Attacks on global brands such as eBay, PayPal and Amazon get a lot of news coverage, and each time this happens, the brand suffers. Often the source of corruption, unbeknownst to the organisation, is an email that appears to have come from the company, but instead was sent by a criminal source aimed at illegally soliciting sensitive information.
This practice, commonly known as phishing, is typically carried out by "email spoofing." With increasing frequency, these criminals are no longer targeting just top brands, but also setting their sights on small and medium-sized businesses. As larger organisations adopt security strategies to prevent these attacks, hackers are moving down the road to easier targets.
No company is immune to a spoofing attack. Most large organisations and B2C companies are already taking steps to resolve this issue. It's important that B2B, as well as medium and small businesses also protect themselves. Smaller businesses are especially vulnerable because, too often, they assume they aren't big enough to draw hackers' attention, and they haven't adopted the security strategies needed to fight this type of cybercrime.
Launchpad for bigger attacks
The flaw in that kind of thinking is that hackers don't care about the size of a business, they only care about vulnerability. They can get plenty of loot from mounting a series of attacks on vulnerable small and medium-sized businesses, and then use that data to launch an attack against a larger target. In the meantime, they've collected your employee and customer data, banking information and passwords, and they've compromised your brand.
Hackers use spoofing to make an email message look like it's from a sender the recipient knows or trusts to trick them into opening it. They simply edit an email address to make it look like it came from the sender's email account, so that when it's opened, it can infect the recipient's system with malware, or provide a pathway for the hacker to steal credit card data, passwords or other personal and financial information.
They can do this because email doesn't support authentication, allowing any criminal to send an email purporting to be from your company or brand.
DMARC: fighting back
Such phishing is without doubt a growing trend, and to combat the spoofing threat, 15 email services providers, financial firms and message security companies – including AOL, Google, Microsoft, Return Path and Yahoo – founded DMARC.org, a working group to create standards to reduce the threat posed by phishing, spam and other messaging abuses.
Domain-based Message Authentication, Reporting and Conformance (DMARC) standardises the way recipient email servers perform email authentication using SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) mechanisms. The organisation was launched in January 2012 and now protects 60% of global consumer email inboxes, and 80% in the United States.
Large organisations, including such top brands as Twitter, Amazon, eBay, Facebook and PayPal have adopted DMARC to combat spoofing with relatively good levels of success. According to DMARC.org, Outlook.com reported a 50% drop in reported phishing in 2013 due, in part, to DMARC. Additionally, more than 25 million email messages spoofing PayPal were rejected during the 2013 Christmas buying season.
What DMARC provides these organisations is visibility into whether their email is authenticating – proof that the email is coming from your own domain and not some other unauthorised domain that only looks like your site. Without DMARC, there is no visibility, and senders remain unaware of authentication problems because they have no way to get feedback about potential email spoofing, or to determine what to do with those emails – whether to block them or quarantine them somewhere.
As hackers troll for easier targets, it is vital for businesses of all sizes to protect their brands by adopting DMARC. Although most people today know not to open questionable attachments or click on suspicious links, spoofers have become so good at what they do that their targets can be easily fooled into believing an email is legitimate.
