Business email compromise (BEC) is the most expensive form of online fraud encountered every year, with international losses in excess of $26 billion over the past three years, according to the FBI. Despite that, email security measures that could stop the messages impersonating business executives remain underdeployed, experts say.
The key technology, known as Domain-based Message Authentication, Reporting, and Conformance, or DMARC, significantly reduces attackers' abilities to spoof targeted domains and business executives by validating the path from the sending server to the receiver's inbox. In addition, the technology gives an organization's email administrator visibility into how their domain is being abused in emails.
Given the recent move of many companies to remote work during the coronavirus pandemic, validating email messages is even more important, says Joseph Blankenship, vice president of research for cybersecurity at Forrester Research.
"We designed email to trust by its very nature," he says. "To keep it secure, we need a multilayered approach that makes sure any anti-phishing defense is using multiple methods to verify email senders."
Every year, attackers use impersonation in phishing attacks to harvest user credentials as well as in BEC schemes where they send fake invoices from vendors or requests for payment from purported company executives to a target's accounting department. In 2019, the FBI received nearly 24,000 complaints of BEC fraud totaling $1.8 billion in losses, according to the annual Internet Crime Complaint Center report.
A triad of email security technologies are designed to hobble attackers' attempts to impersonate legitimate organizations. Sender Policy Framework (SPF) adds the legitimate mail servers into the authoritative DNS record for a domain. The Domain Keys Identified Mail (DKIM) technology signs email messages to confirm the messages have not been changed. Finally, DMARC checks that a message's From address matches the information verified by SPF and DKIM. In addition, DMARC produces aggregate reports on the email traffic sent from an administrator's domain.
While DMARC gives companies protection against phishing, brand misuse, and BEC, it's difficult to implement across companies. "As someone who tried to do it with a team of smart IT people, it is an undertaking, I'll tell you that," says Blankenship. "We actually failed — we gave up after a couple of weeks."
Forrester recommends that companies work with their email infrastructure provider to set it up and consider bringing in a consultant.
While the complexity may scare off small firms, organizations that use the large email providers will likely have a managed offering that walks them through the process, he says.
"Two of the biggest providers of email services, Microsoft and Google, have a lot of email security capabilities built in," he says. "So any small firm should be taking full advantage of all the email filtering that is available to them from their email infrastructure provider."
While the use of DMARC is growing — tripling in 2019 — less than 10% of companies use it in most industries. Because of a US government mandate, however, almost every US federal agency uses the technology.
In addition, getting the full security benefits of the technology takes time. Administrators of an organization's email can select three different polices for messages that fail verification: Complete delivery of the messages, quarantine the messages, or reject the messages. In 2019, 71% of companies failed to enforce strict rules, taking no action and allowing the message to be delivered, according to data from DMARC.org.
"Phishing is implicated in more than 90% of all cyberattacks, and the vast majority of phishing emails leverage impersonation," Alexander García-Tobar, CEO and co-founder of email security firm Valimail, said in a statement. "This is only possible due to email's lack of robust sender identity validation. The sharp rise in DMARC records worldwide is promising, but the low rate of enforcement indicates there is a long way to go in establishing real trust in one of the world's most common forms of communication."
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio