Many Orgs Still Aren’t Applying Protections to Fight Fake Emails

Fake email caused the 60% jump in 2018’s business email compromise losses reported by the FBI. Yet many companies still do not use open standards-based technologies to protect themselves from spoofs.

That’s the main conclusion of San Francisco-headquartered email authentication firm Valimail’s, “Email Fraud Landscape” report for the fourth quarter of 2018. The research indicated while government agencies and many major enterprises made significant strides to thwart the spread of fake emails around the world, email fraud remains an extensive and malicious problem.

Popularly known as spear phishing, identity deception is used in at least 90% of all cyberattacks, according to several sources cited in the Valimail report. The sender uses a fake “from” address, a deceptive domain or a display name that usually impersonates someone else, even the email recipient. “Fake email is not just a nuisance – it’s a critical threat,” the report warned.

For example, a highly-targeted malware-laced phishing campaign against certain credit unions, reported by Brian Krebs in his Krebs on Security blog, raised concerns because they were specifically directed at anti-money laundering contacts.

According to the Valimail report: “Far from being merely a ‘social engineering’ issue, fake email is a direct result of the way email technology was developed and has evolved: By design, internet email lacks a built-in authentication mechanism (a methodology to validate legitimate senders), making it trivial for hackers to ‘spoof’ senders. No account compromise is needed for a phisher to craft messages that appear to come from a bank, government agency, or other trusted organization.”

Without email authentication standards such as Domain-based Message Authentication Reporting & Conformance, malicious actors don’t need to compromise accounts to send emails that impersonate financial institutions, friends, coworkers, government agencies and other trusted sources.

When DMARC is configured to quarantine or reject suspicious emails, anyone who attempts to send email “as” a DMARC-enforced domain will fail unless that sender has been authorized by the owner of that domain, the research explained. In other words, the messages won’t reach the intended user inboxes.

Valimail used proprietary data from its analysis of billions of email message authentication requests, plus its analysis of nearly 17 million publicly accessible DMARC and Sender Policy Framework records, to compile its report, now in its third year. It found that many organizations and agencies aren’t implementing basic preventive measures, starting with DMARC or SPF.

U.S. tech companies, Crunchbase unicorns, and major U.S. financial institution are the only other categories in which the research found a DMARC success rate of 30% or greater.

“Fake emails, primarily email impersonation phishing attempts, continue to proliferate because, unfortunately, they work and are childishly easy to deploy. Executives, employees, and clients continue to click, send confidential information, share IP, and make bank transfers to the bad guys — all because of a lack of basic authentication,” Alexander García-Tobar, CEO and co-founder of Valimail, said. “These attacks are absolutely preventable. We therefore applaud those organizations that have implemented email authentication based on open standards such as DMARC, which, when properly configured, can stop the most convincing fake emails dead in their tracks.”

Tobar urged all domain owners and security leaders to adopt these standards and configure them correctly and completely, as quickly as possible, to ensure their own employees cannot be spoofed by cybercriminals.”

The Valimail report did discovered several encouraging signs regarding the adoption of email authentication standards, including:

80% of U.S. federal domains have published a DMARC record, up from 50% in 2018 (the result of a federal mandate).

87% of federal domains deploying DMARC successfully configured it to enforcement, a standout success rate.

At least 50% of Fortune 500 and large U.S. tech companies adopted DMARC.

Nearly 30 % of healthcare companies are using DMARC, more than double the rate in late 2017.

Global media entities, NASDAQ-listed companies and global billion-dollar public companies rank the lowest in DMARC enforcement among the 11 categories surveyed.

However, the fake email problem is also amenable to a technical solution, starting with several widely accepted email authentication standards, including the core standards SPF, DKIM, and DMARC, as well as newer standards ARC and BIMI. The core authentication standards have near-universal acceptance by email receivers. Among domain owners, usage is small but growing across a variety of sectors particularly the U.S. federal government.