Every business is prey to email cybercriminals: the “$26 billion scam”. 80% of organisations are still exposed; DMARC can protect you
Cybercrime is a top agenda item for many businesses, and email is a major, actively exploited attack vector. Yet most companies mistakenly believe that they already have all the email security protocols needed to protect them. This mistaken belief, together with the fact that forgery was not considered when email was first designed, has contributed to the rise of cybercriminals who are increasingly weaponising email as their attack tool of choice.
Because of its security design flaw, email, as it stands, offers no protection against attacks such as:
- Domain Name Spoofing
Domain Name Spoofing involves a cybercriminal sending mail that carries a company’s own domain name as the sender, in order to impersonate the company and trick a user into handing over money or confidential information; such emails often also carry links to fake websites.
- Display Name Spoofing
Display Name Spoofing is when an email carries a forged display name of a trusted sender known to the recipient, while the actual sending address belongs to the attacker.
- Phishing Attacks
Phishing Attacks are used by cybercriminals to trick victims into handing over information or money, or installing malware, which is achieved by sending a malicious email.
Email: the cybercriminal’s weapon of choice
Forging an email’s display name (Display Name Spoofing) is quick and requires no coding skills, and many websites advertise how to do it: it takes just a few simple steps for anyone to send a fake email under the identity of a real person. Fake emails that also hijack the names of employees and mimic the formatting and language characteristics of the sender or company require more skill, but the basic forgery does not.
Sending mail under a forged sender domain (Domain Spoofing) is faster and easier than registering a look-a-like domain, although both methods are much-used weapons in the cybercriminal’s toolbox. This should be of enormous concern for every business.
Whilst it is commonplace to implement security technology focused on protecting against what comes into an organisation, many organisations forget to implement the protocols required to ensure that only authenticated outgoing emails bearing their name reach an inbox. This gaping security hole is costing businesses dearly, financially and reputationally. The defence against these attacks is the global technical standard DMARC (Domain-based Message Authentication, Reporting and Conformance), and businesses without it are at risk.
Every company should know their DMARC exposure risk to cybercriminals.
Any business serious about email security and safeguarding their brand, employees and partners can instantly know their vulnerability to email scammers with a fast self-administered online analysis.
Cybercriminals earn billions through email fraud
In 2019 a staggering 128.8 billion* business emails were sent daily. However, not all of them were what they first appeared to be. More often than not, when an email arrives we look at the sender’s name and/or the company domain name and decide whether we recognise it. When we do, we automatically assume the email is legitimate and take it at face value.
Search for examples of organisations that have been hit by cybercriminals impersonating executives, vendors and suppliers and you will be spoilt for choice. There is the case of the Ottawa city treasurer who received an email from an address she thought belonged to the city manager and was tricked into wire-transferring around US$100,000 to a fraudster, and the more widely reported case of Mattel’s financial executive who believed that an email he had received was from the CEO when in fact it had been sent by a criminal impersonating the CEO. The executive sent $3 million to the criminal.
In South Africa, the University of Mpumalanga was tricked into transferring around $6.5 million (ZAR100 million) to a fraudster. The University received a forged email that used the name of its asset manager as well as the name of the asset management company, Investec. The cybercriminal deployed both display name spoofing and domain name spoofing in the attack on the University for fraudulent gain.
The email stated that Investec, the company managing the University’s assets, had changed its banking details; the new bank was FNB, and the email supplied the new account number to which payments should be made.
The University transferred payments to the new bank account. The fraud was only exposed when the real broker enquired with the University’s Finance Manager about the status of the due payment and was told that the money had already been transferred to the “new” bank. Once alerted to the fraudulent email and the misdirected funds, the University contacted the banks to stop the transaction; fortunately FNB had already flagged movement on the account as suspicious, and the University was able to recoup the majority of the money.
UNICEF in South Africa has also been targeted by cybercriminals using display name and domain name spoofing in a targeted phishing attack. In early 2021, a forged email pretending to be from UNICEF South Africa was sent to recipients asking them to participate in a bid process for construction and interior renovation of one of their facilities in Pretoria. The email address did not belong to UNICEF South Africa, but cybercriminals had hijacked UNICEF’s name in this phishing attack.
These phishing emails using look-a-like domains target specific people with the specific aim of defrauding their company. A look-a-like domain may differ from the real one by just a single letter; if the various look-a-like permutations are not considered when designing and implementing email security, cybercriminals can carry out their crimes without hindrance.
Unfortunately there are tens of thousands of real-life examples, ranging from small businesses to large multinational corporations, of organisations that have fallen prey to email scams made possible by non-existent or weak email security.
It is reported that approximately 80% of organisations do not have the security protocols in place to stop phishing and spoofing attacks and to protect their domain name from being exploited by fraudsters. Email was not originally designed with security in mind, and this allows criminals to put any sender’s address in a forged email. It is this flaw that gives today’s cybercriminals a tool for fraud, unless the right technology is implemented to stop it.
Cyber attacks against high-profile businesses generate many headlines; however, every organisation has email, and small and mid-sized businesses are just as much at risk as large companies. This is why implementing DMARC must be a priority for businesses of all sizes.
The best technology standard for protection against fraudulent email activity
DMARC is a technical protocol that verifies the source of an email so that only authenticated mail from a domain’s real owner reaches an inbox. It interrogates the source of the email, verifies whether it really comes from the domain it claims to be from, and only then allows it to be delivered to the intended recipient. Emails that fail authentication, or cannot be authenticated, are quarantined or rejected according to the domain owner’s published policy. Note that DMARC protects the exact domain in the visible From: address; on its own it does not block mail sent from look-a-like domains or forged display names on an attacker’s own domain, which still need other controls.
By implementing DMARC, a company’s genuine emails will reach the recipient’s inbox, and its name will not end up associated with scams and fraud. Seamless, fast delivery of legitimate emails is an important contributor to productivity, and with DMARC, deliverability improves because receivers can trust the domain.
There are two critical functional elements of DMARC. Firstly, DMARC sets a policy for a domain whose mail is authenticated by SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). SPF lets a domain owner publish the servers and IP addresses authorised to send mail for the domain, so a receiver can check the connecting server against that list; DKIM attaches a digital signature, created with the sender’s private signing key and verified against a public key published in DNS, so a receiver can confirm that the message was signed by the domain and has not been altered in transit. DMARC requires that at least one of these checks passes and that the authenticated domain aligns with the domain in the visible From: header. The DMARC policy then determines what should happen to a message that fails this check. Whilst there are three policy possibilities (none, quarantine and reject), it is only with a reject policy that a company is truly protected.
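To make the policy step concrete, here is an added example (not code from the original article or from Sendmarc) of how a receiving server evaluates DMARC: it parses a DMARC TXT record, checks SPF and DKIM identifier alignment, and chooses the disposition. The SPF and DKIM results are taken as inputs rather than recomputed, the Organizational Domain is approximated by the last two labels (a simplification; real receivers use the Public Suffix List), and all domains, records and results are constructed for illustration.

```python
"""
Added example (not from the original article or Sendmarc): a minimal DMARC
policy evaluator. It parses a DMARC TXT record and decides what a receiving
server should do with a message, given the domain in the visible From: header
and the SPF and DKIM results. All records, domains and results below are
constructed for illustration.
"""
from typing import Optional

VALID_POLICIES = ("none", "quarantine", "reject")
# A message outside the pct= sample gets the next less severe policy
# (RFC 7489 message sampling).
POLICY_FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a dict of lowercase tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("invalid sp= value")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption made to keep the example self-contained: treat the last two
    labels as the Organizational Domain. A real receiver consults the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) needs the same Organizational Domain."""
    if not auth_domain:
        return False
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate(from_domain: str, record_txt: str, record_domain: str,
             spf_result: str, spf_domain: Optional[str],
             dkim_result: str, dkim_domain: Optional[str],
             sample: int = 0) -> dict:
    """Return the DMARC verdict and the disposition a receiver should apply.

    spf_domain is the envelope (RFC5321.MailFrom) domain SPF was checked
    against; dkim_domain is the d= tag of a verified DKIM signature.
    `sample` (0-99) stands in for the receiver's random draw against pct=,
    made deterministic here so the example can be tested.
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, rec.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, rec.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none", "via": "spf" if spf_ok else "dkim"}

    # Failure: sp= applies when the record was found at the Organizational
    # Domain and the From: domain is one of its subdomains; otherwise p=.
    if from_domain.lower() != record_domain.lower() and "sp" in rec:
        policy = rec["sp"]
    else:
        policy = rec["p"]
    if sample >= int(rec.get("pct", "100")):
        policy = POLICY_FALLBACK[policy]
    return {"dmarc": "fail", "disposition": policy, "via": None}


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"
    cases = [
        # (label, From: domain, SPF result, SPF domain, DKIM result, DKIM d=)
        ("genuine mail via bounce subdomain", "example.com", "pass", "bounce.example.com", "none", None),
        ("spoofed From:, attacker's own SPF passes", "example.com", "pass", "attacker.example", "none", None),
        ("unsigned mail from a subdomain", "news.example.com", "fail", "attacker.example", "none", None),
    ]
    for label, frm, spf_r, spf_d, dkim_r, dkim_d in cases:
        print(f"{label:42} -> {evaluate(frm, record, 'example.com', spf_r, spf_d, dkim_r, dkim_d)}")
```

The second case is the point of the whole article: an attacker’s server can pass SPF for its own envelope domain, but because that domain does not align with the spoofed From: header the message still fails DMARC and is rejected. The third case shows why sp= matters: with p=reject alone, subdomains inherit reject, but sp=quarantine weakens them, so a domain owner tightening policy should set both.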
Sendmarc has a standard guarantee of achieving p=reject within 90 days for all managed customers, and proactively configures domains to ensure the continual defence against new threats as they arise.
However, businesses must not think that simply setting a policy to “reject” means business as usual. Unless there is a full analysis and ongoing reporting of the use of all domains registered to a company, including the third-party services that send mail on its behalf, legitimate emails will be blocked, causing serious productivity damage, operational service issues and negative customer experiences.
Secondly, DMARC enables receiving mail servers (mailbox providers and ISPs) to send the domain owner reports giving a full view of the success or failure of domain authentication. Sendmarc’s custom-built platform is compatible with all ISPs, integration is seamless, and its automated processing and policy implementation allow real-time visibility and reporting of all legitimate and illegitimate emails using a customer’s domain name.
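The reports mentioned above arrive as XML “aggregate” (RUA) reports, and reading them is how a domain owner finds the legitimate-but-unauthenticated senders that a premature move to “reject” would block. The following is an added example (not code from the original article or from Sendmarc) that parses one such report and tallies passing and failing sources; the report is constructed in the RFC 7489 aggregate format, with made-up reporter, IP addresses, domains and counts.

```python
"""
Added example (not from the original article or Sendmarc): parse a DMARC
aggregate (RUA) report and summarise which sending sources pass and which
fail alignment. SAMPLE_REPORT is a constructed report in the RFC 7489
aggregate XML format; reporter, IPs, domains and counts are made up.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name><email>dmarc@mailbox-provider.example</email>
    <report_id>constructed-0001</report_id><date_range><begin>1617235200</begin><end>1617321600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>17</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounces.newsletter-platform.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Flatten a RUA report into the published policy plus one dict per record."""
    root = ET.fromstring(xml_text)
    report = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": [],
    }
    for rec in root.findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        report["rows"].append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated holds the *aligned* results, which DMARC decides on
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            # raw (unaligned) authentication identifiers; None when absent
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return report


def summarize(report: dict) -> dict:
    """Count messages that passed DMARC versus failed, and tally failing sources.
    A failing source whose SPF passes for some other domain is either a spoofer
    or a legitimate third-party sender never authorised for the domain; both
    need investigating before the policy is tightened."""
    passing = failing = 0
    failing_sources = defaultdict(int)
    for row in report["rows"]:
        if row["dkim_aligned"] or row["spf_aligned"]:
            passing += row["count"]
        else:
            failing += row["count"]
            failing_sources[row["source_ip"]] += row["count"]
    return {"passing": passing, "failing": failing,
            "failing_sources": dict(failing_sources)}


if __name__ == "__main__":
    rep = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{rep['reporter']} reports on {rep['domain']} (p={rep['policy']})")
    for row in rep["rows"]:
        print(f"  {row['source_ip']:15} x{row['count']:<4} disposition={row['disposition']:10} "
              f"spf_domain={row['spf_domain']} dkim_domain={row['dkim_domain']}")
    print(summarize(rep))
```

In the constructed data the third source looks like a newsletter platform sending as example.com with SPF passing only for its own bounce domain and no DKIM signature: exactly the kind of legitimate traffic that a reject policy silently drops until the service is authorised (added to SPF or given a DKIM key for the domain). Real reports arrive as zipped or gzipped attachments from arbitrary senders, so in production parse them with defusedxml rather than the standard library parser.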
Whilst DMARC combines SPF and DKIM, adding the critical layers of policy setting and reporting, Sendmarc offers a further layer to the DMARC defence with BIMI (Brand Indicators for Message Identification), which builds on DMARC and the email authentication protocols. BIMI enables organisations to have a logo or image shown next to the sender name in email messages, and it requires the domain to already enforce DMARC with a quarantine or reject policy.
The logo or image must be “certified”: a verification process associates and locks the logo to a company and domain, and a Verified Mark Certificate (VMC) is issued. The VMC is referenced from the company’s BIMI DNS record, alongside the logo itself, so that mailbox providers can display the visual. This gives a company control over its logo and adds a further layer of verification on top of DMARC, providing the recipient with an easy visual cue to the email’s authenticity.
Keeping in mind that brand impersonation accounts for 83% of spear-phishing attacks, and that since 2016 email spoofing and phishing attacks have cost companies worldwide $26 billion, it is vital that businesses not only implement DMARC but ensure that their domains are correctly configured with an enforcing DMARC policy to stop cybercriminals.
Stopping cybercriminals; the highest security standards
Sendmarc was built with the goal of easily and completely implementing DMARC. It has a single universal product which means that every customer receives the same full set of features and functionality. Because every business faces the same threats Sendmarc believes that every business should receive the same standard of protection.
In addition to the features and functionality of the Sendmarc product being identical for every customer, so is their guarantee. And whilst the product is identical for every customer, it is worth highlighting that the domain and email environment analysis, DMARC implementation, and the ongoing reporting will be different for each company. This is because the number of registered domain names as well as the number of third-party service providers varies for each company from a few to many hundreds, and this affects the complexity of implementation.
Every company of every size needs to know whether it is protected from cybercriminal impersonators. These cybercriminals are full-time fraudsters, focused on stealing from any business they can, especially those that make it easy for them. Organisations must invest in technology to prevent successful attacks, bolstering their current spam filters, antivirus software and other legacy security solutions with DMARC, to stop cybercriminals tricking the email recipient into believing a message is from someone they trust or know, whether a colleague, a brand or a partner/vendor. It is this trust that is exploited for illicit gain.
Sending an email is fast and easy, and email is the most commonly used tool for business communication. It is now also the most commonly used tool for cybercriminals, and business email compromise scams can go on for months or even years before being detected, causing, for some, irreparable financial and reputational damage.
Cybercrime is hitting every business on every continent. An Interpol report on cybercrime in Africa said that from January 2020 to February 2021 “South Africa … had the highest targeted ransomware and BEC [business email compromise] attempts”. Without DMARC a company is more susceptible to these cybercriminals, who spoof email accounts or websites or send spear-phishing emails.
Find out how susceptible you are to those cybercriminals using email as their weapon of choice by taking Sendmarc’s self-administered online assessment.