Hook, Line, & Sinker: Protecting Data Against Malicious Phishing Attacks
IT security stories are becoming more and more prevalent in the news. We are seeing hacking, data theft and the importance of data protection crowding the news agenda daily. Email marketing remains one of the most valuable internet services; however, it is extremely vulnerable and therefore prone to malicious attacks. These attacks, which seek to obtain sensitive data, can cause major damage to companies, including fraud losses, call centre costs, remediation costs and ultimately brand degradation and the loss of customers. One of the most common web-borne attacks is phishing; as many as 55% of companies in the UK and US have been a victim of a phishing attack. Return Path has outlined some guidelines and best practices to help protect organisations and their customers from falling victim to these scams.
The first misconception businesses and individuals have is that phishing emails are always easy to spot because of poor spelling or mistakes in the mail. This may be the case when phishers send out obvious scam emails to test out basic vulnerabilities in subscribers, but the majority of the time phishing emails are highly accurate, complex and sophisticated and, as a result, convincing. From the branding design and tone of language down to the small print, phishing emails are built and rendered to look as legitimate as possible in order to trap people. Therefore the solutions businesses use need to be holistic and as accurate and sophisticated as the email threats. Businesses should focus on multi-layered solutions that eliminate the problem where possible and reduce the impact of an attack as quickly as possible.
What can businesses do to protect their brand and customers?
- Email authentication and governance: This is the first line of defence against any phishing attack. Authenticating all your outbound email with DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) is the only way to validate your sending identity and assure ISPs that they can block non-authenticated mail. This standard authentication is critical in providing more than enough proof to mailbox providers that your email is legitimate, as anti-spam filters don’t always get it right. We have seen obvious phishing attacks bypass ISP filters; in one case, less than 7% of fraudulent messages were caught.
- Implement DMARC: DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy specification that informs receiving ISPs what to do with email that doesn’t pass authentication. By publishing a DMARC policy for your sending domain, you indicate to receivers that your messages are protected by DKIM and SPF. With DMARC the guesswork is removed, and it eliminates the impact of phishing.
- Pre-emptive prevention: Establish and enforce blocking policies at major mailbox providers to prevent phishing attempts before they even reach customers. By adding your sending domains to an authentication registry, mailbox providers can block all unauthenticated mail attempting to leverage your domain.
- Proactively protect: Proactively monitor your outbound mail streams to ensure complete visibility of threats. DMARC provides companies with reports on every email that does not pass authentication by mailbox providers, creating a clear overview of messages sent from your company domain which may be fraudulent. Use secure domain software to set up real time alerts to immediately learn about any suspicious messages in your outbound mail streams. The quicker an attack can be identified the better. The most crucial time in a phishing attack is the first few hours when people are more likely to respond.
- Educate: Businesses should publish advice and guidelines that cover how they will communicate with their customers, for example, highlighting that account information is never asked for via email.
- Prepare: Have a plan in place to handle phishing messages that spoof your domain. This may include:
  - Establishing a “rapid response team” with clearly delineated responsibilities for handling the aftermath of an attack
  - Creating template external and internal communications to customers and employees that can be quickly tailored to the specifics of the attack and distributed
  - Working with a takedown vendor to ensure that all phishing sites related to the attack are dismantled
  - Notifying your customers that your brand is being phished and what to look out for, and notifying local and governmental authorities (or the applicable legal organisation) of the crime
  - Joining a trusted sender registry, which allows ISPs to block unauthenticated messages that use your domain
- Align marketing and IT security teams: Marketing and IT teams can and should work together to help better protect the company and its customers from phishing scams and attacks. IT security teams have insight into traffic and activity monitoring, as well as keeping up to date on any scams or threats that pose a concern to the business. As marketing teams build the email campaigns, they are fully aware of the legitimate emails and which customers they are engaging with. In addition, they have an overview of all email domains used by the company and would therefore be able to quickly identify which domains have been hijacked in an attack. With both teams working together, businesses will be better equipped to plan for, identify and respond to the increasingly diverse and complex threats that we see today, through sharing insight, knowledge and expertise.
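To make the DKIM, SPF and DMARC relationship in the list above concrete, here is an added example (not Return Path's code or any product's) that parses a DMARC TXT record and evaluates a message against it the way a receiving mailbox provider does: a message passes only if SPF or DKIM passes *and* the authenticated domain aligns with the visible From domain; otherwise the published policy (`none`, `quarantine`, `reject`) applies. The record, domains and authentication results are constructed for illustration, and the organizational-domain helper is a simplification of what real receivers do with the Public Suffix List.

```python
# Added example: DMARC record parsing and policy evaluation (constructed data).

def organizational_domain(domain: str) -> str:
    """Simplified org-domain: last two labels (real receivers use the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc(txt: str) -> dict:
    """Parse a 'tag=value; ...' DMARC TXT record, filling in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # DKIM alignment mode: r = relaxed, s = strict
    tags.setdefault("aspf", "r")    # SPF alignment mode
    tags.setdefault("pct", "100")   # share of failing mail the policy applies to
    return tags

def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed allows the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return organizational_domain(identifier) == organizational_domain(from_domain)

def evaluate(record: dict, from_domain: str, spf_pass: bool, spf_domain: str,
             dkim_pass: bool, dkim_d: str) -> str:
    """Return 'pass', or the policy action the receiver should take on failure."""
    spf_ok = spf_pass and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return record.get("p", "none")

# Constructed record for a hypothetical brand domain: strict DKIM, relaxed SPF, reject policy.
RECORD = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s")

if __name__ == "__main__":
    # A spoof that passes SPF for the attacker's own domain is still unaligned, so it is rejected.
    print(evaluate(RECORD, "example.com", True, "attacker.example", False, ""))
```

The `rua` address in the record is where mailbox providers send the aggregate reports the "Proactively protect" point refers to, so every message that ends up in the `reject` branch here also shows up in those reports.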
Phishing attacks that steal information are one of the biggest threats to maintaining consumer trust today. Through using the right technology and data, businesses can effectively combat increasingly sophisticated attacks. By gaining a holistic overview of outbound mail streams and using data intelligence, businesses can identify phishing threats and take action against them swiftly before they have had a chance to make a serious impact.
About Robert Holmes
Robert Holmes is General Manager, Email Fraud Protection at Return Path. Rob has been in the brand & fraud protection industry for 15 years, helping major corporations understand, quantify and manage risk across digital channels. Having previously held global roles running the product teams at Corporation Service Company and Melbourne IT's Digital Brand Services, Rob is a frequent speaker at major security events, including RSA Conference, Gartner Security & Risk Management Summit, FS-ISAC, and the global eCrime series. Rob has an MA (Hons) degree in Philosophy, Politics & Economics from the University of Oxford.