Trust is critical to digital marketing. Every time customers open your email or visit one of your web pages, they need to feel secure knowing that their personal information is not getting into the wrong hands. Unfortunately, there are cybercriminals who profit from stealing this information and using it fraudulently. One of their tactics is called phishing, which can have a serious negative impact on your organization and your customers. Luckily, there are methods available to help combat phishing, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), which is relatively new and very promising.
What is phishing?
Phishing is a type of scam where a criminal uses digital media techniques to impersonate a reputable brand or person with the express purpose of stealing something from victims. For example, the attacker might send an email to a victim that appears to be from the victim’s bank, telling them there is some issue with their account that needs to be resolved immediately. Social engineering techniques are used either to create fear, making the victim believe they have been falsely accused of something, or to play on their greed. The emotional response that is created can cause even sophisticated “techies” to fall prey to these techniques. When the victim follows a link in the email and enters their account information into a fake web form, the attacker gains access to the victim’s account information and can drain their funds.
The impact of phishing on relationships
Data vendor Return Path recently published some scary facts about phishing:*
- 97 percent of people globally can’t identify a sophisticated phishing email
- Email fraud has up to a 45 percent conversion rate
- 71 percent of U.S. adults would be at least somewhat likely to switch to a different bank if they became a victim of online fraud at their current bank
- The average cost of an enterprise data breach is $3.79 million
* Return Path. (June 3, 2015). “13 Email Fraud Stats Every Security Professional Should Know.”
Cybercriminals are getting more advanced with their ability to mimic the look, feel and even domain names of their target brands. If your account holders are victimized, they will be angry, and it’s likely their anger will be directed at your financial institution, not the criminals. So what can be done?
The role of email authentication
The best way to stop phishing is to ensure that phishing emails never get delivered to the inbox. Internet Service Providers (ISPs) have sophisticated filtering techniques that cybercriminals try to get around by using a tactic called spoofing. Spoofing is the act of impersonating another organization’s domain name(s) in the delivery of email messages and/or in the links in those messages. Spoofing hijacks the trust relationship between an organization and its customers.
One tactic in the fight against spoofing and cybercrime is email authentication. Email authentication requires participation from both the sender and receiver to determine if a message is valid or not. In the type of email authentication called Sender Policy Framework (SPF), the sender publishes a range of IP addresses in its Domain Name System (DNS) that are authorized to send out email on its behalf. If the receiver sees messages purporting to be coming from that sender but from an invalid IP address, it has the option to block those messages.
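To make the SPF check concrete, here is an added example (not code from the original post or from Harland Clarke Digital) of how a receiver evaluates a sender's published SPF record against the IP address a message actually came from. The domains, IP ranges and TXT records are constructed stand-ins for real DNS data; only the ip4, ip6, include and all mechanisms are modelled.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups (hypothetical domains).
# The first is the bank's own SPF record; the second belongs to an email vendor
# that the bank authorizes through "include:".
FAKE_DNS_TXT = {
    "example-bank.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 "
                         "include:_spf.mailvendor.test -all",
    "_spf.mailvendor.test": "v=spf1 ip4:203.0.113.50 ~all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str):
    """Stand-in for a DNS TXT query; returns the SPF record or None."""
    return FAKE_DNS_TXT.get(domain.lower())


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of the SPF results: pass, fail, softfail, neutral, none, permerror.
    Mechanisms that need further DNS queries (a, mx, ptr, exists) are not modelled
    and are reported as permerror.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                    # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()

        if mechanism == "all":           # catch-all: decides every IP not matched above
            return result
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"       # malformed record
            if ip.version == network.version and ip in network:
                return result
        elif mechanism == "include":
            # Recurse into the included domain; only a "pass" there counts as a match.
            if check_spf(argument, sender_ip, depth + 1) == "pass":
                return result
        else:
            return "permerror"
    return "neutral"                     # nothing matched and no "all" term present


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.50", "2001:db8:10:1::5", "192.0.2.9"):
        print(ip, "->", check_spf("example-bank.test", ip))
```

The `-all` at the end of the bank's record is what gives the receiver a definite `fail` for an IP that is not listed; with `~all` (softfail) or `?all` (neutral), as in the vendor's record, the receiver is only advised, not instructed, and the message is usually still delivered.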
Another type of email authentication is DomainKeys Identified Mail (DKIM), a cryptographic method in which the sending machine signs the message with a private key, and the matching public key is published in the sender’s DNS. The receiver looks up that public key and uses it to verify the signature; if the signature does not verify, the receiver can filter out the message.
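As an added illustration (not code from the original post) of what the receiver actually checks, the example below performs the first half of DKIM verification: canonicalizing the message body and comparing its SHA-256 digest with the `bh=` tag of the DKIM-Signature header. The second half, verifying the `b=` signature over the headers with the public key fetched from the `<selector>._domainkey.<domain>` TXT record, needs an RSA library and is deliberately left out. The message body, domain and selector are constructed.

```python
import base64
import hashlib


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, all trailing
    empty lines removed, exactly one CRLF at the end (an empty body becomes CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """The base64 SHA-256 digest that belongs in the bh= tag (a=rsa-sha256)."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def verify_body_hash(dkim_header_value: str, body: bytes) -> bool:
    """Does the bh= tag in the signature match the body that was actually received?

    A mismatch means the body was altered after signing (or the header was forged),
    so the receiver can stop before doing any public-key work.
    """
    tags = parse_dkim_tags(dkim_header_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "simple":
        raise NotImplementedError("only simple body canonicalization is modelled here")
    return tags.get("bh") == body_hash(body)


# Constructed sample: a message body and the DKIM-Signature header a hypothetical
# sender (d=example-bank.test, selector s=mail2024) would attach to it.
SAMPLE_BODY = b"Dear customer,\r\n\r\nYour monthly statement is now available.\r\n\r\n\r\n"
SAMPLE_DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example-bank.test; s=mail2024;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b="   # the RSA signature over the headers would follow; omitted here
)

if __name__ == "__main__":
    print("original body:", verify_body_hash(SAMPLE_DKIM_HEADER, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace(b"statement", b"password reset")
    print("tampered body:", verify_body_hash(SAMPLE_DKIM_HEADER, tampered))
```

Note that the canonicalization step is why a message whose trailing blank lines were added or removed in transit still verifies, while a single changed word in the body does not.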
These methods are very useful, and we suggest that all senders authenticate their emails with both SPF and DKIM. Harland Clarke Digital does this with all of its own domains as well as its clients’ custom mailing subdomains. But unfortunately, both protocols can be circumvented, because each works in isolation: neither one, on its own, ties the domain it authenticates to the From: address that the recipient actually sees. To make matters worse, legitimate senders do not always use SPF and DKIM across all of their valid email channels. For example, your marketing emails might use DKIM, but your online banking messages do not. So, ISPs are still left in a position of not having an acceptable and reliable way to filter out bad mail and ensure good mail gets through.
DMARC is a newer authentication mechanism that leverages both SPF and DKIM. With DMARC, senders can:
- Receive reports about messages that purport to come from their domains but fail SPF and DKIM checks.
- Set a policy for how mailbox providers should treat these messages. The options are to deliver the message (but send a report), to quarantine the message or to outright reject the message.
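The following added example (not code from the original post or from Harland Clarke Digital) shows how a receiving mailbox provider turns a published DMARC record plus the SPF and DKIM results into a disposition. It is the piece that makes the two protocols work together: a message only passes DMARC when an SPF or DKIM pass also aligns with the domain in the visible From: header. The record, domains and scenarios are constructed, and the organizational-domain helper is a hypothetical simplification of what real receivers do with the Public Suffix List.

```python
# Constructed DMARC policy as it would be published in the TXT record at
# _dmarc.example-bank.test (hypothetical domain).
DMARC_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example-bank.test; "
                "adkim=s; aspf=r")

# p= tag value -> what the receiver does with a message that fails DMARC.
DISPOSITIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Hypothetical simplification: keep the last two labels. Real receivers consult
    the Public Suffix List so that names such as bank.co.uk are grouped correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From: domain,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) as a receiving mailbox provider would decide.

    spf_domain is the MAIL FROM domain that SPF checked; dkim_domain is the d= tag
    of the signature that verified. One of them passing AND aligning with the
    visible From: domain is enough for DMARC to pass.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "deliver")       # no usable policy published: nothing to enforce
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    # pct= is not applied here; a real receiver enforces p= on only that percentage
    # of failing mail, which is how senders ramp up gradually from p=none.
    return ("fail", DISPOSITIONS.get(tags["p"].lower(), "deliver"))


if __name__ == "__main__":
    # Legitimate marketing mail: DKIM signed by a subdomain (fails strict alignment),
    # but SPF on the bounce subdomain aligns under the relaxed aspf=r setting.
    print(dmarc_evaluate(DMARC_RECORD, "example-bank.test",
                         "pass", "bounce.example-bank.test", "pass", "mail.example-bank.test"))
    # Spoofed mail: the sender's own domain passes SPF and DKIM, but neither aligns
    # with the bank's From: domain, so the quarantine policy applies.
    print(dmarc_evaluate(DMARC_RECORD, "example-bank.test",
                         "pass", "attacker.test", "pass", "attacker.test"))
```

The second scenario is the case the previous section describes: SPF and DKIM each "pass" on their own, yet DMARC still fails, because the domains they vouch for are not the domain the customer sees in the From: line.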
One of the greatest benefits of the DMARC protocol is the reporting aspect. With that information at hand, senders can improve their message streams while also having an early warning system for spoofed messages. Because an outbreak of spoofing would likely not use valid DKIM and SPF, the spoofed messages show up in the reports. The organization can use this information to track down the spammers and hopefully get them shut down. The other advantage is that the sender can set a clear policy about what ISPs should do with messages that fail authentication.
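To show what the reporting side looks like in practice, here is an added example (not code from the original post or from Harland Clarke Digital) that parses an aggregate report in the XML format receivers send to the `rua=` address and pulls out the sending IPs that failed both aligned checks, which is the early-warning signal the paragraph describes. The report contents, organization names, IPs and counts are all constructed.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate ("rua") report in the RFC 7489 XML format, as a mailbox
# provider would mail it to the address in the domain's rua= tag. Hypothetical
# domains, IPs and counts.
SAMPLE_RUA_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1433289600</begin><end>1433376000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example-bank.test</domain>
    <adkim>s</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-bank.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>example-bank.test</domain><result>pass</result></dkim>
      <spf><domain>bounce.example-bank.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.44</source_ip><count>350</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-bank.test</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_rua(xml_text: str) -> list:
    """Flatten each <record> of an aggregate report into a dict.

    The <policy_evaluated> dkim/spf values are the DMARC-aligned results; the raw
    SPF/DKIM outcomes (which may say "pass" for a completely different domain) sit
    under <auth_results>.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim_aligned": evaluated.findtext("dkim"),
            "spf_aligned": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return rows


def unauthenticated_sources(rows: list) -> list:
    """Sources where neither SPF nor DKIM aligned with the From: domain.
    Returns (source_ip, message_count) pairs, largest volume first."""
    failing = [(r["source_ip"], r["count"]) for r in rows
               if r["dkim_aligned"] != "pass" and r["spf_aligned"] != "pass"]
    return sorted(failing, key=lambda pair: -pair[1])


if __name__ == "__main__":
    for ip, count in unauthenticated_sources(parse_rua(SAMPLE_RUA_XML)):
        print(f"{count:>6} messages failed DMARC from {ip}")
```

In the sample, the second record shows the pattern to watch for: the sender's SPF passed for its own domain, but nothing aligned with the bank's From: domain, so 350 messages were quarantined. A source that appears here and is not one of your own mail streams is either a forgotten legitimate sender that needs SPF/DKIM set up, or a spoofer.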
How do you set up DMARC? What are the downsides to implementation? Are there any pitfalls organizations need to be aware of? We will cover these in next month’s entry.