$12.5 Billion: The Cost of Email Impersonation (And That’s Just the Tip of the Iceberg)

The costs of email impersonation and BEC

Email impersonation is in the news again.

On Friday, the news hit that the Department of Justice had indicted 12 Russians on counts of attempting to interfere with the 2016 election in the U.S. At least one of the indicted is accused of using spear-phishing techniques to gain entry to the Democratic National Committee.

It was well known that phishing played a key role in the DNC breaches in 2016, but additional details have come out this week. One key aspect worth noting: These spear-phishing attacks specifically use impersonation to engender trust in the recipient. (Impersonation means making an email message look like it comes from somewhere other than its true origin.)

Then, in an unrelated development on Monday, the FBI announced that companies globally have lost $12.5 billion due to business email compromise (BEC). This is a type of scam that usually involves email-based impersonation to fool the recipient into wiring company funds into the attacker’s account. The FBI’s $12.5B total covers October 2013 to May 2018.

Previously, the FBI had estimated that companies lost $5.3B due to BEC in the 39 months from October 2013 to December 2016. The new figures tell us that another $7.2B has been lost in just 17 months, from January 2017 to May 2018.

That's a serious jump — from an average of $136 million per month to $424 million per month.

BEC and election hacking: Two serious threats that are having a significant impact on the world today. And both rely on impersonation.

What BEC and Election Hacking Have In Common

It was almost inevitable that we would reach this point, given the way email’s fundamental standards work. In short, there is no authentication built into email.

Without authentication, anyone can put whatever email address they want in the From: address field, and in most cases, their email will be delivered just like that.

Unlike on Twitter, there are no “verified accounts” with a blue check mark to tell you that the person sending you a message really is who they appear to be.  

The first attempts to remedy this situation, SPF and DKIM, while widely used, are only partial solutions. Phishers can still impersonate a domain, even when that domain properly validates its messages with SPF and DKIM. That’s because these two standards are tied to fields that most human readers of email messages never see. In the case of SPF, that’s the Return-Path (envelope) of the message; in the case of DKIM, it’s the DKIM domain and selector specified in the DKIM-Signature field. In both cases, an attacker can easily “validate” a message using domains that do authenticate the hidden fields (badactor.com or phisher.com in the example below) while putting a deceptive address in the From field, which is never actually authenticated (example.com below).

[Figure: Email impersonation is easy when email headers don't align]

However, there is now a way to stop this kind of impersonation, definitively. DMARC requires a message to pass either SPF or DKIM (or both), and it ensures alignment with the From field shown to the end user. What that means: For an SPF-validated message, the domain in the Return-Path and the domain in the From field need to match. For a DKIM-signed message, the domain in the DKIM-Signature and the domain in the From field need to match.

[Figure: DMARC alignment means email headers have matching domains]
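The alignment rule described above, as an added example (not Valimail's code and not part of the original article): a Python sketch that compares the Return-Path and DKIM d= domains with the From domain for two constructed messages. It assumes the SPF and DKIM checks themselves already passed and approximates the organizational domain as the last two labels; the helper names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: hidden fields authenticate attacker domains, From shows example.com.
SPOOFED = """\
Return-Path: <bounce@badactor.com>
DKIM-Signature: v=1; a=rsa-sha256; d=phisher.com; s=sel1; bh=CONSTRUCTED; b=CONSTRUCTED
From: "Example Billing" <billing@example.com>
Subject: constructed sample

body
"""
# Constructed sample: the same visible From, with hidden fields on the owner's domain.
LEGIT = SPOOFED.replace("badactor.com", "mail.example.com").replace("phisher.com", "example.com")

def domain_of(address):
    """Lowercased domain of 'Name <user@host>', or '' if there is none."""
    _, sep, dom = parseaddr(address)[1].rpartition("@")
    return dom.lower() if sep else ""

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.split(".")[-2:])

def dkim_domain(msg):
    """Value of the d= tag in the DKIM-Signature header, or ''."""
    m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else ""

def dmarc_alignment(raw, spf_pass=True, dkim_pass=True):
    """Relaxed-mode alignment check; spf_pass/dkim_pass are the results of the
    SPF and DKIM checks themselves, which this sketch does not perform."""
    msg = message_from_string(raw)
    from_dom = org_domain(domain_of(msg.get("From", "")))
    spf_dom = org_domain(domain_of(msg.get("Return-Path", "")))
    dkim_dom = org_domain(dkim_domain(msg))
    spf_ok = bool(from_dom) and spf_pass and spf_dom == from_dom
    dkim_ok = bool(from_dom) and dkim_pass and dkim_dom == from_dom
    return {"from": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, dmarc_alignment(raw))
```

The spoofed message passes SPF and DKIM on the attacker's own domains yet fails DMARC, because neither hidden domain aligns with example.com in the From field.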

Same-Domain Impersonation — And Other Types

DMARC is incredibly effective at stopping same-domain impersonation for the simple reason that most email gateways and ISPs enforce DMARC (provided that the owner of the domain shown in the From field of an incoming message has set a DMARC policy). Seventy-five percent of the world’s inboxes (and 100 percent of major U.S. mail providers, including Gmail, Oath, Yahoo, Microsoft, and more) enforce DMARC, our research has shown.

And we know from other published research that same-domain impersonation is the largest single type of email impersonation. It’s the primary kind of impersonation used in BEC attacks, and it appears to be what was used in the 2016 election hacking incidents.

However, there are other types of impersonation. Sometimes an attacker will put a deceptive name, or even an email address, in the “Friendly From” field, while using a throwaway address for the underlying From field. Since many mail clients — especially mobile clients — only show the Friendly From, that is often sufficiently deceptive to get recipients to click.

In other cases, attackers will go to the trouble of registering a domain name that resembles the one they want to impersonate, but which differs very slightly: For instance, they might register a domain using Unicode characters that look similar to the actual domain’s letters (examp𝗅e.com instead of example.com — that’s Unicode character U+1D5C5 in the sixth position there instead of a lowercase “L”). Or they might register a domain that leaves out a letter (exmple.com).
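A minimal inbound check for the Friendly-From and lookalike-domain cases just described, added here as an illustration (not Valimail Defend and not code from the original article). The protected-domain list, function names and sample headers are assumptions; Unicode folding uses NFKC, which handles U+1D5C5 but not every confusable character.

```python
import re
import unicodedata
from email.utils import parseaddr

PROTECTED = {"example.com"}  # assumption: the domains being defended

def skeleton(domain):
    # NFKC folds compatibility characters such as U+1D5C5 to a plain 'l'.
    # It does not cover cross-script homoglyphs (e.g. Cyrillic letters).
    return unicodedata.normalize("NFKC", domain).lower()

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_from(header):
    """Return a sorted list of impersonation findings for one From header."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    findings = set()
    # Friendly From: the display name shows an address on a different domain.
    shown = re.search(r'[^\s<>"@]+@([^\s<>"@]+)', name)
    if shown and skeleton(shown.group(1)) != skeleton(domain):
        findings.add("friendly-from-mismatch")
    if domain not in PROTECTED:
        folded = skeleton(domain)
        if folded in PROTECTED:
            findings.add("unicode-lookalike")
        elif any(edit_distance(folded, p) <= 1 for p in PROTECTED):
            findings.add("near-miss-domain")
    return sorted(findings)

# Constructed sample headers; "\U0001d5c5" is the lookalike character from the text.
SAMPLES = [
    "Billing <billing@example.com>",
    "Billing <billing@examp\U0001d5c5e.com>",
    "Billing <billing@exmple.com>",
    '"ceo@example.com" <x7@throwaway.test>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(ascii(header), inspect_from(header))
```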

DMARC alone can’t protect against these Friendly-From and lookalike-domain attacks, which is why Valimail created Valimail Defend, providing enterprises with complete protection against these attacks.

How to Stop BEC and Election-Hacking Phishing Attacks

When you combine email authentication through DMARC with an effective defense against inbound friendly-from and lookalike-domain attacks, it becomes possible to trust that the sender of an email really is who they appear to be.

In a layered defense strategy, which also includes SEGs and anti-phishing training, authentication and anti-impersonation defense technologies make an organization a much harder target.

Most organizations have a long way to go before they have all of these elements in place. But this week’s news shows that the problem is not going away — far from it.

Email needs to be more trustworthy. The first step is authentication. The next step is implementing a strong, layered defense against all types of impersonation.

Contact us to find out how Valimail Enforce and Valimail Defend can provide an essential layer of trust for your organization’s email infrastructure.

Dylan Tweney is the head of communications for Valimail.