Being Careful About Links Is Not Enough
According to the Anti-Phishing Working Group’s Q3 2016 report (.pdf), there are over 100,000 unique phishing sites active every month. And, as Wired reported this week, thousands of people fall for them — even the tech nerds who ought to know better.
Wired responds with some good advice, which we can boil down like this:
- Think twice before clicking on a link in email. Trust your gut — if it looks fishy somehow, it’s probably phishy too.
- Scrutinize the source. Examine the email address closely. Ask yourself “Would my Mom really send me this email?” And again, trust your gut.
- Take basic security precautions. Set up two-factor authentication, use a password manager, and back up your data.
Wired adds that training works: “when people do consistent anti-phishing training — say, once a month — they are better at avoiding phishing links than when they haven’t had lesson in a few months.”
All fine advice, as far as it goes. But if phishing is one of the leading tools used by hackers to gain entry into networks (it is), causing up to $70 billion a year in losses — “trust your gut” is not a comprehensive solution.
What’s more, German researchers last year found that even people who had been trained to recognize phishing scams were still easy to fool. Just send them a message that appears to contain links to photos from an exciting party the night before.
In fact, we would argue that any solution that requires ordinary users to scrutinize the headers of email messages they receive is doomed to fail. People are just trying to take care of their email, get some work done, and get on with their days.
That’s why email authentication through DMARC is growing exponentially. Companies see its value in protecting their employees and their brands against phishing attacks. Over 80,000 organizations are now publishing DMARC records, and the vast majority of consumer email providers are checking DMARC records for incoming messages.
What that means: For a company that has published a DMARC record and set it to enforcement mode (p=reject or p=quarantine), phishers that use a company’s domain name in the From: field will have their bogus emails rejected by all DMARC-compliant email receivers. Today, that includes Gmail, AOL Mail, Microsoft Hotmail and Live.com mail, Yahoo Mail, and more — over 2.7 billion mailboxes — as well as email gateways from many companies including Proofpoint, Cisco, and Symantec. Emails from all senders who are not authorized to use that domain will be rejected outright or quarantined into the recipients’ spam boxes.
Also, for companies that haven’t published DMARC records, email service providers may start to diminish the deliverability of their email or add warning signs to all incoming messages that appear to come from that domain. For instance, Gmail adds a question mark in place of the sender’s avatar when it’s presenting an email from a domain that lacks authentication.
So yes, training users to avoid clicking on suspicious links is a good idea. You should be especially cautious about links in inbound emails if you are dealing with companies or senders who aren’t authenticating their emails. But the long-term solution is not training alone: It’s fixing email so that authentication is something that everyone does and is simply taken for granted. Fortunately, thanks to open standards like DMARC, that is absolutely possible. We just need more companies to adopt DMARC and get it set to enforcement mode.