, allowing your business greater insight into a user’s historical records.
  • Increased email security. You will be able to track your company’s emails for any spoofing and phishing threats. We believe the key to prevention is the ability to act quickly, therefore, PowerDMARC has 24/7 security ops centers in place. They have the ability to pull down domains abusing your email immediately, offering your business an increased level of security.
    The globe is in the throes of the COVID-19 pandemic, but this has only provided a widespread opportunity for hackers to take advantage of vulnerable security systems.

The recent impersonation attacks on both the White House and the WHO really highlight the need for greater use of DMARC technology.

 

In light of the COVID-19 pandemic and the rise in email phishing, we want to offer you 3 months FREE DMARC protection. Simply click the button below to get started right now 👇

 

 

As organisations set up charity funds around the world to fight Covid-19, a different sort of battle is being waged in the electronic conduits of the internet. Thousands of people around the world have fallen prey to email spoofing and covid-19 email scams during the coronavirus pandemic. It’s become increasingly common to see cybercriminals use real domain names of these organisations in their emails to appear legitimate.

In the most recent high-profile coronavirus scam, an email supposedly from the World Health Organization (WHO) was sent around the world, requesting donations to the Solidarity Response Fund. The sender’s address was ‘[email protected]’, where ‘who.int’ is the real domain name for WHO. The email was confirmed to be a phishing scam, but at first glance, all signs pointed to the sender being genuine. After all, the domain belonged to the real WHO.

donate response fund

However, this has only been one in a growing series of phishing scams that use emails related to coronavirus to steal money and sensitive information from people. But if the sender is using a real domain name, how can we distinguish a legitimate email from a fake one? Why are cybercriminals so easily able to employ email domain spoofing on such a large organisation?

And how do entities like WHO find out when someone is using their domain to launch a phishing attack?

Email is the most widely used business communication tool in the world, yet it’s a completely open protocol. On its own, there’s very little to monitor who sends what emails and from which email address. This becomes a huge problem when attackers disguise themselves as a trusted brand or public figure, asking people to give them their money and personal information. In fact, over 90% of all company data breaches in recent years have involved email phishing in one form or the other. And email domain spoofing is one of the leading causes of it.

In an effort to secure email, protocols like Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) were developed. SPF cross-checks the sender’s IP address with an approved list of IP addresses, and DKIM uses an encrypted digital signature to protect emails. While these are both individually effective, they have their own set of flaws. DMARC, which was developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and has a mechanism that sends the domain owner a report whenever an email fails DMARC validation.

This means the domain owner is notified whenever an email sent by an unauthorised third party. And crucially, they can tell the email receiver how to handle unauthenticated mail: let it go to inbox, quarantine it, or reject it outright. In theory, this should stop bad email from flooding people’s inboxes and reduce the number of phishing attacks we face. So why doesn’t it?

Can DMARC Prevent Domain Spoofing and Covid-19 Email Scams?

Email authentication requires sender domains to publish their SPF, DKIM and DMARC records to DNS. According to a study, only 44.9% of Alexa top 1 million domains had a valid SPF record published in 2018, and as little as 5.1% had a valid DMARC record. And this is despite the fact that domains without DMARC authentication suffer from spoofing nearly four times as much as domains that are secured. There’s a lack of serious DMARC implementation across the business landscape, and it’s not gotten much better over the years. Even organisations like UNICEF have yet to implement DMARC with their domains, and the White House and US Department of Defense both have a DMARC policy of p = none, which means they’re not being enforced.

A survey conducted by experts at Virginia Tech has brought to light some of the most serious concerns cited by major companies and businesses that have yet to use DMARC authentication:

  1. Deployment Difficulties: The strict enforcement of security protocols often means a high level of coordination in large institutions, which they often don’t have the resources for. Beyond that, many organisations don’t have much control over their DNS, so publishing DMARC records becomes even more challenging.
  2. Benefits Not Outweighing the Costs: DMARC authentication typically has direct benefits to the recipient of the email rather than the domain owner. The lack of serious motivation to adopt the new protocol has kept many companies from incorporating DMARC into their systems.
  3. Risk of Breaking the Existing System: The relative newness of DMARC makes it more prone to improper implementation, which brings up the very real risk of legitimate emails not going through. Businesses that rely on email circulation can’t afford to have that happening, and so don’t bother adopting DMARC at all.

Recognising Why We Need DMARC

While the concerns expressed by businesses in the survey have obvious merit, it doesn’t make DMARC implementation any less imperative to email security. The longer businesses continue to function without a DMARC-authenticated domain, the more all of us expose ourselves to the very real danger of email phishing attacks. As the coronavirus email spoofing scams have taught us, no one is safe from being targeted or impersonated. Think of DMARC as a vaccine — as the number of people using it grows, the chances of catching an infection go down dramatically.

There are real, viable solutions to this problem that might overcome people’s concerns over DMARC adoption. Here are just a few that could boost implementation by a large margin:

  1. Reducing Friction in Implementation: The biggest hurdle standing in the way of a company adopting DMARC are the deployment costs associated with it. The economy is in the doldrums and resources are scarce. This is why PowerDMARC along with our industrial partners Global Cyber Alliance (GCA) are proud to announce a limited-time offer during the Covid-19 pandemic — 3 months of our full suite of apps, DMARC implementation and anti-spoofing services, completely free. Get your DMARC solution set up in minutes and start monitoring your emails using PowerDMARC now.
  2. Improving Perceived Usefulness: For DMARC to have a major impact on email security, it needs a critical mass of users to publish their SPF, DKIM and DMARC records. By rewarding DMARC-authenticated domains with a ’Trusted’ or ‘Verified’ icon (like with the promotion of HTTPS among websites), domain owners can be incentivised to get a positive reputation for their domain. Once this reaches a certain threshold, domains protected by DMARC will be viewed more favourably than ones that aren’t.
  3. Streamlined Deployment: By making it easier to deploy and configure anti-spoofing protocols, more domains will be agreeable to DMARC authentication. One way this could be done is by allowing the protocol to run in a ’Monitoring mode’, allowing email administrators to assess the impact it has on their systems before going for a full deployment.

Every new invention brings with it new challenges. Every new challenge forces us to find a new way to overcome it. DMARC has been around for some years now, yet phishing has existed for far longer. In recent weeks, the Covid-19 pandemic has only given it a new face. At PowerDMARC, we’re here to help you meet this new challenge head-on. Sign up here for your free DMARC analyzer, so that while you stay home safe from coronavirus, your domain is safe from email spoofing.

According to the 2019 Cost of Data Breach Report, from Ponemon Institute and IBM Security, the global average cost of a data breach is $3.92 million!

This cyberattack business is a lucrative one. 

In fact, Business Email Compromise generates higher ROI than any other cyberattack. According to the 2019 Internet Crime Report, it reported losses of over $1.7 billion. 

Cybersecurity measures and protocols are crucial to business continuity now more than ever.

According to the Verizon 2019 Data Breach Investigations Report, 94% of malware was delivered by email.

Enter Domain-based Message Authentication, Reporting, and Conformance (DMARC). 

Yes, it’s quite a mouthful. But the time to protect your business email is now.

What is DMARC? DMARC is a relatively new technology.  It’s a technical validation policy that’s set to help protect email senders and receivers from all email spam.

dmarc illustration| DMARC,DKIM,SPF

DMARC is a solution that builds on both the Sender Policy Framework (SPF) and Domain Key Identified Mail (DKIM) solutions. This technology allows your organisation to publish a specific security policy around your email authentication processes and then instructs your mail server on how to enforce them.

 

DMARC has three main policy settings: 

  • Monitor policy – p=none. This policy means that no action will be taken in the light of failing the DMARC checks.
  • Quarantine policy – p=quarantine. This policy means that all emails that fail your DMARC check need to be treated as suspicious, this could see some emails landing up on your spam folder.
  • Reject policy – p=reject. This policy is set up to reject all emails that do not pass your DMARC checks.

The ways these policies are set up is entirely up to your organisation and how you want to handle unauthenticated emails.

According to the 2019 Global DMARC Adoption Report, only 20.3% of domains are publishing some level of DMARC policy of that only 6.1% have a reject policy in place.

Why DMARC is important for your business?

At this point, you’re wondering if you really need DMARC if you already have SPF and DKIM.

The short answer is yes.

But there’s more…

As of 2019, there were over 3.9 billion email accounts, and when you consider that 94% of malware attacks occurred through email, it absolutely makes business sense to do your very best to protect your email.

While the corporate uptake of DMARC has been slow, it’s essential to note that digital giants such as Facebook and PayPal have adopted DMARC technology.

  • Reporting. The reporting offered with DMARC allows your organisation greater insights into your email channels. They will help your organisation monitor what emails are being sent and received by your organisation. DMARC reports will give you insights into how your domain is being used and can play a role in developing more robust email communications.
  • Enhanced control. DMARC allows you full control over what emails are being sent from your domain. If email abuse is taking place, you will immediately see it in the report allowing you to correct any authentication issues.

Key Takeaways

We’re living in an era where cyberattacks are every businesses reality.

By not securing your email effectively you are opening your business up to all kinds of vulnerabilities.

Don’t let yours be next.

 

 

Take a look at how PowerDMARC can help you secure your business email today.

Simply click the button below to speak to an email security expert today