It’s time for the internet to block fake emails

Jason Pressman

One of the biggest upsides of the internet is that people from all over the world now have access to virtually anyone anywhere. Everyone is just an email away.

That’s also the problem. That same accessibility has left people, businesses and organizations open to attack.

In headline after headline, crippling cyberattacks are highlighting in bright neon the new insecurity of our digital era.

One of the most preferred methods of attack is phishing -- a.k.a. spear phishing. That is, by sending fraudulent e-mails with legitimate-seeming details, hackers can now impersonate almost anyone’s identity -- and they are.

People on the receiving end of these phishing attacks, such as HR managers and company executives, have been tricked into sending fraudsters employee W-2s or wiring tens of millions of dollars into the attacker’s bank account, not to mention giving away access to their inboxes and every one of their contacts.

Here’s the thing: There’s a readily available tool to fix the problem. And it’s mind-boggling that, despite the increasing severity of the problem, we’re not using it enough.

It’s time for that to change. The internet has to shift from its default mode of not authenticating emails to authenticating them.

Do that, and we’ll solve a whole host of problems.

The scope (and stakes) of the problem

Consider some of the biggest international news stories of the past year stemming from successful phishing attacks.

With the intent to affect both election outcomes, hackers used email phishing to hack the presidential campaigns of Hillary Rodham Clinton and Emmanuel Macron in France.

In business, Leoni, one of Europe’s biggest companies, got taken for $45 million in an e-mail scam. Here in Silicon Valley, Coupa had its W-2 forms hacked this past March. And phishing attacks will continue. The Anti-Phishing Working Group reported a 10 percent increase in phishing attacks between 2015 and 2016, and experts expect the number of attacks to increase even more. And, the IRS recently disclosed that the number of companies, schools, universities, and nonprofits victimized by W-2 scams (a kind of phishing attack) increased from 50 last year to 200 this year.

What’s at stake? A lot of money. Customer relationships. Consumer anxiety and potential election outcomes. A recent report in Infosecurity Magazine found the average cost of a spear phishing incident is $1.6 million. The FBI uncovered that phishing costs companies billions each year in a combination of lost funds, data breaches and irrecoverable consumer confidence. Plus, when a company is hacked via e-mail, it loses one of its prime methods for contacting its customers. The damage can remain unchecked for quite some time.

When it comes to phishing attacks, the problem isn’t just one person clicking the wrong link or opening the wrong attachment. The problem lies with the fact that hackers and cyber gangs can trick employees into responding in the first place.

One of the most important steps to prevent this kind of attack is to enable e-mail authentication, which will stop the most common kinds of phishing attacks before they can cause damage. Authentication screens out fraudulent e-mails before folks even receive them.

Everything else is authenticated. Why not email?

In the physical world, a building with a security camera system, a doorman or a security guard ensures that visitors are who they claim to be. In many cases, a visitor presents a valid ID for verification. Anyone who doesn’t match is turned away – no excuses.

The same logic should be applied to email. According to Technalysis’ most recent study, e-mail is still the number one form of business communication – whether inside the company or outside. Yet if the source of the e-mails is not authenticated, then no one knows for sure if the memo from your company’s CEO is really from her or if it’s sent by a cybercriminal in Macedonia spoofing her e-mail address.

Today, when most companies have switched their websites to HTTPS by default, locked down their Wi-Fi networks, and insist on access cards to identify and grant access to every employee who wants to come in through the front door, can we really still be relying on non-authenticated emails? Everything else is authenticated. Why aren’t we doing the same with email?

The good news is there’s an industry standard

Fortunately, every company can have a security guard for their emails, through a widely-accepted standard called DMARC (Domain-based Message Authentication, Reporting and Conformance). DMARC protects against phishing and e-mail spam by analyzing each incoming e-mail and making sure that the sender is authorized by the domain that appears in the "From" field of the e-mail.

It also allows organizations to block fraudulent activity by specifying that emails from any non-authorized senders be automatically deleted or sent to spam. For those looking for more detail into how DMARC works, here’s an overview piece or a very in-depth blog series I’d recommend.

The good news is DMARC has become a nearly universal standard of authentication, which means that once a domain publishes a DMARC policy, it applies to all incoming email received by almost every major email service provider around the world. Email service providers such as Google, Yahoo, Microsoft and AOL have publicly adopted the standard. And according to DMARC.org, 2.7 billion email inboxes worldwide are using DMARC.

As effective as DMARC is, it’s hard to implement and when installed manually, it’s easy to make errors that make the configuration ineffective. It’s important to note that Google and Microsoft have implemented DMARC on the receiving side (meaning they check DMARC records for inbound messages, if the apparent sending domain has published a DMARC record) but they do not automatically implement it for senders. If you own a domain, take the additional steps to authenticate email sent from that domain, even if you’re using Google or Microsoft.