Phishing is as much a technical attack as it is a social engineering method—for any phishing attempt to succeed, the phishing email must first pass through software filters and then be acted upon by the recipient, who exposes sensitive data. That may sound like slim odds for success, though the Valimail Spring 2019 Email Fraud Landscape report released Tuesday indicates at least 3.4 billion fake emails are sent each day—making phishing attacks resemble something of a “spray and pray” strategy.
The original specifications for email were written without particular regard to security. While that may have been an acceptable course of action decades ago—when internet use was restricted to government and academic users—deploying a mail server in 2019 without any security protection at all is inadvisable.
Domain-based Message Authentication, Reporting and Conformance, or DMARC, is an open standard (published as RFC 7489) that can be used to prevent inauthentic email from reaching the inboxes of end users. DMARC is gaining widespread adoption, with Valimail reporting that DMARC is used on “almost 80% of all the inboxes in the world.” A survey of public DNS records revealed nearly 740,000 domains with DMARC records as of May 2019, an increase of 140,000 since the beginning of the year.
DMARC is complex to implement, however, and partial implementations—namely, DMARC records versus DMARC enforcement—can limit the efficacy of these deployments. “For domains that are actually used to send email, it takes a lot of tedious work to figure out which sending services need to be whitelisted. The fear of blocking good (legitimate) email keeps a lot of domains from switching to enforcement, and thus they remain vulnerable to bad (fake) email,” the report states.
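To make the records-versus-enforcement distinction concrete, here is an added Python example (not code from the Valimail report or TechRepublic) that parses a domain's DMARC TXT record and classifies it as monitoring-only, partially enforcing, or fully enforcing; the tag names follow RFC 7489, and the example.com addresses are constructed.

```python
# Added example (not from the Valimail report or TechRepublic): classify a
# DMARC TXT record as monitoring-only, partial, or enforcing.
# Tag names (v, p, sp, pct, rua) are the ones RFC 7489 defines.
from typing import Dict, Optional

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into lower-cased tag -> value pairs.

    Returns None unless the record starts with v=DMARC1, which RFC 7489
    requires as the first tag; receivers ignore anything else.
    """
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(txt: str) -> str:
    """Return 'invalid', 'monitor', 'partial' or 'enforce'.

    'enforce' needs p=quarantine or p=reject applied to 100% of mail with
    no sp=none fallback for subdomains. 'partial' and 'monitor' are the
    "record without enforcement" states the report describes.
    """
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # RFC 7489 section 6.6.3: no usable p but a rua address present is
        # treated as p=none, so the domain still only monitors.
        return "monitor" if "rua" in tags else "invalid"
    if policy == "none":
        return "monitor"
    pct = tags.get("pct", "100")          # pct defaults to 100
    if not pct.isdigit() or int(pct) > 100:
        return "invalid"
    sub = tags.get("sp", policy).lower()  # sp defaults to the value of p
    if int(pct) < 100 or sub == "none":
        return "partial"
    return "enforce"
```

Running `classify` over the TXT record at `_dmarc.<domain>` for each domain you own is a quick way to see which ones are still parked at p=none.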
A few industries are rising above 20% enforcement rates, with the US federal government leading the way, due largely to mandates requiring the protection. Conversely, the least-protected industry is media organizations.
“It remains clear that fake emails from hackers, phishers and other cybercriminals constitute the major source of cyberattacks,” Alexander García-Tobar, CEO and co-founder of Valimail, said in a press release. “As more companies recognize and respond to email vulnerabilities, we expect to see organizations continue to deploy authentication technologies to protect against untrusted and fraudulent senders. The fact is that too many attackers are using impersonation to get through existing email defenses. A robust approach to sender identification and authentication is needed to make email more trustworthy, once and for all.”
For more, check out “Oh Canada: Why half of phishing attacks target the Great White North,” and “Your data, stolen twice: Pirated phishing kit contains hidden backdoor” on TechRepublic.