Estimated Read Time: Six Minutes

Prevent Phishing By Enhancing Your Email Security

For many years, email has been a popular communication tool, with little understanding of its IT security pitfalls. When we use email, we trust that the person we are corresponding with is who they say they are, yet the underlying protocol (SMTP) has no built-in mechanism to verify that this is actually the case. Along with its widespread use, email has also seen widespread abuse, including its use for phishing.

What is Phishing? Here are Some Examples:

Phishing (pronounced fishing) is a term that describes an attempt to trick unsuspecting email recipients into taking an action such as opening an attachment, clicking on a link, or visiting a malicious website, with a harmful outcome for the recipient or their organization.

The senders of these emails entice the recipients to click through by ‘baiting’ them. For instance, the email could contain a fictitious statement telling the recipient ‘you have received a parking ticket; click here to see a photo of your vehicle parked illegally’. These emails are sent to a wide audience of random people, in the hope that some of them will take the bait and be caught, trusting the fraudulent sender with sensitive information.

Spear-phishing is a more targeted form of phishing, where fraudulent emails are sent to very specific people in specific roles to try to get them to take the bait. For instance, sending a bogus link for banking information to an Accounts Payable Officer at a specific company in the hopes that they will click on it would be considered spear-phishing. These phishing attempts take a little more effort to set up, but can be more dangerous since the email seems relevant and personalized, making the recipient more likely to trust it and take the bait.

Whaling is another targeted form of phishing, but its mark is the biggest phish of all. Whaling emails are sent to senior executives such as CEOs and Directors. Generally, the emails contain content engaging to those recipients, such as large financial transactions, customer complaints, or fake articles from news media.

Is Email Security Achievable?

It is generally accepted by reasonable people that if an email is received from Santa.Claus@NorthPole.com, the email is bogus. Those same reasonable people, however, are much more likely to accept and open an email that appears to be coming from an email address from a government, bank, e-commerce company, or utility company, just because the email looks authentic.

Email was never designed as a secure system, and until recently, IT security for email was limited to scanning for malicious software and viruses. An email could also be blocked if its sending network address or domain had been flagged as suspicious on a blocklist or reputation list. These list-based methods are only as good as the lists' currency, and they mostly catch bulk senders that have already been reported; a targeted message sent from a freshly registered domain or a compromised legitimate account will usually not be on any list.

Individually, users typically validate the email they receive by glancing at the To and From addresses, and if it looks right, they open the email and any attachments, trusting that somehow they are protected from viruses or malicious emails. The From address they see, however, is simply a header set by the sender and can contain any address at all.

Phishing, spear-phishing, and whaling have now become mainstream. The common denominator in all of these types of fraudulent emails is that they target people and organizations with carefully crafted emails often so cleverly disguised that it may be next to impossible for the average user to be able to spot them. That is why so many people fall victim to phishing, exposing confidential information, making the company network vulnerable, and sometimes going as far as transferring money from a business bank account to a third-party account. 

Using SPF, DKIM and DMARC to Prevent Phishing

There is hope when it comes to improving email security and reducing the impact of phishing and other malicious email-borne threats. Three specific defense mechanisms available to help organizations are:

  1. Sender Policy Framework (SPF)
  2. DomainKeys Identified Mail (DKIM)
  3. Domain-based Message Authentication, Reporting and Conformance (DMARC)

Sender Policy Framework (SPF) is a basic protection which is very straightforward for an organization to implement. Your organization publishes a DNS TXT record for its domain that tells the rest of the world “if you get an email from us, it is only legitimate if it came from these servers”, listing the IP addresses or networks that mail from the domain should come from. A receiving mail server compares the IP address that connected to it with the record for the domain in the message's envelope sender (the SMTP MAIL FROM, visible to users as the Return-Path), and if the record ends in a hard fail (“-all”), it can reject mail that did not come from a listed server as bogus. Two caveats matter in practice: SPF checks the envelope sender, not the From address the user sees, so an attacker can pass SPF for a domain they control while displaying your address in the From header; and mail that is forwarded through another server arrives from an IP you never listed, so SPF alone will fail on legitimate forwarded mail.

DomainKeys Identified Mail (DKIM) provides more advanced protection by digitally signing outgoing mail. Your mail server signs selected headers (including From) and a hash of the body with a private key, adds the signature in a DKIM-Signature header, and publishes the matching public key in DNS under a selector name for your domain. A receiving server fetches that key and verifies the signature, so a message whose From header or body has been altered, or that was never signed by the domain it claims, fails the check. Note that the signature is not encryption: the message stays readable, and DKIM proves origin and integrity, not confidentiality. On its own, DKIM also does not tell receivers what to do with unsigned mail, which is why it is paired with DMARC.

Domain-based Message Authentication, Reporting and Conformance (DMARC) takes both of the other techniques a step further. It ties SPF and DKIM to the From address the user actually sees: a message passes DMARC only if SPF or DKIM passes for a domain that is aligned with (the same as, or in relaxed mode a subdomain of) the domain in the From header. Your organization then publishes a DMARC record in DNS stating how other organizations should treat mail that fails this check: “p=none” (monitor only), “p=quarantine” (send to spam) or “p=reject”. The record also asks receiving organizations to send you aggregate reports (the “rua” address), so you can see who is sending mail in your domain's name and whether it is passing. These reports help you discover legitimate third-party senders you forgot to authorize before tightening the policy, and they let you decide whether to pursue further investigation or even legal action against those spoofing your domain.
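The following is an added illustration of how a receiving server applies SPF and DMARC alignment as described above; it is not code from the article or from Bulletproof. DNS lookups are replaced by a constructed table so it runs offline, and every domain, IP address and selector in it is hypothetical. Full DKIM verification needs RSA and the raw message, so the DKIM result (pass or fail, with the signing domain from the d= tag) is taken as an input, exactly as a mail server gets it from its DKIM verifier. The scenarios show the caveat from the SPF paragraph: a phisher who passes SPF for their own domain still fails DMARC because the From header is not aligned.

```python
"""Offline SPF evaluation and DMARC alignment check (added example)."""
import ipaddress

# Constructed DNS TXT data, in the shape a domain owner would publish.
# example.com sends from its own /24 and from a hypothetical mail provider;
# attacker.example is a domain the phisher controls and has valid SPF for.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    "attacker.example": "v=spf1 ip4:192.0.2.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query (hypothetical data above)."""
    return DNS_TXT.get(name.lower())


def check_spf(ip, domain, depth=0):
    """Evaluate ip against the SPF record of the MAIL FROM domain.

    Supports ip4/ip6/include and the 'all' mechanism with qualifiers, which
    is enough for this example; a real evaluator also handles a, mx, exists,
    redirect and the 10-lookup limit (this depth check approximates it).
    """
    if depth > 10:
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.lower().split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        # Membership is False when address and network are different IP versions.
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return result
        if mech == "include" and check_spf(ip, arg, depth + 1) == "pass":
            return result
    return "neutral"  # no mechanism matched and no explicit 'all'


def parse_dmarc(header_from_domain):
    """Return the DMARC tags for a From domain, with relaxed alignment defaults."""
    record = lookup_txt("_dmarc." + header_from_domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain. Simplified to the last two labels; real code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(client_ip, mail_from_domain, header_from_domain, dkim_results):
    """Combine SPF and DKIM with alignment against the visible From domain.

    dkim_results: list of (signing_domain, 'pass'|'fail') from the DKIM verifier.
    Returns (dmarc_result, disposition) where disposition is the published p= on failure.
    """
    policy = parse_dmarc(header_from_domain)
    if policy is None:
        return "none", "none"  # no DMARC record: receiver applies its own rules
    spf_ok = (check_spf(client_ip, mail_from_domain) == "pass"
              and aligned(header_from_domain, mail_from_domain, policy["aspf"]))
    dkim_ok = any(res == "pass" and aligned(header_from_domain, d, policy["adkim"])
                  for d, res in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


if __name__ == "__main__":
    # Constructed scenarios: (connecting IP, MAIL FROM domain, From header domain, DKIM results)
    scenarios = {
        "legitimate, own server":   ("203.0.113.5", "example.com", "example.com", [("example.com", "pass")]),
        "legitimate, via provider": ("198.51.100.7", "example.com", "example.com", []),
        "phish: own envelope, spoofed From": ("192.0.2.10", "attacker.example", "example.com", []),
        "phish: spoofed envelope too": ("192.0.2.10", "example.com", "example.com", []),
    }
    for name, args in scenarios.items():
        print(f"{name:36} SPF={check_spf(args[0], args[1]):8} DMARC={dmarc_evaluate(*args)}")
```

The third scenario is the interesting one: the phisher's own domain has a valid SPF record, so SPF reports “pass”, but DMARC fails because the authenticated domain is not aligned with the From header, and the published “p=reject” tells the receiver what to do. Before publishing “p=reject” for a real domain, run with “p=none” and read the aggregate reports until every legitimate sender (newsletter platform, ticketing system, payroll provider) appears as passing.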

The use of SPF, DKIM, and DMARC is gaining traction throughout the world, and major receivers increasingly expect senders to have them in place. Cloud-based services such as Office 365, Google Mail, and others have built-in support for them. Add-ons are also available to deploy these tools in on-premises environments.

Enhance Your Email Security with Bulletproof

It’s time to put effective measures in place to protect your organization from threats such as phishing emails. We can help you understand and deploy these protections in your environment to enhance your email security. Download our Security Aware Data Sheet to learn more about how to decrease phishing rates among employees.