

Companies Are Failing to Deploy Key Solution for Email Security

A single -- albeit complex-to-deploy -- technology could stop the most expensive form of fraud, experts say. Why aren't more companies adopting it?

Business email compromise (BEC) is year after year the most expensive form of online fraud, with international losses in excess of $26 billion over the past three years, according to the FBI. Despite that, the email security measures that could stop messages impersonating business executives remain underdeployed, experts say.

The key technology, known as Domain-based Message Authentication, Reporting, and Conformance, or DMARC, significantly reduces attackers' ability to spoof targeted domains and business executives by checking that the domain a recipient sees in the From header is the domain that was actually authenticated on the path from the sending server to the receiver's inbox. In addition, the technology gives an organization's email administrator visibility into how the domain is being abused in email.

Given the recent move of many companies to remote work during the coronavirus pandemic, validating email messages is even more important, says Joseph Blankenship, vice president of research for cybersecurity at Forrester Research.

"We designed email to trust by its very nature," he says. "To keep it secure, we need a multilayered approach that makes sure any anti-phishing defense is using multiple methods to verify email senders."

Every year, attackers use impersonation in phishing attacks to harvest user credentials, as well as in BEC schemes in which they send fake invoices from vendors or requests for payment from purported company executives to a target's accounting department. In 2019, the FBI received nearly 24,000 complaints of BEC fraud totaling $1.8 billion in losses, according to the annual Internet Crime Complaint Center report.

A triad of email security technologies is designed to hobble attackers' attempts to impersonate legitimate organizations. Sender Policy Framework (SPF) publishes the list of a domain's legitimate mail servers in the domain's authoritative DNS. DomainKeys Identified Mail (DKIM) signs email messages so the receiver can confirm they have not been changed in transit. Finally, DMARC checks that a message's From address matches the domain verified by SPF or DKIM. In addition, DMARC produces aggregate reports on the email traffic sent from an administrator's domain.
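The check the paragraph above describes, as an added example rather than code from Dark Reading or any DMARC vendor: a receiving server parses the domain owner's DMARC DNS record, tests whether the SPF-authenticated and DKIM-signed domains align with the visible From domain, and applies the published policy when neither aligns. The DMARC records and messages below are constructed for the example, and the organizational-domain lookup is simplified to "the last two labels" (a real receiver consults the Public Suffix List).

```python
"""Added example: how a receiving mail server evaluates DMARC for one message.
Not Dark Reading's or any vendor's code; the records and messages are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'
    into a tag dictionary, filling in the defaults a receiver would assume."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (an assumption;
    production code uses the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    domain under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What SPF and DKIM established for one message (constructed input)."""
    from_domain: str                  # domain in the RFC 5322 From header
    spf_pass_domain: Optional[str]    # MAIL FROM domain if SPF passed, else None
    dkim_pass_domain: Optional[str]   # d= of a verified DKIM signature, else None


def evaluate(record: Dict[str, str], res: AuthResults) -> Dict[str, object]:
    """Return the DMARC verdict and the disposition the receiver should apply."""
    spf_aligned = aligned(res.from_domain, res.spf_pass_domain, record["aspf"])
    dkim_aligned = aligned(res.from_domain, res.dkim_pass_domain, record["adkim"])
    dmarc_pass = spf_aligned or dkim_aligned
    # The subdomain policy 'sp' applies when the From domain is a subdomain
    policy = record["p"]
    if res.from_domain.lower() != org_domain(res.from_domain) and "sp" in record:
        policy = record["sp"]
    if dmarc_pass or policy == "none":
        disposition = "deliver"        # p=none: monitor only, message is delivered
    else:
        disposition = policy           # 'quarantine' or 'reject'
    return {"pass": dmarc_pass, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "policy": policy,
            "disposition": disposition}


# Constructed record for example.com: enforce reject, quarantine for subdomains
ENFORCING_RECORD = parse_dmarc_record(
    "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com")
# The same domain while still in monitoring mode
MONITOR_RECORD = parse_dmarc_record(
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com")

# Constructed messages: a genuine one, a forged From with SPF passing only for
# an unrelated domain, and a subdomain sender that passes via relaxed DKIM alignment.
GENUINE = AuthResults("example.com", "example.com", "example.com")
SPOOFED = AuthResults("example.com", "bulk-sender.test", None)
SUBDOMAIN = AuthResults("billing.example.com", None, "example.com")

if __name__ == "__main__":
    for name, msg in [("genuine", GENUINE), ("spoofed", SPOOFED), ("subdomain", SUBDOMAIN)]:
        for label, rec in [("p=reject", ENFORCING_RECORD), ("p=none", MONITOR_RECORD)]:
            print(f"{name:10s} {label:8s} -> {evaluate(rec, msg)['disposition']}")
```

The `SPOOFED` case is the one DMARC exists for: SPF passed, but for the sender's own domain, not the one shown to the user, so under `p=reject` the message is rejected while under `p=none` it is still delivered and merely reported.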

While DMARC gives companies protection against phishing, brand misuse, and BEC, it's difficult to implement across companies. "As someone who tried to do it with a team of smart IT people, it is an undertaking, I'll tell you that," says Blankenship. "We actually failed — we gave up after a couple of weeks."

Forrester recommends that companies work with their email infrastructure provider to set it up and consider bringing in a consultant.

While the complexity may scare off small firms, organizations that use the large email providers will likely have a managed offering that walks them through the process, he says.

"Two of the biggest providers of email services, Microsoft and Google, have a lot of email security capabilities built in," he says. "So any small firm should be taking full advantage of all the email filtering that is available to them from their email infrastructure provider."

While the use of DMARC is growing — tripling in 2019 — less than 10% of companies use it in most industries. Because of a US government mandate, however, almost every US federal agency uses the technology.

In addition, getting the full security benefits of the technology takes time. Administrators of an organization's email can select one of three policies for messages that fail verification: deliver the messages anyway, quarantine them, or reject them. In 2019, 71% of companies failed to enforce strict rules, taking no action and allowing the messages to be delivered, according to data from DMARC.org.
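Moving from the monitoring policy to quarantine or reject is usually decided from the aggregate reports that receivers mail to the address in a domain's `rua=` tag. As an added example (not code from Dark Reading or any vendor), the block below summarizes one such report: how much mail passed, how much failed, which source IPs sent the failures, and whether the published policy is actually enforcing. The embedded report is constructed for the example and follows the aggregate-report schema from RFC 7489, Appendix C.

```python
"""Added example: summarize a DMARC aggregate (RUA) report.
Not Dark Reading's or any vendor's code; the report below is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict

# Constructed aggregate report: one legitimate source and one unauthenticated
# source, both using example.com in the From header, with the domain at p=none.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1603756800</begin><end>1603843199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def summarize_report(xml_text: str) -> Dict[str, object]:
    """Roll up one aggregate report into pass/fail counts per source IP."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    totals: Counter = Counter()
    failing_sources: Counter = Counter()
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        source_ip = rec.findtext("row/source_ip")
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either does
        passed = (evaluated.findtext("dkim") == "pass"
                  or evaluated.findtext("spf") == "pass")
        totals["total"] += count
        if passed:
            totals["passed"] += count
        else:
            totals["failed"] += count
            failing_sources[source_ip] += count
    return {
        "domain": domain,
        "policy": policy,
        "enforcing": policy in ("quarantine", "reject"),
        "total": totals["total"],
        "passed": totals["passed"],
        "failed": totals["failed"],
        "failing_sources": dict(failing_sources),
    }


def next_step(summary: Dict[str, object]) -> str:
    """Plain-language reading of the summary for the domain's administrator."""
    if summary["enforcing"]:
        return "policy is enforcing; failures are being quarantined or rejected"
    if summary["failed"] == 0:
        return "all mail aligned; the domain is ready to move beyond p=none"
    return ("p=none is delivering %d unauthenticated messages; identify each failing "
            "source as a forgotten legitimate sender or as abuse before enforcing"
            % summary["failed"])


if __name__ == "__main__":
    result = summarize_report(SAMPLE_REPORT)
    print(result)
    print(next_step(result))
```

In the constructed report, 35 of 155 messages fail alignment and come from a single address that passed SPF only for its own domain; because the domain publishes `p=none`, every one of them was delivered, which is exactly the gap the 71% figure above describes.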

"Phishing is implicated in more than 90% of all cyberattacks, and the vast majority of phishing emails leverage impersonation," Alexander García-Tobar, CEO and co-founder of email security firm Valimail, said in a statement. "This is only possible due to email's lack of robust sender identity validation. The sharp rise in DMARC records worldwide is promising, but the low rate of enforcement indicates there is a long way to go in establishing real trust in one of the world's most common forms of communication."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...