Email spoofing, a tactic used by cybercriminals to impersonate your brand by using your exact domain to send emails, is on the rise as email is the top threat vector facing organizations today. And unfortunately, it’s almost impossible to spot an exact domain attack, as phishing emails can appear indistinguishable from legitimate ones. DMARC is a protocol that informs you and receiving email servers if a bad actor is using your company’s domain to send malicious emails without your permission. Implementing this solution can stop email spoofing of your own domains.
Recently, a client of ours let us know that one of their customers had received an email with a past-due invoice that appeared to be from our client. In the string of emails back and forth, “our client” requested that the invoice be paid with a wire transfer and provided updated banking information for payment.
Without hesitation, their customer wired $85,000 to the specified bank account. But here is the kicker. Our client never actually sent any emails to their customer requesting payment, or to change banking information. Not only that, but they also had no clue that cybercriminals were sending emails impersonating their domain. Had their customer had administrative controls in place to verify the legitimacy of the emails, they wouldn’t be out tens of thousands of dollars.
Our investigation into the incident revealed that our client’s email or systems had not been compromised. In all likelihood, it was their customer who was the victim of a social engineering attack using spoofed email, which resulted in them being swindled out of a large sum of cash. They were undoubtedly a victim of a very common email scam. But our client was also a victim of what is known as brand impersonation.
Brand impersonation can come in the form of a spoofed email, a lookalike web domain or a copycat social media account. According to a report by Mimecast, impersonation attacks during the beginning of the pandemic increased by 30.3% in the first four months of 2020 alone.
What is Email Spoofing?
Email spoofing is when cybercriminals send emails with a forged sender address. The emails look legitimate and appear to be from someone you’re familiar with and trust – like a vendor – or perhaps your company’s CEO. Email spoofing is a tool used in phishing attacks that are designed to steal sensitive information, take over your online accounts, deliver malware or steal funds. These attacks rely on human error to successfully defraud their victims. Email spoofing is fairly simple to set up and execute and requires almost no technical know-how. A hacker doesn’t even have to hack your email account to send spoofed emails from your domain.
Differentiating between legitimate emails and fake ones can be a challenge for victims. They often look exactly like a legitimate email and unless the email header is scrutinized, there’s usually no other clue that it could be an imposter.
On the flip side, most companies are completely unaware that their domain is being used to send emails to unsuspecting victims. Unless your IT partner is actively hunting for threat actors outside of your network and systems, you will have no clue that you are being impersonated by cybercriminals to your customers, partners or supply chain.
DMARC Adds Another Layer of Security
To protect themselves from exact domain attacks, organizations should implement Domain-based Message Authentication, Reporting & Conformance (DMARC) policies. DMARC is an email validation protocol that lets domain owners see when their domain is being used for email spoofing, phishing scams or other cybercrimes. It also authenticates legitimate mail sent from the domain. With the skyrocketing threat of email spoofing and brand impersonation, simple email security controls and user training alone are not enough. DMARC must be a component of your layered security.
How does DMARC stop email spoofing?
Without getting too technical, DMARC works with two other email security protocols – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF and DKIM are also email authentication techniques, but hackers can easily bypass these security measures. DMARC creates a link between SPF and DKIM by authenticating the visible From domain (the sender address shown in an email client) and requiring that it match, or “align” with, either the SPF-authenticated domain or the DKIM signing domain. It then instructs the receiving email servers to send a report that shows who is sending emails on a company’s behalf. Those could be legitimate sources such as a CRM tool or maybe an email marketing provider like Mailchimp. But these DMARC reports can also reveal any potential spoofing activity.
Once SPF and DKIM are properly configured and aligned with the sending domain, DMARC policies can be applied that tell receiving email servers (and your own email gateway—DMARC checks are enabled by default in M365 and Google Workspace) to reject malicious emails so they never land in a victim’s inbox. Using our partner Red Sift’s OnDMARC solution, it usually takes about eight weeks to monitor reports and authenticate all legitimate email to the point that unauthenticated emails can begin to be rejected by receiving servers, which is called DMARC enforcement. To see a live demonstration of how DMARC works, watch this short video.
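As an added illustration (not code from the original post, nor from Red Sift’s OnDMARC), the following Python sketch shows the alignment logic described above: it parses a DMARC TXT record, checks whether the SPF-authenticated domain or the DKIM signing domain aligns with the visible From domain, and returns the disposition the receiving server should apply. All domain names are constructed, and the organizational-domain check is simplified to the last two labels instead of the Public Suffix List.

```python
"""Evaluate DMARC for one message: parse the _dmarc TXT record, check
identifier alignment of SPF/DKIM against the visible From domain, and
decide how the receiving server should treat the message."""


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC record such as 'v=DMARC1; p=reject; rua=...' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain (simplification: last two labels; real
    receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r', the
    default) accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str, spf_domain: str,
                      spf_pass: bool, dkim_domain: str, dkim_pass: bool) -> str:
    """Return 'pass' if either SPF or DKIM passed AND aligns with the From
    domain; otherwise apply the published policy (p=none only monitors)."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]


if __name__ == "__main__":
    # Constructed spoof: From example.com, but SPF passed for the attacker's own domain.
    spoof = ("example.com", "bulk-sender.example", True, "", False)
    print(dmarc_disposition("v=DMARC1; p=none", *spoof))    # deliver (monitoring only)
    print(dmarc_disposition("v=DMARC1; p=reject", *spoof))  # reject (enforcement)
    # Constructed legitimate mail via a marketing provider: unaligned SPF, aligned DKIM.
    print(dmarc_disposition("v=DMARC1; p=reject", "example.com",
                            "mail.provider.example", True, "example.com", True))  # pass
```

The first two calls show why the monitoring phase (p=none) does not stop the invoice fraud described above; only after moving to p=reject does the spoofed message get blocked.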
Benefits of DMARC
With more than 90% of all cyberattacks originating from email, it’s wise to consider protecting this crucial part of your business. DMARC is not a magic bullet, but rather it is one component of a layered security stack. When properly applied and configured, it can:
- Tell email servers how to handle unauthorized use of your domain
- Fight against spoofing, phishing and email compromises
- Provide visibility into who is sending emails using your domain
- Improve deliverability of your emails and keep them from being marked as spam
- Protect your company’s reputation
While organizations that are victims of email spoofing may not have done anything wrong, or even be aware that their domain is being used to target their clients, many governments and regulators have begun requiring that businesses safeguard their customers against phishing attacks. Organizations that haven’t taken appropriate measures could find themselves in hot water.
If you would like more information on how DMARC and MIS Solutions can protect your business from cybersecurity threats, contact us at 678-745-5109.