Phishing Attacks Rise Again During the Holidays – Even for DMARC Protected Brands


It is no secret that phishing attacks are growing in scope, and the reason is quite simple: they are still effective. For the past several years, we have seen a marked increase in the number of email-driven phishing scams that coincide with the holidays. Below you'll find an email-driven phishing scam that shows a delivery notification from FedEx; we've seen the same lure with other brand-recognized couriers like UPS and DHL. You can view the US-CERT advisory here. In this instance, the notification claims that FedEx was unable to deliver a package because nobody was available to sign for it. Once the recipient clicks on the "invoice", the phishing attack is launched. With this kind of attack, the company purported to be sending the message is also a victim, as its brand becomes associated with fraudulent activity.

What's interesting about this fake notification is that the message was spoofed from "secure.com" instead of "fedex.com." This is probably because FedEx is an early adopter of DMARC and is most likely already at a p=reject policy (more details on that here: http://newblog.easysol.net/guide-to-leverage-dmarc/). With a reject policy in place, mail that fails DMARC for the fedex.com domain is refused by receivers that honor it, which makes spoofing fedex.com virtually impossible and pushes phishers toward other domains instead.

While DMARC is effective in this case at ensuring no one can spoof the company's own domain, one issue it does not solve is that cybercriminals can register domain names that merely resemble the target they are attempting to leverage in an attack, so-called "sister" or "cousin" domains. A DMARC policy only governs the exact domain that publishes it (and, depending on the policy, its subdomains); a lookalike domain is a different, separately registered domain, so mail sent from it is never evaluated against the brand's policy. Because the attackers are not attempting to spoof the organization's real domain name, DMARC won't catch them.
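To make that gap concrete, here is an added example (not code from the original post or from any DMARC tool) that triages the From: header of incoming mail: it first asks whether the sender domain is actually covered by a protected brand's DMARC policy, and only if it is not, looks for the lookalike patterns described above (brand name in the display name but not the domain, brand token embedded in the domain, digit-for-letter substitutions). The brand list, the homoglyph table and the sample headers are constructed for this example.

```python
import re
from email.utils import parseaddr

# Constructed list of brands that publish DMARC on their real domains.
PROTECTED = {"fedex.com": "fedex", "ups.com": "ups", "dhl.com": "dhl"}
# Constructed table of common digit/symbol substitutions seen in cousin domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def dmarc_covers(sender_domain: str, brand_domain: str) -> bool:
    """A brand's DMARC policy applies to its exact domain and (with sp=/default) its subdomains.
    Any other domain, however similar, is outside the policy entirely."""
    sender_domain = sender_domain.lower()
    return sender_domain == brand_domain or sender_domain.endswith("." + brand_domain)


def triage_from_header(from_header: str) -> dict:
    """Return a verdict of 'dmarc-covered', 'lookalike' or 'unrelated' with the reasons found."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Drop the TLD, remove separators and undo homoglyphs before searching for a brand token.
    # Substring matching on short tokens is a coarse heuristic; tune the list for production use.
    body = "".join(domain.split(".")[:-1])
    normalised = re.sub(r"[-_]", "", body).translate(HOMOGLYPHS)
    reasons = []
    for brand_domain, token in PROTECTED.items():
        if dmarc_covers(domain, brand_domain):
            # Receivers will authenticate or reject this one; DMARC has it covered.
            return {"domain": domain, "verdict": "dmarc-covered", "reasons": []}
        if token in normalised:
            reasons.append(f"domain '{domain}' resembles {brand_domain}")
        if token in display.lower():
            reasons.append(f"display name '{display}' claims {brand_domain} but domain is '{domain}'")
    return {"domain": domain, "verdict": "lookalike" if reasons else "unrelated", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers; the second mirrors the secure.com case from the post.
    for header in ["FedEx <tracking@fedex.com>",
                   "FedEx Delivery <noreply@secure.com>",
                   "FedEx <service@fedex-delivery.com>",
                   "Support <help@fed3x.com>",
                   "Alice <alice@example.org>"]:
        print(header, "->", triage_from_header(header))
```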

[Screenshot: the fake FedEx delivery notification described above]

It's important to recognize that DMARC as a standalone tool is not a complete solution to the problem of email-based fraud and phishing attacks. While DMARC compliance is a good first step towards eradicating email fraud, it's simply one layer and should be supplemented with other technologies that help identify and remove threats from the web. Otherwise, once the phishing email is in an inbox, your end-users and employees are just one click away from allowing their devices to be infected and becoming victims of fraud, perpetrated both against them and against your brand.
