Email authentication is a pillar of effective digital threat protection, but it shouldn't stand alone. The latest example of why organizations need to go beyond authenticating email comes from an attack that leveraged the United States Postal Service (USPS) brand.
Here's what happened: Fraudsters sent phishing emails telling potential victims that a package could not be delivered and that they should click a link in the email. The email claimed the link led to the USPS website, where the recipient could sort out the problem. As with any phishing lure, it led somewhere else entirely.
In a world where cybercrime pays, this kind of phishing campaign happens all the time. So what? What makes this attack alarming is that USPS uses DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication protocol. The criminals knew USPS had implemented DMARC, so they got creative and found a way around this widely used protocol.
Every Action Triggers Fraudster Reaction
When DMARC is implemented correctly with an enforcing policy, it instructs receiving mail servers to reject messages that put a legitimate organization's domain in the From header but fail SPF and DKIM alignment for that domain. It says nothing about a domain the fraudster registers and controls. In the case of USPS, the fraudsters were forced to use a cousin domain, a look-alike domain that resembles the real one, because they knew any email forging the exact USPS domain would be rejected under DMARC and never reach the inboxes of potential victims. The fraudsters could easily have confirmed that USPS had DMARC, since Easy Solutions and other companies provide free tools that check whether a domain publishes a DMARC record. The picture below is a prime example, showing how the action of implementing DMARC produces a fraudster reaction of skirting around email authentication.
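To make concrete what a DMARC policy does and does not decide, here is an added example, not code from the original post or from any mail receiver: a simplified DMARC evaluator following the logic of RFC 7489 section 6.6. The DMARC records, the cousin domain usps-delivery-tracking.com and the sending-server domains are constructed for illustration and are not anyone's real records; the organizational-domain lookup takes the last two labels instead of consulting the Public Suffix List, which is a simplification.

```python
"""Simplified DMARC evaluation (after RFC 7489 section 6.6), added as an illustration."""
from dataclasses import dataclass

# Constructed stand-ins for _dmarc.<domain> TXT lookups. These are NOT the
# real records of any organization; the cousin domain is invented.
DMARC_RECORDS = {
    "usps.com": "v=DMARC1; p=reject; rua=mailto:dmarc@reports.example",
    # The fraudster owns this cousin domain and publishes whatever suits them.
    "usps-delivery-tracking.com": "v=DMARC1; p=none",
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into tags, applying the RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")          # relaxed DKIM alignment
    tags.setdefault("aspf", "r")           # relaxed SPF alignment
    tags.setdefault("sp", tags["p"])       # subdomain policy inherits p
    return tags


def org_domain(domain):
    """Organizational domain. Assumption: the last two labels, instead of the
    Public Suffix List a real receiver would use (wrong for suffixes like co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str            # domain of the RFC5322.From header the user sees
    spf_domain: str = ""        # RFC5321.MailFrom domain SPF was checked against
    spf_result: str = "none"
    dkim_domain: str = ""       # d= of a DKIM signature that verified
    dkim_result: str = "none"


def evaluate(msg, records=DMARC_RECORDS):
    """Return (dmarc_result, disposition) for one message."""
    from_dom = msg.from_domain.lower()
    txt, policy_tag = records.get(from_dom), "p"
    if txt is None:                          # no record: fall back to the org domain's sp=
        txt, policy_tag = records.get(org_domain(from_dom)), "sp"
    if txt is None:
        return "none", "none"                # nobody published a policy, nothing to enforce
    rec = parse_dmarc(txt)
    spf_ok = msg.spf_result == "pass" and aligned(from_dom, msg.spf_domain, rec["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(from_dom, msg.dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", rec[policy_tag]


if __name__ == "__main__":
    # Constructed messages: an exact-domain forgery, a subdomain forgery and the
    # cousin-domain lure from the campaign, each sent through the fraudster's own server.
    samples = {
        "forged usps.com":  Message("usps.com", spf_domain="bulk-mailer.invalid", spf_result="pass"),
        "forged subdomain": Message("tracking.usps.com", spf_domain="bulk-mailer.invalid", spf_result="pass"),
        "cousin domain":    Message("usps-delivery-tracking.com",
                                    dkim_domain="usps-delivery-tracking.com", dkim_result="pass"),
    }
    for name, msg in samples.items():
        result, disposition = evaluate(msg)
        print(f"{name:17} -> dmarc={result}, disposition={disposition}")
```

The evaluator consults only the DMARC record of the domain in the From header. A message that forges usps.com, or a subdomain of it, fails alignment and is handed the reject disposition; a message from a cousin domain the fraudster owns is judged against the fraudster's own record (or no record at all), and the USPS policy never enters the picture. That is the gap the campaign walked through.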
Going Beyond Email Authentication
The case of USPS shows that p=reject (the DMARC policy tag that tells receivers to reject messages that fail authentication for the organization's domain) does not by itself solve the phishing problem or provide robust digital threat protection. Fraudsters keep finding new ways to deliver phishing emails that trade on the names of real organizations without ever touching their protected domains.
Moreover, only 30 percent of email fraud is performed by spoofing the identical domain, according to the Anti-Phishing Working Group. Fraudsters are far more likely to use cousin domains or tactics such as subject line spoofing, display name spoofing or email account spoofing, none of which a DMARC policy on the targeted domain addresses. Organizations therefore need a holistic approach to stopping digital threats.
That holistic approach should certainly include implementing DMARC, together with a way to measure whether email security actions are actually working. It should also include the following recommendations, so that organizations are protected against an array of attacks arriving through a variety of channels:
- Implement a system that not only identifies threats but rapidly takes them down, minimizing the impact of an attack on customers and employees.
- Don't limit monitoring to the email channel. Extend it to social media, websites, the Dark Web and more.
- Monitor third-party application stores to make sure fraudsters are not publishing malicious apps that trade on a legitimate brand's name or imagery.
- Use machine learning that analyzes data at scale to find and eliminate threats as quickly as possible.
- Monitor registrations of look-alike domains, since a newly registered cousin domain is often an indicator that criminals plan to use it in a future phishing campaign.
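One way to act on the last recommendation, as an added example that is not part of the original post or of any Easy Solutions product: a small Python scanner that scores new domain registrations against a protected brand token and reports why each hit was flagged. The registration feed, the brand token usps, the allowlist and the confusable-character table are constructed assumptions; a production tool would use the Public Suffix List to find the registrable label and a fuller homoglyph table.

```python
"""Flag newly registered domains that look like a protected brand (added illustration)."""

# Characters fraudsters swap in for look-alikes. This table is an assumption;
# a production tool would carry a fuller Unicode confusables list.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"})

# Constructed sample feed standing in for a daily list of new registrations.
NEW_REGISTRATIONS = [
    "usps-delivery-tracking.com", "u5ps.com", "uspss.com", "usps.delivery",
    "uspstracking.net", "example.com", "usps.com", "tracking.usps.com",
]


def levenshtein(a, b):
    """Edit distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(domain):
    """Registrable domain and its label. Assumption: the last two labels, where a real
    tool would consult the Public Suffix List (this is wrong for suffixes like co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return domain, domain
    return ".".join(labels[-2:]), labels[-2]


def classify(domain, brand, allowlist=frozenset()):
    """Return why the domain resembles the brand token, or None if it does not."""
    reg_domain, label = registrable_domain(domain)
    if reg_domain in allowlist:            # the brand's own domains and known partners
        return None
    norm = label.translate(CONFUSABLES)
    if norm == brand:
        return "brand name on an unlisted TLD" if label == brand else "confusable characters"
    if levenshtein(norm, brand) <= 1:      # doubled or dropped letter, one typo
        return "one edit away from brand"
    if brand in norm:                      # usps-delivery-tracking, uspstracking
        return "brand keyword plus extra words"
    return None


def scan(domains, brand="usps", allowlist=frozenset({"usps.com"})):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {d: reason for d in domains if (reason := classify(d, brand, allowlist))}


if __name__ == "__main__":
    for domain, reason in scan(NEW_REGISTRATIONS).items():
        print(f"{domain:28} {reason}")
```

Run daily against a zone-file or registrar feed, this turns the recommendation into a worklist: each hit is a candidate for takedown requests and for blocking before a lure is sent. Edit distance on a four-letter token is noisy (ups and usps are one edit apart), so keep the allowlist of domains you know are legitimate current and have an analyst confirm hits before acting on them.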
Above all else, an effective digital threat protection strategy should include a proactive, multi-layered approach that addresses the entire fraud life cycle.