There’s no question that email fraud is more rampant than ever. For example, we’ve seen hackers impersonate high-profile CEOs—including Barclays Chief Executive Jes Staley, Citigroup Chief Executive Michael Corbat and Goldman Sachs Chief Executive Lloyd Blankfein—to trick employees, often in accounting and HR departments, into sharing sensitive financial information with their “boss.” According to FBI reports, fraudsters have sought to steal $5.3 billion between October 2013 and December 2016 through these sorts of email compromise schemes, with the number of business email compromise cases nearly doubling from May to December of last year.
And now scammers are branching beyond the business sphere to target top officials at government agencies. In early August, a self-described “email prankster” in the U.K. fooled a number of White House executives into thinking he was other White House representatives, including Trump Senior Advisor Jared Kushner. In that incident, the prankster impersonated Kushner to trick Homeland Security Advisor Tom Bossert into sharing his personal email address. Although it didn’t have devastating consequences for the White House, it did raise a major red flag to security officials that their systems were less secure than they believed.
As email spoofing, or the creation of email messages with forged sender addresses, becomes more common, it’s unsurprising that we’re seeing Congress take greater strides to combat cyberattacks. Earlier this summer, Oregon Senator Rob Wyden called on federal agencies to implement stricter controls to prevent hackers from impersonating government officials via email. To do so, he proposed the use of an email protocol called Domain-Based Message Authentication Reporting and Conformance (DMARC).
What Is DMARC?
DMARC is an email authentication, policy and reporting protocol. Building on the popular Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols, DMARC offers linkage to the author’s domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders. These features are designed to help email recipients determine whether messages align with what they know about the sender. If not, DMARC provides guidance on how to handle the situation to prevent potentially harmful outcomes due to the purported message.
Image courtesy of DMARC.org
Who Can Benefit by Deploying DMARC Protocol?
All organizations—not just government agencies—can use DMARC to detect and prevent email spoofing. The protocol can be particularly helpful for industries known to be IT security laggards, such as health care. The health-care sector is known to be slow to adopt up-to-date IT systems and security measures. As a result, malicious attackers—aware of the sector’s vulnerabilities—target hospitals and health groups, easily attaining coveted information.
Although health-care organizations typically choose not to invest in security measures (largely owing to flat or declining IT budgets and a tendency to focus their resources on other initiatives), they may want to reconsider their strategies to maintain patient trust. According to new research from the Global Cyber Alliance, 99 percent of for-profit and public hospitals failed to secure their email domains from hackers. Impersonating other people, these hackers have used phishing emails with malicious attachments to secure sensitive medical data that contains personally identifiable information on patients, including home addresses and Social Security numbers.
Philip Reitinger, president and CEO of Global Cyber Alliance, points out that “health data is actually much more valuable to someone who wants to spoof your identity than your credit data or username.”
For hospitals interested in maintaining patient trust, DMARC presents a valuable solution. Of course, the protocol is critical for all industries—especially finance and payment services, which are also highly vulnerable to email phishing, according to DK Media.
How to Effectively Implement DMARC
Although the best implementation practices vary with an organization’s industry, size and email patterns, the DMARC coalition suggests that all organizations do the following:
- Deploy DKIM and SPF protocol
- Ensure mailers are properly aligned with the appropriate identifiers
- Publish a DMARC record with the policy set to “none” (p=none), which requests data reports
- Analyze the data and modify mail streams as needed
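The alignment check described under “What Is DMARC?” and the staged rollout in the list above (SPF/DKIM first, then a p=none record, then a stricter policy once the reports look clean) can be traced through in code. The following is an added example, not code from the article or from DMARC.org: it parses a `_dmarc` TXT record, applies relaxed or strict identifier alignment, and returns the disposition a receiver would apply. It assumes SPF and DKIM have already been evaluated and simplifies organizational-domain lookup to the last two labels (real receivers consult the Public Suffix List); the `pct`, `sp` and `fo` tags are ignored.

```python
# Minimal DMARC policy evaluation: record parsing, identifier alignment, disposition.
# Assumes the SPF and DKIM results are already known (passed in as the domain that
# authenticated, or None when the check failed or was absent).

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a tag dict, filling in protocol defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed alignment is the default
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + txt)
    return tags

def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; real
    receivers use the Public Suffix List, e.g. for co.uk-style suffixes)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Does the authenticated domain align with the RFC5322.From domain?
    mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, record, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (dmarc_result, disposition).
    spf_pass_domain: MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: d= of a verified DKIM signature, else None.
    Disposition is 'none' on pass; on fail it is the published p= policy, so a
    p=none record (the monitoring stage) never changes delivery."""
    tags = parse_dmarc_record(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]

if __name__ == "__main__":
    # Constructed sample records and authentication results, not real data.
    monitor = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
    enforce = "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@example.com"
    print(evaluate("example.com", monitor, spf_pass_domain="bounce.example.com"))
    print(evaluate("example.com", enforce, spf_pass_domain="bounce.example.com"))
    print(evaluate("example.com", enforce, spf_pass_domain="attacker.example",
                   dkim_pass_domain="example.com"))
```

Running the monitoring record against real mail streams is what surfaces legitimate senders (bulk mailers, ticketing systems) that fail alignment and would be blocked once the policy moves to quarantine or reject.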
Typically, an organization’s collaboration group in the IT department as well as its information-security and privacy group in the security department are charged with managing DMARC deployment. But the process can be complex, so organizations may want to enlist the help of third-party vendors specializing in DMARC deployment.
Third-party vendors can help organizations implement the policy correctly, optimizing the protocol for the specific organization’s email habits. This process requires weighing the scores and results against employee usage patterns. Vendors can also help to train IT teams and general users on how DMARC compliance will affect their communication habits. The impact depends on the manner in which DMARC is implemented (e.g., in a “limited capacity”).
Call to Action
Although implementing DMARC may be daunting, it can clearly help protect sensitive information relating to an organization’s internal affairs, as well as information about its customers. And keeping that information safe is essential to maintaining customer loyalty: one Aviva study found that 60 percent of customers consider switching vendors after a company is breached, and 30 percent actually do.
To keep customer trust—and uphold business momentum—organizations must invest in their security, and soon. Today, only one-third of organizations use the DMARC protocol and less than 10 percent use the strongest available setting, according to the Federal Trade Commission. It’s time to get those numbers up. If we’ve learned anything from Jared Kushner, Jes Staley, Michael Corbat or Lloyd Blankfein, it’s that no one is truly safe from email spoofing. Hackers, with their sophisticated approaches, are capable of impersonating virtually anyone—and taking advantage of employees who don’t know any better than to share classified information with someone whom they deem to be their boss, peer or confidant.
Yes, cyber scams are scary. But they don’t have to be. So what’s stopping you from implementing the solution?
About the Author
Greg Arnette is a messaging, collaboration, Internet and networking expert with more than 15 years of experience. He built Sonian—a cloud-based business that allows companies to preserve, analyze and access their electronic communications for legal, regulatory and continuity purposes—a decade ago. As CTO, Greg focuses on technical evangelism and innovation while actively working with Sonian’s strategic partners.