Imagine you get to work one day, settle down at your desk, and open up your computer to check the news. Then you see it. Your organization’s name is all over the headlines — and it’s not good news. Someone launched an email spoofing attack from your domain, sending phishing emails to people all over the world. And many of them fell for it. Your company just became the face of a huge phishing attack, and now no one trusts your security or your emails.
This is exactly the situation the World Health Organization (WHO) found itself in during the Covid-19 pandemic in February 2020. Attackers sent emails that appeared to come from the WHO's own domain, asking people to donate to a coronavirus relief fund. The incident is hardly an isolated one. Countless organizations have been impersonated by convincing phishing emails that casually ask for sensitive personal information, bank details or even login credentials. The emails can even appear to come from inside the same organization, asking a colleague for access to a database or company files.
Estimates put phishing behind as many as 90% of data loss incidents. And yet domain spoofing isn't even particularly complex to pull off. So why is it able to do so much damage?
How Does Domain Spoofing Work?
Domain spoofing attacks are pretty simple to understand.
- The attacker forges the From: header (and often the envelope sender) so the message appears to come from your domain, then sends phishing emails that recipients trust because they carry your brand name.
- Recipients click malicious links or hand over sensitive information, believing it is your organization asking for them.
- When they realize it was a scam, your brand image takes the hit and customers lose trust in you.
You're exposing people outside (and inside) your organization to phishing emails, and malicious emails sent in your domain's name can seriously damage your brand's reputation in the eyes of customers.
So what can you do about this? How can you defend yourself and your brand against domain spoofing, and avert a PR disaster? Here are five ways to stop email spoofing of your domain:
1. Keep Your SPF Record Concise
One of the most common SPF mistakes is letting the record grow until it breaks. RFC 7208 caps the number of DNS lookups a receiver may perform while evaluating a record at 10, to bound the cost of checking each message. The terms that count are include:, a, mx, ptr, exists and the redirect= modifier; ip4: and ip6: entries are matched locally and cost nothing, so literal address ranges are the cheap way to authorize a sender. Nested include: chains from vendors are what usually blow the budget, because every include: counts once for itself plus everything it pulls in. If the limit is exceeded, the record evaluates to a permerror rather than a pass, DMARC treats that as an SPF failure, and your legitimate mail may not be delivered. Don't let that happen: keep your SPF record short, and audit the lookup count whenever you add a sender.
2. Keep Your List of Approved IPs up-to-date
If your organization authorizes multiple third-party vendors to send email from your domain, this one is for you. When you stop using one of them, update your SPF record at the same time. If that vendor's sending infrastructure is later compromised, or its IP ranges are reassigned, someone could use it to send 'approved' phishing emails from your domain. A stale include: is also a reliability problem: if the vendor stops publishing an SPF record at that name, the include evaluates to a permerror and your own mail fails SPF. Always make sure that only vendors still sending for you keep their IP ranges or include: entries in your SPF record.
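The two SPF points above (the 10-lookup budget and stale vendor entries) are easiest to check mechanically. The following is an added example, not code from the original article: a small offline SPF auditor that parses records, counts lookups the way a verifier does (following include: and redirect= recursively, ignoring ip4:/ip6:), and flags records that exceed the limit, include a name with no SPF record, or end in +all/?all. The zone data is constructed for the example; the domain names are hypothetical.

```python
# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
# ip4: and ip6: are matched locally and cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed zone data for this example (hypothetical names, not real records).
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example "
                   "include:spf.crm.example mx -all",
    "_spf.mailvendor.example": "v=spf1 include:a.mailvendor.example include:b.mailvendor.example ~all",
    "a.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.mailvendor.example": "v=spf1 a mx -all",
    "spf.crm.example": "v=spf1 include:_spf.mailvendor.example ip4:192.0.2.0/24 -all",
    # Several literal networks, zero lookups: the cheap way to write a record.
    "clean.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    # A vendor that was dropped but never removed from the record.
    "stale.example": "v=spf1 include:spf.oldvendor.example -all",
    # Anyone may send as this domain.
    "open.example": "v=spf1 +all",
}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, argument) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for token in tokens[1:]:
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        if "=" in token:                      # modifier: redirect=..., exp=...
            name, arg = token.split("=", 1)
        elif ":" in token:                    # mechanism with argument: include:..., ip4:...
            name, arg = token.split(":", 1)
        else:                                 # bare mechanism: a, mx, all (maybe with /prefix)
            name, arg = token, None
        terms.append((qualifier, name.split("/", 1)[0].lower(), arg))
    return terms


def count_lookups(domain, zone, path=()):
    """Count the DNS lookups a verifier needs to evaluate `domain`'s record,
    following include: and redirect= the way a verifier does.
    Returns (count, findings)."""
    if domain in path:
        return 0, [f"{domain}: include/redirect loop via {' -> '.join(path)}"]
    record = zone.get(domain)
    if record is None:
        # RFC 7208: include: of a name with no SPF record is a permerror.
        return 0, [f"{domain}: no SPF record (an include: of it is a permerror)"]
    count, findings = 0, []
    for qualifier, name, arg in parse_spf(record):
        if name in ("include", "redirect"):
            count += 1                        # one lookup for the target itself ...
            sub_count, sub_findings = count_lookups(arg, zone, path + (domain,))
            count += sub_count                # ... plus everything it pulls in
            findings += sub_findings
        elif name in LOOKUP_TERMS:            # a, mx, ptr, exists
            count += 1
        elif name == "all" and qualifier in "+?":
            findings.append(f"{domain}: '{qualifier}all' lets any host pass SPF")
    return count, findings


def audit_spf(domain, zone=ZONE):
    """Audit one domain: lookup count, limit check and the findings above."""
    count, findings = count_lookups(domain, zone)
    if count > MAX_LOOKUPS:
        findings.append(f"{domain}: {count} DNS lookups exceeds {MAX_LOOKUPS} "
                        "(permerror; DMARC treats this as an SPF fail)")
    return {"domain": domain, "lookups": count, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    for d in ("example.com", "clean.example", "stale.example", "open.example"):
        result = audit_spf(d)
        print(f"{d}: {result['lookups']} lookups, ok={result['ok']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Note how example.com reaches 12 lookups even though it lists only two vendors: the CRM vendor's record itself includes the mail vendor, so that whole chain is counted twice. Against a real zone you would replace the `ZONE` dict with TXT lookups via a DNS library; the counting logic stays the same.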
3. Set Up DKIM
DomainKeys Identified Mail, or DKIM, adds a digital signature to every email sent from your domain. The sending server signs selected headers (From:, Subject:, Date: and so on) together with a hash of the body using a private key, and the matching public key is published in DNS at selector._domainkey.yourdomain. The receiving server fetches that key and verifies the signature, which tells it both that the message was signed by a holder of your key and that the signed parts were not modified in transit. If anything covered by the signature has been tampered with, verification fails and the email fails DKIM. One caveat: DKIM on its own does not stop spoofing, because an attacker can simply send unsigned mail carrying your From: address; it becomes a defence against spoofing once DMARC requires mail to carry an aligned DKIM signature or pass aligned SPF. If you want to preserve the integrity of your mail, get DKIM set up on your domain.
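To show the integrity part of DKIM concretely, here is an added example (not code from the original article) of the body-hash step of DKIM verification: relaxed body canonicalization per RFC 6376 section 3.4.4, the bh= value, and a check of a received body against it. It deliberately stops short of the RSA signature over the headers (the b= tag is left empty), so it demonstrates tamper detection on the body only; the message body, domain and selector are constructed for the example.

```python
import base64
import hashlib
import re


def canonicalize_body_relaxed(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Collapse runs of whitespace to one space and drop trailing whitespace.
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    # Drop empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    # A non-empty body always ends in CRLF; an empty body canonicalizes to "".
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def make_dkim_signature(body: str, domain="example.com", selector="s1") -> str:
    """Build the tag list of a DKIM-Signature header with bh= filled in.
    b= would carry the RSA signature over the listed headers and is left
    empty here, so this is only the body-hash half of signing."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=")


def verify_body_hash(dkim_signature: str, body: str) -> bool:
    """True only if the body the receiver sees matches the signed bh= value."""
    tags = parse_dkim_tags(dkim_signature)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/", 1)[1] if "/" in canon else "simple"
    if body_canon != "relaxed":
        return False  # only relaxed body canonicalization is implemented here
    return body_hash(body) == tags["bh"]


# Constructed message body (not a real email).
ORIGINAL_BODY = "Hello,\r\n\r\nThe quarterly report is attached.\r\n\r\nRegards,\r\nFinance\r\n"
# An intermediary rewriting the body to point at a hypothetical malicious host.
TAMPERED_BODY = ORIGINAL_BODY.replace("attached", "at https://evil.example/report")

if __name__ == "__main__":
    sig = make_dkim_signature(ORIGINAL_BODY)
    print("original verifies:", verify_body_hash(sig, ORIGINAL_BODY))
    print("tampered verifies:", verify_body_hash(sig, TAMPERED_BODY))
```

Relaxed canonicalization is what lets a signature survive the whitespace rewrapping that mail relays sometimes do, while any change to the actual content produces a different bh= and fails verification.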
4. Set The Right DMARC Policy
Far too often, an organization publishes a DMARC record but skips the most important part: actually enforcing it. DMARC has three policies: none, quarantine and reject. With p=none, mail that fails DMARC is still delivered; the record only asks receivers to send you reports. That is a reasonable place to start, because the aggregate reports (rua=) show you which legitimate senders are not yet passing SPF or DKIM with a domain aligned to your From: address. Once those are fixed, move to quarantine and then to reject, so that unauthenticated mail claiming to be from your domain is blocked before it reaches an inbox. A record left at p=none also does nothing for your reputation: receivers score a domain as mail arrives, and a history of spoofed mail associated with your domain drags down deliverability for your real mail too.
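The policy choice only matters in combination with alignment, which is where most DMARC rollouts stall. The following is an added example, not code from the original article: a minimal DMARC evaluator that parses a record, checks whether the SPF or DKIM domain aligns with the From: domain (strict or relaxed), and returns the disposition a receiver would apply. It simplifies the organizational-domain lookup to the last two labels (a real implementation uses the Public Suffix List) and ignores pct= sampling; the records and sending scenarios are constructed, with hypothetical domain names.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment
    tags.setdefault("aspf", "r")       # relaxed SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("pct", "100")      # sampling is ignored below (treated as 100)
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    A real implementation consults the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition). The disposition is what the record
    asks the receiver to do with the message: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    # A pass only counts if the authenticated domain aligns with the From: domain.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return "fail", tags["sp"] if is_subdomain else tags["p"]


# Constructed records for a hypothetical example.com.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; pct=100; "
            "rua=mailto:dmarc-reports@example.com")
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"

# Constructed authentication results as a receiver would see them.
SPOOF = dict(from_domain="example.com", spf_result="fail",
             spf_domain="attacker.example", dkim_result="none", dkim_domain="")
# A vendor sending with its own bounce domain (SPF passes but is unaligned)
# and a DKIM signature with d=example.com (aligned).
VENDOR = dict(from_domain="example.com", spf_result="pass",
              spf_domain="bounces.mailvendor.example",
              dkim_result="pass", dkim_domain="example.com")
VENDOR_NO_DKIM = dict(VENDOR, dkim_result="none", dkim_domain="")

if __name__ == "__main__":
    print("spoof, p=none:      ", dmarc_evaluate(MONITOR_ONLY, **SPOOF))
    print("spoof, p=reject:    ", dmarc_evaluate(ENFORCED, **SPOOF))
    print("vendor with DKIM:   ", dmarc_evaluate(ENFORCED, **VENDOR))
    print("vendor without DKIM:", dmarc_evaluate(ENFORCED, **VENDOR_NO_DKIM))
```

The vendor cases are the ones the aggregate reports reveal: a sender whose SPF passes for its own bounce domain still fails DMARC for yours unless it also signs with an aligned DKIM key, and under p=reject that legitimate mail is blocked. That is why the move from none to reject should follow the reports rather than precede them.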
5. Implement BIMI
Brand Indicators for Message Identification, or BIMI, is an email standard that lets participating mailbox providers display your brand logo next to your messages in the inbox. It is not an authentication mechanism in itself: the logo is shown only for mail that passes DMARC, and BIMI requires your DMARC policy to be at enforcement (quarantine or reject), with many providers also requiring a Verified Mark Certificate for the logo. That dependency is what makes it useful against spoofing. Mail an attacker sends in your domain's name fails DMARC, so it is rejected or quarantined under your policy, and even where a provider still delivers it, it arrives without your logo, which makes a fake easier for your customers to spot. BIMI's advantage is twofold, though. Every time someone receives an email from you, they see your logo and immediately associate it with the product or service you offer. So as well as helping your organization avoid email spoofing, it boosts your brand recognition.