Despite the plethora of communication tools available to consumers and businesses, the de facto form of sharing information and communicating remains email. As the number of worldwide email users is predicted to reach more than 2.9 billion by the end of 2019, according to the Radicati Group, businesses and governments still rely on this channel to communicate with their customers and citizens.
However, email is also acknowledged as the primary cyber-attack vector and pivot point into corporate and private networks for nefarious gains. The concept of Spear Phishing, where individuals are targeted with emails perpetrating to be from an individual or company that the user knows and which are normally seeking valuable data or login credentials, has been circulating within the industry for several years.
And as with all cyber-attacks, this concept has evolved to changing environments with Business Email Compromise (BEC) attacks, in which attackers impersonate executives within a company, now becoming one of the biggest cyber threats facing businesses today. Recent data from the FBI estimates that BEC attacks have cost businesses more than $3.1 billion in the last three years alone.
All of these attacks are possible because the original circa-1982 email technology we use today was developed without any security, allowing criminals to spoof any email identity. The industry responded in 2012 with a new standard, DMARC (Domain-based Message Authentication, Reporting and Conformance) that puts security back into email. And since 2012 there have been calls within the industry for businesses to protect both employees and customers from being targeted and attacked by criminals via email.
As of October 1, the UK’s Government Digital Services (GDS), a part of the Cabinet Office, mandated that all central Government departments need to adopt DMARC, an email authentication protocol, as standard for all emails using the .gov domain. But what does this mean and why should enterprises take heed from the government sector?
What is DMARC?
DMARC is a protocol that is designed to detect and prevent emails from being spoofed by enabling ISPs (Internet Service Providers) to check that incoming mail is authorised by the domain name it is using.
This means that if an email is sent by an unauthenticated sender, which could be a malicious actor or even an unauthorised department within the company, DMARC can detect the unauthorised activity and the receiving ISP will simply block the email before it reaches the end user’s inbox. It also confirms that the content of the email and any attached files have not been modified during sending.
DMARC makes use of existing internet standards Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). An organisation can authenticate their emails using a combination of these methods. If an email passes neither of these authentication criteria, then a policy can be set in place to either mark it as junk or reject it. For many users, this will remove the guesswork associated with incoming emails and reduce their potential exposure to fraudulent and harmful messages.
Most approaches to email management have very little luck in stopping spoofed emails, because the content and domain of a well put together phishing message are almost indistinguishable from a legitimate message. By checking that the domain name itself, rather than the content of the message, is authorised, the implementation of DMARC means that even the most sophisticated spoof email can be detected and blocked from reaching its intended inbox.
Trusting your inbox
GDS’s move to require all governmental departments to use DMARC to authenticate their emails is a positive and forward thinking move toward improving security for both the UK government and its citizens. With email as the number one entry point for data breaches, and many reported attempts by cyber criminals to spoof the associated domains, the use of DMARC email authentication protocol for all legitimate.gov.uk email domains greatly reduces the risk of breaches and cyberattacks.
In fact, DMARC already has a proven track record at government level. In Philip Hammond’s recent National Cyber Security Strategy announcement, which saw £1.9 billion being allocated to combat the threat of cybercrime, the subject of spear phishing and email spoofing featured heavily.
As referenced by the Chancellor of the Exchequer, in one case more than 50,000 fraudulent emails from an account named ‘taxrefund.gov.uk’ were being sent to the unsuspecting British public daily. This spoofed domain has now been shut down thanks to the use of the DMARC protocol. gҔ 4w
Following the Government
The same effect can be achieved across enterprises. Many organisations may not even have a handle on the number of emails that are being sent out to its customers, allegedly from them, which is eroding the trust they have in the company. We have seen businesses of all types, and across all sectors, lose millions of pounds in revenue every year because customers are becoming more reluctant to click on their emails and calling customer service to determine if emails are legitimate.
By adopting an effective email authentication standard, as the UK government has done, organisations can be confident that both inbound and outbound emails are secure and from the recipient that they are stated to be from. By quickly being able to identify email spoofing, it not only reduces the potential risk of fraud and exposing the organisation to a data breach, and all the public reputational and financial penalties that are associated with an incident, but restores the faith that employees and customers have in the brand.
Whilst there is still some merit in ensuring that there is increased awareness and training provided to employees so that they are aware of the threats posed, employees are not the experts in this field. There is no amount of training that can be done that would stop even the most diligent employee from falling victim to a sophisticated, well-researched social engineering attack.
Instil best practice
The industry has been hard at work to develop technical capabilities to stop these types of emails ever reaching the unsuspecting employee’s inbox in the first place. Ultimately, this removes the fraud risk to the business and ensures that the organisation’s employees only reacting to trustworthy emails.
Enterprises should take notice of the UK government’s move to mandate the use of DMARC across all governmental bodies as it marks a watershed moment toward better security for both the government itself, and all UK citizens, and should help to greatly reduce the risk of breaches and cyber-attacks. Now the wheels need to be set in motion for other public and private sector organisations to follow suit and implement more effective methods for authenticating emails. We already know that emails are the number one method used to infiltrate networks, so if businesses want to protect their assets, they must protect their inboxes.
Image source: Shutterstock/kpatyhka
Patrick Peterson, founder and executive chairman, Agari