The Fraudster’s Favorite Phishing Tactic

Posted by Ash Valeski on

Deception is the essential ingredient in any successful phishing attack. And cybercriminals go to great lengths to create it, jeopardizing the brand reputation and revenue of companies they spoof.

In defense, many brands are now implementing email authentication standards like DMARC (Domain-based Message Authentication, Reporting and Conformance). With DMARC, attacks that spoof legitimate sending domains are blocked before they ever reach consumer inboxes.

But fraudsters are finding creative ways to evade email authentication. Their favorite way to do it? Spoofing the Display Name of legitimate brands.

Return Path analyzed more than 760,000 email threats targeting 40 of the world’s largest brands and found that nearly half of all email threats spoofed the brand in the Display Name.

Here’s how it works. If a fraudster wanted to spoof the hypothetical brand “My Bank,” the email may look something like:

[Screenshot: example of the spoofed email]

Since My Bank doesn’t own the domain “secure.com,” DMARC will not block this email on My Bank’s behalf, even if My Bank has set their DMARC policy for mybank.com to reject messages that fail to authenticate.

This fraudulent email, once delivered, may appear legitimate because most user inboxes only present the Display Name.

Since the Display Name is only one element of the Header From: field, we wanted to dig a little deeper to see if and how cybercriminals spoofed the sending email address following the Display Name.

We analyzed both the Email Name (to the left of the @) and the Email Domain (to the right of the @) and discovered that nearly 30% of threats spoofed the brand in the email address. Of those threats, more than two thirds focused on spoofing the Email Domain alone:

[Chart: breakdown of threats that spoofed the brand in the email address, by Email Name and Email Domain]

When we looked at the union of Display Names and email addresses, we discovered the following spoofing behaviors in relation to the Header From field:

[Chart: spoofing behaviors in the Header From field across Display Names and email addresses]

In the majority (62.69%) of email threats, fraudsters spoof elements of the Header From field, the most popular being the Display Name field, for which there is currently no authentication.
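The check that DMARC leaves undone can be approximated on the receiving side. The following Python classifier is an added example, not Return Path's code: it splits the Header From field into Display Name, Email Name and Email Domain and reports which of them name a protected brand while the sending domain is not one the brand owns. The `BRANDS` inventory is a hypothetical assumption and the sample headers are constructed.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: hypothetical inventory mapping a brand token to the domains it owns.
# "My Bank" / mybank.com are the article's example brand.
BRANDS = {"mybank": {"mybank.com"}}

def _norm(text):
    """Lowercase and keep only letters/digits, so 'My-Bank' matches 'mybank'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def classify_from(header_from, brands=BRANDS):
    """List the Header From elements that name a brand on a domain it does not own."""
    display, addr = parseaddr(header_from)
    # Decode RFC 2047 encoded-words so an encoded Display Name cannot hide the brand.
    display = str(make_header(decode_header(display)))
    local, _, domain = addr.lower().rpartition("@")
    findings = []
    for token, owned in brands.items():
        if domain in owned or any(domain.endswith("." + d) for d in owned):
            continue  # the brand's own domain: the case DMARC already covers
        if token in _norm(display):
            findings.append("display_name")
        if token in _norm(local):
            findings.append("email_name")
        if token in _norm(domain):
            findings.append("email_domain")
    return findings

# Constructed sample headers, not taken from the report's data set.
SAMPLES = [
    '"My Bank" <alerts@secure.com>',
    'My Bank <mybank@secure.com>',
    'Customer Service <service@mybank-secure.com>',
    '"My Bank" <alerts@mybank.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_from(header) or ["no brand spoofing"], header)
```

Substring matching on a normalized brand token is a deliberate simplification; a production filter would also need homoglyph and typo-distance handling.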

Current email authentication solutions, while critical, clearly do not suffice on their own. Fraudsters like to mix and match tactics to reach their victims. That’s why visibility into all threats targeting your brand and your customers is critical.

Want to learn about the other tactics fraudsters use to cheat email authentication? Check out The Email Threat Intelligence Report.



About Ash Valeski

As a Senior Product Manager for Return Path’s Email Fraud Protection group, Ash is responsible for the product road map, strategy, and execution of a SaaS product used by global brands to protect their customers from email fraud. He has more than 15 years of experience in product management, marketing, and business development working at companies like Microsoft, Skype, and Tellme Networks.
