How Return Path Helped a Financial Services Giant Block 96% of Suspicious Messages

Posted by Brian Westnedge 

Too often, brands lack visibility into the widespread phishing attacks plaguing their email program. As a result, they must rely on a small volume of customer abuse reports to identify attacks.

This reactive approach can wreak havoc on brand reputation and revenue. In 2012, a global financial services leader was experiencing these dangerous consequences and needed help—fast.

The threat
Cybercriminals were launching aggressive phishing and malware email attacks from legitimate sending domains, tricking customers into giving up email addresses and passwords. But this organization had little visibility into the size and scale of these attacks. The only malicious behavior they could detect was the number of suspicious emails reported directly by customers, and they knew full well that most customers will not take the time, or do not know how, to report phishing or spoofing attacks, let alone include the header data that helps forensic investigations.

Blocking bad email before it hits the inbox
The first thing Return Path did to support this organization was implement the email authentication specification DMARC (Domain-based Message Authentication, Reporting & Conformance).

DMARC ensures that legitimate email is properly authenticating against established DKIM and SPF standards, and that fraudulent activity appearing to come from domains under the organization’s control (active email domains, non-sending domains, and defensively registered domains) is blocked.

In partnership with the world’s largest consumer mailbox providers, Return Path interprets regular DMARC authentication reports for its customers to reveal what email is authenticating correctly, what email is not, and why (i.e., whether it is a legitimate message or a malicious one).
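As an added illustration (not Return Path's code and not part of the original post), the sketch below reads one DMARC aggregate report in the RFC 7489 XML layout and separates traffic that passed DMARC from the sources that failed it. The sample report, its documentation IP addresses and the `summarize` function name are constructed for this example, and the report is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def _record(ip, count, disposition, dkim, spf):
    """Build one constructed <record> element in the RFC 7489 layout."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>{disposition}</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers>"
            "</record>")

# Constructed sample data (documentation address ranges), not a real report.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain>"
    "<p>reject</p></policy_published>"
    + _record("192.0.2.10", 1200, "none", "pass", "pass")      # own mail servers
    + _record("198.51.100.7", 300, "none", "fail", "pass")     # SPF-only sender
    + _record("203.0.113.55", 5000, "reject", "fail", "fail")  # unauthenticated
    + _record("203.0.113.80", 40, "reject", "fail", "fail")    # unauthenticated
    + "</feedback>"
)

def summarize(report_xml):
    """Split message counts into DMARC pass and fail, listing failing sources."""
    root = ET.fromstring(report_xml)
    passed = 0
    failing = Counter()       # source IP -> messages that failed DMARC
    dispositions = Counter()  # what receivers did with the failing mail
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes; the
        # policy_evaluated fields already carry the alignment result.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            passed += count
        else:
            failing[row.findtext("source_ip")] += count
            dispositions[evaluated.findtext("disposition")] += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "passed": passed,
        "failed": sum(failing.values()),
        "failing_sources": failing.most_common(),  # highest volume first
        "dispositions": dict(dispositions),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

A failing source is not automatically malicious: a legitimate sender that has not yet been set up for SPF or DKIM shows up in the same list, which is why the failing sources are reviewed before a reject policy is published.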

Thanks to Return Path, this financial company gained full visibility into its email ecosystem, and can now block email attacks purporting to be from their domains before they reach the inbox.

Beyond DMARC
While a DMARC policy is effective at blocking attacks from domains owned by the organization, it cannot help prevent attacks coming from “cousin” domains that are not owned by the organization. Up to 70% of all phishing attacks leverage cousin domains, and after implementing DMARC, this organization realized they were not immune.

Return Path’s data detected malicious URLs in email campaigns that used misspellings of the brand’s domain name, and spoofed the brand in the Display Name field (which is easy to forge and highly effective). Return Path notified the brand’s takedown vendor in real time, ensuring malicious landing pages were deactivated before they could do significant harm.

No matter how sophisticated email authentication protocols become, the reality is, some fraudulent email will still reach the inbox. Brands need to prepare for that reality if they haven’t already.

The results

  • After implementing a DMARC reject policy, this organization successfully blocked millions of phishing emails sent over a two-day attack period.
  • Today, all of the organization’s main sending domains deploy a DMARC reject policy with 99% of its active sending traffic now protected.
  • The company now has true visibility into cousin domain trends, allowing them to protect their customers and their brand outside of DMARC.
  • With Return Path, the percent of suspicious messages that this company blocked grew from 13% to 96%, a 600% increase and a major benefit for its customers, who can now trust that the messages they receive in their inbox from the brand’s domains are legitimate.

Check out more stories of how Return Path helps the world’s leading companies fight email fraud on our customer success page.

About Brian Westnedge

Brian is Senior Director of Client Services for Email Fraud Protection at Return Path, where his team supports our customers with strategy and implementation to keep malicious mail out of the inbox while protecting legitimate mail. He has been with Return Path for 12 years and has spent a majority of that time fighting email fraud and abuse and advocating on behalf of brands and consumers around the world. Connect with Brian @bwestnedge on Twitter.