By failing to publish proper DMARC policies, universities, schools and, most importantly, state and local governments leave the door open for scammers to send email that appears to come from their domains and impersonate them.
For the past decade, companies and institutions have been moving towards digital communication with their customers and workers. With nearly 5 billion email accounts worldwide, no other channel combines low cost, availability and reach the way email does. Beyond the text of the message itself, email messages today carry details and brand-building artifacts that give the recipient a sense of trust in what they are reading.
What is spoofing and phishing?
One of these brand-building artifacts is a custom domain. Unfortunately, criminals can forge the sender address so that a message appears to come from a custom domain other than the one it was actually sent from; this is known as spoofing.
Emails from a spoofed domain often look like emails from well-known companies or institutions and carry a scary or urgent message prompting the recipient to act immediately, such as clicking a link that redirects them to a malicious website designed to look like the real one. The goal is to trick the reader into handing over sensitive information or credentials; this is known as phishing.
Why does this criminal activity persist?
Spoofing an email sender does not require much technical skill.
The cost of setting up the infrastructure needed for these attacks is low compared to the value of the information that can be stolen.
What are the consequences?
Email users risk having their money, information and identity stolen.
For companies, beyond a blemished brand reputation, employees opening emails from spoofed domains can be seriously damaging: attachments may carry malware that infects the company's network and every device connected to it, then encrypts or steals customers' data and holds it for ransom. In fact, 95% of all hacking attacks and data breaches involve email. Identity and brand-impersonation emails make up more than half of the growing wave of business email compromise (BEC) attacks, which have caused nearly $13 billion in losses over the past half-decade.
How do we stop it?
Email spoofing can be stopped if the owner of the domain a message claims to originate from has published, in DNS, the records used by modern email authentication mechanisms (usually set up together with the ESP, the email service provider, that sends mail on the domain's behalf):
- SPF (Sender Policy Framework): a DNS TXT record listing the IP addresses authorized to send mail for the domain, so that receivers can check whether the connecting mail server is one of them. Note that SPF checks the envelope sender (the Return-Path), not the From: address the recipient sees.
- DKIM (DomainKeys Identified Mail): a public key published in DNS that lets receivers verify a cryptographic signature added by the sending server, proving that the message was signed with the domain's key and was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): a DNS record that tells receivers what to do with messages that fail both of the previous checks, or pass them only for a domain that does not match (align with) the From: header domain: do nothing (p=none), send the message to the spam folder (p=quarantine), or reject it (p=reject).
Together, these three make it very hard for a forged message to land in our inbox looking like it came from the real domain, which is what prevents spoofing. Additionally, DMARC provides a reporting system (the rua address in the record) that informs domain owners which messages are passing or failing authentication for their domain.
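As an added example (not part of the original article), here is a small Python evaluator for the receiving side of the three mechanisms above. It works on constructed DNS TXT records for hypothetical domains (example.org, example.net, attacker.example) held in an in-memory dictionary instead of live DNS lookups, uses a deliberately minimal SPF check (ip4 mechanisms and the all qualifier only), and shows the detail the list glosses over: DMARC requires the domain that passed SPF or DKIM to align with the visible From: domain, so an attacker whose own domain passes SPF still has the From: domain's policy applied to the message.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample DNS TXT records for hypothetical domains. A real receiver
# fetches these with DNS queries; here the "zone" is an in-memory dict.
DNS_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 -all",
    "attacker.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.org",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
}


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' list (the DMARC record syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real implementations consult the Public Suffix List so that, for
    example, 'mail.example.co.uk' maps to 'example.co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def spf_result(client_ip: str, mail_from_domain: str) -> str:
    """Tiny SPF evaluator: ip4 mechanisms and the 'all' qualifier only
    (no include/a/mx/redirect); enough to show the alignment point."""
    record = DNS_TXT.get(mail_from_domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"


@dataclass
class Message:
    header_from: str            # domain of the visible From: header
    mail_from: str              # envelope sender (Return-Path) domain, what SPF checks
    client_ip: str              # IP address of the connecting SMTP client
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, None if none did


def dmarc_disposition(msg: Message) -> str:
    """Return 'pass', or the DMARC policy the receiver should apply
    ('none', 'quarantine', 'reject'), or 'no policy' if none is published."""
    from_domain = msg.header_from.lower()
    record = DNS_TXT.get("_dmarc." + from_domain)
    policy_tag = "p"
    if record is None and from_domain != org_domain(from_domain):
        # No record on the subdomain: fall back to the organizational
        # domain's record, where 'sp' (if present) governs subdomains.
        record = DNS_TXT.get("_dmarc." + org_domain(from_domain))
        policy_tag = "sp"
    if record is None or not record.startswith("v=DMARC1"):
        return "no policy"
    tags = parse_tags(record)

    # Either check may satisfy DMARC, but only if its domain aligns with From:.
    spf_aligned = (spf_result(msg.client_ip, msg.mail_from) == "pass"
                   and aligned(from_domain, msg.mail_from, tags.get("aspf", "r")))
    dkim_aligned = (msg.dkim_domain is not None
                    and aligned(from_domain, msg.dkim_domain, tags.get("adkim", "s" if False else "r")))
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags.get(policy_tag) or tags.get("p", "none")


if __name__ == "__main__":
    # Legitimate mail: authorized IP, aligned envelope sender and DKIM d=.
    print(dmarc_disposition(Message("example.org", "example.org", "203.0.113.10", "example.org")))
    # Spoof using the attacker's own SPF-passing domain in MAIL FROM: SPF passes,
    # but it does not align with From:, so example.org's p=reject applies.
    print(dmarc_disposition(Message("example.org", "attacker.example", "198.51.100.5", None)))
    # Same spoof against a domain with p=none: flagged in reports, but delivered.
    print(dmarc_disposition(Message("example.net", "attacker.example", "198.51.100.5", None)))
```

The third case is the monitoring-only situation many organizations stay in: p=none produces reports but tells receivers to deliver the forged message anyway, so a domain is not protected until its policy moves to quarantine or reject.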
Do I need DKIM, SPF and DMARC for my company?
The short answer is yes, because they are effective at preventing email spoofing.
The long answer is that you don't have much of a choice. Most large mailbox providers (such as Outlook.com and Gmail) already apply policies that penalize messages that do not comply with modern email authentication mechanisms, which means that if you do not set up SPF, DKIM and DMARC, emails sent by your company are likely to land in the spam/junk folder instead of the recipient's inbox, possibly accompanied by a visual warning that the sender could not be verified.
And larger organizations? Are they a target as well?
On March 18, 2020, an email sent from email@example.com was circulating asking for donations to the COVID-19 Solidarity Response Fund, which supports tracking and treatment of the new coronavirus. The domain used by the World Health Organization is in fact who.int, and this email did not come from them. The WHO had an SPF record, but no DMARC record was published for who.int as of April 1, 2020, so a bad actor was able to use the domain to impersonate the organization and divert donations meant for the Solidarity Response Fund.
Failing to publish proper DMARC policies at universities, schools and state and local governments creates an opening for scammers to impersonate them. Our company can provide a robust email security system and help ensure your organization is protected from modern email-based attacks. See more about our product or request a demo.
Author: Rui Antunes
Rui is part of the Research and Engineering team at Anubis, where he is currently in charge of the internal DMARC global analysis security module.