The recent DNC leak and Donald Trump’s call for Russians to hack Hillary Clinton’s email have suddenly brought the public’s attention to email security in a big way. Rightly so, as email phishing attacks play a role in 95% of the major security breaches taking place today.
In particular, we’ve seen the rise of a new form of phishing called spear phishing. It’s a crafty new technique that has duped a lot of organizations in recent years. The stakes are high, with businesses losing millions of dollars, critical secrets, and more. Experts say it’s likely to blame for the Russian hack of the DNC’s emails. Fortunately, there is a straightforward step every political organization, business or federal agency can take to inoculate itself against this kind of attack. It’s called email authentication.
Spear Phishing and Business Email Compromise
Spear phishing targets a specific employee inside a company for an email-based, one-on-one con job. It starts with email pretending to come from a trusted colleague with authority, often the CEO or another C-level executive. In a few messages back and forth, the “CEO” reveals the need for help with a time-sensitive and usually confidential matter. Eventually the employee acts as requested, believing they have done the company a service.
Unfortunately, the person on the other end is not the C-level executive in question. It’s actually a professional online scammer, and the unwitting employee has either taken action or revealed information that the criminal can use to profit at the company’s expense. Common outcomes include a wire transfer to a foreign bank account or revealing employees’ Personally Identifiable Information for use in identity theft.
Called Business Email Compromise, or BEC, these attacks are individually crafted for each executive they target. BEC attacks have emerged forcefully in the past few years. The FBI reports that between January 2015 and June 2016 BEC attacks increased 1300%, costing an estimated 22,000 companies $3.1 billion.
Losses can be quite large. In April, the US government filed court proceedings for an unnamed corporation that lost $98.9 million to one of these scams. In May, Austrian manufacturer FACC fired its CEO and finance chief after losing 50 million euros to a BEC attack. Recent months have seen class action lawsuits by employees against large companies like Seagate and Sprouts Farmers Market over W-2 information released to spear phishers.
Introducing Email Authentication
Spear phishing attacks are so effective because there is no way to visually distinguish them from real emails. The fraudsters use identity spoofing, where they change the email’s From field to exactly match the address of the impersonated individual. Training employees to detect these attacks is ineffective since they are undetectable to the human eye.
In response, the email industry has created Email Authentication. Email Authentication lets a domain name’s owner declare who is allowed to send email using that domain – and how to treat unauthenticated email. The owner can choose to mark unauthenticated email as spam or not deliver it at all.
The instruction is published using an industry-standard protocol called DMARC. DMARC enforcement reaches more than 99% of messages received in North America, and organizations can use it to eliminate 100% of inbound email spoofing their identities.
Slow Adoption Slows Benefits
Even though it has been an established standard since 2012, DMARC today is present for less than 5% of domain names, despite major corporations like PayPal using it to slash phishing against their brands. That’s because until recently, implementing DMARC has been a difficult technical challenge. DMARC settings reside in a company’s Domain Name System, or DNS, records. DNS is a mission-critical technology that, incorrectly configured, can prevent electronic connection to the outside world. DMARC requires specific syntax that’s error-prone and tedious to create.
Corporate adoption of cloud services exacerbates this challenge. Third party internet services are popular tools for marketing, sales, recruiting, finance, contracts, HR, legal, benefits, expenses, and more. Most require email in their workflow. These services add complexity to DMARC configuration and change frequently, requiring constant attention and frequent DNS edits.
A misconfigured record can fail to stop phishing – or even block legitimate email. These reasons have conspired to stifle DMARC adoption for all but the best resourced and most determined enterprises.
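The two points above (a domain owner publishes who may send as the domain and what to do with the rest, and a record with a syntax slip or a weak setting silently fails to stop spoofing) can be made concrete in code. The following is an added example, not ValiMail's tool or any code from the original article. It lints a DMARC TXT record for the common mistakes described (missing `v=DMARC1`, a misspelled policy, `p=none`, partial `pct`, no reporting address), then shows how a receiving mail server turns SPF and DKIM results plus the record into a disposition. The domains `example.org` and `example.net` and all records are constructed samples; the `org_domain` helper is a deliberate simplification (last two labels) where a real receiver consults the Public Suffix List.

```python
"""DMARC record linting and disposition evaluation (added example, not ValiMail code)."""
from typing import Dict, List, Optional

# Constructed sample records for a hypothetical domain "example.org".
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "enforcing":    "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=r",
    "broken_tag":   "v=DMARC1; p=rejct; rua=mailto:dmarc@example.org",   # typo in the policy value
    "missing_v":    "p=reject; rua=mailto:dmarc@example.org",             # v=DMARC1 must come first
    "partial":      "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.org",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into an ordered tag dict; raise ValueError on a malformed tag."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> List[str]:
    """Return the problems found; an empty list means the record is well-formed and enforcing."""
    problems: List[str] = []
    try:
        tags = parse_dmarc(record)
    except ValueError as err:
        return [str(err)]
    # RFC 7489: v must be the first tag and its value must be exactly "DMARC1",
    # otherwise receivers ignore the whole record and apply no policy at all.
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy not in VALID_POLICIES:
        problems.append(f"unknown policy {policy!r}; use none, quarantine or reject")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        problems.append("no rua= address: you will get no aggregate reports")
    return problems


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); real code uses the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' needs an exact match, 'r' accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """What a receiver does with a message: 'deliver', 'quarantine' or 'reject'.

    from_domain:      domain of the visible From: header (what the employee sees)
    spf_pass_domain:  MAIL FROM domain if SPF passed, else None
    dkim_pass_domain: d= of a DKIM signature that verified, else None
    """
    tags = parse_dmarc(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, aspf)
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, adkim)
    if spf_ok or dkim_ok:
        return "deliver"           # at least one aligned authentication passed
    policy = tags.get("p", "none")
    return "deliver" if policy == "none" else policy


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:13s} -> {lint_dmarc(rec) or 'OK'}")
    # A spoofed "CEO" message: From: example.org, but sent through an unrelated server.
    for name in ("monitor_only", "enforcing"):
        print(name, "spoof ->", dmarc_disposition(SAMPLE_RECORDS[name], "example.org",
                                                  "attacker.example.net", None))
```

The two disposition calls at the end show the difference the policy tag makes: the same spoofed message (SPF passes, but only for the attacker's own sending domain, which does not align with the From: domain) is delivered under `p=none` and rejected under `p=reject`. Running the linter on records pulled from your own DNS is the quick check that a cut-and-paste error has not quietly turned enforcement off.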
Putting Authentication in Everyone’s Reach
Fortunately, a new era is dawning for Email Authentication. Recently introduced tools, consultants, and SaaS services make DMARC achievable even for ordinary companies without special expertise. For example, you can check out the authentication status of your own domain name using ValiMail's free DMARC checker.
New institutions are discovering and turning on email authentication every day. We expect this trend to continue until email authentication is the new normal, which means less opportunity for spear phishing scams and safer email for everybody, including political candidates.