U.S. federal government agencies and many major enterprises have made significant strides to thwart the spread of fake emails, a major cybersecurity attack vector. But many organizations remain susceptible because they’re still not using readily available open standards-based technologies that prevent these fakes from reaching end-user inboxes.
Valimail’s “Email Fraud Landscape, Q4 2018” indicates that the fight against fake email is advancing around the world — but email fraud remains a widespread and pernicious problem. In fact, the report notes, fake emails were a key driver in the 60 percent jump in business email compromise (BEC) losses in 2018 as reported by the FBI.
The researchers analyzed proprietary data from billions of email authentication requests, together with millions of publicly accessible DNS records. The report found that many organizations and agencies still have not implemented basic preventive measures, starting with publishing Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in DNS.
Email authentication standards need more adoption
“Fake emails — primarily email impersonation phishing attempts — continue to proliferate because, unfortunately, they work and are childishly easy to deploy. Executives, employees, and clients continue to click, send confidential information, share IP, and make bank transfers to the bad guys — all because of a lack of basic authentication,” said Alexander García-Tobar, CEO, Valimail. “These attacks are absolutely preventable. We therefore applaud those organizations that have implemented email authentication based on open standards such as DMARC — which, when properly configured, can stop the most convincing fake emails dead in their tracks. We urge all domain owners and security leaders to adopt these standards and configure them correctly and completely, as quickly as possible, to ensure their own employees cannot be spoofed by cybercriminals.”
The report discovered several encouraging signs regarding the adoption of email authentication standards, including:
- 80 percent of all U.S. federal domains have published a DMARC record — up from 50 percent in 2018 (the result of a federal mandate).
- 87 percent of federal domains that deploy DMARC have successfully configured it to enforcement — a standout success rate.
- At least 50 percent of Fortune 500 and large U.S. tech companies have adopted DMARC.
- Nearly 30 percent of healthcare companies are using DMARC — more than double the rate in late 2017.
- Global media entities, NASDAQ-listed companies and global billion-dollar public companies rank the lowest in DMARC enforcement among the 11 categories surveyed.
Email has no built-in mechanism for verifying that the sender shown in a message is who it claims to be. That makes it easy to "spoof" the sender's address: without email authentication standards such as SPF, DKIM and DMARC, malicious actors do not need to compromise any account to send messages that impersonate friends, coworkers, banks, government agencies and other trusted sources.
DMARC — properly configured — prevents fake emails from reaching inboxes
Identity deception, the technique behind what is popularly known as "spear phishing," is used in at least 90 percent of all cyberattacks, according to several sources cited in the report. The sender uses a forged "From" address, a deceptive look-alike domain, or a display name that impersonates someone else, sometimes even the recipient.
When a domain's DMARC policy is set to quarantine or reject (p=quarantine or p=reject), any message whose "From" header uses that domain must pass SPF or DKIM with a domain that aligns with the "From" domain; otherwise receivers that honor DMARC quarantine or reject it. A sender the domain owner has not authorized therefore cannot get a message "as" that domain into recipients' inboxes. The caveat is that a record with p=none only requests reports and blocks nothing, and that the policy is applied by the receiving mail system, so it protects against spoofing only at receivers that check DMARC.
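The following is an added example, not code from the report or from Valimail, that shows the decision a DMARC-aware receiver makes for one message. It is a simplified evaluator: the domain names and DNS TXT records are constructed for illustration, `org_domain` uses the last two labels instead of the Public Suffix List, and `pct=` sampling is ignored. It makes the difference between a published record and an enforced record concrete: the same spoofed message is rejected under p=reject, delivered (with only a report generated) under p=none, and not evaluated at all when no record exists.

```python
# Added example (not from the Valimail report): a simplified DMARC evaluator
# showing why only p=quarantine / p=reject stops a spoofed From: header.
# Domain names and DNS records below are constructed for illustration.

SAMPLE_DMARC_RECORDS = {
    # Enforced: strict alignment, failures are rejected outright.
    "agency.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@agency.example",
    # Published but not enforced: p=none only asks receivers for reports.
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:reports@monitoring.example",
    # "noauth.example" publishes nothing, so there is no policy to apply.
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if absent or invalid."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")   # relaxed alignment is the RFC 7489 default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Production code must consult the Public Suffix List (e.g. for gov.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def lookup_policy(from_domain, records):
    """Find the DMARC record for the From domain, falling back to the org domain.
    Returns (tags, applicable policy) or (None, None)."""
    tags = parse_dmarc(records.get(from_domain.lower()))
    if tags:
        return tags, tags["p"]
    tags = parse_dmarc(records.get(org_domain(from_domain)))
    if tags:
        return tags, tags.get("sp", tags["p"])   # 'sp' covers subdomains if set
    return None, None


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             records=SAMPLE_DMARC_RECORDS):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM (envelope) domain that produced spf_result;
    dkim_domain is the d= tag of the signature that produced dkim_result.
    """
    tags, policy = lookup_policy(from_domain, records)
    if tags is None:
        return "none", "deliver"          # no record published: nothing to enforce
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # Authentication failed: the published policy decides what the receiver does.
    # p=none maps to "deliver" because it only requests aggregate reports.
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return "fail", disposition


if __name__ == "__main__":
    # A spoofer relays mail from their own server (SPF passes for attacker.example)
    # with a forged From: header; only an enforced policy blocks it.
    for domain in ("agency.example", "monitoring.example", "noauth.example"):
        print(domain, evaluate(domain, "pass", "attacker.example", "none", ""))
    # Legitimate mail signed with the domain's own DKIM key passes.
    print("agency.example (DKIM)", evaluate("agency.example", "fail", "attacker.example", "pass", "agency.example"))
```

Running the block prints `("fail", "reject")` for the enforced domain, `("fail", "deliver")` for the p=none domain and `("none", "deliver")` for the domain with no record, which is exactly the gap the report describes between publishing a DMARC record and configuring it to enforcement.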