Understanding Email Phishing

For the past decade, companies and institutions have been moving their communication with customers and employees to digital channels. With nearly 5 billion email accounts worldwide, no other channel matches email's low cost, availability and reach. Beyond the text of the message itself, email today carries details and brand-building artifacts that give the recipient a sense of trust in what they are reading.

One of these brand-building artifacts is a custom domain. But the sender address is just a header in the message: criminals can forge it so that an email appears to have originated from a trusted organization rather than from the actual sender. This is known as spoofing.

Messages from spoofed domains are often visually similar to emails sent by widely known companies or institutions, and they carry a scary or urgent message prompting the recipient to take immediate action such as clicking a link, making a payment or replying. The goal is to trick the reader into handing over sensitive information or credentials. This is phishing.

What are the consequences?

Individuals risk having their money, information and identity stolen.

For companies, aside from a blemished brand reputation, employees opening emails from spoofed domains can be seriously damaging. Attachments may carry malware that infects the company's network and every device connected to it, steals customer data, or encrypts it and holds it for ransom.

In fact, 95% of all major data breaches and cyber attacks involve email. Identity and brand-impersonation emails make up more than half of the growing wave of business email compromise (BEC) attacks, which have caused nearly $13 billion in losses over the past decade.

Why does this criminal activity persist?

Exploiting email does not require much technical skill, and the cost of setting up the infrastructure for these attacks is low compared to the value of the information that can be stolen.

How do we stop it?

Email spoofing can be stopped if the owner of the domain shown in the From address has published DNS records for the modern authentication mechanisms, and the receiving mail server checks them:

  • SPF (Sender Policy Framework): a DNS TXT record listing the IP addresses (or hosts) authorized to send mail for a domain. Receivers check the connecting server's IP against the record of the envelope sender (SMTP MAIL FROM) domain. Note that SPF on its own says nothing about the From header the user actually sees.
  • DKIM (DomainKeys Identified Mail): the sending server signs selected headers and the body with a private key whose public half is published in DNS. Receivers verify the signature, which proves the message was not altered in transit and that the signing domain (the d= tag of the signature) took responsibility for it.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): a DNS record at _dmarc.<domain> that ties the two together. A message passes DMARC when SPF or DKIM passes and the domain that passed aligns with the From header domain. The p= tag tells receivers what to do with messages that fail: none (deliver, but report), quarantine (spam folder) or reject.

Together, these checks let receivers confirm that the domain in a message's From header really sent it, which prevents exact-domain spoofing. DMARC also provides a reporting channel (the rua and ruf addresses in the record) that tells domain owners which messages passed or failed, and from which sending sources. Two caveats a practitioner should keep in mind: a DMARC policy of p=none only reports and blocks nothing, and none of these mechanisms help against a lookalike domain the attacker registers and authenticates for themselves.
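To make the alignment rule concrete, here is an added example (not code from the article) of how a receiver combines SPF, DKIM and the DMARC policy. It assumes a constructed in-memory DNS table with hypothetical domains (example.org, example.net, attacker.example), a simplified SPF evaluator that only understands ip4/ip6 mechanisms and the all terminator, a simplified organizational-domain rule (last two labels instead of the Public Suffix List), and a DKIM verification result supplied as an input rather than computed from a real signature. The scenarios include a domain that publishes SPF but no DMARC record, which is the situation of who.int described further down the page.

```python
"""Minimal SPF + DMARC evaluator (added example, not the article's code).
DNS lookups are replaced by the constructed DNS_TXT table, all domains are
hypothetical, and the DKIM result is an input because a real receiver derives
it from the message's signature."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed DNS TXT records standing in for real zone data.
DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; aspf=r; adkim=r",
    "example.net": "v=spf1 ip4:198.51.100.10 -all",      # SPF only, no _dmarc record
    "attacker.example": "v=spf1 ip4:203.0.113.5 -all",   # attacker's own domain, valid SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(source_ip: str, mail_from_domain: str, dns=DNS_TXT) -> str:
    """Evaluate SPF for the envelope (MAIL FROM) domain. Simplified: only
    ip4/ip6 mechanisms and 'all'; include/a/mx/redirect need more lookups."""
    record = dns.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_tags(record: str) -> dict:
    """Parse 'tag=value; tag=value' DMARC syntax into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real
    receivers consult the Public Suffix List, e.g. for co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC alignment: strict (s) = exact match, relaxed (r) = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str                    # RFC 5322 From header domain, what the user sees
    mail_from_domain: str               # SMTP MAIL FROM (envelope) domain, what SPF checks
    source_ip: str                      # IP of the connecting mail server
    dkim_domain: Optional[str] = None   # d= of a verified DKIM signature, else None


def dmarc_evaluate(msg: Message, dns=DNS_TXT):
    """Return (spf_result, dmarc_result, disposition). disposition is the p=
    policy on failure ('none' = deliver but report), 'deliver' on a pass, or
    'no-policy' when the From domain publishes no DMARC record at all."""
    spf = spf_check(msg.source_ip, msg.mail_from_domain, dns)
    record = (dns.get("_dmarc." + msg.from_domain.lower())
              or dns.get("_dmarc." + org_domain(msg.from_domain)))
    if record is None or not record.startswith("v=DMARC1"):
        return spf, "none", "no-policy"
    tags = parse_tags(record)
    spf_aligned = spf == "pass" and aligned(msg.from_domain, msg.mail_from_domain, tags.get("aspf", "r"))
    dkim_aligned = msg.dkim_domain is not None and aligned(msg.from_domain, msg.dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return spf, "pass", "deliver"
    return spf, "fail", tags.get("p", "none")


# Constructed scenarios; the attacker controls attacker.example and 203.0.113.5.
SCENARIOS = {
    "legit": Message("example.org", "example.org", "192.0.2.25", dkim_domain="example.org"),
    "spoof_with_dmarc": Message("example.org", "attacker.example", "203.0.113.5"),
    "spoof_no_dmarc": Message("example.net", "attacker.example", "203.0.113.5"),
    "forwarded": Message("example.org", "example.org", "198.51.100.77", dkim_domain="example.org"),
}


def run_all() -> dict:
    return {name: dmarc_evaluate(m) for name, m in SCENARIOS.items()}
```

The spoof_with_dmarc case is the instructive one: the attacker's envelope domain passes SPF, because they published a valid SPF record for their own domain, yet DMARC still rejects the message because that domain does not align with the example.org From header. The spoof_no_dmarc case shows the same forgery against a domain that only has SPF: the receiver gets no policy and is left to its own heuristics. The forwarded case shows why both SPF and DKIM are worth publishing: forwarding breaks SPF, but an aligned DKIM signature still carries the message through.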

Do I need DKIM, SPF and DMARC for my company?

The short answer is yes, because they are effective at preventing spoofing of your own domain.

The long answer is that you don't have much of a choice. Major mailbox providers such as Outlook and Gmail already penalize messages that fail modern email authentication, so without SPF, DKIM and DMARC, mail sent by your company is likely to land in the recipients' spam or junk folder, possibly with a visual warning that the sender could not be verified.

Bigger institutions are getting targeted

On March 18, 2020, an email from [email protected] circulated asking for donations to the COVID-19 Solidarity Response Fund, which supports tracking and treatment of the new coronavirus. The World Health Organization's real domain is who.int, but this email did not come from them. WHO had an SPF record, but no DMARC record was published for who.int as of April 1, 2020. Without DMARC, receivers had no policy tying the From header to the SPF result, so a bad actor could put who.int in the From address, pass SPF with an envelope domain of their own, and profit from donations intended for the fund.

Failing to implement a DMARC enforcement policy at companies, schools, and state and local governments creates an opening for scammers to impersonate them.

Bruna Santos

Project Manager & Student of Psychology

3 years

Good article. Very enlightening


More articles by Rui Antunes

  • Fuzzing: To Find Software Vulnerabilities
  • Understanding Cyber Insurance
  • Python: Instance, Class and Static Methods