Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Companies Are Failing to Deploy Key Solution for Email Security

A single -- albeit complex-to-deploy -- technology could stop the most expensive form of fraud, experts say. Why aren't more companies adopting it?

Business email compromise (BEC) is the most expensive form of online fraud encountered every year, with international losses in excess of $26 billion over the past three years, according to the FBI. Despite that, email security measures that could stop the messages impersonating business executives remain underdeployed, experts say.

The key technology, known as Domain-based Message Authentication, Reporting, and Conformance, or DMARC, significantly reduces attackers' abilities to spoof targeted domains and business executives by validating the path from the sending server to the receiver's inbox. In addition, the technology gives an organization's email administrator visibility into how their domain is being abused in emails.

Given the recent move of many companies to remote work during the coronavirus pandemic, validating email messages is even more important, says Joseph Blankenship, vice president of research for cybersecurity at Forrester Research.

"We designed email to trust by its very nature," he says. "To keep it secure, we need a multilayered approach that makes sure any anti-phishing defense is using multiple methods to verify email senders."

Every year, attackers use impersonation in phishing attacks to harvest user credentials as well as in BEC schemes where they send fake invoices from vendors or requests for payment from purported company executives to a target's accounting department. In 2019, the FBI received nearly 24,000 complaints of BEC fraud totaling $1.8 billion in losses, according to the annual Internet Crime Complaint Center report

A triad of email security technologies are designed to hobble attackers' attempts to impersonate legitimate organizations. Sender Policy Framework (SPF) adds the legitimate mail servers into the authoritative DNS record for a domain. The Domain Keys Identified Mail (DKIM) technology signs email messages to confirm the messages have not been changed. Finally, DMARC checks that a message's From address matches the information verified by SPF and DKIM. In addition, DMARC produces aggregate reports on the email traffic sent from an administrator's domain.

While DMARC gives companies protection against phishing, brand misuse, and BEC, it's difficult to implement across companies. "As someone who tried to do it with a team of smart IT people, it is an undertaking, I'll tell you that," says Blankenship. "We actually failed — we gave up after a couple of weeks."

Forrester recommends that companies work with their email infrastructure provider to set it up and consider bringing in a consultant.

While the complexity may scare off small firms, organizations that use the large email providers will likely have a managed offering that walks them through the process, he says.

"Two of the biggest providers of email services, Microsoft and Google, have a lot of email security capabilities built in," he says. "So any small firm should be taking full advantage of all the email filtering that is available to them from their email infrastructure provider."

While the use of DMARC is growing — tripling in 2019 — less than 10% of companies use it in most industries. Because of a US government mandate, however, almost every US federal agency uses the technology.

In addition, getting the full security benefits of the technology takes time. Administrators of an organization's email can select three different polices for messages that fail verification: Complete delivery of the messages, quarantine the messages, or reject the messages. In 2019, 71% of companies failed to enforce strict rules, taking no action and allowing the message to be delivered, according to data from DMARC.org.

"Phishing is implicated in more than 90% of all cyberattacks, and the vast majority of phishing emails leverage impersonation," Alexander García-Tobar, CEO and co-founder of email security firm Valimail, said in a statement. "This is only possible due to email's lack of robust sender identity validation. The sharp rise in DMARC records worldwide is promising, but the low rate of enforcement indicates there is a long way to go in establishing real trust in one of the world's most common forms of communication."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.